Firewalled instances (manual provider) is missing useful feedback for bootstrap

Bug #1736582 reported by Casey Marshall
This bug affects 1 person
Affects: Canonical Juju
Status: Triaged
Importance: Low
Assigned to: Unassigned
Milestone: none

Bug Description

Trying to bootstrap a Juju controller with the manual provider doesn't work. I have SSH access to the machine but the bootstrap fails: http://paste.ubuntu.com/26120759/

When bootstrapping a manually provisioned machine, there may be a firewall blocking the important ports that Juju needs to operate. Currently the error messages we give are not very informative and don't provide a way for the user to understand and resolve the situation themselves.

Casey Marshall (cmars) wrote :

I'm getting the same result with Juju 2.3-rc2.

bootstrap seems to be unable to get mongo configured correctly. tail end of it shows:

2017-12-06 02:53:25 WARNING juju.replicaset replicaset.go:122 Initiate: fetching replication status failed: cannot get replica set status: no replset config has been received
2017-12-06 02:53:25 WARNING juju.replicaset replicaset.go:122 Initiate: fetching replication status failed: cannot get replica set status: no replset config has been received
2017-12-06 02:53:26 WARNING juju.replicaset replicaset.go:122 Initiate: fetching replication status failed: cannot get replica set status: no replset config has been received
2017-12-06 02:53:26 INFO juju.worker.peergrouper initiate.go:64 finished InitiateMongoServer
ERROR failed to start mongo: cannot initiate replica set: cannot get replica set status: no replset config has been received
ERROR failed to bootstrap model: subprocess encountered error code 1

Casey Marshall (cmars) wrote :

I was able to work around this by opening all ports on the machine. I tried just opening 17070 but that wasn't enough.

I think this is still a problem because as a user, I don't really know what to do with the error message. It should tell me that certain port(s) cannot be accessed.

It's also not obvious to me which ports need to be open & why.

John A Meinel (jameinel) wrote : Re: [Bug 1736582] Re: Cannot bootstrap manual provider with Juju 2.2.6

The particular port is 37017 because that is the port we use for Mongo to
communicate with other mongos. However, I wouldn't think that would be
necessary for just bootstrap. Although we might be connecting to the local
mongo via its "external" IP address because of differences once you do have
a replicaset. (eg, you could connect to localhost:37017, but as soon as you
have a replica set, you want to actually use 192.168.0.1:37017, so we
default to using 192.168.0.1:37107, and maybe that interacts poorly with
firewalls.)

Can you check with just 37017 open? The above doesn't look anything like a
bad port, but I have the feeling we may be getting a weird error internally
that isn't letting us see that there is a bad port.
Like maybe we *are* connecting to 127.0.0.1 but then getting told "I'm
actually part of a replicaset at 192.168.0.1 go talk there", but then we're
unable to actually talk to the redirected location because of a firewall.

On Wed, Dec 6, 2017 at 8:00 AM, Casey Marshall <email address hidden> wrote:

> I was able to work around this by opening all ports on the machine. I
> tried just opening 17070 but that wasn't enough.
>
> I think this is still a problem because as a user, I don't really know
> what to do with the error message. It should tell me that certain
> port(s) cannot be accessed.
>
> It's also not obvious to me which ports need to be open & why.

Changed in juju:
status: New → Incomplete
milestone: none → 2.3.2
John A Meinel (jameinel) wrote :

The only ports we should need access to on the controller are 17070, 37017
and 22.

On Tue, Dec 12, 2017 at 1:53 AM, Nicholas Skaggs <email address hidden> wrote:

> ** Changed in: juju
> Status: New => Incomplete
>
> ** Changed in: juju
> Milestone: None => 2.3.2

John A Meinel (jameinel) wrote :

This turned out to not be that you *can't* bootstrap, but that we don't give good feedback as to what is failing. I don't think it makes sense to prioritize this for 2.3, unless we see more people hitting it.
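
The feedback this thread asks for, naming which controller ports cannot be reached, can be sketched as a standalone check. This is an added example, not Juju code and not part of any comment above; it probes the three ports listed earlier (22, 17070 and 37017), and the names `portSpec`, `probe` and `report` and the state labels are hypothetical.

```go
package main

import (
	"fmt"
	"net"
	"os"
	"strconv"
	"time"
)

type portSpec struct{ Port int; Purpose string }
// Ports the thread says the controller needs.
var controllerPorts = []portSpec{
	{22, "SSH"},
	{17070, "Juju API server"},
	{37017, "MongoDB, including replica set peers"},
}

// probe reports open, filtered (timed out: packets likely dropped) or closed (refused).
func probe(host string, port int, timeout time.Duration) string {
	conn, err := net.DialTimeout("tcp", net.JoinHostPort(host, strconv.Itoa(port)), timeout)
	if err == nil {
		conn.Close()
		return "open"
	}
	if ne, ok := err.(net.Error); ok && ne.Timeout() {
		return "filtered"
	}
	return "closed"
}

// report returns one line per port that could not be reached.
func report(host string, ports []portSpec, timeout time.Duration) []string {
	var problems []string
	for _, p := range ports {
		if state := probe(host, p.Port, timeout); state != "open" {
			problems = append(problems, fmt.Sprintf("%s:%d %s (%s)", host, p.Port, state, p.Purpose))
		}
	}
	return problems
}

func main() {
	for _, host := range os.Args[1:] {
		for _, line := range report(host, controllerPorts, 3*time.Second) {
			fmt.Println(line)
		}
	}
}
```

Run it against the address the controller is reached on rather than localhost, since the thread suspects the failure involves the machine's external address. Before bootstrap nothing listens on 17070 or 37017, so `closed` is expected there and `filtered` is the result that points at dropped packets.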

summary: - Cannot bootstrap manual provider with Juju 2.2.6
+ Firewalled instances (manual provider) is missing useful feedback for
+ bootstrap
description: updated
Changed in juju:
importance: Undecided → Medium
status: Incomplete → Triaged
tags: added: errors feedback manual-provider observability
Changed in juju:
milestone: 2.3.2 → none
Canonical Juju QA Bot (juju-qa-bot) wrote :

This bug has not been updated in 2 years, so we're marking it Low importance. If you believe this is incorrect, please update the importance.

Changed in juju:
importance: Medium → Low
tags: added: expirebugs-bot