2

Kilo port_security_enabled=false for network

asked 2015-08-10 13:07:46 -0500

anonymous user

updated 2015-08-13 02:03:15 -0500

Created a network by setting port_security_enabled=false and added a subnet. Launching a VM with this network fails with "SecurityGroupCannotBeApplied: Network requires port_security_enabled and subnet associated in order to apply security groups".

Is this a known issue? If so, are there any workarounds?

Here are the details of the net and subnet cfg:

net-show
    +---------------------------+--------------------------------------+
    | Field                     | Value                                |
    +---------------------------+--------------------------------------+
    | admin_state_up            | True                                 |
    | id                        | 9fd3f0ca-acae-4327-bdb3-0b9a0c5120c5 |
    | mtu                       | 0                                    |
    | name                      | testnet1                             |
    | port_security_enabled     | False                                |
    | provider:network_type     | vlan                                 |
    | provider:physical_network | physnet1                             |
    | provider:segmentation_id  | 12                                   |
    | router:external           | False                                |
    | shared                    | False                                |
    | status                    | ACTIVE                               |
    | subnets                   | fb1a7fcc-616b-48a8-ba18-57c2ce2e5e0f |
    | tenant_id                 | da8a5e8116a54534a2040b5fc56a85d2     |
    +---------------------------+--------------------------------------+

subnet-show
    +-------------------+--------------------------------------------+
    | Field             | Value                                      |
    +-------------------+--------------------------------------------+
    | allocation_pools  | {"start": "13.0.0.2", "end": "13.0.0.254"} |
    | cidr              | 13.0.0.0/24                                |
    | dns_nameservers   |                                            |
    | enable_dhcp       | True                                       |
    | gateway_ip        | 13.0.0.1                                   |
    | host_routes       |                                            |
    | id                | fb1a7fcc-616b-48a8-ba18-57c2ce2e5e0f       |
    | ip_version        | 4                                          |
    | ipv6_address_mode |                                            |
    | ipv6_ra_mode      |                                            |
    | name              | testnet1-subnet                            |
    | network_id        | 9fd3f0ca-acae-4327-bdb3-0b9a0c5120c5       |
    | subnetpool_id     |                                            |
    | tenant_id         | da8a5e8116a54534a2040b5fc56a85d2           |
    +-------------------+--------------------------------------------+

Comments

Can you post a neutron subnet-show, net-show, port-show, and nova show of the resources you are working with?

omar-munoz (2015-08-10 15:20:40 -0500)

What information are you looking for specifically? I created a network with port_security_enabled=false and added a subnet to it. Launching a VM with this network resulted in the failure. Is this known to work with the Kilo release?

opstkusr (2015-08-11 11:31:27 -0500)

probably this one - but not backported to kilo - https://review.openstack.org/#/c/2840...

darragh-oreilly (2016-08-09 12:01:51 -0500)

1 answer

0

answered 2015-08-11 10:37:41 -0500

dm07c3

Hello there,

It looks like your deployed instance is delivered with a security group. Be sure that there isn't a security group inside. (Found here)

Otherwise create a security group which allows all protocols for all IPs in all directions.


Comments

I have tried launching the VM without associating the default security group too. Also, how would this work if you had 2 networks (one with port_security_enabled=false)? Does this feature not provide the flexibility to enable security groups on one interface and not on the other?

opstkusr (2015-08-12 09:51:31 -0500)

I've also noted that the functionality seems to be fine if I create a port with port_security_enabled=false and hot plug it to a VM.

opstkusr (2015-08-12 11:40:36 -0500)

Also, it looks like this patch specifically targets the issue that I am seeing: https://review.openstack.org/#/c/59578/

opstkusr (2015-08-12 14:56:28 -0500)
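
An added example (not part of the thread, and not Neutron's or Nova's own code): a pre-flight check that parses `neutron net-show` table output like the one in the question and applies the condition quoted in the error message, port security enabled and a subnet associated, before security groups are requested. The function names, the trimmed sample table and the treatment of a missing attribute as enabled are assumptions.

```python
import re

# Constructed sample: the `neutron net-show` table from the question, trimmed.
NET_SHOW = """\
+---------------------------+--------------------------------------+
| Field                     | Value                                |
+---------------------------+--------------------------------------+
| name                      | testnet1                             |
| port_security_enabled     | False                                |
| subnets                   | fb1a7fcc-616b-48a8-ba18-57c2ce2e5e0f |
+---------------------------+--------------------------------------+
"""

ROW = re.compile(r"^\|\s*(?P<field>[^|]*?)\s*\|\s*(?P<value>[^|]*?)\s*\|\s*$")

def parse_show_table(text):
    """Turn a CLI `*-show` table into {field: [values]}. Rows with an empty
    field column continue the previous field (e.g. several subnets)."""
    fields, last = {}, None
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m or m.group("field") == "Field":
            continue  # border lines and the header row
        name, value = m.group("field"), m.group("value")
        if name:
            fields[name], last = [value] if value else [], name
        elif last and value:
            fields[last].append(value)
    return fields

def can_apply_security_groups(net):
    """Condition named in the error message: port security on AND a subnet."""
    # Assumption: a missing attribute means the default, which is enabled.
    psec = (net.get("port_security_enabled") or ["True"])[0].lower() == "true"
    return psec and bool(net.get("subnets"))

def preflight(net_show_text, requested_groups):
    """Hypothetical helper: predict the rejection before requesting a boot."""
    net = parse_show_table(net_show_text)
    if requested_groups and not can_apply_security_groups(net):
        return "reject: SecurityGroupCannotBeApplied"
    return "ok"
```

Running `preflight(NET_SHOW, ["default"])` on the question's network reports the rejection, while an empty group list passes the check.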
