asked 2013-06-18 10:14:13 -0600

Arfghl

updated 2013-06-20 03:42:10 -0600


Is it possible to change the security group of an instance "on the fly"? I have created an instance with the security group default and I want to replace this group with another one, with Horizon or with a command-line tool.

Thanks for your help


Thank you for the command, I have not seen it before... Now when I try this command: "nova add-secgroup myserver mygroup" I get the following error: "ERROR: Network requires port_security_enabled and subnet associated in order to apply security groups. (HTTP 400)"

I use quantum for security groups

But this is an existing bug, there is some information about it here:

And this solved my problem:

Thank you :)

answered 2013-06-21 01:27:02 -0600

Ashokb

Hi,

Currently in Grizzly you can remove the security group on the fly. But adding a security group to a running instance won't happen due to a bug. From Horizon I am not sure whether it can be done. But you can use the Nova CLI.

Even for the CLI you need to apply the below patch before you add the sec group.

--- a/nova/network/security_group/
+++ b/nova/network/security_group/
 @@ -340,8 +340,9 @@ class SecurityGroupAPI(security_group_base.SecurityGroupBase):
     has_ip = port.get('fixed_ips')
     if port_security_enabled and has_ip:
         return True
 - else:
- return False
+ elif 'port_security_enabled' not in port and has_ip:
+ return True
+ return False

 def add_to_instance(self, context, instance, security_group_name):
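
Review bot: the added branch elif 'port_security_enabled' not in port and has_ip returns True for a port that carries no port_security_enabled key at all, so a missing attribute is silently treated as "enabled", and the hunk has no comment or test saying why that default is intended. Add a one-line comment above the elif stating when the key is expected to be absent, and a unit test with a port dict that has fixed_ips but no port_security_enabled key; the explicitly disabled case should still reach the final return False. If the local port_security_enabled is read from the same port dict (its assignment is above the visible lines), both branches could be folded into a single condition with an explicit default, which makes the fallback easier to audit.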

Hope this helps.

Best, Ashok

Yes, I have already updated my question with the links for this bug.

for the discussion :

for the path :

Thank you

Arfghl ( 2013-06-24 04:55:24 -0600 )

answered 2013-06-18 11:00:20 -0600

jpichon

updated 2013-06-19 08:58:24 -0600

It's possible to change the security groups on the fly using Horizon, if you're using the latest release Grizzly. Click on the "More" button for the instance you want to update and you should see an "Edit Security Groups" option.

For the previous versions, it's still possible to do this using the command-line tools, you can find out more at

EDIT: Actually I may have pointed to the wrong command. Looking at the command-line client, this is how it should be possible to do this using the CLI:

$ nova help add-secgroup
usage: nova add-secgroup <server> <secgroup>

Add a Security Group to a server.

Positional arguments:
  <server>    Name or ID of server.
  <secgroup>  Name of Security Group.

The code for this was added a year ago so I believe this should be available in Folsom.

Hope this helps!

answered 2013-07-19 01:41:47 -0600

thirunaresh

Hi, I am new to OpenStack and learning by myself. It may be a very noob question, but I am trying to apply this patch. Can anyone help me in applying this patch? How can I apply it? I am using RDO OpenStack single node.

This is not an answer, please post a different question.

Jobin ( 2013-07-19 02:44:38 -0600 )

Thirunaresh, go to this link, just modify the changed lines, and restart nova services. You should succeed!

Ashokb ( 2013-07-19 10:56:35 -0600 )

answered 2013-06-19 08:40:40 -0600

Arfghl

Thanks for your help :) With the Horizon solution I have 2 errors when I tried to switch security modules: Error: Failed to modify 2 instance security groups. and Error: Unable to modify instance "TestVM. Moreover I have a lot of errors in apache error.log

With the command-line tools we can edit security groups but not assign one security group to an instance.

The only way to assign a security group to an instance with the command line is on boot of the instance, isn't it?

Hey -- it's usually more helpful to update the Question rather than adding a new answer, as it makes it difficult to keep track of the discussion. I updated my answer with the correct CLI command for doing this, sorry for the mistaken link. Would you mind updating your question with the errors...

jpichon ( 2013-06-19 08:59:54 -0600 )

...you're seeing in the logs, and also indicate whether you're using Nova or Quantum security groups? Thank you!

jpichon ( 2013-06-19 09:00:52 -0600 )

