cannot "open-port icmp" on GCE

Bug #1829512 reported by Junien Fridrick on 2019-05-17
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Tim McNamara

Bug Description


Running juju 2.5.4, I'm seeing the following on GCE :

2019-05-17 12:15:11 ERROR juju.worker.dependency engine.go:636 "firewaller" manifold worker returned unexpected error: cannot respond to units changes for "machine-0": opening port(s) [-1/icmp 5666/tcp 9103/tcp]: googleapi: Error 400: Invalid value for field 'resource.allowed[0].ports[0]': '-1'. Ports may only be specified on rules whose protocol is one of [TCP, UDP, SCTP]., invalid

I suspect you can repro by doing something like :
juju deploy ubuntu
juju run --unit ubuntu/0 "open-port icmp"
juju expose ubuntu


Revision history for this message
Junien Fridrick (axino) wrote :

Assigned to @wallyworld as per @thumper :)

Changed in juju:
assignee: nobody → Ian Booth (wallyworld)
Ian Booth (wallyworld) on 2019-05-17
Changed in juju:
assignee: Ian Booth (wallyworld) → Tim McNamara (tim-clicks)
milestone: none → 2.6.3
importance: Undecided → High
status: New → Triaged
Revision history for this message
Tim McNamara (tim-clicks) wrote :

Thanks for reporting this Junien. This problem occurs because Juju (incorrectly) sends a port number of -1 to the providers. Most providers ignore this, but Google requires that the port number is empty when icmp is set[0].

The code changes to address this are in process. We're looking to update Juju's code during our next available release.


Revision history for this message
Tim McNamara (tim-clicks) wrote :

For future reference, the code that sets the port number to -1 is in the uniter worker[1].


Revision history for this message
Tim McNamara (tim-clicks) wrote :

A fix has been implemented and is currently going through code review[2]


Changed in juju:
status: Triaged → In Progress
status: In Progress → Fix Committed
Changed in juju:
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers