From 5d4b75fc7dfbefc0394e6d9ec61c2d489ec6a74d Mon Sep 17 00:00:00 2001
From: Salvatore Orlando
Date: Tue, 28 Sep 2021 10:12:57 -0700
Subject: [PATCH] Delete bindings for provider SG only if needed

When provider security groups are removed, the corresponding bindings could have already been removed by _update_port_preprocess_security. This change ensures binding deletion is done only when needed, and avoids failures in case the bindings have already been removed.

Change-Id: Iaccf4f3ddb9fef6d8dcb254bc978883b99c947f3
---
 vmware_nsx/db/extended_security_group.py | 18 +++++++++++++++---
 1 file changed, 15 insertions(+), 3 deletions(-)

diff --git a/vmware_nsx/db/extended_security_group.py b/vmware_nsx/db/extended_security_group.py
index 80c4bf51e5..8a47b401ad 100644
--- a/vmware_nsx/db/extended_security_group.py
+++ b/vmware_nsx/db/extended_security_group.py
@@ -337,13 +337,25 @@ class ExtendedSecurityGroupPropertiesMixin(object):
 original_port.get(provider_sg.PROVIDER_SECURITYGROUPS, []))

 if provider_sg_changed or sg_changed:
- if not sg_changed:
+ has_security_groups = self._check_update_has_security_groups(port)
+ del_security_groups = self._check_update_deletes_security_groups(
+ port)
+ if not (has_security_groups or del_security_groups):
+ # In this case we need to delete the bindings
 query = context.session.query(
 securitygroups_db.SecurityGroupPortBinding)
 for sg in original_port[provider_sg.PROVIDER_SECURITYGROUPS]:
+ # use one_or_none because we don't want to fail if the
+ # binding does not exist
 binding = query.filter_by(
- port_id=p['id'], security_group_id=sg).one()
- context.session.delete(binding)
+ port_id=p['id'], security_group_id=sg).one_or_none()
+ if binding:
+ context.session.delete(binding)
+ else:
+ LOG.debug("Security group binding for sg %s and "
+ "port %s not found. Skipping",
+ sg, p['id'])
+
 self._process_port_create_provider_security_group(
 context, updated_port,
 updated_port[provider_sg.PROVIDER_SECURITYGROUPS])
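Review bot: The delete loop still indexes `original_port[provider_sg.PROVIDER_SECURITYGROUPS]` directly, while the context line at the top of the hunk reads the same key with `.get(provider_sg.PROVIDER_SECURITYGROUPS, [])`. The guard is no longer `not sg_changed` but depends on the two `_check_update_*` helpers, so it is worth confirming the key is always present on this path, or making the loop tolerant with `for sg in original_port.get(provider_sg.PROVIDER_SECURITYGROUPS, []):`. The comment `# In this case we need to delete the bindings` does not say which case; something like `# The update does not touch 'security_groups', so _update_port_preprocess_security has not cleared the provider SG bindings; remove them here` would record the assumption the commit message describes. Since provider security groups carry operator-enforced policy, that assumption about which code path owns the binding cleanup should be explicit. The enclosing method starts and ends outside the hunk, so how `sg_changed` and `provider_sg_changed` are computed is not visible here.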