destroy-environment on an unbootstrapped MAAS environment can release all my nodes
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| | MAAS |
High
|
Unassigned | ||
| | juju |
High
|
Cheryl Jennings | ||
| | juju-core |
High
|
Tim Penhey | ||
| | 1.25 |
High
|
Tim Penhey | ||
Bug Description
sabdfl reported a bug ( https:/
This resulted in the installer host itself being released.
Expected behavior would be for nothing to happen.
I haven't tested this with a sample environment yet, but I believe what's happening is juju is seeing a valid maas environment, and is calling provider/
However, if maas-agent-name is not set in the config (because it was never bootstrapped), maasAgentName() will return "": https:/
It appears that passing the empty string as agent_name to MAAS will return all instances owned by the user.
It simply reads the value from the query string here http://
Then it does a filter of the Django QuerySet, which contains Nodes, which have a default agent_name of '' : http://
So if a system was acquired by something that didn't change the default agent_name, then it looks like that filter will leave it in, and thus juju will end up releasing it because it thinks its agent_name is '' also.
| tags: | added: openstack-installer |
| Mike McCracken (mikemc) wrote : | #1 |
| tags: |
added: cloud-installer removed: openstack-installer |
| Mike McCracken (mikemc) wrote : | #2 |
Added affecting MAAS as well because on second look I don't understand why MAAS is releasing all nodes. It looks like the op=release request should not do anything.
| description: | updated |
| Jason Hobbs (jason-hobbs) wrote : | #3 |
We saw something similar happen in OIL yesterday - all nodes were released around the time we received a release request from juju.
| tags: | added: oil |
| Andres Rodriguez (andreserl) wrote : | #4 |
Seems like a Juju bug.
| Blake Rouse (blake-rouse) wrote : | #5 |
If Juju calls /MAAS/api/
I still think it should be possible for a user to release all nodes but should not be the default behavior. Adding a force_all=True parameter would be better behavior to make it explicit for the user.
| Changed in maas: | |
| status: | New → Triaged |
| importance: | Undecided → High |
| milestone: | none → 1.9.0 |
| Blake Rouse (blake-rouse) wrote : | #6 |
I still think it would be good for Juju to not make that call if it knows it doesn't have any allocated nodes.
| tags: | added: destroy-environment maas-provider |
| Changed in juju-core: | |
| status: | New → Triaged |
| importance: | Undecided → High |
| milestone: | none → 1.25.1 |
| Changed in juju-core: | |
| milestone: | 1.25.1 → 1.25.2 |
| Tim Penhey (thumper) wrote : | #7 |
It seems that the maas-agent-name started to be used with Juju 1.18.
Any environment created since then will have a valid maas-agent-name.
Effectively erroring out now if agent name is empty when calling destroy. A warning message is output explaining why, and if this is a running environment to manually decommission the machines using maas.
| Changed in juju-core: | |
| assignee: | nobody → Tim Penhey (thumper) |
| status: | Triaged → In Progress |
| Changed in juju-core: | |
| status: | In Progress → Fix Committed |
| Changed in juju-core: | |
| milestone: | 1.25.2 → 1.26-alpha3 |
| status: | Fix Committed → Triaged |
| Changed in juju-core: | |
| milestone: | 1.26-alpha3 → 2.0-alpha1 |
| Changed in juju-core: | |
| milestone: | 2.0-alpha1 → 2.0-alpha2 |
| Changed in juju-core: | |
| milestone: | 2.0-alpha2 → 2.0-alpha3 |
| Changed in maas: | |
| status: | Triaged → Invalid |
| milestone: | 1.9.0 → none |
| Changed in juju-core: | |
| milestone: | 2.0-alpha3 → 2.0-beta3 |
| Changed in juju-core: | |
| assignee: | Tim Penhey (thumper) → Cheryl Jennings (cherylj) |
| Cheryl Jennings (cherylj) wrote : | #9 |
| Changed in juju-core: | |
| status: | Triaged → Fix Committed |
| Changed in juju-core: | |
| status: | Fix Committed → Fix Released |
| affects: | juju-core → juju |
| Changed in juju: | |
| milestone: | 2.0-beta3 → none |
| milestone: | none → 2.0-beta3 |
| Changed in juju-core: | |
| assignee: | nobody → Tim Penhey (thumper) |
| importance: | Undecided → High |
| status: | New → Fix Released |
I've reproduced this on trusty with maas 1.8.
Here's what I did:
1. spin up two hosts on maas
2. sign into one of them
3. write out a valid environments.yaml with a 'maas' env with valid maas api key and ip. (via the openstack installer packaging)
4. attempt a bootstrap that fails (in the bug it failed because juju wasn't installed, but it's also sufficient to bootstrap --to nonexistent-
5. 'juju destroy-environment maas' fails reasonably with an error message that it can't connect to the (juju) API because env isn't bootstrapped.
6. 'juju destroy-environment --force maas ' issues these requests to the MAAS API:
- 172.16.0.61 - - [01/Sep/
- 172.16.0.61 - - [01/Sep/
7. and now everything I owned in maas is now released - including the system I was running the juju client on, and the other system I deployed, neither of which were created by juju.
I think that juju should check if agent_name is set to "" and avoid releasing in that case. Since it is set when bootstrap succeeds, it appears reasonable to assume that if agent_name isn't set, there's no way to safely only destroy things juju started so it should bail.