Fix ML2 securitygroup API enable/disable

Securitygroup API is enabled by default, and a dummy
firewall_driver is no longer needed. This patch
rearranges content to make it clear which files are
edited on which servers, and fixes the use of the flag
values.

Change-Id: I7b2a6e646bbf02aa79b39f7f118a2ce0f6bb6a40
Closes-Bug: 1332104

doc/admin-guide-cloud/networking/section_networking-scenarios.xml

@@ -755,25 +755,25 @@ l2_population = True</programlisting>
         </section>
         <section xml:id="ml2_l2_security_group">
             <title>Enable security group API</title>
-            <para>Because the ML2 plug-in can concurrently support different L2 agents (or other
-                mechanisms) with different configuration files, the actual <option>firewall_driver
-                </option> value in the <filename>ml2_conf.ini</filename> file does not matter in the
-                server, but <option>firewall_driver</option> must be set to a non-default value in
-                the ml2 configuration to enable the securitygroup extension. To enable securitygroup
-                API, edit the <filename>ml2_conf.ini</filename> file:</para>
-            <programlisting language="ini">[securitygroup]
-firewall_driver = dummy</programlisting>
-            <para>Each L2 agent configuration file (such as
+            <para>The ML2 plug-in can concurrently support different L2 agents (or other
+                mechanisms) with different configuration files, so each L2 agent
+                configuration file (such as
                     <filename>ovs_neutron_plugin.ini</filename> or
                     <filename>linuxbridge_conf.ini</filename>) should contain the appropriate
-                    <option>firewall_driver</option> value for that agent. To disable securitygroup
-                API, edit the <filename>ml2_conf.ini</filename> file:</para>
+                    <option>firewall_driver</option> value for that
+                 agent in addition to setting <option>enable_security_group</option> to
+                 <literal>True</literal> (which is the default).</para>
+
+                <para>The <option>firewall_driver</option> value in the API server's <filename>ml2_conf.ini</filename> file
+                 does not matter.</para>
+
+            <para>To disable the securitygroup API, edit the <filename>ml2_conf.ini</filename> file
+            on the API server, and <filename>ovs_neutron_plugin.ini</filename>,
+                    <filename>linuxbridge_conf.ini</filename> or other L2 agent
+configuration files on the agent servers :</para>
             <programlisting language="ini">[securitygroup]
+enable_security_group = False
 firewall_driver = neutron.agent.firewall.NoopFirewallDriver</programlisting>
-            <para>Also, each L2 agent configuration file (such as
-                    <filename>ovs_neutron_plugin.ini</filename> or
-                    <filename>linuxbridge_conf.ini</filename>) should contain this value in
-                    <option>firewall_driver</option> parameter for that agent.</para>
         </section>
     </section>
 </section>