OpenStack: possible security group name conflicts

Bug #1300755 reported by Abel Deuring
| Affects | Status | Importance | Assigned to | Milestone |
| Canonical Juju | Invalid | Medium | Unassigned | |
| juju-core | Won't Fix | Medium | Unassigned | |

Bug Description

Set up two Juju environments for OpenStack, where one environment has an arbitrary name and where the second environment has the same name as the first environment followed by "-nnn", where nnn is a number. In the example below, I used the names "playground-abel" and "playground-abel-0".

Each deployed machine gets its own OpenStack security group, where the security group name is "juju-<env-name>-<machine-number>". Additionally, the environment gets a common security group, called "juju-<env-name>".

With the example environment names, this means that the environment "playground-abel" uses the security groups "juju-playground-abel" and "juju-playground-abel-0", while the environment "playground-abel-0" uses the security groups "juju-playground-abel-0" and "juju-playground-abel-0-0".

Depending on which environment is bootstrapped first, the configuration of the security group "juju-playground-abel-0" is different.

Example output:

$ juju bootstrap -e playground-abel
$ nova list
+--------------------------------------+--------------------------------+--------+------------+-------------+-------------------------+
| ID | Name | Status | Task State | Power State | Networks |
+--------------------------------------+--------------------------------+--------+------------+-------------+-------------------------+
| ff8859dc-4218-412c-b981-fc4c7bcb52a3 | juju-playground-abel-machine-0 | ACTIVE | None | Running | canonistack=10.55.60.56 |
+--------------------------------------+--------------------------------+--------+------------+-------------+-------------------------+

$ nova secgroup-list
+--------+------------------------+-------------+
| Id | Name | Description |
+--------+------------------------+-------------+
| 99426 | default | default |
| 126060 | juju-playground-abel | juju group |
| 126061 | juju-playground-abel-0 | juju group |
+--------+------------------------+-------------+

$ nova secgroup-list-rules juju-playground-abel
+-------------+-----------+---------+-----------+----------------------+
| IP Protocol | From Port | To Port | IP Range | Source Group |
+-------------+-----------+---------+-----------+----------------------+
| tcp | 22 | 22 | 0.0.0.0/0 | |
| tcp | 37017 | 37017 | 0.0.0.0/0 | |
| tcp | 17070 | 17070 | 0.0.0.0/0 | |
| tcp | 1 | 65535 | | juju-playground-abel |
| udp | 1 | 65535 | | juju-playground-abel |
| icmp | -1 | -1 | | juju-playground-abel |
+-------------+-----------+---------+-----------+----------------------+

$ nova secgroup-list-rules juju-playground-abel-0
<empty output>

$ juju bootstrap -e playground-abel-0

$ nova list
+--------------------------------------+----------------------------------+--------+------------+-------------+-------------------------+
| ID | Name | Status | Task State | Power State | Networks |
+--------------------------------------+----------------------------------+--------+------------+-------------+-------------------------+
| a2a8f149-bef6-4ab9-8493-a212f5cf5f61 | juju-playground-abel-0-machine-0 | ACTIVE | None | Running | canonistack=10.55.60.71 |
| ff8859dc-4218-412c-b981-fc4c7bcb52a3 | juju-playground-abel-machine-0 | ACTIVE | None | Running | canonistack=10.55.60.56 |
+--------------------------------------+----------------------------------+--------+------------+-------------+-------------------------+

$ nova secgroup-list
+--------+--------------------------+-------------+
| Id | Name | Description |
+--------+--------------------------+-------------+
| 99426 | default | default |
| 126060 | juju-playground-abel | juju group |
| 126061 | juju-playground-abel-0 | juju group |
| 126062 | juju-playground-abel-0-0 | juju group |
+--------+--------------------------+-------------+

$ nova secgroup-list-rules juju-playground-abel-0
<empty output>

$ juju destroy-environment -e playground-abel-0
$ juju destroy-environment -e playground-abel
$ nova secgroup-delete juju-playground-abel
$ nova secgroup-delete juju-playground-abel-0
$ nova secgroup-delete juju-playground-abel-0-0

$ juju bootstrap -e playground-abel-0
$ nova secgroup-list
+--------+--------------------------+-------------+
| Id | Name | Description |
+--------+--------------------------+-------------+
| 99426 | default | default |
| 126063 | juju-playground-abel-0 | juju group |
| 126064 | juju-playground-abel-0-0 | juju group |
+--------+--------------------------+-------------+

$ nova secgroup-list-rules juju-playground-abel-0
+-------------+-----------+---------+-----------+------------------------+
| IP Protocol | From Port | To Port | IP Range | Source Group |
+-------------+-----------+---------+-----------+------------------------+
| tcp | 22 | 22 | 0.0.0.0/0 | |
| tcp | 37017 | 37017 | 0.0.0.0/0 | |
| tcp | 17070 | 17070 | 0.0.0.0/0 | |
| tcp | 1 | 65535 | | juju-playground-abel-0 |
| udp | 1 | 65535 | | juju-playground-abel-0 |
| icmp | -1 | -1 | | juju-playground-abel-0 |
+-------------+-----------+---------+-----------+------------------------+

$ juju bootstrap -e playground-abel
$ nova secgroup-list
+--------+--------------------------+-------------+
| Id | Name | Description |
+--------+--------------------------+-------------+
| 99426 | default | default |
| 126065 | juju-playground-abel | juju group |
| 126063 | juju-playground-abel-0 | juju group |
| 126064 | juju-playground-abel-0-0 | juju group |
+--------+--------------------------+-------------+

$ nova secgroup-list-rules juju-playground-abel-0
+-------------+-----------+---------+-----------+------------------------+
| IP Protocol | From Port | To Port | IP Range | Source Group |
+-------------+-----------+---------+-----------+------------------------+
| tcp | 22 | 22 | 0.0.0.0/0 | |
| tcp | 37017 | 37017 | 0.0.0.0/0 | |
| tcp | 17070 | 17070 | 0.0.0.0/0 | |
| tcp | 1 | 65535 | | juju-playground-abel-0 |
| udp | 1 | 65535 | | juju-playground-abel-0 |
| icmp | -1 | -1 | | juju-playground-abel-0 |
+-------------+-----------+---------+-----------+------------------------+

Curtis Hovey (sinzui) wrote :

This issue overlaps with bug 1217595.

tags: added: openstack-provider security
Changed in juju-core:
status: New → Triaged
importance: Undecided → High
Abel Deuring (adeuring)
description: updated
Changed in juju-core:
importance: High → Medium
Anastasia (anastasia-macmood) wrote :

Re-targeting to be fixed on new generation of Juju, 2.x.

Changed in juju:
status: New → Triaged
importance: Undecided → Medium
milestone: none → 2.1.0
Changed in juju-core:
status: Triaged → Won't Fix
Curtis Hovey (sinzui)
Changed in juju:
milestone: 2.1-rc2 → none
Heather Lanigan (hmlanigan) wrote :

In juju 2.x, OpenStack security groups are named with the UUID of the model it will be used for. This eliminates the possibility of subsets of model names causing issues.

Changed in juju:
status: Triaged → Invalid
Heather Lanigan (hmlanigan) wrote :

Not a valid bug for juju 2.x, given #3.
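The naming collision from the bug description, and the effect of keying group names on a model UUID as described in the last comments, as an added example that is not Juju's code or part of the original report. The helper names are hypothetical, the group list is copied from the `nova secgroup-list` output above, and the `juju-<uuid>` layout is an assumed format used only to illustrate the UUID point.

```python
import re
import uuid

# Machine numbers as plain decimal integers (assumption: no leading zeros).
_MACHINE = re.compile(r"0|[1-9][0-9]*")

def env_group(env):
    """Environment-wide group, per the report: juju-<env-name>."""
    return f"juju-{env}"

def machine_group(env, machine):
    """Per-machine group, per the report: juju-<env-name>-<machine-number>."""
    return f"juju-{env}-{machine}"

def claimants(group_name, env_names):
    """Every (environment, role) that would use `group_name` under this scheme."""
    found = []
    for env in sorted(env_names):
        prefix = env_group(env) + "-"
        if group_name == env_group(env):
            found.append((env, "environment"))
        elif group_name.startswith(prefix) and _MACHINE.fullmatch(group_name[len(prefix):]):
            found.append((env, f"machine {int(group_name[len(prefix):])}"))
    return found

def ambiguous_groups(group_names, env_names):
    """Groups claimed by more than one environment: their rules depend on bootstrap order."""
    result = {}
    for group in group_names:
        owners = claimants(group, env_names)
        if len(owners) > 1:
            result[group] = owners
    return result

def demo():
    envs = ["playground-abel", "playground-abel-0"]
    # Group names as listed by `nova secgroup-list` in the report.
    listed = ["default", "juju-playground-abel",
              "juju-playground-abel-0", "juju-playground-abel-0-0"]
    by_name = ambiguous_groups(listed, envs)
    # Constructed, deterministic stand-ins for model UUIDs (assumed naming layout).
    ids = [str(uuid.uuid5(uuid.NAMESPACE_URL, e)) for e in envs]
    uuid_groups = [env_group(i) for i in ids] + [machine_group(i, 0) for i in ids]
    by_uuid = ambiguous_groups(uuid_groups, ids)
    return by_name, by_uuid

if __name__ == "__main__":
    print(demo())
```

Because every UUID string has the same fixed length, one model's identifier can never be another's followed by "-<number>", so the second result is empty.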
