Canonical Juju

cannot "open-port icmp" on GCE

Bug #1829512 reported by Junien F on 2019-05-17

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	Canonical Juju	Fix Released	High	Tim McNamara	Canonical Juju 2.6.3

Bug Description

Hi,

Running juju 2.5.4, I'm seeing the following on GCE :

2019-05-17 12:15:11 ERROR juju.worker.dependency engine.go:636 "firewaller" manifold worker returned unexpected error: cannot respond to units changes for "machine-0": opening port(s) [-1/icmp 5666/tcp 9103/tcp]: googleapi: Error 400: Invalid value for field 'resource.allowed[0].ports[0]': '-1'. Ports may only be specified on rules whose protocol is one of [TCP, UDP, SCTP]., invalid

I suspect you can repro by doing something like :
juju deploy ubuntu
juju run --unit ubuntu/0 "open-port icmp"
juju expose ubuntu

Thanks

Revision history for this message

Junien F (axino) wrote on 2019-05-17:

Assigned to @wallyworld as per @thumper :)

Changed in juju:
assignee:	nobody → Ian Booth (wallyworld)

Ian Booth (wallyworld) on 2019-05-17

Changed in juju:
assignee:	Ian Booth (wallyworld) → Tim McNamara (tim-clicks)
milestone:	none → 2.6.3
importance:	Undecided → High
status:	New → Triaged

Revision history for this message

Tim McNamara (tim-clicks) wrote on 2019-05-21:

Thanks for reporting this Junien. This problem occurs because Juju (incorrectly) sends a port number of -1 to the providers. Most providers ignore this, but Google requires that the port number is empty when icmp is set[0].

The code changes to address this are in process. We're looking to update Juju's code during our next available release.

[0] https://cloud.google.com/vpc/docs/firewalls#protocols_and_ports