juju-core

juju 2 doesn't remove openstack security groups

Bug #1625624 reported by Francis Ginther on 2016-09-20

This bug affects 7 people

	Status	Importance	Assigned to	Milestone
Canonical Juju	Fix Released	High	Martin Packman	Canonical Juju 2.0.3
2.0	Fix Released	High	Liam Young	Canonical Juju 2.0.3
2.1	Fix Released	High	Unassigned	Canonical Juju 2.1-rc1
2.2	Fix Released	High	Unassigned	Canonical Juju 2.2-alpha1
juju-core	Fix Released	Critical	Liam Young	juju-core 1.25.9

Bug Description

This was most recently observed with 2.0-beta18-xenial-amd64. The cloud is provided by a landscape autopilot deploy of openstack version 'mitaka'.

I noticed this with 'destroy-model' and 'kill-controller', but it may happen when removing services and machines too. In my testing, I do see that 'kill-controller' attempts to remove security groups, but is just unsuccessful:

buntu@juju2-b18:~/inner$ juju kill-controller -y osa-controller
Destroying controller "osa-controller"
Waiting for resources to be reclaimed
All hosted models reclaimed, cleaning up controller machines
WARNING cannot delete security group "juju-b5ee8749-31c5-48a4-8b2c-a53e45d2c9bd-dcad8c29-df6a-46f8-8094-bb0094a1af3b
-0". Used by another model?
ERROR health ping timed out after 30s
WARNING cannot delete security group "juju-b5ee8749-31c5-48a4-8b2c-a53e45d2c9bd-dcad8c29-df6a-46f8-8094-bb0094a1af3b
". Used by another model?
WARNING cannot delete security group "juju-b5ee8749-31c5-48a4-8b2c-a53e45d2c9bd-dcad8c29-df6a-46f8-8094-bb0094a1af3b
-0". Used by another model?
WARNING cannot delete security group "juju-b5ee8749-31c5-48a4-8b2c-a53e45d2c9bd-275b148e-9e0b-49f3-8f71-5441fe95dbd9
". Used by another model?
WARNING cannot delete security group "juju-b5ee8749-31c5-48a4-8b2c-a53e45d2c9bd-275b148e-9e0b-49f3-8f71-5441fe95dbd9
-0". Used by another model?
WARNING cannot delete security group "juju-b5ee8749-31c5-48a4-8b2c-a53e45d2c9bd-dcad8c29-df6a-46f8-8094-bb0094a1af3b
". Used by another model?
WARNING cannot delete security group "juju-b5ee8749-31c5-48a4-8b2c-a53e45d2c9bd-dcad8c29-df6a-46f8-8094-bb0094a1af3b
-0". Used by another model?

A short time later (less then a minute), the security groups could be removed with 'openstack security group delete'. I only see these messages with 'kill-controller'. The 'destroy-model' command didn't appear to attempt to remove any security groups.

This becomes a problem once a couple of deploys have been performed and removed and I start to run out of openstack security groups.

Attached is a script log showing 'bootstrap', 'deploy', 'destroy-model' and 'kill-controller' and the security groups in between.

See original description

Tags:

Revision history for this message

Francis Ginther (fginther) wrote on 2016-09-20:

security-group-test.log Edit (17.0 KiB, text/plain)

Richard Harding (rharding) on 2016-09-20

Changed in juju:
status:	New → Triaged
importance:	Undecided → High
assignee:	nobody → Richard Harding (rharding)
milestone:	none → 2.0.0

Revision history for this message

Curtis Hovey (sinzui) wrote on 2016-09-20:

Which version of Openstack. Juju appears to clean up in some, but not all openstacks.

Anastasia (anastasia-macmood) on 2016-09-21

Changed in juju:
status:	Triaged → Incomplete

Revision history for this message

Francis Ginther (fginther) wrote on 2016-09-21:

The openstack version is use is 'liberty'.

Anastasia (anastasia-macmood) on 2016-09-21

Changed in juju:
status:	Incomplete → Triaged

Revision history for this message

Francis Ginther (fginther) wrote on 2016-09-24:

Correction, the openstack version is mitaka.

description:

updated

Richard Harding (rharding) on 2016-09-29

Changed in juju:
milestone:	2.0.0 → 2.0.1
assignee:	Richard Harding (rharding) → Alexis Bruemmer (alexis-bruemmer)

Curtis Hovey (sinzui) on 2016-11-01

Changed in juju:
milestone:	2.0.1 → none

Revision history for this message

Antti Rahikainen (anrah) wrote on 2016-11-11:

Security group deletion also broken when using OpenStack Newton.

Revision history for this message

Martijn Evers (mevers) wrote on 2016-11-11:

Here too for Mitaka and 2.0.0-trusty-amd64.

Curtis Hovey (sinzui) on 2016-11-16

summary:	- juju 2 beta 18 doesn't remove openstack security groups + juju 2 doesn't remove openstack security groups
tags:	added: ci openstack-provider

Revision history for this message

Liam Young (gnuoy) wrote on 2016-11-23:

I think I've got to the bottom of this, its a bug in goose so I assume it affects Juju 1.X and 2.X at the moment.

When Juju requests the deletion of a security group it hits the API with these parameters:

sendRateLimitedRequest method: DELETE
sendRateLimitedRequest URL: http://10.245.161.158:8774/v2/a65e1673ca784ec3b3a4b76c95a254b0/os-security-groups/3e4ff483-4b12-4a07-b466-ed93a146a56a
sendRateLimitedRequest headers: map[User-Agent:[goose (0.1.0)] X-Auth-Token:[54baab4248574e5c862de354100021fc] Content-Type:[application/octet-stream] Accept:[application/octet-stream]]
sendRateLimitedRequest reqData: []

(Output above doesn't match the uuids below because there from different test runs but you get the picture)

If I take those parameters and use curl I get:

$ curl -g -i -X DELETE http://10.245.161.158:8774/v2/a65e1673ca784ec3b3a4b76c95a254b0/os-security-groups/592c0b2e-ce86-4c6a-9778-faf8c89cdf61 -H "User-Agent: goose (0.1.0)" -H "Content-Type:[application/octet-stream]
" -H "Accept: application/octet-stream" -H "X-Auth-Token: b11ada0df6a342e1a667e579f6e6f153"
HTTP/1.1 415 Unsupported Media Type
Content-Type: application/json; charset=UTF-8
Content-Length: 70
X-Compute-Request-Id: req-d19a46a2-736f-479d-a0b4-156ffa4da8de
Date: Wed, 23 Nov 2016 12:15:02 GMT

{"badMediaType": {"message": "Unsupported Content-Type", "code": 415}

So the delete, fails and Juju keeps on trying. The problem is the sending of the "Content-Type:[application/octet-stream]" header, which isn't needed at all since I don't think DELETEs ever have a payload?

I have patched juju 1.X locally ( https://pastebin.canonical.com/171596/ ) to remove the Content-Type header from Delete requests for JsonRequest and BinaryRequest. This fixes the issue for me.

Revision history for this message

Liam Young (gnuoy) wrote on 2016-11-23:

Sorry, patch was reversed https://pastebin.canonical.com/171602/

Martin Packman (gz) on 2016-11-23

Changed in juju:
milestone:	none → 2.1-beta2
Changed in juju-core:
importance:	Undecided → High
milestone:	none → 1.25.9
status:	New → Triaged

Revision history for this message

Anastasia (anastasia-macmood) wrote on 2016-11-23:

Changed to "critical" for 1.25.9 as we only fix "critical"s in 1.25.x series.

Changed in juju-core:
importance:	High → Critical

Edward Hope-Morley (hopem) on 2016-11-25

tags:

added: sts

Revision history for this message

James Page (james-page) wrote on 2016-11-28:

#10

potentially related bug 1645298

Revision history for this message

Mario Splivalo (mariosplivalo) wrote on 2016-11-29:

#11

I have built patched juju 1.25.6 based on Liam's comment (https://pastebin.canonical.com/171602/):

https://launchpad.net/~mariosplivalo/+archive/ubuntu/lp1625624

I've tested this against our testing Openstack (Mitaka), and security groups get deleted. Moreover, 'juju destroy-environment' takes cca 20 seconds (compared to cca 15 minutes when juju is failing to delete security groups, retrying along the way).

Revision history for this message

Liam Young (gnuoy) wrote on 2016-11-30:

#12

Pull request with fix:

https://github.com/go-goose/goose/pull/37

Martin Packman (gz) on 2016-11-30

Changed in juju:
status:	Triaged → In Progress
assignee:	Alexis Bruemmer (alexis-bruemmer) → Liam Young (gnuoy)

Revision history for this message

Anastasia (anastasia-macmood) wrote on 2016-11-30:

#13

PR against 1.25: https://github.com/juju/juju/pull/6638

PR against 2.0: https://github.com/juju/juju/pull/6640

Changed in juju-core:
status:	Triaged → In Progress
assignee:	nobody → Liam Young (gnuoy)

Curtis Hovey (sinzui) on 2016-12-01

Changed in juju:
milestone:	2.1-beta2 → none

Curtis Hovey (sinzui) on 2016-12-02

Changed in juju:
milestone:	none → 2.1-rc1

Revision history for this message

Dean Maniatis (dean-maniatis) wrote on 2016-12-02:

#14

I'm facing the same problem when using a private openstack mitaka with juju 2.0.1. In addition of not being able to remove security groups during removal of a service or even when destroying controller I've also noticed that it creates 2 security groups per service. Is that expected?

Martin Packman (gz) on 2016-12-02

Changed in juju-core:
status:	In Progress → Fix Committed

Revision history for this message

Martin Packman (gz) wrote on 2016-12-02:

#15

And final dep bump for develop/2.1 branch:

<https://github.com/juju/juju/pull/6651>

Changed in juju:
assignee:	Liam Young (gnuoy) → Martin Packman (gz)

Martin Packman (gz) on 2016-12-02

Changed in juju:
status:	In Progress → Fix Committed

Curtis Hovey (sinzui) on 2016-12-07

Changed in juju-core:
status:	Fix Committed → Fix Released

Revision history for this message

Nicholas Skaggs (nskaggs) wrote on 2016-12-09:

#16

These changes are in the proposed ppa / stream. Confirmation that this doesn't occur in the proposed client is appreciated. See https://launchpad.net/~juju/+archive/ubuntu/1.25-proposed, and the ppa description for details on setting your environment to use the proposed agents to go with the binary.

Francis, thank you in advance for verifying.

Revision history for this message

Francis Ginther (fginther) wrote on 2016-12-12:

#17

@nskaggs, verified with juju 1.25.9-0ubuntu1~14.04.2~juju1 that openstack security groups were removed with environment-destroy. This was tested with mitaka.

Have not tested with any version of juju 2 yet. Will attempt that next.

Revision history for this message

Francis Ginther (fginther) wrote on 2016-12-13:

#18

@nskaggs, is there a 2.0.3 package available for testing?

Anastasia (anastasia-macmood) on 2016-12-13

Changed in juju:
milestone:	2.1-rc1 → 2.1-beta3

Curtis Hovey (sinzui) on 2016-12-15

Changed in juju:
status:	Fix Committed → Fix Released

Revision history for this message

Dean Maniatis (dean-maniatis) wrote on 2016-12-23:

#19

The fix committed doesn't seem to address fully openstack Mitaka. I've upgraded existing bootstrapped controller to 2.1-beta3.1, I added a new model and deployed a couple services. This yielded +3 new security groups (+2 on the first deployed charm and +1 on the second). Upon removal of both charms only 2 security groups were removed instead of 3 and I had to remove the last one by hand.

Revision history for this message

Anastasia (anastasia-macmood) wrote on 2017-01-12:

#20

It looks like the fix was applied to Juju 1.25.x and Juju 2.0.x but was not forward-ported to 2.1.x and 2.2.x. We'll get right on it!
Thank you for reporting it, Dean!

Changed in juju:
milestone:	2.1-beta3 → 2.0.3

Revision history for this message

Anastasia (anastasia-macmood) wrote on 2017-02-01:

#21

After closer examination, it looks like fixes has been forward-ported.

The extra security group that you are seeing probably belongs to the model. It was created with deployment of first application. If you re-try - i.e. (a) create model, (b) deploy application, (c) destroy application, (d) destroy model - you should not have any security groups related to that model or its applications.