controller models with valid credentials becoming suspended
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
Canonical Juju | Fix Released | High | Ian Booth | | |
Bug Description
The other day I was rolling out some monitoring services to the JAAS controllers and I noticed that "juju expose" seemed to have no effect. This turned out to be because the controller had suspended the controller model itself: "suspended since cloud credential is not valid".
I ran "juju update-credential $cloud $credential" and the message went away and the newly exposed ports became accessible. I checked again today and two of the controller models are suspended again. Today's victims are an Azure controller running 2.6.5, and an AWS controller running 2.6.6. It's also happened with GCE controllers running 2.6.6.
I've checked the logs and the only message that mentions credentials is a bunch of:
WARNING juju.api.
One of the controllers also reports "credential cloudcred-
I've taken a look at the cloudCredentials collection. Azure isn't too helpful:
juju:PRIMARY> db.cloudCredent
{
"_id" : "azure#
"owner" : "admin",
"cloud" : "azure",
"name" : "jaas-prodstack
"revoked" : false,
"auth-type" : "service-
},
"txn-revno" : NumberLong(14),
"txn-queue" : [ ],
"invalid" : true,
}
juju:PRIMARY> _
AWS is more verbose, but the credentials absolutely work, so I'm puzzled why it's in this state:
juju:PRIMARY> db.cloudCredent
{
"_id" : "aws#admin#jaas",
"owner" : "admin",
"cloud" : "aws",
"name" : "jaas",
"revoked" : false,
"auth-type" : "access-key",
},
"txn-revno" : NumberLong(28),
"txn-queue" : [ ],
"invalid" : true,
}
juju:PRIMARY> _
I dug through the AWS controller's logs and found some AuthFailure errors, although they were for instances that are not in the controller model, so I assume they're unrelated to this problem.
description: updated
Changed in juju:
status: Invalid → New
status: New → Confirmed
Changed in juju:
status: In Progress → Fix Committed
Changed in juju:
status: Fix Committed → Fix Released
All credentials that are stored on the controller are called 'remote' or 'controller' credentials. Controllers do not actually use credentials, only models do. Controllers only store credentials.
If the models share a credential and that credential is deemed by a cloud provider as 'invalid', i.e. a model starts getting auth errors from cloud calls, then Juju will mark the credential as invalid and ALL models that are using it will be suspended.
There are several scenarios that need to be considered here. If your models are sharing a credential that is valid for some models but is not valid for others, then you should be using different credentials in these models. You can 'set-model-credential' to change a model credential.
If the credential becomes invalid and you have run 'update-credential', Juju will temporarily mark it as valid and will try to use it. BUT if you have not actually done anything to ensure that the cloud provider considers the credential as valid again, then cloud calls will start failing with auth errors again and Juju will mark the credential as invalid again and suspend models.
I am happy to talk you through individual instances. Feel free to reach out on IRC.
I think that Juju is behaving as expected here.