Page MenuHomePhabricator
Create Task
Maniphest T333874

Permission error while trying to create magnum cluster
Closed, ResolvedPublicBUG REPORT
Actions

Description

Steps to replicate the issue (include links if applicable):

  • create "jump" bastion box in "duct" CloudVPS project
  • create application credentials for duct with role "member" and "Unrestricted (dangerous)" checked
  • download openrc.sh for application credential
  • scp openrc.sh for application credential onto "jump"
  • ssh onto "jump"
  • sudo apt install python3-magnumclient
  • source app-cred-duct-magnum-openrc.sh
  • openstack coe cluster create duct --cluster-template k8s23 --master-count 1 --node-count 1
  • watch openstack coe cluster list
  • openstack coe cluster show duct

What happens?:

status changes to "CREATE_FAILED" with faults

default-master: 'Resource CREATE failed: Forbidden: resources.kube_masters.resources[0].resources.kube_master_eth0:
  ((rule: create_port and (rule: create_port: fixed_ips and (rule: create_port:
  fixed_ips: subnet_id))) and (rule: create_port: allowed_address_pairs and (rule:
  create_port: allowed_address_pairs: ip_address))) is disallowed by policy

  Neutron server returns request_ids: [''req-14215cec-59f7-4d23-9793-dc3ab7cea49b'']'
default-worker: 'Resource CREATE failed: Forbidden: resources.kube_masters.resources[0].resources.kube_master_eth0:
  ((rule: create_port and (rule: create_port: fixed_ips and (rule: create_port:
  fixed_ips: subnet_id))) and (rule: create_port: allowed_address_pairs and (rule:
  create_port: allowed_address_pairs: ip_address))) is disallowed by policy

  Neutron server returns request_ids: [''req-14215cec-59f7-4d23-9793-dc3ab7cea49b'']'

What should have happened instead?:

The cluster should have been successfully created.

Software version (skip for WMF-hosted wikis like Wikipedia):

kindrobot@jump:~$ openstack --version
openstack 5.8.0

Other information (browser name/version, screenshots, etc.):
Full output of openstack coe cluster show duct -f yaml

status: CREATE_FAILED
health_status: null
cluster_template_id: bdaab57a-b784-483b-aa48-2600f228557f
node_addresses: []
uuid: a37ad549-8c24-4fb1-9451-aefa8f5bddfe
stack_id: 88ca1d41-0817-446e-a128-f5875fa21741
status_reason: default-master failed, default-worker failed
created_at: '2023-04-03T19:15:20+00:00'
updated_at: '2023-04-03T19:15:53+00:00'
coe_version: v1.23.15-rancher1-linux-amd64
labels:
  cloud_provider_enabled: 'true'
  hyperkube_prefix: docker.io/rancher/
  kube_tag: v1.23.15-rancher1-linux-amd64
labels_overridden: {}
labels_skipped: {}
labels_added: {}
fixed_network: lan-flat-cloudinstances2b
fixed_subnet: cloud-instances2-b-eqiad
floating_ip_enabled: false
faults:
  default-master: 'Resource CREATE failed: Forbidden: resources.kube_masters.resources[0].resources.kube_master_eth0:
    ((rule: create_port and (rule: create_port: fixed_ips and (rule: create_port:
    fixed_ips: subnet_id))) and (rule: create_port: allowed_address_pairs and (rule:
    create_port: allowed_address_pairs: ip_address))) is disallowed by policy

    Neutron server returns request_ids: [''req-14215cec-59f7-4d23-9793-dc3ab7cea49b'']'
  default-worker: 'Resource CREATE failed: Forbidden: resources.kube_masters.resources[0].resources.kube_master_eth0:
    ((rule: create_port and (rule: create_port: fixed_ips and (rule: create_port:
    fixed_ips: subnet_id))) and (rule: create_port: allowed_address_pairs and (rule:
    create_port: allowed_address_pairs: ip_address))) is disallowed by policy

    Neutron server returns request_ids: [''req-14215cec-59f7-4d23-9793-dc3ab7cea49b'']'
keypair: null
api_address: null
master_addresses: []
master_lb_enabled: false
create_timeout: 60
node_count: 1
discovery_url: https://discovery.etcd.io/9e08bedb2aac98ef6ad59211c548f1c8
docker_volume_size: 20
master_count: 1
container_version: 1.12.6
name: duct
master_flavor_id: g3.cores2.ram4.disk20
flavor_id: g3.cores2.ram4.disk20
health_status_reason: {}
project_id: duct

Details

Related Changes in Gerrit:
SubjectRepoBranchLines +/-
neutron policy: more policy rule changes to support our shared networkoperations/puppetproduction+5 -0
neutron policy: policy rules to permit members to create magnum clustersoperations/puppetproduction+10 -0
Heat and Magnum: include service token with subcallsoperations/puppetproduction+4 -0
Customize query in gerrit

Related Objects
Search...

Event Timeline

SDunlap created this task.Apr 3 2023, 7:35 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptApr 3 2023, 7:35 PM
taavi subscribed.EditedApr 3 2023, 7:41 PM

This looks like Magnum trying to manage network stuff (namely managing ports) that's restricted to admins only in our particular OpenStack deployment. :/

rook added subscribers: Andrew, rook.Apr 3 2023, 7:43 PM
rook added a parent task: T328712: Create a community offering of OpenStack Magnum.Apr 3 2023, 7:58 PM
rook added a subtask: T326435: Investigate ansible/terraform to deploy paws to codfw1dev.Apr 4 2023, 11:55 AM
rook added a project: PAWS.

This is the same error that occurs when trying to deploy magnum with terraform

rook closed subtask T326435: Investigate ansible/terraform to deploy paws to codfw1dev as Resolved.Apr 4 2023, 11:56 AM
rook added a subscriber: Jelto.May 21 2023, 9:42 PM
rook added a subtask: T336941: Create a #openstack-magnum.May 22 2023, 12:07 PM
Framawiki awarded a token.May 25 2023, 5:47 PM
nskaggs closed subtask T336941: Create a #openstack-magnum as Resolved.May 26 2023, 6:04 PM
rook edited projects, added Openstack-Magnum; removed Cloud-VPS.May 26 2023, 6:09 PM
rook moved this task from Backlog to Dysfunction on the Openstack-Magnum board.
rook mentioned this in T337559: TF code to test all the things.May 31 2023, 6:57 PM
rook added a parent task: T337559: TF code to test all the things.
bd808 subscribed.Jun 15 2023, 6:18 PM
Andrew added a comment.Jun 15 2023, 6:25 PM

I am testing this today (in your project 'duct') sorry in advance for the noise and whatever cruft gets left behind.

Andrew added a comment.Jun 15 2023, 6:35 PM

to my surprise, reverting to the default upstream neutron policies does not seem to change this result.

gerritbot added a comment.Jun 15 2023, 6:46 PM

Change 930676 had a related patch set uploaded (by Andrew Bogott; author: Andrew Bogott):

[operations/puppet@production] Heat and Magnum: include service token with subcalls

https://gerrit.wikimedia.org/r/930676

gerritbot added a project: Patch-For-Review.Jun 15 2023, 6:46 PM
gerritbot added a comment.Jun 15 2023, 6:48 PM

Change 930676 merged by Andrew Bogott:

[operations/puppet@production] Heat and Magnum: include service token with subcalls

https://gerrit.wikimedia.org/r/930676

Maintenance_bot removed a project: Patch-For-Review.Jun 15 2023, 7:11 PM
gerritbot added a comment.Jun 15 2023, 7:32 PM

Change 930681 had a related patch set uploaded (by Andrew Bogott; author: Andrew Bogott):

[operations/puppet@production] neutron policy: policy rules to permit members to create magnum clusters

https://gerrit.wikimedia.org/r/930681

gerritbot added a project: Patch-For-Review.Jun 15 2023, 7:32 PM

Change 930681 merged by Andrew Bogott:

[operations/puppet@production] neutron policy: policy rules to permit members to create magnum clusters

https://gerrit.wikimedia.org/r/930681

Andrew closed this task as Resolved.Jun 15 2023, 7:50 PM
Andrew claimed this task.

I can't make promises about the magnum cluster itself, but this particular auth issue should be fixed. Please re-open if you see it again.

Note that I had to increase your cores/RAM quotas slightly to actually create a a cluster as the project was mostly full already. I'm going to leave them where they are (+2 cores and +4G ram) so you don't have to bump up against that second problem.

Maintenance_bot removed a project: Patch-For-Review.Jun 15 2023, 8:10 PM
gerritbot added a comment.Jun 15 2023, 8:15 PM

Change 930683 had a related patch set uploaded (by Andrew Bogott; author: Andrew Bogott):

[operations/puppet@production] neutron policy: more policy rule changes to support our shared network

https://gerrit.wikimedia.org/r/930683

gerritbot added a project: Patch-For-Review.Jun 15 2023, 8:15 PM
gerritbot added a comment.Jun 15 2023, 8:20 PM

Change 930683 merged by Andrew Bogott:

[operations/puppet@production] neutron policy: more policy rule changes to support our shared network

https://gerrit.wikimedia.org/r/930683

Maintenance_bot removed a project: Patch-For-Review.Jun 15 2023, 8:29 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits