<div dir="auto">That’s a bit strange. I’ll give it a try.</div><div dir="auto"><br></div><div dir="auto">Regarding RH support, I wasn’t trying to be sarcastic. Like any large scale support service, the quality might vary a little bit but it’s been fairly good in my personal experience.</div><div dir="auto"><br></div><div dir="auto">Of course, a good TAM and some poking is always a good asset.</div><div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Wed, Sep 14, 2022 at 12:25 PM Albert Braden <<a href="mailto:ozzzo@yahoo.com">ozzzo@yahoo.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;padding-left:1ex;border-left-color:rgb(204,204,204)"><div>                Hi Brendan, thanks for offering to help! I'll contact you privately with info about some languishing cases.<br><br>Here's the policy line:<br>"update_port:port_security_enabled": "rule:context_is_advsvc or rule:admin_or_network_owner"<br><br>Does this policy only affect Horizon? I'm using the same non-admin user for both CLI and Horizon, on a project where that user is a member. The network was created by the admin user.<br>            </div>            <div style="margin:10px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;padding-left:1ex;border-left-color:rgb(204,204,204)">                        <div style="font-family:"Helvetica Neue",Helvetica,Arial,sans-serif;font-size:13px;color:rgb(38,40,42)">                                <div style="font-family:"Helvetica Neue",Helvetica,Arial,sans-serif">                    On Wednesday, September 14, 2022, 10:41:31 AM EDT, Brendan Shephard <<a href="mailto:bshephar@redhat.com" target="_blank" style="font-family:"Helvetica Neue",Helvetica,Arial,sans-serif">bshephar@redhat.com</a>> wrote:                </div>                <div style="font-family:"Helvetica Neue",Helvetica,Arial,sans-serif"><br></div>                <div style="font-family:"Helvetica Neue",Helvetica,Arial,sans-serif"><br></div>                <div style="font-family:"Helvetica Neue",Helvetica,Arial,sans-serif"><div id="m_-2093600233188239425yiv3809434980" style="font-family:"Helvetica Neue",Helvetica,Arial,sans-serif"><div style="font-family:"Helvetica Neue",Helvetica,Arial,sans-serif">Hi Albert,<div style="font-family:"Helvetica Neue",Helvetica,Arial,sans-serif"><br clear="none"></div><div style="font-family:"Helvetica Neue",Helvetica,Arial,sans-serif">While I may not be the best person to address your Horizon concern. I can probably help you with your Red Hat support concerns. If you had any issues you wanted addressed, or feedback you wanted to provide. Feel free to give me a yell.</div><div style="font-family:"Helvetica Neue",Helvetica,Arial,sans-serif"><br clear="none"></div><div style="font-family:"Helvetica Neue",Helvetica,Arial,sans-serif">Looking at your Horizon issue though. It seems the default policy file is what prevents you from updating that port. We can see the default policy like this for example:</div><div style="font-family:"Helvetica Neue",Helvetica,Arial,sans-serif"><br clear="none"></div><div style="font-family:"Helvetica Neue",Helvetica,Arial,sans-serif"><div style="font-family:"Helvetica Neue",Helvetica,Arial,sans-serif"><font face="Menlo" style="font-family:Menlo;color:rgb(38,40,42)">[root@controller-2 ~]# podman exec -it neutron_api oslopolicy-policy-generator --namespace neutron | grep "update_port:port_security_enabled"</font></div><div style="font-family:"Helvetica Neue",Helvetica,Arial,sans-serif"><font face="Menlo" style="font-family:Menlo;color:rgb(38,40,42)">"update_port:port_security_enabled": "rule:context_is_advsvc or rule:admin_or_network_owner"</font></div></div><div style="font-family:"Helvetica Neue",Helvetica,Arial,sans-serif"><br clear="none"></div><div style="font-family:"Helvetica Neue",Helvetica,Arial,sans-serif">When you execute the command via the CLI, which user are you using? Are you just sourcing the <font face="Menlo" style="font-family:Menlo;color:rgb(38,40,42)">overcloudrc</font> file, or using <font face="Menlo" style="font-family:Menlo;color:rgb(38,40,42)">export</font> <font face="Menlo" style="font-family:Menlo;color:rgb(38,40,42)">OS_CLOUD=overcloud. </font>If that’s the case then you would be using the admin user on the CLI, but probably a different user when logging into Horizon.</div><div style="font-family:"Helvetica Neue",Helvetica,Arial,sans-serif"><br clear="none"></div><div style="font-family:"Helvetica Neue",Helvetica,Arial,sans-serif">I too would suggest opening a support case. It sounds like you have previously had a negative experience with that. If you want to open a new one and share the case number with me, I can follow up on that for you. As someone who personally knows a lot of the RHOSP Technical Support team from around the world. I’m confident we can right whatever wrong may have occurred there.</div><div style="font-family:"Helvetica Neue",Helvetica,Arial,sans-serif"><br clear="none"></div><div style="font-family:"Helvetica Neue",Helvetica,Arial,sans-serif">Let me know if I can help in any way.</div><div style="font-family:"Helvetica Neue",Helvetica,Arial,sans-serif"><br clear="none"></div><div style="font-family:"Helvetica Neue",Helvetica,Arial,sans-serif">Regards,</div><div style="font-family:"Helvetica Neue",Helvetica,Arial,sans-serif"><br clear="none"></div><div style="font-family:"Helvetica Neue",Helvetica,Arial,sans-serif"><div style="font-family:"Helvetica Neue",Helvetica,Arial,sans-serif">Brendan Shephard<br clear="none">Senior Software Engineer<br clear="none">Brisbane, Australia<br clear="none"><br clear="none"><br clear="none"></div><div id="m_-2093600233188239425yiv3809434980yqt68957" style="font-family:"Helvetica Neue",Helvetica,Arial,sans-serif"><div style="font-family:"Helvetica Neue",Helvetica,Arial,sans-serif"><br clear="none"><blockquote type="cite" style="font-family:"Helvetica Neue",Helvetica,Arial,sans-serif"><div style="font-family:"Helvetica Neue",Helvetica,Arial,sans-serif">On 14 Sep 2022, at 10:36 pm, Albert Braden <<a href="mailto:ozzzo@yahoo.com" target="_blank" style="font-family:"Helvetica Neue",Helvetica,Arial,sans-serif">ozzzo@yahoo.com</a>> wrote:</div><br clear="none"><div style="font-family:"Helvetica Neue",Helvetica,Arial,sans-serif"><div style="font-family:"Helvetica Neue",Helvetica,Arial,sans-serif">                On CLI I can type "openstack port set --no-security-group <ID>" to remove all security groups. In Horizon, the equivalent operation would be using the - button to remove all groups and then clicking "Update." Using the + button would be the equivalent of typing "openstack port set --security-group <group ID>". There doesn't seem to be a way to remove a single security group via CLI; I think the only way would be to set --no-security-group and then add back the desired groups.<br clear="none"><br clear="none">I can successfully add security groups to a port via CLI, or I can remove all security groups. If I go into Horizon and try these operations then I get the error when I click "Update." So it appears that security groups can be added and removed, with port security set, via CLI. We only see the failure when we try to do it via Horizon.<br clear="none"><br clear="none">Regarding RHOSP support; I assume that you are joking, or maybe haven't experienced the support that they offer.<br clear="none">            </div>            <div style="margin:10px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;padding-left:1ex;font-family:"Helvetica Neue",Helvetica,Arial,sans-serif;border-left-color:rgb(204,204,204)">                        <div style="font-family:"Helvetica Neue",Helvetica,Arial,sans-serif;font-size:13px;color:rgb(38,40,42)">                                <div style="font-family:"Helvetica Neue",Helvetica,Arial,sans-serif">                    On Tuesday, September 13, 2022, 06:30:11 PM EDT, Laurent Dumont <<a href="mailto:laurentfdumont@gmail.com" target="_blank" style="font-family:"Helvetica Neue",Helvetica,Arial,sans-serif">laurentfdumont@gmail.com</a>> wrote:                </div>                <div style="font-family:"Helvetica Neue",Helvetica,Arial,sans-serif"><br clear="none"></div>                <div style="font-family:"Helvetica Neue",Helvetica,Arial,sans-serif"><br clear="none"></div>                <div style="font-family:"Helvetica Neue",Helvetica,Arial,sans-serif"><div id="m_-2093600233188239425yiv3809434980" style="font-family:"Helvetica Neue",Helvetica,Arial,sans-serif"><div style="font-family:"Helvetica Neue",Helvetica,Arial,sans-serif"><div dir="ltr" style="font-family:"Helvetica Neue",Helvetica,Arial,sans-serif">If you are running RHOSP, you might have a support contract with Red Hat?<div style="font-family:"Helvetica Neue",Helvetica,Arial,sans-serif"><br clear="none"></div><div style="font-family:"Helvetica Neue",Helvetica,Arial,sans-serif">Are you trying to remove all the security groups from a port that has port_security enabled?</div></div><br clear="none"><div id="m_-2093600233188239425yiv3809434980yqt44993" style="font-family:"Helvetica Neue",Helvetica,Arial,sans-serif"><div style="font-family:"Helvetica Neue",Helvetica,Arial,sans-serif"><div dir="ltr" style="font-family:"Helvetica Neue",Helvetica,Arial,sans-serif">On Tue, Sep 13, 2022 at 11:53 AM Albert Braden <<a rel="nofollow noopener noreferrer" shape="rect" href="mailto:ozzzo@yahoo.com" target="_blank" style="font-family:"Helvetica Neue",Helvetica,Arial,sans-serif">ozzzo@yahoo.com</a>> wrote:<br clear="none"></div><blockquote style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;padding-left:1ex;font-family:"Helvetica Neue",Helvetica,Arial,sans-serif;border-left-color:rgb(204,204,204)"><div style="font-family:"Helvetica Neue",Helvetica,Arial,sans-serif">                Unfortunately we are running RHOSP in which Train is the latest and greatest. This is what we see in horizon.log:<br clear="none"><br clear="none">[Tue Sep 13 15:28:15.362703 2022] [wsgi:error] [pid 27:tid 139683266553600] [remote <a rel="nofollow noopener noreferrer" shape="rect" href="http://10.232.233.11:57498/" target="_blank" style="font-family:"Helvetica Neue",Helvetica,Arial,sans-serif">10.232.233.11:57498</a>] Failed to update port 08fdbb97-4896-4afb-9390-41481ff27cac: ((rule:update_port and rule:update_port:binding:vnic_type) and rule:update_port:port_security_enabled) is disallowed by policy<br clear="none">            </div>            <div style="margin:10px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;padding-left:1ex;font-family:"Helvetica Neue",Helvetica,Arial,sans-serif;border-left-color:rgb(204,204,204)">                        <div style="font-family:Helvetica,Arial,sans-serif;font-size:13px;color:rgb(38,40,42)">                                <div style="font-family:Helvetica,Arial,sans-serif">                    On Friday, September 9, 2022, 10:59:34 AM EDT, Pierre Riteau <<a rel="nofollow noopener noreferrer" shape="rect" href="mailto:pierre@stackhpc.com" target="_blank" style="font-family:Helvetica,Arial,sans-serif">pierre@stackhpc.com</a>> wrote:                </div>                <div style="font-family:Helvetica,Arial,sans-serif"><br clear="none"></div>                <div style="font-family:Helvetica,Arial,sans-serif"><br clear="none"></div>                <div style="font-family:Helvetica,Arial,sans-serif"><div id="m_-2093600233188239425yiv3809434980m_-4487918859824189139yiv8965467104" style="font-family:Helvetica,Arial,sans-serif"><div style="font-family:Helvetica,Arial,sans-serif"><div dir="ltr" style="font-family:Helvetica,Arial,sans-serif"><div style="font-family:Helvetica,Arial,sans-serif">Hello,</div><div style="font-family:Helvetica,Arial,sans-serif"><br clear="none"></div><div style="font-family:Helvetica,Arial,sans-serif">This is more likely to be a Horizon bug than an issue with Kolla itself, since Kolla doesn't change much from the default configuration.</div><div style="font-family:Helvetica,Arial,sans-serif"><br clear="none"></div><div style="font-family:Helvetica,Arial,sans-serif">You should check Horizon logs in /var/log/kolla/horizon to find the error. I would also encourage you to upgrade to a more recent release, since Train has been marked as End of Life in Kolla recently.</div><div style="font-family:Helvetica,Arial,sans-serif"><br clear="none"></div><div style="font-family:Helvetica,Arial,sans-serif">Cheers,</div><div style="font-family:Helvetica,Arial,sans-serif">Pierre Riteau (priteau)</div><br clear="none"><div id="m_-2093600233188239425yiv3809434980m_-4487918859824189139yiv8965467104yqt41160" style="font-family:Helvetica,Arial,sans-serif"><div style="font-family:Helvetica,Arial,sans-serif"><div dir="ltr" style="font-family:Helvetica,Arial,sans-serif">On Fri, 9 Sept 2022 at 15:41, Albert Braden <<a rel="nofollow noopener noreferrer" shape="rect" href="mailto:ozzzo@yahoo.com" target="_blank" style="font-family:Helvetica,Arial,sans-serif">ozzzo@yahoo.com</a>> wrote:<br clear="none"></div><blockquote style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;padding-left:1ex;font-family:Helvetica,Arial,sans-serif;border-left-color:rgb(204,204,204)">We're running kolla train and we're seeing an apparent bug when we try to add or remove security groups on a port. We see error "Failed to update port <ID>". It works fine in CLI; we only see this in Horizon. Is this a known bug, or are we doing something wrong?<br clear="none"><br clear="none"></blockquote></div></div></div></div></div></div>            </div>                </div></blockquote></div></div></div></div></div>            </div>                </div></div></blockquote></div></div><br clear="none"></div></div></div></div>            </div>                </div></blockquote></div></div>