Canonical Juju

Juju should report open-port failures more visibly (than just controller logs)

Bug #2009102 reported by Ben Hoyt on 2023-03-03

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	Canonical Juju	Fix Released	Medium	Caner Derici	Canonical Juju 3.5.2

Bug Description

I was playing with open-port on a K8s sidecar charm, and apparently K8s doesn't support the ICMP protocol (VM charms do). However, open-port didn't return a failure, and even later there was no visible sign that something was wrong, except in the controller logs:

$ juju debug-log -m controller
...
controller-0: 15:00:50 ERROR juju.worker.dependency "caas-firewaller-embedded" manifold worker returned unexpected error: cannot update service port for application "database": protocol "icmp" for service "icmp" not valid
...

So I think there are two things we could do here to improve this:

1) Have the open-port / close-port hook tools reject protocol "icmp" early if it's a K8s sidecar charm.
2) In general, have a way for Juju to report firewaller worker errors more visibly. For example, setting a short error message in application status?

As it was, it took me a while to figure out what was going on, because "kubectl get svc" didn't show any of the ports opened (because K8s rejected the ICMP port, it rejected all the ports I asked for, so no changes were made -- that's probably good though that it does it atomically).

Revision history for this message

Harry Pidcock (hpidcock) wrote on 2023-03-05:

Thanks for the report. I think it makes sense for the hook tool to error, as a means to create robust charms.

Changed in juju:
assignee:	nobody → Yang Kelvin Liu (kelvin.liu)
importance:	Undecided → High
milestone:	none → 3.1.2
status:	New → Triaged

Canonical Juju QA Bot (juju-qa-bot) on 2023-04-06

Changed in juju:
milestone:	3.1.2 → 3.1.3

Canonical Juju QA Bot (juju-qa-bot) on 2023-06-13

Changed in juju:
milestone:	3.1.3 → 3.1.4

Canonical Juju QA Bot (juju-qa-bot) on 2023-06-15

Changed in juju:
milestone:	3.1.4 → 3.1.5

Canonical Juju QA Bot (juju-qa-bot) on 2023-06-22

Changed in juju:
milestone:	3.1.5 → 3.1.6

Canonical Juju QA Bot (juju-qa-bot) on 2023-09-22

Changed in juju:
milestone:	3.1.6 → 3.1.7

Canonical Juju QA Bot (juju-qa-bot) on 2023-12-07

Changed in juju:
milestone:	3.1.7 → 3.1.8

Harry Pidcock (hpidcock) on 2024-02-12

Changed in juju:
assignee:	Yang Kelvin Liu (kelvin.liu) → nobody
importance:	High → Medium
milestone:	3.1.8 → 3.5-beta1

Canonical Juju QA Bot (juju-qa-bot) on 2024-04-16

Changed in juju:
milestone:	3.5-beta1 → 3.5-beta2

Harry Pidcock (hpidcock) on 2024-05-07

Changed in juju:
milestone:	3.5-beta2 → 3.5.1

Canonical Juju QA Bot (juju-qa-bot) on 2024-05-27

Changed in juju:
milestone:	3.5.1 → 3.5.2

Caner Derici (cderici) on 2024-06-17

Changed in juju:
assignee:	nobody → Caner Derici (cderici)

Caner Derici (cderici) on 2024-06-24

Changed in juju:
status:	Triaged → In Progress

Revision history for this message

Caner Derici (cderici) wrote on 2024-06-27:

Fix is up for 3.4+ https://github.com/juju/juju/pull/17597

Just for future reference; here's what's happening, the charm calls the open_port(), ops pick it up, calls the jujuc, uniter picks it up, calls the client, which calls the apiserver, then the open port change is committed to the state. After that somewhere sometime the firewaller worker gets the trigger from mongo and starts trying to realize that, and ultimately freaks out.

This fix intercepts this at the apiserver before we commit the change to the state, so 1) there's nothing any downstream workers should be confused about, 2) the error can be communicated back to the model nicely, 3) that business logic should be on the apiserver anyways.

For the 2nd suggestion, because of the distributed nature of Juju, it is very difficult to communicate error messages from a worker back to the source of a workflow. If a worker fails, while the dependency engine can bounce the worker and log the error on the controller, it doesn't have a logical link to follow back, i.e. the concerns of workers don't (and shouldn't) one-to-one match with any workflow that Juju expose. Moreover, using status messages is not a good option either because I believe it would lead to a massively tight coupling between workers and juju entities, as a worker can fail for multitude of reasons related to different entities involved in a workflow.

Changed in juju:
status:	In Progress → Fix Committed

Canonical Juju QA Bot (juju-qa-bot) on 2024-07-10

Changed in juju:
status:	Fix Committed → Fix Released

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.