[Horizon] [train] Horizon port security group management fails
Laurent Dumont
laurentfdumont at gmail.com
Wed Sep 14 22:00:09 UTC 2022
That’s a bit strange. I’ll give it a try.
Regarding RH support, I wasn’t trying to be sarcastic. Like any large scale
support service, the quality might vary a little bit but it’s been fairly
good in my personal experience.
Of course, a good TAM and some poking is always a good asset.
On Wed, Sep 14, 2022 at 12:25 PM Albert Braden <ozzzo at yahoo.com> wrote:
> Hi Brendan, thanks for offering to help! I'll contact you privately with
> info about some languishing cases.
>
> Here's the policy line:
> "update_port:port_security_enabled": "rule:context_is_advsvc or
> rule:admin_or_network_owner"
>
> Does this policy only affect Horizon? I'm using the same non-admin user
> for both CLI and Horizon, on a project where that user is a member. The
> network was created by the admin user.
> On Wednesday, September 14, 2022, 10:41:31 AM EDT, Brendan Shephard <
> bshephar at redhat.com> wrote:
>
>
> Hi Albert,
>
> While I may not be the best person to address your Horizon concern. I can
> probably help you with your Red Hat support concerns. If you had any issues
> you wanted addressed, or feedback you wanted to provide. Feel free to give
> me a yell.
>
> Looking at your Horizon issue though. It seems the default policy file is
> what prevents you from updating that port. We can see the default policy
> like this for example:
>
> [root at controller-2 ~]# podman exec -it neutron_api
> oslopolicy-policy-generator --namespace neutron | grep
> "update_port:port_security_enabled"
> "update_port:port_security_enabled": "rule:context_is_advsvc or
> rule:admin_or_network_owner"
>
> When you execute the command via the CLI, which user are you using? Are
> you just sourcing the overcloudrc file, or using export OS_CLOUD=overcloud.
> If that’s the case then you would be using the admin user on the CLI, but
> probably a different user when logging into Horizon.
>
> I too would suggest opening a support case. It sounds like you have
> previously had a negative experience with that. If you want to open a new
> one and share the case number with me, I can follow up on that for you. As
> someone who personally knows a lot of the RHOSP Technical Support team from
> around the world. I’m confident we can right whatever wrong may have
> occurred there.
>
> Let me know if I can help in any way.
>
> Regards,
>
> Brendan Shephard
> Senior Software Engineer
> Brisbane, Australia
>
>
>
> On 14 Sep 2022, at 10:36 pm, Albert Braden <ozzzo at yahoo.com> wrote:
>
> On CLI I can type "openstack port set --no-security-group <ID>" to remove
> all security groups. In Horizon, the equivalent operation would be using
> the - button to remove all groups and then clicking "Update." Using the +
> button would be the equivalent of typing "openstack port set
> --security-group <group ID>". There doesn't seem to be a way to remove a
> single security group via CLI; I think the only way would be to set
> --no-security-group and then add back the desired groups.
>
> I can successfully add security groups to a port via CLI, or I can remove
> all security groups. If I go into Horizon and try these operations then I
> get the error when I click "Update." So it appears that security groups can
> be added and removed, with port security set, via CLI. We only see the
> failure when we try to do it via Horizon.
>
> Regarding RHOSP support; I assume that you are joking, or maybe haven't
> experienced the support that they offer.
> On Tuesday, September 13, 2022, 06:30:11 PM EDT, Laurent Dumont <
> laurentfdumont at gmail.com> wrote:
>
>
> If you are running RHOSP, you might have a support contract with Red Hat?
>
> Are you trying to remove all the security groups from a port that has
> port_security enabled?
>
> On Tue, Sep 13, 2022 at 11:53 AM Albert Braden <ozzzo at yahoo.com> wrote:
>
> Unfortunately we are running RHOSP in which Train is the latest and
> greatest. This is what we see in horizon.log:
>
> [Tue Sep 13 15:28:15.362703 2022] [wsgi:error] [pid 27:tid
> 139683266553600] [remote 10.232.233.11:57498] Failed to update port
> 08fdbb97-4896-4afb-9390-41481ff27cac: ((rule:update_port and
> rule:update_port:binding:vnic_type) and
> rule:update_port:port_security_enabled) is disallowed by policy
> On Friday, September 9, 2022, 10:59:34 AM EDT, Pierre Riteau <
> pierre at stackhpc.com> wrote:
>
>
> Hello,
>
> This is more likely to be a Horizon bug than an issue with Kolla itself,
> since Kolla doesn't change much from the default configuration.
>
> You should check Horizon logs in /var/log/kolla/horizon to find the error.
> I would also encourage you to upgrade to a more recent release, since Train
> has been marked as End of Life in Kolla recently.
>
> Cheers,
> Pierre Riteau (priteau)
>
> On Fri, 9 Sept 2022 at 15:41, Albert Braden <ozzzo at yahoo.com> wrote:
>
> We're running kolla train and we're seeing an apparent bug when we try to
> add or remove security groups on a port. We see error "Failed to update
> port <ID>". It works fine in CLI; we only see this in Horizon. Is this a
> known bug, or are we doing something wrong?
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.openstack.org/pipermail/openstack-discuss/attachments/20220914/5a31e05b/attachment.htm>
More information about the openstack-discuss
mailing list