I this is both expected and a bug :DThere is an option to disable port security for a Network. This is potentially the right thing in a world where Tooling here is really Toolforge and we want ferm/iptables to manage rulesets and not be overlapping with security groups. If this is its own VXLAN network that could make sense.So to test this I issued:# optional mass turning off of port-security mode for a networkneutron net-update --port-security-enabled=false <net uuid>This documented in modules/openstack/templates/bootstrap/neutron/neutron_ seed.sh.erb port-security (security group application) can be disabled per-port or per-network. Per-port seems to be fairly well worked out, but per network seems to come with confusion between nova and neutron. Nova assumes in some cases that every port will have a security group and so balks. I see https://review.openstack.org/#/c/59578/ in relation but haven't found a similar bug for disabled for an entire network but I'm sure I've seen one I just can't find it. If only we could read redhat's magic docs at https://access.redhat.com/solutions/2143121 . Possibly https://bugzilla.redhat.com/show_bug.cgi?id= 1291210 I don't recall doing anything special to create the existing instances so that's interesting, and this seems not to happen if we first make a port with security groups disabled and then attach an instance. So in general I think this is just mismatched expectations between nova and neutron when security groups are disabled for an entire network. There a few known upstream reports of similar things.--On Fri, Jun 1, 2018 at 7:43 AM, Arturo Borrero Gonzalez <aborrero@wikimedia.org> wrote:Hi,
I've been working on some sanity checks for our labtestn
(mitaka/neutron) deployment [0].
I found a weird issue when trying to create an instance in the 'tooling'
network (the vxlan based network):
<<
Network requires port_security_enabled and subnet associated in order to
apply security groups.
>>
This error is seen in the /var/log/nova/nova-conductor.log file when I
create an instance with this cmdline:
% openstack server create --flavor 2 \
--image 66e544e8-fe4f-41f7-9809-6723e53b5a99 aborrero-test1 \
--nic port-id=9389a984-d58e-4776-8b7a-30ff93073917 \
--property subnet=3ec06de7-3b9e-4de3-86c6-67ba1895b253
However:
% neutron port-show 9389a984-d58e-4776-8b7a-30ff93073917 \
| grep port_security_enabled
| port_security_enabled | True
(this port was created manually by me)
Not sure if the 'server create' command is lacking some additional
option. I generated it following what I saw in our bootstrap docs +
labtestcontrol2003 history
I also tried with this command:
% openstack server create --flavor 2 \
--image 66e544e8-fe4f-41f7-9809-6723e53b5a99 aborrero-test1 \
--nic net-id=60aa9467-253c-4fdf-9fa0-eba42dafc975
with the same result (i.e, a net instead of a port)
I'm probably misunderstanding some openstack concepts: nics, ports,
subnets, nets, etc.
[0]
https://wikitech.wikimedia.org/wiki/Portal:Cloud_VPS/Admin/ Deployment_sanity_checklist
Chase Pettetchasemp on phabricator and IRC