On Thu, Apr 4, 2019 at 12:07 PM Miguel Duarte de Mora Barroso <mdbarroso@redhat.com> wrote:

> Questions:
> - what is the role of the "Network port security" option for an OVN network?

It means that newly created ports under that network will inherit the
port security value from the network - e.g. if the network's port
security attribute is active, so will the newly created port's port
security.

Port security on a port means 2 things:
  #1 - security group rules *will* apply to the VM having that port attached
  #2 - only the specified mac address will be allowed to send/receive
through that port. MAC spoofing protection is applied.

> - what is the meaning of "Undefined" option for it other than "Enabled" and "Disabled"?

It means that the network will inherit the value from the provider's
configuration - you can check what it translates to in
/etc/ovirt-provider-ovn/conf.d/10-setup-ovirt-provider-ovn.conf

Thanks for the clarifications. Digging around RHV 4.2 vs 4.3 beta docs I see now that "Network Port Security" will also be one of the new features for it.
In 4.3 beta the third option is explicitly defined as "Inherited" (reflecting your explanation) and not "Undefined" as in current oVirt 4.3.2.

> - it seems I cannot edit the value for "Network port security" option of an existing OVN network, is it correct?

You cannot do it *through the UI*. You can use ansible / REST api to
update the network - or ports - port_security_enabled value.


I am working on creating a couple of playbooks for this; hopefully I
can provide those early next week. It would be helpful to agilize this
process.


Indeed. Because in the OpenStack web mgmt interface all the settings related to security groups are simplified and intuitive, but here we do not have that...
Also because it seems from the RHV 4.3 beta manual that creation of security groups themselves will not be possible through the web GUI...
There is a notion of 'default' group, that ensures connectivity to all
VMs whose ports belong to that group - and all ports with active port
security, by default do.

I'm not sure how you reached that situation, but let's first make sure
of a couple of things; please provide the output of:
  - ovn-nbctl list logical_switch_port # this will feature info of the
    port security value, and of which groups the port belongs to - the
    latter in the 'external_ids' column.
  - ovn-nbctl list port_group # this is where the security groups are
    stored; it has associations to the ACLs belonging to the group, and of
    the ports that are using it.
  - ovn-nbctl list address_set # this is where the IPs per group are
    stored; security groups are an L3 concept.

A pastebin with the aforementioned info is welcome.

See here:
https://drive.google.com/file/d/1hgXMGttMgb0oaDEy5k6aWFdb01dYsjwq/view?usp=sharing

Gianluca
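A way to audit the `ovn-nbctl list logical_switch_port` output requested above for ports whose port security is off (no MAC spoofing protection, and security group rules not applied), as an added example that is not part of this thread. The `key : value` record layout is the real ovsdb `list` format; the sample records and the `external_ids` key names are constructed assumptions, not necessarily what ovirt-provider-ovn writes.

```python
from typing import Dict, List

# Constructed sample of `ovn-nbctl list logical_switch_port` output.
# Record layout is the real ovsdb "list" format (blank line between records);
# the external_ids keys and values are made-up assumptions for this example.
SAMPLE_NBCTL_OUTPUT = """\
_uuid               : 0a1b2c3d-0000-4000-8000-000000000001
addresses           : ["00:1a:4a:16:01:51 10.0.0.5"]
external_ids        : {ovirt_nic_id=vm1-nic1, "security_groups"="default"}
name                : "vm1-port"
port_security       : ["00:1a:4a:16:01:51 10.0.0.5"]

_uuid               : 0a1b2c3d-0000-4000-8000-000000000002
addresses           : ["00:1a:4a:16:01:52 10.0.0.6"]
external_ids        : {ovirt_nic_id=vm2-nic1}
name                : "vm2-port"
port_security       : []
"""

def parse_nbctl_list(text: str) -> List[Dict[str, str]]:
    """Split `ovn-nbctl list <table>` output into one dict per record."""
    records, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        # Keys never contain ':', so split on the first one only
        # (values such as MAC addresses contain many).
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    if current:
        records.append(current)
    return records

def external_ids(record: Dict[str, str]) -> Dict[str, str]:
    """Turn the {k=v, "k2"="v2"} map column into a dict (quotes are optional in ovsdb output)."""
    raw = record.get("external_ids", "{}").strip("{}")
    ids = {}
    for item in filter(None, (s.strip() for s in raw.split(","))):
        key, _, value = item.partition("=")
        ids[key.strip().strip('"')] = value.strip().strip('"')
    return ids

def ports_without_port_security(text: str) -> List[str]:
    """Names of ports whose port_security column is empty: these get no MAC
    spoofing protection and security group ACLs do not apply to them."""
    return [r["name"].strip('"') for r in parse_nbctl_list(text)
            if r.get("port_security", "[]") == "[]"]
```

Feed it the real output (e.g. `ports_without_port_security(open("lsp.txt").read())`) to list the ports that need `port_security_enabled` set via the REST API or Ansible.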