In OSP 7, after activation of the port-security feature on the controllers, an existing port's port security cannot be disabled. The reason is that the MySQL `ovs_neutron` table `portsecuritybindings` is not populated with new entries on an update operation, only on a port create. A manual insertion in this table fixes this issue easily.

How to reproduce:

Set on all controllers:
~~~
[root@overcloud-controller-0 ~]# grep port_sec /etc/neutron/plugins/ml2/ml2_conf.ini
extension_drivers = port_security
~~~

Restart neutron server
~~~
pcs resource restart neutron-server-clone
~~~
(in fact, restarting all resources with pcs resource restart rabbitmq-clone was tried as well)

Update an existing port
~~~
[stack@undercloud-7 ~]$ neutron port-update bcaedbdc-0b2d-48f8-8f5b-3c93b234b030 --port_security_enabled=false
Updated port: bcaedbdc-0b2d-48f8-8f5b-3c93b234b030
~~~

Verify this port
~~~
[stack@undercloud-7 ~]$ neutron port-show bcaedbdc-0b2d-48f8-8f5b-3c93b234b030 | grep secu
| port_security_enabled | True                                 |
| security_groups       | 456ab73e-118b-46bc-9450-faca924159f5 |
~~~

Verify in the database that the binding for this port was not created
~~~
MariaDB [ovs_neutron]> select * from portsecuritybindings \G
*************************** 1. row ***************************
              port_id: 1a2f1165-4dc5-44b1-a3fb-27304004d979
port_security_enabled: 0
1 row in set (0.01 sec)
~~~

Create a new port
~~~
[stack@undercloud-7 ~]$ neutron port-create --tenant-id 699394ca24544abd85d03d1e35d745fa --fixed-ip subnet_id=d1107cc5-3195-4d1d-87d0-bdd1c8cc7e19,ip_address=192.168.0.20 c8cee2bb-9b53-47fd-a526-4f24b252e980
Created a new port:
+-----------------------+-------------------------------------------------------------------------------------+
| Field                 | Value                                                                               |
+-----------------------+-------------------------------------------------------------------------------------+
| admin_state_up        | True                                                                                |
| allowed_address_pairs |                                                                                     |
| binding:host_id       |                                                                                     |
| binding:profile       | {}                                                                                  |
| binding:vif_details   | {}                                                                                  |
| binding:vif_type      | unbound                                                                             |
| binding:vnic_type     | normal                                                                              |
| device_id             |                                                                                     |
| device_owner          |                                                                                     |
| fixed_ips             | {"subnet_id": "d1107cc5-3195-4d1d-87d0-bdd1c8cc7e19", "ip_address": "192.168.0.20"} |
| id                    | 475df4c5-1aaf-4b6e-87ef-231669a7eb55                                                |
| mac_address           | fa:16:3e:a6:1c:d0                                                                   |
| name                  |                                                                                     |
| network_id            | c8cee2bb-9b53-47fd-a526-4f24b252e980                                                |
| security_groups       | 456ab73e-118b-46bc-9450-faca924159f5                                                |
| status                | DOWN                                                                                |
| tenant_id             | 699394ca24544abd85d03d1e35d745fa                                                    |
+-----------------------+-------------------------------------------------------------------------------------+
~~~

Verify that the binding was not created in the database
~~~
MariaDB [ovs_neutron]> select * from portsecuritybindings \G
*************************** 1. row ***************************
              port_id: 1a2f1165-4dc5-44b1-a3fb-27304004d979
port_security_enabled: 0
1 row in set (0.00 sec)
~~~

Create a new port with port-security explicitly enabled/disabled
~~~
[stack@undercloud-7 ~]$ neutron port-create --tenant-id 699394ca24544abd85d03d1e35d745fa --fixed-ip subnet_id=d1107cc5-3195-4d1d-87d0-bdd1c8cc7e19,ip_address=192.168.0.21 --port-security-enabled=false c8cee2bb-9b53-47fd-a526-4f24b252e980
Created a new port:
+-----------------------+-------------------------------------------------------------------------------------+
| Field                 | Value                                                                               |
+-----------------------+-------------------------------------------------------------------------------------+
| admin_state_up        | True                                                                                |
| allowed_address_pairs |                                                                                     |
| binding:host_id       |                                                                                     |
| binding:profile       | {}                                                                                  |
| binding:vif_details   | {}                                                                                  |
| binding:vif_type      | unbound                                                                             |
| binding:vnic_type     | normal                                                                              |
| device_id             |                                                                                     |
| device_owner          |                                                                                     |
| fixed_ips             | {"subnet_id": "d1107cc5-3195-4d1d-87d0-bdd1c8cc7e19", "ip_address": "192.168.0.21"} |
| id                    | a3f1394d-61d4-4a1a-9b5e-1b75e2b4d7e3                                                |
| mac_address           | fa:16:3e:a5:2f:d7                                                                   |
| name                  |                                                                                     |
| network_id            | c8cee2bb-9b53-47fd-a526-4f24b252e980                                                |
| port_security_enabled | False                                                                               |
| security_groups       |                                                                                     |
| status                | DOWN                                                                                |
| tenant_id             | 699394ca24544abd85d03d1e35d745fa                                                    |
+-----------------------+-------------------------------------------------------------------------------------+
[stack@undercloud-7 ~]$ neutron port-create --tenant-id 699394ca24544abd85d03d1e35d745fa --fixed-ip subnet_id=d1107cc5-3195-4d1d-87d0-bdd1c8cc7e19,ip_address=192.168.0.22 --port-security-enabled=true c8cee2bb-9b53-47fd-a526-4f24b252e980
Created a new port:
+-----------------------+-------------------------------------------------------------------------------------+
| Field                 | Value                                                                               |
+-----------------------+-------------------------------------------------------------------------------------+
| admin_state_up        | True                                                                                |
| allowed_address_pairs |                                                                                     |
| binding:host_id       |                                                                                     |
| binding:profile       | {}                                                                                  |
| binding:vif_details   | {}                                                                                  |
| binding:vif_type      | unbound                                                                             |
| binding:vnic_type     | normal                                                                              |
| device_id             |                                                                                     |
| device_owner          |                                                                                     |
| fixed_ips             | {"subnet_id": "d1107cc5-3195-4d1d-87d0-bdd1c8cc7e19", "ip_address": "192.168.0.22"} |
| id                    | 66f5304d-b516-4f20-a5bb-e94c3f9248b4                                                |
| mac_address           | fa:16:3e:a6:d3:2a                                                                   |
| name                  |                                                                                     |
| network_id            | c8cee2bb-9b53-47fd-a526-4f24b252e980                                                |
| port_security_enabled | True                                                                                |
| security_groups       | 456ab73e-118b-46bc-9450-faca924159f5                                                |
| status                | DOWN                                                                                |
| tenant_id             | 699394ca24544abd85d03d1e35d745fa                                                    |
+-----------------------+-------------------------------------------------------------------------------------+
~~~

Verify in the database
~~~
MariaDB [ovs_neutron]> select * from portsecuritybindings \G
*************************** 1. row ***************************
              port_id: 1a2f1165-4dc5-44b1-a3fb-27304004d979
port_security_enabled: 0
*************************** 2. row ***************************
              port_id: 66f5304d-b516-4f20-a5bb-e94c3f9248b4
port_security_enabled: 1
*************************** 3. row ***************************
              port_id: a3f1394d-61d4-4a1a-9b5e-1b75e2b4d7e3
port_security_enabled: 0
3 rows in set (0.00 sec)
~~~

Create a binding for the first port manually in the database
~~~
MariaDB [ovs_neutron]> insert into portsecuritybindings values ('bcaedbdc-0b2d-48f8-8f5b-3c93b234b030',0);
Query OK, 1 row affected (0.15 sec)
~~~

Update the port
~~~
[stack@undercloud-7 ~]$ neutron port-update bcaedbdc-0b2d-48f8-8f5b-3c93b234b030 --port_security_enabled=false
Port has security group associated. Cannot disable port security or ip address until security group is removed
[stack@undercloud-7 ~]$ neutron port-update bcaedbdc-0b2d-48f8-8f5b-3c93b234b030 --no-security-groups --port_security_enabled=false
Updated port: bcaedbdc-0b2d-48f8-8f5b-3c93b234b030
~~~

Verify on the compute node that the change took effect
~~~
[root@overcloud-compute-0 ~]# iptables-save | grep bcaedbdc-0b
-A neutron-openvswi-FORWARD -m physdev --physdev-out tapbcaedbdc-0b --physdev-is-bridged -m comment --comment "Accept all packets when port security is disabled." -j ACCEPT
-A neutron-openvswi-FORWARD -m physdev --physdev-in tapbcaedbdc-0b --physdev-is-bridged -m comment --comment "Accept all packets when port security is disabled." -j ACCEPT
-A neutron-openvswi-INPUT -m physdev --physdev-in tapbcaedbdc-0b --physdev-is-bridged -m comment --comment "Accept all packets when port security is disabled." -j ACCEPT
[root@overcloud-compute-0 ~]#
~~~
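The root cause described in the report is a port that exists in `ports` but has no row in `portsecuritybindings`, so an update has nothing to modify. The following is an added example (not code from the report or from Neutron) that shows how to find such ports and backfill them in bulk rather than one `insert` at a time. It models only the two columns the report names (`port_id`, `port_security_enabled`) plus a `ports.id` column, in an in-memory SQLite database; the real `ovs_neutron` schema has many more columns and constraints, and the same `LEFT JOIN ... IS NULL` query would be run against MariaDB there. The port IDs are taken from the report; the default of `1` for backfilled rows is an assumption chosen because it is the value the API already reports for an unbound port, so the backfill changes no effective policy until an operator updates the port explicitly.

```python
"""Find Neutron ports with no portsecuritybindings row and backfill them.

Added example, not code from the bug report or from Neutron. The schema below
is a minimal model (assumption) of the two tables the report discusses.
"""
import sqlite3

# Constructed sample data. The port IDs are the ones shown in the report; the
# first port is the pre-existing one that has no binding row.
SAMPLE_PORTS = [
    "bcaedbdc-0b2d-48f8-8f5b-3c93b234b030",
    "1a2f1165-4dc5-44b1-a3fb-27304004d979",
    "66f5304d-b516-4f20-a5bb-e94c3f9248b4",
    "a3f1394d-61d4-4a1a-9b5e-1b75e2b4d7e3",
]
SAMPLE_BINDINGS = [
    ("1a2f1165-4dc5-44b1-a3fb-27304004d979", 0),
    ("66f5304d-b516-4f20-a5bb-e94c3f9248b4", 1),
    ("a3f1394d-61d4-4a1a-9b5e-1b75e2b4d7e3", 0),
]

# Ports that exist but have no port-security binding: exactly the ports whose
# port-update will be silently ignored according to the report.
UNBOUND_QUERY = """
SELECT p.id
FROM ports AS p
LEFT JOIN portsecuritybindings AS b ON b.port_id = p.id
WHERE b.port_id IS NULL
ORDER BY p.id
"""


def build_sample_db():
    """Create the minimal model schema and load the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE ports (id TEXT PRIMARY KEY)")
    conn.execute(
        "CREATE TABLE portsecuritybindings ("
        " port_id TEXT PRIMARY KEY REFERENCES ports(id),"
        " port_security_enabled INTEGER NOT NULL)"
    )
    conn.executemany("INSERT INTO ports VALUES (?)", [(p,) for p in SAMPLE_PORTS])
    conn.executemany("INSERT INTO portsecuritybindings VALUES (?, ?)", SAMPLE_BINDINGS)
    conn.commit()
    return conn


def find_unbound_ports(conn):
    """Return the IDs of ports that have no portsecuritybindings row."""
    return [row[0] for row in conn.execute(UNBOUND_QUERY)]


def backfill_bindings(conn, default_enabled=1):
    """Insert a binding for every unbound port and return the IDs touched.

    default_enabled=1 mirrors what the API reports for a port without a
    binding (True in the report), so the backfill does not change policy.
    """
    unbound = find_unbound_ports(conn)
    conn.executemany(
        "INSERT INTO portsecuritybindings (port_id, port_security_enabled)"
        " VALUES (?, ?)",
        [(port_id, default_enabled) for port_id in unbound],
    )
    conn.commit()
    return unbound


def binding_state(conn, port_id):
    """Return the stored port_security_enabled value, or None if unbound."""
    row = conn.execute(
        "SELECT port_security_enabled FROM portsecuritybindings WHERE port_id = ?",
        (port_id,),
    ).fetchone()
    return None if row is None else row[0]


if __name__ == "__main__":
    db = build_sample_db()
    print("unbound before backfill:", find_unbound_ports(db))
    print("backfilled:", backfill_bindings(db))
    print("unbound after backfill:", find_unbound_ports(db))
```

Run the `SELECT` first on its own and review the list; only then apply the backfill, and take a database backup beforehand, since this is a direct write to Neutron's tables outside the API.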
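The report's last step, checking `iptables-save` on the compute node, is the only check that shows what is actually enforced, and the API view can disagree with it (the report's `port-show` kept saying `True`). The following is an added example, not code from the report or from Neutron, that audits an `iptables-save` dump and lists every tap device whose traffic is accepted unconditionally because port security is disabled. The three `tapbcaedbdc-0b` lines are the report's own output; the two `tap66f5304d-b5` lines are constructed, modelled on the security-group redirect rules the Neutron OVS hybrid firewall driver emits, and the `tap` + first 11 characters naming rule for the device is the convention Neutron uses for OVS hybrid ports.

```python
"""Audit an iptables-save dump for Neutron ports with port security disabled.

Added example, not from the bug report or from Neutron. Sample input: the
tapbcaedbdc-0b lines are copied from the report; the tap66f5304d-b5 lines are
constructed to resemble the per-port security-group redirect rules.
"""
import re

SAMPLE_IPTABLES_SAVE = """\
-A neutron-openvswi-FORWARD -m physdev --physdev-out tapbcaedbdc-0b --physdev-is-bridged -m comment --comment "Accept all packets when port security is disabled." -j ACCEPT
-A neutron-openvswi-FORWARD -m physdev --physdev-in tapbcaedbdc-0b --physdev-is-bridged -m comment --comment "Accept all packets when port security is disabled." -j ACCEPT
-A neutron-openvswi-INPUT -m physdev --physdev-in tapbcaedbdc-0b --physdev-is-bridged -m comment --comment "Accept all packets when port security is disabled." -j ACCEPT
-A neutron-openvswi-FORWARD -m physdev --physdev-out tap66f5304d-b5 --physdev-is-bridged -m comment --comment "Direct traffic from the VM interface to the security group chain." -j neutron-openvswi-sg-chain
-A neutron-openvswi-FORWARD -m physdev --physdev-in tap66f5304d-b5 --physdev-is-bridged -m comment --comment "Direct traffic from the VM interface to the security group chain." -j neutron-openvswi-sg-chain
"""

# The comment text Neutron attaches to the unconditional ACCEPT rules, as seen
# verbatim in the report's iptables-save output.
DISABLED_COMMENT = "Accept all packets when port security is disabled."

PHYSDEV_RE = re.compile(r"--physdev-(?:in|out)\s+(tap[0-9a-f-]+)")
COMMENT_RE = re.compile(r'--comment\s+"([^"]*)"')
TARGET_RE = re.compile(r"-j\s+(\S+)")


def tap_name(port_id):
    """Neutron names the OVS hybrid tap device 'tap' + first 11 chars of the port ID."""
    return "tap" + port_id[:11]


def classify_ports(dump):
    """Map each tap device in the Neutron chains to 'disabled' or 'filtered'.

    'disabled': an unconditional ACCEPT carrying the port-security comment.
    'filtered': the device only appears in rules that send traffic on to other
    chains (security groups apply).
    """
    state = {}
    for line in dump.splitlines():
        if not line.startswith("-A neutron-openvswi-"):
            continue
        dev = PHYSDEV_RE.search(line)
        if not dev:
            continue
        tap = dev.group(1)
        comment = COMMENT_RE.search(line)
        target = TARGET_RE.search(line)
        unconditional_accept = (
            comment is not None
            and comment.group(1) == DISABLED_COMMENT
            and target is not None
            and target.group(1) == "ACCEPT"
        )
        if unconditional_accept:
            state[tap] = "disabled"
        else:
            state.setdefault(tap, "filtered")
    return state


def ports_with_security_disabled(dump):
    """Sorted tap devices whose traffic bypasses security-group filtering."""
    return sorted(tap for tap, s in classify_ports(dump).items() if s == "disabled")


def port_security_state(dump, port_id):
    """State for one port ID, or None if no rule references its tap device."""
    return classify_ports(dump).get(tap_name(port_id))


if __name__ == "__main__":
    print("port security disabled on:", ports_with_security_disabled(SAMPLE_IPTABLES_SAVE))
    print(port_security_state(SAMPLE_IPTABLES_SAVE, "bcaedbdc-0b2d-48f8-8f5b-3c93b234b030"))
```

On a real compute node feed it `iptables-save` output; comparing its result with `neutron port-show` for the same ports is a quick way to spot exactly the API-versus-datapath disagreement this bug produces.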
~~~
$ cat /etc/yum.repos.d/latest-installed
7 -p 2017-06-01.1
$ rpm -qa |grep openstack-neutron-2015
openstack-neutron-2015.1.4-14.el7ost.noarch
~~~
fix verified.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2017:1454