nova_security_group and nova_security_rule are not idempotent

Bug #1571259 reported by Alex Schultz
Affects: puppet-nova; Status: Fix Released; Importance: Medium; Assigned to: Mohammed Naser; Milestone: none

Bug Description

We found in Fuel when trying to leverage nova_security_group and nova_security_rule that they are not idempotent (see Bug 1570862). I tested with the latest version of the code and was able to replicate the non-idempotent nature of these providers.

First run...
Notice: /Stage[main]/Main/Nova_security_group[global_ssh]/ensure: created
Notice: /Stage[main]/Main/Nova_security_group[global_http]/ensure: created
Notice: /Stage[main]/Main/Nova_security_group[allow_all]/ensure: created
Notice: /Stage[main]/Main/Nova_security_rule[all_02]/ensure: created
Notice: /Stage[main]/Main/Nova_security_rule[http_02]/ensure: created
Notice: /Stage[main]/Main/Nova_security_rule[all_03]/ensure: created
Notice: /Stage[main]/Main/Nova_security_rule[ssh_01]/ensure: created
Notice: /Stage[main]/Main/Nova_security_rule[all_01]/ensure: created
Notice: /Stage[main]/Main/Nova_security_rule[http_01]/ensure: created

Second run...
Info: Applying configuration version '1460844864'
Notice: /Stage[main]/Main/Nova_security_group[global_ssh]/description: defined 'description' as 'Allow SSH traffic'
Notice: /Stage[main]/Main/Nova_security_group[global_http]/description: defined 'description' as 'Allow HTTP traffic'
Notice: /Stage[main]/Main/Nova_security_group[allow_all]/description: defined 'description' as 'Allow all traffic'
Error: Execution of '/bin/nova secgroup-add-rule allow_all udp 1 65535 0.0.0.0/0' returned 1: ERROR (BadRequest): This rule already exists in group 4 (HTTP 400) (Request-ID: req-d19b85b4-1bef-4780-a5db-3734c7ac2b9f)
Error: /Stage[main]/Main/Nova_security_rule[all_02]/ensure: change from absent to present failed: Execution of '/bin/nova secgroup-add-rule allow_all udp 1 65535 0.0.0.0/0' returned 1: ERROR (BadRequest): This rule already exists in group 4 (HTTP 400) (Request-ID: req-d19b85b4-1bef-4780-a5db-3734c7ac2b9f)
Error: Execution of '/bin/nova secgroup-add-rule global_http tcp 443 443 0.0.0.0/0' returned 1: ERROR (BadRequest): This rule already exists in group 3 (HTTP 400) (Request-ID: req-c97d8b23-a15e-42bb-b11e-642a0ea7b195)
Error: /Stage[main]/Main/Nova_security_rule[http_02]/ensure: change from absent to present failed: Execution of '/bin/nova secgroup-add-rule global_http tcp 443 443 0.0.0.0/0' returned 1: ERROR (BadRequest): This rule already exists in group 3 (HTTP 400) (Request-ID: req-c97d8b23-a15e-42bb-b11e-642a0ea7b195)
Error: Execution of '/bin/nova secgroup-add-rule allow_all icmp 1 255 0.0.0.0/0' returned 1: ERROR (BadRequest): This rule already exists in group 4 (HTTP 400) (Request-ID: req-233366fc-f8f5-45c2-aca1-786e0dfcd3ea)
Error: /Stage[main]/Main/Nova_security_rule[all_03]/ensure: change from absent to present failed: Execution of '/bin/nova secgroup-add-rule allow_all icmp 1 255 0.0.0.0/0' returned 1: ERROR (BadRequest): This rule already exists in group 4 (HTTP 400) (Request-ID: req-233366fc-f8f5-45c2-aca1-786e0dfcd3ea)
Error: Execution of '/bin/nova secgroup-add-rule global_ssh tcp 22 22 0.0.0.0/0' returned 1: ERROR (BadRequest): This rule already exists in group 2 (HTTP 400) (Request-ID: req-ac4119d7-cc7e-4d0f-98b8-872cf4fba85f)
Error: /Stage[main]/Main/Nova_security_rule[ssh_01]/ensure: change from absent to present failed: Execution of '/bin/nova secgroup-add-rule global_ssh tcp 22 22 0.0.0.0/0' returned 1: ERROR (BadRequest): This rule already exists in group 2 (HTTP 400) (Request-ID: req-ac4119d7-cc7e-4d0f-98b8-872cf4fba85f)
Error: Execution of '/bin/nova secgroup-add-rule allow_all tcp 1 65535 0.0.0.0/0' returned 1: ERROR (BadRequest): This rule already exists in group 4 (HTTP 400) (Request-ID: req-7bda21e0-d7cc-4ef1-9ecf-3e25c52f23f5)
Error: /Stage[main]/Main/Nova_security_rule[all_01]/ensure: change from absent to present failed: Execution of '/bin/nova secgroup-add-rule allow_all tcp 1 65535 0.0.0.0/0' returned 1: ERROR (BadRequest): This rule already exists in group 4 (HTTP 400) (Request-ID: req-7bda21e0-d7cc-4ef1-9ecf-3e25c52f23f5)
Error: Execution of '/bin/nova secgroup-add-rule global_http tcp 80 80 0.0.0.0/0' returned 1: ERROR (BadRequest): This rule already exists in group 3 (HTTP 400) (Request-ID: req-e28ec016-b0b4-41c9-b2cd-fbec0f9d6771)
Error: /Stage[main]/Main/Nova_security_rule[http_01]/ensure: change from absent to present failed: Execution of '/bin/nova secgroup-add-rule global_http tcp 80 80 0.0.0.0/0' returned 1: ERROR (BadRequest): This rule already exists in group 3 (HTTP 400) (Request-ID: req-e28ec016-b0b4-41c9-b2cd-fbec0f9d6771)
Notice: Finished catalog run in 100.31 seconds
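The second run above fails because the rule provider never checks whether a rule already exists before calling `nova secgroup-add-rule`, so Nova answers with BadRequest. The following Ruby is an added illustration of the missing idempotency check and is not puppet-nova's own provider code; it assumes the ASCII table layout of `nova secgroup-list-rules <group>` from that era and uses a constructed sample table.

```ruby
# Added example, not puppet-nova's provider: decide whether a rule already
# exists in a group before trying to add it, so a second Puppet run is a
# no-op instead of a BadRequest from Nova.

# Parse the ASCII table printed by `nova secgroup-list-rules` into hashes
# keyed by the column headers (assumed format, see the constructed sample).
def parse_secgroup_rules(table)
  rows = table.lines.map(&:strip).select { |l| l.start_with?('|') }
  split = ->(line) { line.split('|', -1)[1..-2].map(&:strip) }
  header = split.call(rows.shift)
  rows.map { |row| Hash[header.zip(split.call(row))] }
end

# Normalise a rule so that 'TCP'/'tcp' and '22'/22 compare equal.
def normalize_rule(proto, from_port, to_port, cidr)
  { protocol: proto.to_s.downcase, from: from_port.to_i,
    to: to_port.to_i, cidr: cidr.to_s }
end

# The exists? check the bug report shows is missing: true when an
# equivalent rule is already listed for the group.
def rule_exists?(table, proto, from_port, to_port, cidr)
  wanted = normalize_rule(proto, from_port, to_port, cidr)
  parse_secgroup_rules(table).any? do |r|
    normalize_rule(r['IP Protocol'], r['From Port'],
                   r['To Port'], r['IP Range']) == wanted
  end
end

# Given desired rules as [proto, from, to, cidr], return only those that
# still need `secgroup-add-rule`; on a converged system this is empty.
def rules_to_add(table, desired)
  desired.reject { |d| rule_exists?(table, *d) }
end

# Constructed sample output for a group that already holds two rules.
SAMPLE_RULES = <<~TABLE
  +-------------+-----------+---------+-----------+--------------+
  | IP Protocol | From Port | To Port | IP Range  | Source Group |
  +-------------+-----------+---------+-----------+--------------+
  | tcp         | 22        | 22      | 0.0.0.0/0 |              |
  | icmp        | 1         | 255     | 0.0.0.0/0 |              |
  +-------------+-----------+---------+-----------+--------------+
TABLE

if __FILE__ == $PROGRAM_NAME
  desired = [['tcp', 22, 22, '0.0.0.0/0'], ['tcp', 443, 443, '0.0.0.0/0']]
  puts "rules still to add: #{rules_to_add(SAMPLE_RULES, desired).inspect}"
end
```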

OpenStack Infra (hudson-openstack) wrote : Fix proposed to puppet-nova (master)

Fix proposed to branch: master
Review: https://review.openstack.org/306787

Changed in puppet-nova:
assignee: nobody → Alex Schultz (alex-schultz)
status: New → In Progress
OpenStack Infra (hudson-openstack) wrote :

Fix proposed to branch: master
Review: https://review.openstack.org/307888

Cody Herriges (ody-cat)
Changed in puppet-nova:
importance: Undecided → Medium
OpenStack Infra (hudson-openstack) wrote : Change abandoned on puppet-nova (master)

Change abandoned by Alex Schultz (<email address hidden>) on branch: master
Review: https://review.openstack.org/306787
Reason: Maybe I'll get back to this some day

OpenStack Infra (hudson-openstack) wrote :

Change abandoned by Alex Schultz (<email address hidden>) on branch: master
Review: https://review.openstack.org/307888
Reason: Maybe I'll get back to this some day

Mohammed Naser (mnaser) wrote :

This was resolved with these patches and backported to Newton and Ocata.

https://review.openstack.org/#/c/487244/
https://review.openstack.org/#/c/487493/

Changed in puppet-nova:
status: In Progress → Fix Released
assignee: Alex Schultz (alex-schultz) → Mohammed Naser (mnaser)