opentelekomcloud / otc-tools

(Deprecated) Simple bash/curl/jq based command line tool using the OpenStack and OTC specific REST APIs.
Creative Commons Attribution Share Alike 4.0 International

Unable to delete security group #43

Closed mvasilenko closed 6 years ago

mvasilenko commented 6 years ago

Hello, I'm trying to provision infrastructure in OpenTelekomCloud, using Terraform with the opentelekomcloud provider as described here https://github.com/terraform-providers/terraform-provider-opentelekomcloud/tree/master/examples

Got an error "Multiple possible networks found, use a Network ID to be more specific", how can I figure out the required network ID?

otc vpc list output

f80b14a3-9935-4f53-b203-e32ba501b88d   terraform-router   OK

otc subnet list output

067e5c19-e263-4ae6-8275-14b9f6d20f6c   terraform-subnet   UNKNOWN   192.168.10.0/24
d621e204-c0d3-4afb-833c-503a559034c3   terraform-subnet   UNKNOWN   192.168.10.0/24

otc security-group list output

16cde707-e25c-4025-aad9-856d92e1d817   terraform-secgrp-web
6a634cd8-1037-4c0a-8892-7366262a41cc   terraform-secgrp-web
804c67bf-4a0e-48a6-ae8b-1791af58dda9   default   default

otc ecs list output is empty

I'm unable to delete empty security groups, why?

$ otc security-group delete 6a634cd8-1037-4c0a-8892-7366262a41cc
ERROR[] : Security Group 6a634cd8-1037-4c0a-8892-7366262a41cc in use.

$ otc security-group delete 16cde707-e25c-4025-aad9-856d92e1d817
ERROR[] : Security Group 16cde707-e25c-4025-aad9-856d92e1d817 in use.

When trying to delete from the web interface, I got a more specific error - "The security group contains ECSs. Delete them and try again." - but there are no active or deleted ECSes.

Am I doing something wrong? Any help would be appreciated.

garloff commented 6 years ago

Hi Mikhail,

just a few quick hints as I'm travelling:

I hope this is helpful to you -- if not, feel free to ask back!

-- Kurt


-- Kurt Garloff Head Architect OpenTelekomCloud T-Systems International GmbH Hahnstr. 43, Frankfurt a.M., DE

mvasilenko commented 6 years ago

@garloff thank you for the quick response!

Not sure how the ports are tied to security groups, but I'm unable to delete the port

$ openstack port show 276f22eb-45ec-4810-95c4-c3d5d9bcfb35
+-----------------------+--------------------------------------+
| Field                 | Value                                |
+-----------------------+--------------------------------------+
| admin_state_up        | UP                                   |
| allowed_address_pairs |                                      |
| binding_host_id       | None                                 |
| binding_profile       | None                                 |
| binding_vif_details   |                                      |
| binding_vif_type      | None                                 |
| binding_vnic_type     | normal                               |
| created_at            | None                                 |
| data_plane_status     | None                                 |
| description           | None                                 |
| device_id             |                                      |
| device_owner          | network:dhcp                         |
| dns_assignment        | None                                 |
| dns_name              | None                                 |
| extra_dhcp_opts       |                                      |
| fixed_ips             |                                      |
| id                    | 276f22eb-45ec-4810-95c4-c3d5d9bcfb35 |
| ip_address            | None                                 |
| mac_address           | fa:16:3e:b8:bb:e3                    |
| name                  |                                      |
| network_id            | d621e204-c0d3-4afb-833c-503a559034c3 |
| option_name           | None                                 |
| option_value          | None                                 |
| port_security_enabled | False                                |
| project_id            | 5a42c10c439944eb8cc2065832314326     |
| qos_policy_id         | None                                 |
| revision_number       | None                                 |
| security_group_ids    |                                      |
| status                | DOWN                                 |
| subnet_id             | None                                 |
| tags                  |                                      |
| trunk_details         | None                                 |
| updated_at            | None                                 |
+-----------------------+--------------------------------------+

28formica77 commented 6 years ago

Hi Mikhail,

What Kurt is saying is there must be at least one port with this security group assigned. You don't need to delete the port, just clear the security group. For the port you show, it does not look like there is a security group assigned but there must be another.

If this is a persistent issue with Terraform, I would be happy to look at your code or a sample that exhibits the problem.

Regards

Anthony

mvasilenko commented 6 years ago

Dear Anthony, thank you for the answer. Here is the list of security groups I can't delete, I've renamed them to staleX

+--------------------------------------+------------------------+--------------------------+----------------------------------+
| ID                                   | Name                   | Description              | Project                          |
+--------------------------------------+------------------------+--------------------------+----------------------------------+
| 16cde707-e25c-4025-aad9-856d92e1d817 | stale1                 | Webserver Security Group | 5a42c10c439944eb8cc2065832314326 |
| 6a634cd8-1037-4c0a-8892-7366262a41cc | stale2                 | Webserver Security Group | 5a42c10c439944eb8cc2065832314326 |

Ports tied to those security groups are:

b6d80a31-2395-4d9d-9f2b-52a937a3279a
| port_security_enabled | False                                |
| security_group_ids    | 6a634cd8-1037-4c0a-8892-7366262a41cc |
da913a76-e1ca-4e0b-ad84-838fef6b6cf3
| port_security_enabled | False                                |
| security_group_ids    | 16cde707-e25c-4025-aad9-856d92e1d817 |

When I try to remove the security group from the port, the openstack client receives an error

$ openstack port unset --security-group 6a634cd8-1037-4c0a-8892-7366262a41cc b6d80a31-2395-4d9d-9f2b-52a937a3279a
BadRequestException: Unknown error

$ openstack port unset --security-group 16cde707-e25c-4025-aad9-856d92e1d817 da913a76-e1ca-4e0b-ad84-838fef6b6cf3
BadRequestException: Unknown error

$ openstack port set --no-security-group da913a76-e1ca-4e0b-ad84-838fef6b6cf3
BadRequestException: Unknown error

$ openstack port set b6d80a31-2395-4d9d-9f2b-52a937a3279a --no-security-group
BadRequestException: Unknown error

mvasilenko commented 6 years ago

Also, about Terraform - what I'm looking for is a template for managing, say, 10-20 VMs with my app, which consists of, say, 10 containers. Now I'm using bare metal with haproxy + docker-compose for that, any advice would help. I've tried the example at the top of the page, but hit an issue which forces re-creating the VMs at each apply.

gtema commented 6 years ago

I would probably still use Ansible or use OpenStackSDK to have full control over the VMs. When (if) Heat is finally stable in OpenShift SDK/CLI you can switch to that. I haven't tried it yet, but support for Ansible/Heat is there, so theoretically you can try this directly.

Managing containers is actually more of a Kubernetes/Openshift/Cloud foundry/DockerSwarm task.

Regards, Artem


mvasilenko commented 6 years ago

Just a quick follow-up - if you want to delete a security group which is bound to a port, you need to delete the port first, so I've removed the ports, and then the security group. Closing this.
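
The dependency behind the "in use" error in this thread, as an added example (not part of the original discussion and not otc-tools code): it maps each security group to the ports that still reference it and orders the deletions accordingly. The port records are a constructed sample shaped like `openstack port show -f json` output, reduced to the fields quoted above; the function names are hypothetical.

```python
import json

# Constructed sample shaped like `openstack port show -f json`, reduced to the
# fields quoted in this thread; the IDs are the ones posted above.
PORTS = json.loads("""[
  {"id": "276f22eb-45ec-4810-95c4-c3d5d9bcfb35", "device_owner": "network:dhcp",
   "security_group_ids": []},
  {"id": "b6d80a31-2395-4d9d-9f2b-52a937a3279a",
   "security_group_ids": ["6a634cd8-1037-4c0a-8892-7366262a41cc"]},
  {"id": "da913a76-e1ca-4e0b-ad84-838fef6b6cf3",
   "security_group_ids": "16cde707-e25c-4025-aad9-856d92e1d817"}
]""")
STALE_GROUPS = ["16cde707-e25c-4025-aad9-856d92e1d817",
                "6a634cd8-1037-4c0a-8892-7366262a41cc"]


def group_ids_of(port):
    """Return a port's security groups as a list (JSON list or table text)."""
    value = port.get("security_group_ids") or []
    if isinstance(value, str):
        return value.replace(",", " ").split()
    return list(value)


def ports_blocking(ports, group_ids):
    """Map each security group ID to the ports that still reference it."""
    blocking = {gid: [] for gid in group_ids}
    for port in ports:
        for gid in group_ids_of(port):
            if gid in blocking:
                blocking[gid].append(port["id"])
    return blocking


def cleanup_plan(ports, group_ids):
    """Order deletions so each referencing port precedes its security group."""
    plan, seen = [], set()
    for gid, port_ids in ports_blocking(ports, group_ids).items():
        for pid in port_ids:
            if pid not in seen:  # a port may reference several groups
                seen.add(pid)
                plan.append(("port", pid))
        plan.append(("security-group", gid))
    return plan


if __name__ == "__main__":
    for kind, ident in cleanup_plan(PORTS, STALE_GROUPS):
        print(kind, ident)
```

Before acting on such a plan, check each listed port's `device_owner` and `status`, since a port that is still attached to a device should not be deleted just to free a security group.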