I also did some tests to confirm whether any manual intervention is required when the flag is toggled from true to false [1].
The flow [2] will not be deleted by the following tests.
1, update SG member
PROJECT_ID=$(openstack project show --domain admin_domain admin -f value -c id)
SECGRP_ID=$(openstack security group list --project ${PROJECT_ID} | awk '/default/ {print $2}')
openstack security group rule create ${SECGRP_ID} --protocol tcp --dst-port 2222 --ingress
2, update port SG
openstack port set f9977d83-dade-4849-b0a5-b151c9812e94 --no-security-group
openstack port set f9977d83-dade-4849-b0a5-b151c9812e94 --disable-port-security
openstack port set f9977d83-dade-4849-b0a5-b151c9812e94 --enable-port-security
openstack port set f9977d83-dade-4849-b0a5-b151c9812e94 --security-group $SECGRP_ID
3, update network SG
openstack network set private --disable-port-security
openstack network set private --enable-port-security
4, restart neutron-openvswitch-agent.service
Unless I restart the machine. But rebooting the machine might not be acceptable in production, so removing the following flows by hand may be a workaround to get it up with the config change with minimal disruption, as it avoids restarting the machine.
# fa:16:3e:7a:11:7d is mac of sg-xxx interface
# ovs-ofctl dump-flows br-int |grep fa:16:3e:7a:11:7d |grep -E 'priority=12|priority=10'
cookie=0xf6202ec41ea7282d, duration=329.516s, table=94, n_packets=0, n_bytes=0, idle_age=333, priority=12,reg6=0x2,dl_dst=fa:16:3e:7a:11:7d actions=output:5
cookie=0xf6202ec41ea7282d, duration=329.516s, table=94, n_packets=0, n_bytes=0, idle_age=333, priority=10,reg6=0x2,dl_src=fa:16:3e:7a:11:7d,dl_dst=00:00:00:00:00:00/01:00:00:00:00:00 actions=mod_vlan_vid:2,output:2
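To make the "remove the flows by hand" step auditable rather than a manual grep, here is an added example (not code from the charm, from neutron or from this comment's author) that parses the text format of `ovs-ofctl dump-flows br-int`, picks out the table=94 flows that still reference a given sg-xxx MAC, and builds the exact match string for `ovs-ofctl --strict del-flows br-int <match>` so the operator can review each flow before deleting it. The sample dump embedded below is constructed from the two flows quoted above plus one unrelated table=0 flow; the bridge name, table number and the `--strict` form are assumptions of this example.

```python
"""Find leftover security-group flows in an `ovs-ofctl dump-flows br-int` dump.

Added example for this comment; it is not part of the neutron-openvswitch
charm or of neutron. It parses the dump-flows text format, reports the
table=94 flows that still match a given MAC in dl_src or dl_dst, and prints
the `ovs-ofctl --strict del-flows` match strings for review before removal.
"""

# Constructed sample modelled on the two flows quoted in the comment,
# plus an unrelated table=0 flow that must NOT be reported.
SAMPLE_DUMP = """\
NXST_FLOW reply (xid=0x4):
 cookie=0xf6202ec41ea7282d, duration=329.516s, table=94, n_packets=0, n_bytes=0, idle_age=333, priority=12,reg6=0x2,dl_dst=fa:16:3e:7a:11:7d actions=output:5
 cookie=0xf6202ec41ea7282d, duration=329.516s, table=94, n_packets=0, n_bytes=0, idle_age=333, priority=10,reg6=0x2,dl_src=fa:16:3e:7a:11:7d,dl_dst=00:00:00:00:00:00/01:00:00:00:00:00 actions=mod_vlan_vid:2,output:2
 cookie=0xf6202ec41ea7282d, duration=329.516s, table=0, n_packets=12, n_bytes=936, idle_age=5, priority=0 actions=resubmit(,60)
"""

# Per-flow statistics that dump-flows prints but del-flows does not accept.
STATS_FIELDS = {"cookie", "duration", "n_packets", "n_bytes", "idle_age", "hard_age"}


def parse_flow(line):
    """Split one dump-flows line into (fields, actions).

    fields maps every `key=value` (or bare flag) before ` actions=` to its
    value, in the order printed; lines without an actions part (the
    NXST_FLOW header) return None.
    """
    line = line.strip()
    if " actions=" not in line:
        return None
    left, actions = line.split(" actions=", 1)
    fields = {}
    for token in left.replace(", ", ",").split(","):
        if "=" in token:
            key, value = token.split("=", 1)
        else:
            key, value = token, None
        fields[key] = value
    return fields, actions


def stale_sg_flows(dump_text, mac, table="94"):
    """Return [(fields, actions)] for flows in `table` whose dl_src or dl_dst is `mac`."""
    hits = []
    for line in dump_text.splitlines():
        parsed = parse_flow(line)
        if parsed is None:
            continue
        fields, actions = parsed
        if fields.get("table") != table:
            continue
        if mac in (fields.get("dl_src"), fields.get("dl_dst")):
            hits.append((fields, actions))
    return hits


def del_flow_match(fields):
    """Build the match string for `ovs-ofctl --strict del-flows br-int <match>`.

    Statistics fields are dropped; table and priority are kept because
    --strict requires an exact match including priority.
    """
    parts = []
    for key, value in fields.items():
        if key in STATS_FIELDS:
            continue
        parts.append(key if value is None else f"{key}={value}")
    return ",".join(parts)


if __name__ == "__main__":
    # In practice: dump = subprocess.check_output(["ovs-ofctl", "dump-flows", "br-int"], text=True)
    for fields, actions in stale_sg_flows(SAMPLE_DUMP, "fa:16:3e:7a:11:7d"):
        print(f"stale flow -> actions={actions}")
        print(f"  ovs-ofctl --strict del-flows br-int '{del_flow_match(fields)}'")
```

Run it against a real dump by replacing `SAMPLE_DUMP` with the output of `ovs-ofctl dump-flows br-int`; it only prints the candidate `del-flows` commands, so the operator still decides which to apply, and the `--strict` form ensures each command removes exactly the listed flow rather than every flow whose fields are a superset of the match.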
[1] https://review.opendev.org/c/openstack/charm-neutron-openvswitch/+/813407
[2] https://bugs.launchpad.net/neutron/+bug/1945306/comments/3