Allow disabling security groups
For some use cases it might be needed to disable security groups.
For example best DPDK performance can be achieved only with disabled
security groups.
Change-Id: I067fa230c0cc5f8042bc405249f99e09250893ec
diff --git a/README.rst b/README.rst
index e8e633f..d3a64ae 100644
--- a/README.rst
+++ b/README.rst
@@ -707,6 +707,20 @@
map_file: '/etc/pycadf/neutron_api_audit_map.conf'
....
+Neutron with security groups disabled
+
+.. code-block:: yaml
+
+ neutron:
+ server:
+ security_groups_enabled: False
+ ....
+ compute:
+ security_groups_enabled: False
+ ....
+ gateway:
+ security_groups_enabled: False
+
Neutron Client
--------------
diff --git a/metadata/service/compute/single.yml b/metadata/service/compute/single.yml
index e1196b2..3422e39 100644
--- a/metadata/service/compute/single.yml
+++ b/metadata/service/compute/single.yml
@@ -17,6 +17,7 @@
local_ip: ${_param:tenant_address}
dvr: false
external_access: false
+ security_groups_enabled: true
metadata:
host: ${_param:cluster_vip_address}
password: ${_param:metadata_password}
diff --git a/metadata/service/control/single.yml b/metadata/service/control/single.yml
index 3be2831..24b5a2f 100644
--- a/metadata/service/control/single.yml
+++ b/metadata/service/control/single.yml
@@ -12,6 +12,7 @@
fwaas: false
dns_domain: novalocal
tunnel_type: vxlan
+ security_groups_enabled: true
version: ${_param:neutron_version}
bind:
address: ${_param:single_address}
diff --git a/metadata/service/gateway/single.yml b/metadata/service/gateway/single.yml
index 4ff30d1..a9628f0 100644
--- a/metadata/service/gateway/single.yml
+++ b/metadata/service/gateway/single.yml
@@ -17,6 +17,7 @@
local_ip: ${_param:tenant_address}
dvr: false
external_access: True
+ security_groups_enabled: true
metadata:
host: ${_param:cluster_vip_address}
password: ${_param:metadata_password}
diff --git a/neutron/files/ocata/ml2_conf.ini b/neutron/files/ocata/ml2_conf.ini
index 736ce2d..ad4e100 100644
--- a/neutron/files/ocata/ml2_conf.ini
+++ b/neutron/files/ocata/ml2_conf.ini
@@ -249,17 +249,22 @@
# Driver for security groups firewall in the L2 agent (string value)
#firewall_driver = <None>
-{%- if server.dpdk %}
-firewall_driver = openvswitch
-{%- else %}
-firewall_driver = neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver
-{%- endif %}
# Controls whether the neutron security group API is enabled in the server. It
# should be false when using no security groups or using the nova security
# group API. (boolean value)
#enable_security_group = true
+
+{%- if not server.get('security_groups_enabled', True) %}
+firewall_driver = neutron.agent.firewall.NoopFirewallDriver
+enable_security_group = False
+{%- elif server.dpdk %}
+firewall_driver = openvswitch
enable_security_group = True
+{%- else %}
+firewall_driver = neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver
+enable_security_group = True
+{%- endif %}
# Use ipset to speed-up the iptables based security groups. Enabling ipset
# support requires that ipset is installed on L2 agent node. (boolean value)
diff --git a/neutron/files/ocata/openvswitch_agent.ini b/neutron/files/ocata/openvswitch_agent.ini
index 0536d2a..ef9d767 100644
--- a/neutron/files/ocata/openvswitch_agent.ini
+++ b/neutron/files/ocata/openvswitch_agent.ini
@@ -304,17 +304,22 @@
# Driver for security groups firewall in the L2 agent (string value)
#firewall_driver = <None>
-{%- if neutron.dpdk %}
-firewall_driver = openvswitch
-{%- else %}
-firewall_driver = neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver
-{%- endif %}
# Controls whether the neutron security group API is enabled in the server. It
# should be false when using no security groups or using the nova security
# group API. (boolean value)
#enable_security_group = true
+
+{%- if not neutron.get('security_groups_enabled', True) %}
+firewall_driver = neutron.agent.firewall.NoopFirewallDriver
+enable_security_group = False
+{%- elif neutron.dpdk %}
+firewall_driver = openvswitch
enable_security_group = True
+{%- else %}
+firewall_driver = neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver
+enable_security_group = True
+{%- endif %}
# Use ipset to speed-up the iptables based security groups. Enabling ipset
# support requires that ipset is installed on L2 agent node. (boolean value)