On Thu, Apr 4, 2019 at 2:04 PM Gianluca Cecchi
<gianluca.cecchi(a)gmail.com> wrote:
On Thu, Apr 4, 2019 at 12:07 PM Miguel Duarte de Mora Barroso
<mdbarroso(a)redhat.com> wrote:
>
>
> > Questions:
> > - what is the role of the "Network port security" option for an OVN network?
>
> It means that newly created ports under that network will inherit the
> port security value from the network - e.g. if the network's port
> security attribute is active, so will the newly created port's port
> security.
>
> Port security on a port means 2 things:
> #1 - security group rules *will* apply to the VM having that port attached
> #2 - only the specified mac address will be allowed to send/receive
> through that port. MAC spoofing protection is applied.
>
> > - what is the meaning of "Undefined" option for it other than "Enabled" and "Disabled"?
>
> It means that the network will inherit the value from the provider's
> configuration - you can check what it translates to in
> /etc/ovirt-provider-ovn/conf.d/10-setup-ovirt-provider-ovn.conf
Thanks for the clarifications. Digging around the RHV 4.2 vs 4.3 beta docs, I see now that
"Network Port Security" will also be one of the new features for it.
In 4.3 beta the third option is explicitly defined as "Inherited" (reflecting
your explanation) and not "Undefined" as in current oVirt 4.3.2.
>
>
> > - it seems I cannot edit the value for "Network port security" option of an existing OVN network, is it correct?
>
> You cannot do it *through the UI*. You can use ansible / REST api to
> update the network - or ports - port_security_enabled value.
>
>
> I am working on creating a couple of playbooks for this; hopefully I
> can provide those early next week. It would be helpful to agilize this
> process.
>
Indeed. Because in the OpenStack web management interface all the settings related to security
groups are simplified and intuitive, but here we do not have that...
Also because it seems from the RHV 4.3 beta manual that creation of the security groups themselves
will not be possible through the web GUI...
>
> There is a notion of 'default' group, that ensures connectivity to all
> VMs whose ports belong to that group - and all ports with active port
> security, by default do.
>
> I'm not sure how you reached that situation, but let's first make sure
> of a couple of things; please provide the output of:
> - ovn-nbctl list logical_switch_port # this will feature info of the
> port security value, and of which groups the port belongs to - the
> latter in the 'external_ids' column.
> - ovn-nbctl list port_group # this is where the security groups are
> stored; it has associations to the ACLs belonging to the group, and of
> the ports that are using it
> - ovn-nbctl list address_set # this is where the IPs per group are
> stored. Security groups are an L3 concept.
>
> A pastebin with the aforementioned info is welcome.
See here:
https://drive.google.com/file/d/1hgXMGttMgb0oaDEy5k6aWFdb01dYsjwq/view?us...
From the data you supply, everything looks as it should: both
ports are members of the default port group, and both their IPs are
featured in the ip4 address set.
Mind sharing the created ACLs? (which I'm quite positive will be the
default ones, but I just have to be sure). It can be done via "ovn-nbctl
list acl". With that I can check the ACLs assigned to the default
group, and assure they are correct.
>
> Gianluca
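Added example (not code from either poster or from oVirt): a small parser for `ovn-nbctl list logical_switch_port` output that flags ports whose `port_security` column is empty (no MAC anti-spoofing, no security-group ACLs applied) and ports not tagged with the default group. The sample records are constructed, and the `ovirt_security_groups` external_ids key is an assumption about how the provider records group membership.

```python
import re

# Constructed sample in the format of `ovn-nbctl list logical_switch_port`
# (not records from the thread). The 'ovirt_security_groups' external_ids
# key is an assumption about how the oVirt provider tags group membership.
SAMPLE_LSP = """\
_uuid               : 1a2b3c4d-0000-4000-8000-000000000001
addresses           : ["00:1a:4a:16:01:51 10.10.0.11"]
external_ids        : {ovirt_nic_name=nic1, ovirt_security_groups=default}
name                : "port-vm1"
port_security       : ["00:1a:4a:16:01:51 10.10.0.11"]

_uuid               : 1a2b3c4d-0000-4000-8000-000000000002
addresses           : ["00:1a:4a:16:01:52 10.10.0.12"]
external_ids        : {ovirt_nic_name=nic1}
name                : "port-vm2"
port_security       : []
"""


def parse_ovn_list(text):
    """Split `ovn-nbctl list <table>` output into one {column: raw value} per record."""
    records = []
    # Records are blank-line separated; each line is 'column : value'.
    for chunk in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in chunk.splitlines():
            # Split on the first ':' only so MAC addresses in values stay intact.
            key, _, value = line.partition(":")
            rec[key.strip()] = value.strip()
        records.append(rec)
    return records


def port_security_report(text, group="default", groups_key="ovirt_security_groups"):
    """Return (ports with port security off, ports not tagged with `group`)."""
    unprotected, ungrouped = [], []
    for rec in parse_ovn_list(text):
        name = rec.get("name", "").strip('"')
        # Empty port_security: no MAC filtering and no security-group ACLs for this port.
        if rec.get("port_security", "[]") == "[]":
            unprotected.append(name)
        # Group tag may be quoted or bare in ovsdb output; comma-separated list of groups.
        match = re.search(groups_key + r'=(?:"([^"]*)"|([^,}\s]*))', rec.get("external_ids", "{}"))
        groups = (match.group(1) or match.group(2) or "").split(",") if match else []
        if group not in groups:
            ungrouped.append(name)
    return unprotected, ungrouped
```

Run against real output with `ovn-nbctl list logical_switch_port | python3 -c 'import sys; ...'` or by reading the file into `port_security_report`; ports listed in either result are the ones to inspect with `ovn-nbctl list port_group` and `ovn-nbctl list acl`.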