gce_net silently fails when fwname already exists on another network #6757
Comments
|
So this seems like a misconception to me. In the above, you issue a statement to open port 22, and in the command below, it says tcp 22 is allowed. Ansible is not designed to just only create resources, but is there to get resources to a desired state. In the example above, you asked for port 22 to be opened up, and then it was opened up. Perhaps I'm misunderstanding, but I don't view this as a failure. Can you explain in more detail? Thanks! |
|
The failure is that the firewall rule is applied to the wrong network! I suppose the real fault is with the GCE API, which puts firewall rules into a project namespace so that network-a and network-b can't both have a rule named "my-fw". But there's also a flaw in the gce_net abstraction, which treats fwname as an incidental attribute of the network such that "network-b exists with no firewall rule my-fw" is considered a success condition of "gce_net name=network-b fwname=my-fw ...". (I can assure you that creating a network with port 22 blocked is very much a failure state for my playbook!) |
|
Hi! Thanks very much for your interest in Ansible. It sincerely means a lot to us. On September 26, 2014, due to enormous levels of contribution to the project Ansible decided to reorganize module repos, making it easier We split modules from the main project off into two repos, http://github.com/ansible/ansible-modules-core and http://github.com/ansible/ansible-modules-extras If you would still like this ticket attended to, we will need your help in having it reopened in one of the two new repos, and instructions are provided below. We apologize that we are not able to make this transition happen seamlessly, though this is a one-time change and your help is greatly appreciated -- Both sets of modules will ship with Ansible, though they'll receive slightly different ticket handling. To locate where a module lives between 'core' and 'extras'
Additionally, should you need more help with this, you can ask questions on:
Thank you very much! |
Issue Type:
Bug report
Ansible Version:
ansible 1.6 (devel 8c7828d) last updated 2014/03/25 10:21:15 (GMT -700)
Environment:
Ubuntu 12.04.1
Summary:
gce_net tasks "succeed" even when the underlying firewall creation request fails.
Steps To Reproduce:
$ ansible localhost -i inventory -m gce_net -a "name=network-a ipv4_range=10.0.0.0/8"
$ ansible localhost -i inventory -m gce_net -a "name=network-a fwname=my-fw allowed=tcp:22"
$ ansible localhost -i inventory -m gce_net -a "name=network-b ipv4_range=10.0.0.0/8"
$ ansible localhost -i inventory -m gce_net -a "name=network-b fwname=my-fw allowed=tcp:22"
Expected Results:
Failure. The resource already exists with different attributes. E.g.,
$ gcutil addfirewall my-fw --network=network-b --allowed=tcp:22
INFO: Waiting for insert of firewall my-fw. Sleeping for 3s.
ERROR: RESOURCE_ALREADY_EXISTS: The resource 'projects/eastern-verbena-523/global/firewalls/my-fw' already exists
Actual Results:
$ ansible localhost -i inventory -m gce_net -a "name=network-b fwname=my-fw allowed=tcp:22"
localhost | success >> {
"allowed": "tcp:22",
"changed": false,
"fwname": "my-fw",
"ipv4_range": "10.0.0.0/8",
"name": "network-b",
"src_range": null,
"src_tags": null,
"state": "present"
}
But the firewall doesn't have the requested attributes:
$ gcutil getfirewall my-fw
+---------------+-------------------------------+
| name | my-fw |
| description | |
| creation-time | 2014-03-29T14:11:42.499-07:00 |
| network | network-a |
| source-ips | 0.0.0.0/0 |
| source-tags | |
| target-tags | |
| allowed | tcp: 22 |
+---------------+-------------------------------+
The text was updated successfully, but these errors were encountered: