G.7 After a VM Instance has been Booted: Port Security

If you need to disable port security for a port after it has already been associated with a VM instance, you must run one or both of the following commands. First, if the VM instance with which the existing port is associated has any security groups attached (run nova list-secgroup <VM instance name> to check), remove each of them with a command of the following form:
# nova remove-secgroup <VM instance name> <Security group name>

Where the items in angle brackets have the following meanings:

  • <VM instance name>

    Identifies the name of the VM instance from which the identified security group should be removed.

  • <Security group name>

    Identifies the name of the security group that should be removed from the VM instance.

For example, if you wanted to remove the default security group from a VM instance named ‘testvm4’, then you would type a command similar to the following:
# nova remove-secgroup testvm4 default
Once all security groups have been removed from the VM instance to which the Neutron port is assigned, the Neutron port(s) associated with the target VM instance need to be updated to disable port security on those ports. The order matters: Neutron rejects the update while a security group is still attached to the port. The command to disable port security for a specific Neutron port is of the form:
# neutron port-update <Port ID> --port-security-enabled=false

Where the item in angle brackets has the following meaning:

  • <Port ID>

    Identifies the ID of the port within Neutron. It can be determined by listing the ports with neutron port-list, or, if the port is named, the port ID can be substituted directly into the above command with a sequence such as $(neutron port-show -f value -F id <Port Name>).

For example, if you wanted to tell Neutron that port security should be disabled for a port with an ID of 6d48b5f2-d185-4768-b5a4-c0d1d8075e41, then you would type the following command:
# neutron port-update 6d48b5f2-d185-4768-b5a4-c0d1d8075e41 --port-security-enabled=false

If the port-update command succeeds, application-managed VIPs can now be added to the network interface inside the VM instance that is associated with the 6d48b5f2-d185-4768-b5a4-c0d1d8075e41 port, and network traffic using that VIP address should now propagate. You can confirm the setting with neutron port-show <Port ID> -f value -F port_security_enabled, which should print False. Note that disabling port security also removes Neutron's anti-spoofing filtering for that port, so the VM can send traffic from any source MAC or IP address; if only a known set of VIP addresses is needed, the port's allowed_address_pairs attribute permits those addresses while leaving port security enabled.
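The following script is an added example and is not part of the original guide: it drives the two-step procedure above (remove the instance's security groups, then disable port security on each of its Neutron ports) from a POSIX shell script. It assumes the legacy nova and neutron CLIs are on PATH with OS_* credentials exported, and that neutron port-list accepts the --device_id filter. The helper names (run, table_column, apply_plan, disable_port_security), the INSTANCE and DRY_RUN variables and the sample CLI tables are constructed here for illustration; the sample reuses the port ID from the example above. With DRY_RUN=1 (the default) it only prints the commands it would run, which is what the offline demonstration at the bottom does.

```shell
#!/bin/sh
# Added example, not from the original guide: script the two-step procedure
# (remove the instance's security groups, then disable port security on each
# of its Neutron ports). Assumes the legacy 'nova' and 'neutron' CLIs on PATH
# and OS_* credentials exported. DRY_RUN=1 (the default) only prints the
# commands it would run; the sample tables below are constructed test data.
set -eu

DRY_RUN="${DRY_RUN:-1}"

# run CMD ARGS...: execute the command, or print it when DRY_RUN=1.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '[dry-run] %s\n' "$*"
  else
    "$@"
  fi
}

# table_column N HEADER: read a pretty-printed nova/neutron table on stdin and
# print the trimmed value of cell N (1-based) of every data row, skipping the
# header row (whose cell equals HEADER) and the +----+ separator lines.
table_column() {
  awk -F'|' -v c="$(($1 + 1))" -v h="$2" '
    /^[|]/ { v = $c; gsub(/^[ \t]+|[ \t]+$/, "", v)
             if (v != "" && v != h) print v }'
}

# Security group names from 'nova list-secgroup' (| Id | Name | Description |).
secgroup_names() { table_column 2 Name; }

# Port IDs from 'neutron port-list' (| id | name | mac_address | fixed_ips |).
port_ids() { table_column 1 id; }

# Instance UUID from the 'nova show' property table (| Property | Value |).
instance_id() {
  awk -F'|' '$2 ~ /^[ \t]*id[ \t]*$/ { gsub(/[ \t]/, "", $3); print $3 }'
}

# apply_plan VM "GROUP..." "PORT_ID...": issue the commands in the required
# order. Neutron rejects port-security-enabled=false while security groups are
# still attached, so the remove-secgroup calls must come first. Lists are
# whitespace-separated, so group names containing spaces need manual handling.
apply_plan() {
  vm="$1"
  for sg in $2; do
    run nova remove-secgroup "$vm" "$sg"
  done
  for pid in $3; do
    run neutron port-update "$pid" --port-security-enabled=false
  done
}

# disable_port_security VM: gather the live data from the CLIs, then apply.
disable_port_security() {
  vm="$1"
  groups=$(nova list-secgroup "$vm" | secgroup_names)
  ports=$(neutron port-list --device_id "$(nova show "$vm" | instance_id)" | port_ids)
  apply_plan "$vm" "$groups" "$ports"
}

# Constructed sample output, in the layout the CLIs print, for offline use.
SAMPLE_SECGROUPS='+--------------------------------------+---------+-------------+
| Id                                   | Name    | Description |
+--------------------------------------+---------+-------------+
| 2c3e6a1b-8f0d-4c7e-9a2b-5d1e3f7a9b0c | default | default     |
| 7a1b2c3d-4e5f-6a7b-8c9d-0e1f2a3b4c5d | web     | web servers |
+--------------------------------------+---------+-------------+'
SAMPLE_PORTS='+--------------------------------------+------+-------------------+------------------------------------------------------------------------------------+
| id                                   | name | mac_address       | fixed_ips                                                                          |
+--------------------------------------+------+-------------------+------------------------------------------------------------------------------------+
| 6d48b5f2-d185-4768-b5a4-c0d1d8075e41 |      | fa:16:3e:12:34:56 | {"subnet_id": "9b1c0d2e-3f4a-4b5c-8d6e-7f8a9b0c1d2e", "ip_address": "10.0.0.5"} |
+--------------------------------------+------+-------------------+------------------------------------------------------------------------------------+'

if [ -n "${INSTANCE:-}" ]; then
  # Real run, e.g.: INSTANCE=testvm4 DRY_RUN=0 sh disable-port-security.sh
  disable_port_security "$INSTANCE"
else
  # Offline demonstration: parse the constructed tables and print the plan.
  apply_plan testvm4 "$(printf '%s\n' "$SAMPLE_SECGROUPS" | secgroup_names)" \
                     "$(printf '%s\n' "$SAMPLE_PORTS" | port_ids)"
fi
```

Run it with no variables set to see the planned commands for the sample data; set INSTANCE to a real VM name and DRY_RUN=0 to apply them. On deployments that ship the unified client, openstack port set --disable-port-security <Port ID> is the equivalent of the neutron port-update step.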