All rules deleted from juju security groups on OpenStack

Bug #1900702 reported by Martijn van der Woud
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone |
| --- | --- | --- | --- | --- |
| Canonical Juju | Expired | High | Unassigned | |

Bug Description

We have a juju installation on OpenStack, running the Kubernetes Core bundle with the OpenStack-integrator charm. We are using Cinder volumes and Neutron loadbalancers. After running without any issue for several weeks, we have seen that the security groups created by Juju suddenly become empty: all rules are gone.

We have encountered this issue several times now, but we were not able to discover any pattern in when it is occurring, nor do we have any clue what could be causing this behavior. We do suspect an issue with Juju, since we have been running some other projects (without Juju) on the same OpenStack cloud for years and we have never seen this behavior before.

Is there any logging we can check or debug settings that we can activate so that we can provide additional information here?

description: updated
Heather Lanigan (hmlanigan) wrote :

Hi Martijn, what version of juju are you running? Which OpenStack release?

Check the juju.provider.openstack logging for more info:
`juju debug-log -m controller --replay --include-module juju.provider.openstack`

You may need to increase the logging level for the future, by adding `;juju.provider.openstack=DEBUG` to the model config logging-config.

Changed in juju:
status: New → Incomplete
Martijn van der Woud (martijnvanderwoud) wrote :

Hi Heather,

We are running juju version 2.8.3.

OpenStack is version 3, I believe. I have asked the support desk of our hosting provider to tell me the exact version and will add that info here when I receive it.

The debug logs just give me this:

```
machine-0: 17:57:29 INFO juju.provider.openstack opening model "controller"
machine-0: 17:57:30 INFO juju.provider.openstack opening model "controller"
machine-0: 17:57:30 INFO juju.provider.openstack opening model "controller"
```

I have added `;juju.provider.openstack=DEBUG` to the logging-config, so hopefully we will be able to gather more useful information later.

Also: yesterday I saw security rules being wiped immediately after deleting a K8S service of type LoadBalancer. I believe the OpenStack integrator charm is responsible for deletion of the neutron lbaas at that point, so maybe the problem could be in the integrator charm?
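
One way to pin down when a group is emptied, so the moment can be lined up with the `juju.provider.openstack` debug log, is to diff two snapshots of the rule listings. This is an added example, not part of the bug thread or of Juju's code; the `juju-` name prefix, the JSON keys (modelled on `openstack security group list -f json` and `openstack security group rule list -f json` output) and all sample data are assumptions constructed for illustration.

```python
import json

JUJU_PREFIX = "juju-"  # assumption: Juju-created groups share this name prefix

def snapshot(groups_json, rules_json, prefix=JUJU_PREFIX):
    """Return {group name: set of rule tuples} for groups matching prefix."""
    names = {g["ID"]: g["Name"] for g in json.loads(groups_json)
             if g["Name"].startswith(prefix)}
    snap = {name: set() for name in names.values()}
    for r in json.loads(rules_json):
        name = names.get(r["Security Group"])
        if name is not None:  # skip rules of non-Juju groups
            snap[name].add((r["Direction"], r["IP Protocol"],
                            r["Port Range"], r["IP Range"]))
    return snap

def wiped(before, after):
    """Groups that still exist but went from having rules to having none.

    Returns {group name: rules lost}. A group that was deleted outright is
    not reported, since that is a different event from an emptied group.
    """
    return {name: rules for name, rules in before.items()
            if rules and name in after and not after[name]}

def _rule(group_id, port):
    # Constructed ingress rule; field names are assumed CLI JSON keys.
    return {"Security Group": group_id, "Direction": "ingress",
            "IP Protocol": "tcp", "Port Range": port, "IP Range": "0.0.0.0/0"}

# Constructed sample listings (IDs and names are made up).
GROUPS = json.dumps([{"ID": "sg-1", "Name": "juju-model"},
                     {"ID": "sg-2", "Name": "juju-model-0"},
                     {"ID": "sg-3", "Name": "default"}])
RULES_T0 = json.dumps([_rule("sg-1", "22:22"), _rule("sg-1", "17070:17070"),
                       _rule("sg-2", "6443:6443"), _rule("sg-3", "80:80")])
RULES_T1 = json.dumps([_rule("sg-2", "6443:6443"), _rule("sg-3", "80:80")])

if __name__ == "__main__":
    lost = wiped(snapshot(GROUPS, RULES_T0), snapshot(GROUPS, RULES_T1))
    for group, rules in sorted(lost.items()):
        print(f"{group}: emptied, {len(rules)} rule(s) lost")
        for rule in sorted(rules):
            print("   ", *rule)
```

Run against listings captured on a schedule, the first snapshot pair that reports a wipe narrows the debug-log window to inspect, and the returned rule tuples record what has to be restored.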

Martijn van der Woud (martijnvanderwoud) wrote :

Just heard back from my Cloud provider: OpenStack version is 2.0 Ocata

Pen Gale (pengale)
Changed in juju:
status: Incomplete → New
Heather Lanigan (hmlanigan) wrote :

Martijn, are you using ipv4, ipv6 or both?

Martijn van der Woud (martijnvanderwoud) wrote :

Hi Heather, we are using ipv4 only at the moment

Pen Gale (pengale) wrote :

I'm not sure that we have all the information that we need to reproduce. This is a worrying issue, though. Triaging as high and dropping it into a near future milestone to remind us to follow up, and also to try to reproduce on our end.

Changed in juju:
status: New → Triaged
importance: Undecided → High
milestone: none → 2.9.1
Ian Booth (wallyworld)
Changed in juju:
milestone: 2.9.1 → 2.9.2
Changed in juju:
milestone: 2.9.2 → 2.9.3
Changed in juju:
milestone: 2.9.3 → 2.9.4
Changed in juju:
milestone: 2.9.4 → 2.9.5
Pen Gale (pengale)
Changed in juju:
milestone: 2.9.5 → 2.9-next
status: Triaged → Incomplete
Ian Booth (wallyworld)
Changed in juju:
milestone: 2.9-next → none
Launchpad Janitor (janitor) wrote :

[Expired for Canonical Juju because there has been no activity for 60 days.]

Changed in juju:
status: Incomplete → Expired