[Horizon] [train] Horizon port security group management fails

Albert Braden ozzzo at yahoo.com
Wed Sep 14 12:36:24 UTC 2022


 On CLI I can type "openstack port set --no-security-group <ID>" to remove all security groups. In Horizon, the equivalent operation would be using the - button to remove all groups and then clicking "Update." Using the + button would be the equivalent of typing "openstack port set --security-group <group ID>". There doesn't seem to be a way to remove a single security group via CLI; I think the only way would be to set --no-security-group and then add back the desired groups.

I can successfully add security groups to a port via CLI, or I can remove all security groups. If I go into Horizon and try these operations then I get the error when I click "Update." So it appears that security groups can be added and removed, with port security set, via CLI. We only see the failure when we try to do it via Horizon.

Regarding RHOSP support; I assume that you are joking, or maybe haven't experienced the support that they offer.
     On Tuesday, September 13, 2022, 06:30:11 PM EDT, Laurent Dumont <laurentfdumont at gmail.com> wrote:  
 
 If you are running RHOSP, you might have a support contract with Red Hat?
Are you trying to remove all the security groups from a port that has port_security enabled?
On Tue, Sep 13, 2022 at 11:53 AM Albert Braden <ozzzo at yahoo.com> wrote:

 Unfortunately we are running RHOSP in which Train is the latest and greatest. This is what we see in horizon.log:

[Tue Sep 13 15:28:15.362703 2022] [wsgi:error] [pid 27:tid 139683266553600] [remote 10.232.233.11:57498] Failed to update port 08fdbb97-4896-4afb-9390-41481ff27cac: ((rule:update_port and rule:update_port:binding:vnic_type) and rule:update_port:port_security_enabled) is disallowed by policy
     On Friday, September 9, 2022, 10:59:34 AM EDT, Pierre Riteau <pierre at stackhpc.com> wrote:  
 
 Hello,
This is more likely to be a Horizon bug than an issue with Kolla itself, since Kolla doesn't change much from the default configuration.
You should check Horizon logs in /var/log/kolla/horizon to find the error. I would also encourage you to upgrade to a more recent release, since Train has been marked as End of Life in Kolla recently.
Cheers,Pierre Riteau (priteau)
On Fri, 9 Sept 2022 at 15:41, Albert Braden <ozzzo at yahoo.com> wrote:

We're running kolla train and we're seeing an apparent bug when we try to add or remove security groups on a port. We see error "Failed to update port <ID>". It works fine in CLI; we only see this in Horizon. Is this a known bug, or are we doing something wrong?


  
  
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.openstack.org/pipermail/openstack-discuss/attachments/20220914/4ee0fb07/attachment.htm>


More information about the openstack-discuss mailing list