OpenStack: open-port icmp doesn't work

Bug #1970295 reported by Haw Loeung
Affects: Canonical Juju
Status: Fix Released
Importance: High
Assigned to: Thomas Miller

Bug Description

Hi,

When trying to allow ICMP ping (echo-request) for units, I tried "open-port icmp". Unfortunately, that doesn't work and doesn't create the requested security groups to allow this.

Commands to reproduce this:

 * juju deploy cs:ubuntu --series focal haw-test-icmp
 * juju run --application haw-test-icmp "open-port icmp"
 * juju expose haw-test-icmp

Unfortunately, even exposing the application, you can see that there are no secgroups for icmp:

| [hloeung@dharkan tmp]$ openstack security group rule list juju-f0ef5860-f0b8-4b93-8560-17d39fe32dcc-0c70431b-10eb-44b5-8288-b799de87625f-119
| +--------------------------------------+-------------+-----------+-----------+------------+-----------------------+
| | ID | IP Protocol | Ethertype | IP Range | Port Range | Remote Security Group |
| +--------------------------------------+-------------+-----------+-----------+------------+-----------------------+
| | 2789d335-c574-4b45-b5e6-6fb894b9993c | None | IPv4 | 0.0.0.0/0 | | None |
| | a06a496b-c6b7-4279-bc87-07a8d2de7d6c | None | IPv6 | ::/0 | | None |
| +--------------------------------------+-------------+-----------+-----------+------------+-----------------------+

See output in pastebin below:

https://paste.ubuntu.com/p/QYGhmTsHgs/

Running the commands below adds the required secgroup:

* openstack security group rule create --prefix 0.0.0.0/0 --protocol icmp --ethertype ipv4 juju-f0ef5860-f0b8-4b93-8560-17d39fe32dcc-0c70431b-10eb-44b5-8288-b799de87625f-119

This is confirmed with Juju 2.9.22 (Canonistack).

Revision history for this message
Ian Booth (wallyworld) wrote :

If the firewaller worker fails to create the security group rule, it should log an error. It would be good to get the relevant controller logs so we can see what might be failing. Juju is supposed to make the correct API call to set up a rule for the icmp protocol, so it is expected to work. Hopefully logs will let us see what's going wrong. It might be that we're passing a port range along with icmp, which I think is not allowed.

tags: added: openstack-provider
Changed in juju:
status: New → Incomplete
Revision history for this message
Haw Loeung (hloeung) wrote :

All that I see logged is this:

| 2022-04-28 07:07:55 INFO juju.provider.openstack firewaller.go:275 opened ports in security group f7dcbf08-6865-4a49-8074-c6e69d8aef01-0: [icmp from 0.0.0.0/0,::/0 5666/tcp from 0.0.0.0/0,::/0]

(a different environment spun up new running Juju 2.9.27)

Changed in juju:
status: Incomplete → New
Revision history for this message
Haw Loeung (hloeung) wrote :

... and the secgroup:

jenkins@juju-59050e-is-mojo-ci-0:~$ openstack security group rule list juju-c99ee3f0-b4d5-481d-8218-467183b31fcc-f7dcbf08-6865-4a49-8074-c6e69d8aef01-0

+--------------------------------------+-------------+-----------+------------+-----------------------+
| ID | IP Protocol | IP Range | Port Range | Remote Security Group |
+--------------------------------------+-------------+-----------+------------+-----------------------+
| 130ad029-697c-48c8-bcdb-915474114201 | tcp | 0.0.0.0/0 | 5666:5666 | |
| 9ebc1e32-eb61-444a-b3a8-a79cf635cd2d | tcp | ::/0 | 5666:5666 | |
+--------------------------------------+-------------+-----------+------------+-----------------------+
jenkins@juju-59050e-is-mojo-ci-0:~$

The nrpe charm calls open-port icmp; I just ran 'juju expose nrpe'.

Revision history for this message
Ian Booth (wallyworld) wrote :

Thanks for the extra logging. From that, I can see that the openstack provider is requesting that the security group rule get created, but sadly, any error is not logged properly: it only comes out at debug level.

_, err := neutronClient.CreateSecurityGroupRuleV2(rule)
if err != nil {
  handleCredentialError(err, ctx)
  // TODO: if err is not rule already exists, raise?
  logger.Debugf("error creating security group rule: %v", err.Error())
}

We'd need to have DEBUG enabled for "juju.provider.openstack" to see what the error was.

We definitely need to fix the error handling.

Changed in juju:
milestone: none → 2.9.30
importance: Undecided → High
status: New → Triaged
Revision history for this message
Haw Loeung (hloeung) wrote :

Okay, here we go:

| 2022-04-29 00:02:16 DEBUG juju.provider.openstack firewaller.go:807 error creating security group rule: failed to create a rule for the security group with id: 519d4a2c-17cd-45a4-818c-da1d83824221
|   caused by: request (http://10.24.0.178:9696/v2.0/security-group-rules) returned unexpected status: 400; error info: {"NeutronError": {"message": "Invalid value for port -1", "type": "SecurityGroupInvalidPortValue", "detail": ""}}
| 2022-04-29 00:02:16 DEBUG juju.provider.openstack firewaller.go:807 error creating security group rule: failed to create a rule for the security group with id: 519d4a2c-17cd-45a4-818c-da1d83824221
|   caused by: request (http://10.24.0.178:9696/v2.0/security-group-rules) returned unexpected status: 400; error info: {"NeutronError": {"message": "Invalid value for port -1", "type": "SecurityGroupInvalidPortValue", "detail": ""}}
| 2022-04-29 00:02:16 INFO juju.provider.openstack firewaller.go:275 opened ports in security group f7dcbf08-6865-4a49-8074-c6e69d8aef01-0: [icmp from 0.0.0.0/0,::/0 5666/tcp from 0.0.0.0/0,::/0]

Maybe the "-1" was the old way and things have changed since?

Revision history for this message
Haw Loeung (hloeung) wrote :

Looking at the docs, perhaps we need to omit the port for ICMP.
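
The two problems the thread isolates, sketched as an added example in Go (this is not Juju's own code and not the fix that landed): a rule builder that leaves port_range_min/port_range_max out of the Neutron request for ICMP instead of sending -1, and a create loop that, unlike the snippet quoted above, returns every Neutron error except "rule already exists" instead of logging it at debug level. The NeutronRule field names follow the Neutron v2.0 security-group-rules API; PortRange, ruleCreator, fakeNeutron, openPorts and the group id sg-example are assumptions constructed for the example, and fakeNeutron only imitates the two responses visible in the bug log (400 SecurityGroupInvalidPortValue for a negative port, and a 409 for a duplicate).

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"strings"
)

// PortRange is what a charm's "open-port" yields; the ports mean nothing for ICMP.
type PortRange struct {
	Protocol string // "tcp", "udp" or "icmp"
	FromPort int
	ToPort   int
}

// NeutronRule is the body POSTed to /v2.0/security-group-rules. The port fields are
// pointers with omitempty so that for ICMP the keys are left out instead of sent as -1.
type NeutronRule struct {
	Direction      string `json:"direction"`
	Ethertype      string `json:"ethertype"`
	Protocol       string `json:"protocol"`
	PortRangeMin   *int   `json:"port_range_min,omitempty"`
	PortRangeMax   *int   `json:"port_range_max,omitempty"`
	RemoteIPPrefix string `json:"remote_ip_prefix"`
	SecGroupID     string `json:"security_group_id"`
}

// buildRule maps one Juju port range plus one CIDR onto a Neutron rule.
func buildRule(groupID string, pr PortRange, cidr string) (NeutronRule, error) {
	rule := NeutronRule{Direction: "ingress", Ethertype: "IPv4", Protocol: pr.Protocol,
		RemoteIPPrefix: cidr, SecGroupID: groupID}
	if strings.Contains(cidr, ":") {
		rule.Ethertype = "IPv6"
	}
	switch pr.Protocol {
	case "icmp": // leave both port fields nil: Neutron would read them as ICMP type/code
	case "tcp", "udp":
		rule.PortRangeMin, rule.PortRangeMax = &pr.FromPort, &pr.ToPort
	default:
		return NeutronRule{}, fmt.Errorf("unsupported protocol %q", pr.Protocol)
	}
	return rule, nil
}

// NeutronError keeps the HTTP status so a caller can tell a harmless duplicate (409)
// from a genuine rejection such as the 400 SecurityGroupInvalidPortValue in the log.
type NeutronError struct {
	Status        int
	Type, Message string
}

func (e *NeutronError) Error() string { return fmt.Sprintf("%d %s: %s", e.Status, e.Type, e.Message) }
type ruleCreator interface{ CreateSecurityGroupRule(NeutronRule) error }

// fakeNeutron is a stand-in constructed for this example (assumption, not the real API):
// it rejects a negative port_range_min and answers 409 for a rule it already holds.
type fakeNeutron struct{ seen map[string]bool }

func (f *fakeNeutron) CreateSecurityGroupRule(r NeutronRule) error {
	if m := r.PortRangeMin; m != nil && *m < 0 {
		return &NeutronError{http.StatusBadRequest, "SecurityGroupInvalidPortValue",
			fmt.Sprintf("Invalid value for port %d", *m)}
	}
	key, _ := json.Marshal(r)
	if f.seen[string(key)] {
		return &NeutronError{http.StatusConflict, "SecurityGroupRuleExists", "rule already exists"}
	}
	f.seen[string(key)] = true
	return nil
}

// openPorts creates one rule per (range, CIDR). Only "already exists" is swallowed; any
// other failure is returned, so nobody can log "opened ports" for a rule Neutron refused.
func openPorts(c ruleCreator, groupID string, ranges []PortRange, cidrs []string) error {
	for _, pr := range ranges {
		for _, cidr := range cidrs {
			rule, err := buildRule(groupID, pr, cidr)
			if err != nil {
				return err
			}
			err = c.CreateSecurityGroupRule(rule)
			var ne *NeutronError
			if errors.As(err, &ne) && ne.Status == http.StatusConflict {
				continue // idempotent re-apply, nothing to report
			}
			if err != nil {
				return fmt.Errorf("rule %s from %s in group %s: %w", pr.Protocol, cidr, groupID, err)
			}
		}
	}
	return nil
}

func main() {
	n := &fakeNeutron{seen: map[string]bool{}}
	rs := []PortRange{{Protocol: "icmp"}, {Protocol: "tcp", FromPort: 5666, ToPort: 5666}}
	fmt.Println(openPorts(n, "sg-example", rs, []string{"0.0.0.0/0", "::/0"})) // <nil>: 4 rules created
}
```

Run with `go run`; it creates the same four rules the thread expects (icmp and 5666/tcp, each from 0.0.0.0/0 and ::/0) against the fake. On a real cloud the check that matters is the one Haw already used: `openstack security group rule list <group>` must show icmp rows for both CIDRs, and a rejected request must come back as an error from the create loop rather than as a debug line nobody reads.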

Revision history for this message
Ian Booth (wallyworld) wrote :

Thanks for the info, this should be a quick fix

Changed in juju:
milestone: 2.9.30 → 2.9.31
assignee: nobody → Thomas Miller (tlmiller)
Ian Booth (wallyworld)
Changed in juju:
status: Triaged → In Progress
Revision history for this message
Thomas Miller (tlmiller) wrote :
Changed in juju:
status: In Progress → Fix Committed
milestone: 2.9.31 → 2.9.32
Changed in juju:
status: Fix Committed → Fix Released