Ask Your Question

Disabling security groups in Horizon

asked 2013-12-27 14:35:03 -0600

bswrchrd gravatar image

updated 2014-01-22 15:13:08 -0600

Evgeny gravatar image

Anyone know how to disable the use of the securitygroup API in Horizon (or if it is even possible)? We are running Havana/Ubuntu/ML2/OVS agent/GRE without iptables (via the neutron.agent.firewall.NoopFirewallDriver driver) but are receiving the Error: Unable to retrieve security groups error in Horizon when a customer tries to provision a new VM.

There is a comment in Horizon's Django config file that I am interpreting as the ability to switch off "security groups" via a config entry like 'enable_secgroups': False but I can't find any reference to the correct property anywhere in the code.

# The OPENSTACK_NEUTRON_NETWORK settings can be used to enable optional
# services provided by neutron. Options currenly available are load
# balancer service, security groups, quotas, VPN service.
    'enable_lb': False,
    'enable_firewall': False,
    'enable_quotas': True,
    'enable_vpn': False,
    # The profile_support option is used to detect if an external router can be
    # configured via the dashboard. When using specific plugins the
    # profile_support can be turned on if needed.
    'profile_support': None,
    #'profile_support': 'cisco',

The enable_firewall property enables/disables FWaaS which is not what we need.

edit retag flag offensive close merge delete

2 answers

Sort by ยป oldest newest most voted

answered 2013-12-27 20:27:59 -0600

dheeru gravatar image

updated 2013-12-27 20:32:02 -0600

If you do not want to use a firewall in Compute or Networking, you need to edit both(nova and neutron) configuration files and set 
Also, edit the /etc/nova/nova.conf file and comment out or remove the 
security_group_api=neutron statement.

Files to be edited /etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini and /etc/nova/nova.con

edit flag offensive delete link more


Since he is running OVS he will have to set the `firewall_driver=` in his OVS plugin configuration file. He said he set "neutron.agent.firewall.NoopFirewallDriver" in his nova.conf already.

SamYaple gravatar imageSamYaple ( 2013-12-27 20:31:27 -0600 )edit

True also, he need to disable neutron security configuration in nova.conf

dheeru gravatar imagedheeru ( 2013-12-27 20:33:07 -0600 )edit

Agreed. Upvotes all around!

SamYaple gravatar imageSamYaple ( 2013-12-27 20:37:01 -0600 )edit

answered 2013-12-27 20:27:48 -0600

SamYaple gravatar image

updated 2013-12-27 20:36:43 -0600

In your /etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini file you need to set firewall_driver under [securitygroup] to neutron.agent.firewall.NoopFirewall

See below


Also, dheeru mentioned in his answer, make sure you set below in your /etc/nova/nova.conf file


Notice the different firewall_driver names for each conf file.

edit flag offensive delete link more


we answered at same time :)

dheeru gravatar imagedheeru ( 2013-12-27 20:28:40 -0600 )edit

I saw that! :)

SamYaple gravatar imageSamYaple ( 2013-12-27 20:32:18 -0600 )edit

Sorry guys, I should have been more descriptive. firewall_driver=NoopFirewall already set in both ML2 config file and nova.conf. The issue is with Horizon and Nova CLI, I can't figure out how to get around selecting a in Access & Security tab in the Launch Instance window or nova boot cmd.

bswrchrd gravatar imagebswrchrd ( 2013-12-30 12:47:06 -0600 )edit

Hi! I see this bug and looks like it's still actual in Juno.

Bobych gravatar imageBobych ( 2015-05-15 09:36:26 -0600 )edit

Get to know Ask OpenStack

Resources for moderators

Question Tools

1 follower


Asked: 2013-12-27 14:35:03 -0600

Seen: 5,378 times

Last updated: Dec 27 '13