provider/openstack: updating security groups is broken (again) #4714
Comments
|
Thanks for reporting this. Unfortunately I'm not able to reproduce the issue... there might be some slight difference between your environment and mine that we'll need to pin down. Just to get this out of the way: are you sure you've updated all terraform binaries to 0.6.9, even the |
|
Yes, I'm 100% sure - but it's not really the case. I ran "git bisect" - so, version before commit 3db7922 is working, after commit 3db7922 is not. DEBUG plan DEBUG apply (second one) Not sure why no rulesToMap() call during second apply. |
|
Yes, and if you compare 1st and 2nd apply run you'll see quite odd thing, look: Second apply: So, rule.2180185248 (icmp) is same in both runs - good, rule.836640770 (ssh) is also there. |
|
Ah, that's how Openstack returns ICMP rules: |
|
So, changing to 'fixes' the issue. |
|
Ah, please disregard, change above fixing second apply, but breaks first one: So, some proper fix is still needed. |
|
from_port issue reported separately - #4716 |
|
OK, #4716 confirmed. Looping back to the original issue, are you still seeing a problem if you apply the following twice? resource "openstack_compute_secgroup_v2" "test_secgroup" {
name = "test_secgroup"
description = "Test secgroup"
# ssh
rule {
from_port = 22
to_port = 22
ip_protocol = "tcp"
cidr = "0.0.0.0/0"
}
} |
|
No, ssh only works. to when applying the first time, but failing with detection that configuration back from OpenStack when doing second apply. Maybe mine OpenStack reports ICMP in a different way than your version. |
|
OK cool -- at least we're narrowing the issue down 😄 I haven't been able to reproduce this issue in a production Kilo environment as well as a "standard" DevStack environment I use for all Terraform OpenStack tests. Are you using Neutron or nova-network? If Neutron, what plugin/driver are you using? |
|
Heya, We are using Neutron with contrail. |
|
Is Contrail providing the security groups? |
|
Heya, Sorry for the late reply. Neutron is providing the security groups. Also just had a look at terraform and it looks like when trying to update a rule in the security group is attempting to remove the group and then re-create. Is this normal behavior? Because if it is then is normal to get a 500 from the API as the security group is still attached to the VM so you can't delete it. |
|
Thanks for the info!
Right, but what driver do you have for the firewall? In a default installation with ML2/OVS, you'd see the following in Do you have something Contrail-specific? If so, this might explain why security groups are acting strange -- Contrail is interpreting / manipulating the rules differently. (note: firewall here is not the same as FWaaS). (also note: if you're unable to find the
It's not, but the behavior you're seeing where there is a change upon each execution of Can you run Terraform in debug mode and paste output of both the first $ TF_LOG=DEBUG terraform apply...It might be better to paste the output to a gist -- there will be a lot of it. Thanks for your help! |
|
Hi, @jtopjian - please check these gists. @mariusv - it seems we have a problem with ICMP only. If you have no ICMP rules we can apply the same file many times - there're no changes - 0 changed. I suspect that our OpenStack reports ICMP secrules in a different way then default installation... |
|
Awesome - thanks! I'll take a look at the logs later on today. |
|
I found a discrepancy. On the first apply, I see: When creating a security group in a "working" environment, I see: Can you confirm if the security group did not exist when you ran the first |
|
No, I can't. Maybe I didn't run TF clearly that time. Sorry for misleading you. :(
|
|
State file looks like this btw: |
|
No problem at all! OK, I see something else odd: Both rules are for ICMP, but the rule being removed has -1 for the "to" and "from" port and the rule being added has "0" and "65535" respectively. Can you confirm that the configuration you're testing with has only one icmp rule and that rule is using the -1 format? If that is true, then I have a theory: Neutron/Contrail is accepting -1/-1 when you create the rule, but reports back 0/65536. |
|
Oh, and you should be able to verify this outside of Terraform. If you use the |
|
Ah, you're right, it's exactly that. I had no idea that TF brings -1/-1 ports directly, I thought it was corrected internally by TF. |
|
Nice! So looks like we've narrowed the issue down. I guess the best way to fix this is to get Gophercloud patched to accept Out of curiosity, is it just -1 that is being changed by Contrail / Neutron? Is it accepting other ICMP types and codes? |
|
Really sorry for the late reply..been a bit busy this days. |
|
No problem at all. Would you guys agree that fixing #4716 is an acceptable solution to this problem? |
|
I'm fine - but unfortunately, nobody picks up mine (or anyone else) fix for gophercloud lib... |
|
It can sometimes take a while to get patches into Gophercloud. Don't get discouraged 😄 |
|
BTW: I'm going to close this issue since #4716 will resolve the core problem. |
|
👍 |
|
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further. |
ghost
locked and limited conversation to collaborators
I have issue similar to #3816 or #3770 - I can't re-apply secgroup config twice, even if no changes.
It's quite easy to reproduce:
I'm running terraform 0.6.9 on Mac OS X and Openstack Kilo.
I just run "git bisect" and got broken commit -
Yes, it's #3857 - which is fixing both #3816 and #3770
The text was updated successfully, but these errors were encountered: