Failed to Update the resource of AWS::EC2::SecurityGroup

Bug #1503672 reported by PanFengyun
This bug affects 1 person
Affects: OpenStack Heat
Status: Fix Released
Importance: Low
Assigned to: Ethan Lynn

Bug Description

The first update of a resource of type AWS::EC2::SecurityGroup will fail, and the second update will succeed.

The problem is as follows:
--------------------------------------------------
1. Created test.yaml; its contents are as follows:

$ cat test.yaml
heat_template_version: 2013-05-23

description: test

resources:
  securitygroup:
    type: AWS::EC2::SecurityGroup
    properties:
      GroupDescription: 'Enable HTTP access via port 80 plus SSH access'
      SecurityGroupIngress:
        - IpProtocol: 'icmp'
          FromPort: '-1'
          ToPort: '-1'
          CidrIp: '0.0.0.0/0'
        - IpProtocol: 'tcp'
          FromPort: '22'
          ToPort: '22'
          CidrIp: '0.0.0.0/0'

2. Created a stack with test.yaml

$ heat stack-create -f test.yaml test

3. Updated test.yaml, adding port 80; its contents are as follows:

$ cat test.yaml
heat_template_version: 2013-05-23

description: test

resources:
  securitygroup:
    type: AWS::EC2::SecurityGroup
    properties:
      GroupDescription: 'Enable HTTP access via port 80 plus SSH access'
      SecurityGroupIngress:
        - IpProtocol: 'icmp'
          FromPort: '-1'
          ToPort: '-1'
          CidrIp: '0.0.0.0/0'
        - IpProtocol: 'tcp'
          FromPort: '22'
          ToPort: '22'
          CidrIp: '0.0.0.0/0'
        - IpProtocol: 'tcp'
          FromPort: '80'
          ToPort: '80'
          CidrIp: '0.0.0.0/0'

4. Updated the stack

$ heat stack-update -f test.yaml test

5. It will get "UPDATE_FAILED"

$ heat event-list test
+---------------+--------------------------------------+----------------------------------------------+--------------------+----------------------+
| resource_name | id                                   | resource_status_reason                       | resource_status    | event_time           |
+---------------+--------------------------------------+----------------------------------------------+--------------------+----------------------+
| test          | 7f84df5e-094e-4905-927b-ee3344fdbd6a | Stack CREATE started                         | CREATE_IN_PROGRESS | 2015-09-02T07:40:33Z |
| securitygroup | 8142ab59-820d-46ea-9fff-0c53d82c826d | state changed                                | CREATE_IN_PROGRESS | 2015-09-02T07:40:33Z |
| securitygroup | 92847493-5027-42a5-a727-efd3515c3324 | state changed                                | CREATE_COMPLETE    | 2015-09-02T07:40:34Z |
| test          | 96676760-66ff-4c69-8795-56a95ba65a9a | Stack CREATE completed successfully          | CREATE_COMPLETE    | 2015-09-02T07:40:34Z |
| test          | bafc7ee4-fcd9-49fb-8fe7-550783c0a812 | Stack UPDATE started                         | UPDATE_IN_PROGRESS | 2015-09-02T07:42:07Z |
| securitygroup | bfa11ae7-beec-47e2-8990-136399f36397 | state changed                                | UPDATE_IN_PROGRESS | 2015-09-02T07:42:07Z |
| securitygroup | 8549fda5-4092-415b-903d-3d84d6573845 | TypeError: 'NoneType' object is not iterable | UPDATE_FAILED      | 2015-09-02T07:42:07Z |
+---------------+--------------------------------------+----------------------------------------------+--------------------+----------------------+

6. Without modifying test.yaml, updated the stack again:

$ heat stack-update -f test.yaml test

7. It will get "CREATE_COMPLETE"

$ heat event-list test
+---------------+--------------------------------------+----------------------------------------------+--------------------+----------------------+
| resource_name | id                                   | resource_status_reason                       | resource_status    | event_time           |
+---------------+--------------------------------------+----------------------------------------------+--------------------+----------------------+
| test          | 7f84df5e-094e-4905-927b-ee3344fdbd6a | Stack CREATE started                         | CREATE_IN_PROGRESS | 2015-09-02T07:40:33Z |
| securitygroup | 8142ab59-820d-46ea-9fff-0c53d82c826d | state changed                                | CREATE_IN_PROGRESS | 2015-09-02T07:40:33Z |
| securitygroup | 92847493-5027-42a5-a727-efd3515c3324 | state changed                                | CREATE_COMPLETE    | 2015-09-02T07:40:34Z |
| test          | 96676760-66ff-4c69-8795-56a95ba65a9a | Stack CREATE completed successfully          | CREATE_COMPLETE    | 2015-09-02T07:40:34Z |
| test          | bafc7ee4-fcd9-49fb-8fe7-550783c0a812 | Stack UPDATE started                         | UPDATE_IN_PROGRESS | 2015-09-02T07:42:07Z |
| securitygroup | bfa11ae7-beec-47e2-8990-136399f36397 | state changed                                | UPDATE_IN_PROGRESS | 2015-09-02T07:42:07Z |
| securitygroup | 8549fda5-4092-415b-903d-3d84d6573845 | TypeError: 'NoneType' object is not iterable | UPDATE_FAILED      | 2015-09-02T07:42:07Z |
| test          | c6d66db2-7c8c-4702-9a19-755bc8bc8fa0 | Stack UPDATE started                         | UPDATE_IN_PROGRESS | 2015-09-02T07:42:35Z |
| securitygroup | c84b7de6-247f-452d-bdef-0988a445ef36 | state changed                                | CREATE_IN_PROGRESS | 2015-09-02T07:42:35Z |
| securitygroup | 173f5a6c-53b0-433a-869a-ee50e7b244a4 | state changed                                | CREATE_COMPLETE    | 2015-09-02T07:42:36Z |
+---------------+--------------------------------------+----------------------------------------------+--------------------+----------------------+

--------------------------------------------------

Reason: when updating a resource of type AWS::EC2::SecurityGroup, you must set both SecurityGroupIngress and SecurityGroupEgress. Missing either one leads to "UPDATE_FAILED".

But when creating a resource of type AWS::EC2::SecurityGroup, you need no SecurityGroupEgress to get "CREATE_COMPLETE".

And when Nova creates the SecurityGroup resource, it just has SecurityGroupIngress.

--------------------------------------------------

information type: Private Security → Public
Changed in heat:
status: New → Triaged
importance: Undecided → Low
milestone: none → mitaka-1
summary: - Updated AWS::EC2::SecurityGroup has some problem
+ Failed to Update the resource of AWS::EC2::SecurityGroup
PanFengyun (pan-feng-yun) wrote :

1. Before getting the property values of SecurityGroupIngress and SecurityGroupEgress from SecurityGroup, need to determine whether SecurityGroup contains those properties.
2. Getting the property value of a list object by property name, instead of by number.

Steve Baker (steve-stevebaker) wrote :

Can you please submit this change through gerrit?

http://docs.openstack.org/infra/manual/developers.html

Changed in heat:
milestone: mitaka-1 → mitaka-2
OpenStack Infra (hudson-openstack) wrote : Fix proposed to heat (master)

Fix proposed to branch: master
Review: https://review.openstack.org/254609

Changed in heat:
assignee: nobody → Ethan Lynn (ethanlynn)
status: Triaged → In Progress
Changed in heat:
milestone: mitaka-2 → mitaka-3
Changed in heat:
milestone: mitaka-3 → mitaka-rc1
Changed in heat:
assignee: Ethan Lynn (ethanlynn) → PanFengyun (pan-feng-yun)
Changed in heat:
assignee: PanFengyun (pan-feng-yun) → nobody
Changed in heat:
assignee: nobody → Ethan Lynn (ethanlynn)
OpenStack Infra (hudson-openstack) wrote : Fix merged to heat (master)

Reviewed: https://review.openstack.org/254609
Committed: https://git.openstack.org/cgit/openstack/heat/commit/?id=5ebf28b994280f60c81d319c02e3aaa3f4e7742a
Submitter: Jenkins
Branch: master

commit 5ebf28b994280f60c81d319c02e3aaa3f4e7742a
Author: Ethan Lynn <email address hidden>
Date: Wed Dec 9 00:49:50 2015 +0800

    Fix AWS::EC2::SecurityGroup update problem

    In some cases, the update function will get a None value instead of
    a list, which will cause a "not iterable" error.

    Change-Id: Ibea6e01ba1870524914d165f6c8f9ed48d64f652
    Closes-Bug: #1503672
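
The failure mode named in the commit message above (an update path iterating a rule list that is None), shown as an added Python example; it is not Heat's code or the merged patch. The function names and sample data are constructed, and the assumption is that an unset SecurityGroupEgress property reads back as None.

```python
# Added illustration, not Heat code; all names here are hypothetical.
# Constructed sample: the rules from the report's template before and after
# adding port 80. SecurityGroupEgress is never set, assumed to read as None.
ICMP = {"IpProtocol": "icmp", "FromPort": "-1", "ToPort": "-1", "CidrIp": "0.0.0.0/0"}
SSH = {"IpProtocol": "tcp", "FromPort": "22", "ToPort": "22", "CidrIp": "0.0.0.0/0"}
HTTP = {"IpProtocol": "tcp", "FromPort": "80", "ToPort": "80", "CidrIp": "0.0.0.0/0"}
OLD = {"SecurityGroupIngress": [ICMP, SSH], "SecurityGroupEgress": None}
NEW = {"SecurityGroupIngress": [ICMP, SSH, HTTP], "SecurityGroupEgress": None}

DIRECTIONS = ("SecurityGroupIngress", "SecurityGroupEgress")


def rule_key(rule):
    """Hashable identity of a rule, built from its property names."""
    return tuple(sorted(rule.items()))


def diff_rules_naive(old, new):
    """Iterates the property values directly; breaks when one is None."""
    plan = {}
    for direction in DIRECTIONS:
        old_keys = {rule_key(r) for r in old.get(direction)}
        new_keys = {rule_key(r) for r in new.get(direction)}
        plan[direction] = (new_keys - old_keys, old_keys - new_keys)
    return plan


def diff_rules(old, new):
    """Treats a missing or None rule list as empty before diffing."""
    plan = {}
    for direction in DIRECTIONS:
        old_rules = {rule_key(r): r for r in (old.get(direction) or [])}
        new_rules = {rule_key(r): r for r in (new.get(direction) or [])}
        plan[direction] = {
            "add": [r for k, r in new_rules.items() if k not in old_rules],
            "remove": [r for k, r in old_rules.items() if k not in new_rules],
        }
    return plan


def naive_error():
    """Returns the message the naive diff raises on the sample, if any."""
    try:
        diff_rules_naive(OLD, NEW)
    except TypeError as exc:
        return str(exc)
    return None
```

On the sample data the naive diff raises the same TypeError text seen in the event list, while the guarded diff plans a single ingress rule to add and nothing for egress.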

Changed in heat:
status: In Progress → Fix Released
Thierry Carrez (ttx) wrote : Fix included in openstack/heat 6.0.0.0rc1

This issue was fixed in the openstack/heat 6.0.0.0rc1 release candidate.
