Canonical Juju

OpenStack: open-port icmp doesn't work

Bug #1970295 reported by Haw Loeung on 2022-04-26

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	Canonical Juju	Fix Released	High	Thomas Miller	Canonical Juju 2.9.32

Bug Description

Hi,

When trying to allow ICMP ping (echo-request) for units, I tried "open-port icmp". Unfortunately, that doesn't work and doesn't create the requested security groups to allow this.

Commands to reproduce this:

* juju deploy cs:ubuntu --series focal haw-test-icmp
* juju run --application haw-test-icmp "open-port icmp"
* juju expose haw-test-icmp

Unfortunately, even exposing the application, you can see that there are no secgroups for icmp:

See output in pastebin below:

https://paste.ubuntu.com/p/QYGhmTsHgs/

Running the commands below adds the required secgroup:

* openstack security group rule create --prefix 0.0.0.0/0 --protocol icmp --ethertype ipv4 juju-f0ef5860-f0b8-4b93-8560-17d39fe32dcc-0c70431b-10eb-44b5-8288-b799de87625f-119

This is confirmed with Juju 2.9.22 (Canonistack).

Tags:

Revision history for this message

Ian Booth (wallyworld) wrote on 2022-04-28:

If the firewaller worker fails to create the security group rule, it should log an error. It would be good to get the relevant controller logs so we can see what might be failing. Juju is supposed to make the correct api call to set up a rule for icmp protocol so it is expected to work. Hopefully logs will let us see what's going wrong. It might be we're passing a port range along with icmp which I think is nit allowed.

tags:	added: openstack-provider
Changed in juju:
status:	New → Incomplete

Revision history for this message

Haw Loeung (hloeung) wrote on 2022-04-28:

All that I see logged is this:

| 2022-04-28 07:07:55 INFO juju.provider.openstack firewaller.go:275 opened ports in security group f7dcbf08-6865-4a49-8074-c6e69d8aef01-0: [icmp from 0.0.0.0/0,::/0 5666/tcp from 0.0.0.0/0,::/0]

(a different environment spun up new running Juju 2.9.27)

Changed in juju:
status:	Incomplete → New

Revision history for this message

Haw Loeung (hloeung) wrote on 2022-04-28:

... and the secgroup:

jenkins@juju-59050e-is-mojo-ci-0:~$ openstack security group rule list juju-c99ee3f0-b4d5-481d-8218-467183b31fcc-f7dcbf08-6865-4a49-8074-c6e69d8aef01-0

+--------------------------------------+-------------+-----------+------------+-----------------------+
| ID | IP Protocol | IP Range | Port Range | Remote Security Group |
+--------------------------------------+-------------+-----------+------------+-----------------------+
| 130ad029-697c-48c8-bcdb-915474114201 | tcp | 0.0.0.0/0 | 5666:5666 | |
| 9ebc1e32-eb61-444a-b3a8-a79cf635cd2d | tcp | ::/0 | 5666:5666 | |
+--------------------------------------+-------------+-----------+------------+-----------------------+
jenkins@juju-59050e-is-mojo-ci-0:~$

nrpe charm calls open-port icmp, I just ran 'juju expose nrpe'.

Revision history for this message

Ian Booth (wallyworld) wrote on 2022-04-28:

Thanks for the extra logging. From that, I can see that the openstack provider is requesting the security group rule get created, but sadly, any error is not logged properly - it only comes out at debug level

_, err := neutronClient.CreateSecurityGroupRuleV2(rule)
if err != nil {
  handleCredentialError(err, ctx)
  // TODO: if err is not rule already exists, raise?
  logger.Debugf("error creating security group rule: %v", err.Error())
}

We'd need to have DEBUG enabled for "juju.provider.openstack" to see what the error was.

We definitely need to fix the error handling.

Changed in juju:
milestone:	none → 2.9.30
importance:	Undecided → High
status:	New → Triaged

Revision history for this message

Haw Loeung (hloeung) wrote on 2022-04-29:

Okay, here we go:

| 2022-04-29 00:02:16 DEBUG juju.provider.openstack firewaller.go:807 error creating security group rule: failed to create a rule for the security group with id: 519d4a2c-17cd-45a4-818c-da1d83824221
caused by: request (http://10.24.0.178:9696/v2.0/security-group-rules) returned unexpected status: 400; error info: {"NeutronError": {"message": "Invalid value for port -1", "type": "SecurityGroupInvalidPortValue", "detail": ""}}
| 2022-04-29 00:02:16 DEBUG juju.provider.openstack firewaller.go:807 error creating security group rule: failed to create a rule for the security group with id: 519d4a2c-17cd-45a4-818c-da1d83824221
caused by: request (http://10.24.0.178:9696/v2.0/security-group-rules) returned unexpected status: 400; error info: {"NeutronError": {"message": "Invalid value for port -1", "type": "SecurityGroupInvalidPortValue", "detail": ""}}
| 2022-04-29 00:02:16 INFO juju.provider.openstack firewaller.go:275 opened ports in security group f7dcbf08-6865-4a49-8074-c6e69d8aef01-0: [icmp from 0.0.0.0/0,::/0 5666/tcp from 0.0.0.0/0,::/0]

Maybe the "-1" was the old way and things have changed since?

Revision history for this message

Haw Loeung (hloeung) wrote on 2022-04-29:

Looking at the docs, perhaps we need to omit the port for ICMP.

Revision history for this message

Ian Booth (wallyworld) wrote on 2022-05-03:

Thanks for the info, this should be a quick fix

Juan M. Tirado (tiradojm) on 2022-05-12

Changed in juju:
milestone:	2.9.30 → 2.9.31
assignee:	nobody → Thomas Miller (tlmiller)

Ian Booth (wallyworld) on 2022-05-19

Changed in juju:
status:	Triaged → In Progress

Revision history for this message

Thomas Miller (tlmiller) wrote on 2022-05-26:

PR: https://github.com/juju/juju/pull/14080

Changed in juju:
status:	In Progress → Fix Committed
milestone:	2.9.31 → 2.9.32

Canonical Juju QA Bot (juju-qa-bot) on 2022-06-24

Changed in juju:
status:	Fix Committed → Fix Released

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.