Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1601752

Summary: [ansible-2.6] Failed to create ec2 security group due to the unsupported module port "all"
Product: OpenShift Container Platform Reporter: sheng.lao <shlao>
Component: InstallerAssignee: Chris Callegari <ccallega>
Status: CLOSED ERRATA QA Contact: sheng.lao <shlao>
Severity: medium Docs Contact:
Priority: medium    
Version: 3.11.0CC: aos-bugs, jokerman, mmccomas, wmeng
Target Milestone: ---   
Target Release: 3.11.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Cause: An update to the AWS api disallowed applications from using the 'all' value to security_group rules. Consequence: Downstream applications Boto, Boto3 and Ansible will fail to create a security_group rule when using value 'all' Fix: openshift-installer task has been updated to use port range 1 - 65535 in replacement of the 'all' value. Result: security_group rule is successfully created.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2018-10-11 07:21:41 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description sheng.lao 2018-07-17 07:51:01 UTC 
Description of problem:
Simliar upstream issue: https://github.com/ansible/ansible/issues/42230

When using the ansible-2.6 to creat Aws scale group, with prerequisites.yml. Installer failed to create ec2 security group due to the unsupported module port "all"

The default port "all" against security group seems not be supported in ansible-2.6 native module ec2_group.

openshift_aws_node_security_groups is defined in the playbook:
roles/openshift_aws/defaults/main.yml
258 openshift_aws_node_security_groups:
259   default:                                
<--snip-->
267     - proto: all
268       from_port: all
269       to_port: all                                   
<--snip-->

and is uesed in roles/openshift_aws/tasks/security_group.yml
  9 - name: create the node group sgs
 10   ec2_group:
 <--snip-->
 16   with_dict: "{{ openshift_aws_node_security_groups }}"

Version-Release number of the following components:
openshift-ansible: git master branch: a7cab9f1218b7

# rpm -qa |grep ansible
ansible-2.6.1-1.el7ae.noarch

# ansible --version
ansible 2.6.1
  config file = /root/openshift-ansible/ansible.cfg
  configured module search path = [u'/root/.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python2.7/site-packages/ansible
  executable location = /usr/bin/ansible
  python version = 2.7.5 (default, Apr 11 2018, 07:36:10) [GCC 4.8.5 20150623 (Red Hat 4.8.5-28)]


How reproducible:
always

Steps to Reproduce:
1. ansible-playbook -i inventory.yml playbooks/aws/openshift-cluster/prerequisites.yml -e @provisioning_vars.yml
2.
3.

Actual results:
TASK [openshift_aws : create the node group sgs] *************************************************************************************************task path: /root/openshift-ansible/roles/openshift_aws/tasks/security_group.yml:9
Tuesday 17 July 2018  02:45:00 -0400 (0:00:02.903)       0:00:20.540 ********** 
Using module file /usr/lib/python2.7/site-packages/ansible/modules/cloud/amazon/ec2_group.py
<127.0.0.1> ESTABLISH LOCAL CONNECTION FOR USER: root
<127.0.0.1> EXEC /bin/sh -c '/usr/bin/python2 && sleep 0'
The full traceback is:
Traceback (most recent call last):
  File "/tmp/ansible_TPFk1j/ansible_module_ec2_group.py", line 1021, in <module>
    main() 
  File "/tmp/ansible_TPFk1j/ansible_module_ec2_group.py", line 875, in main
    rules = deduplicate_rules_args(rules_expand_sources(rules_expand_ports(module.params['rules'])))
  File "/tmp/ansible_TPFk1j/ansible_module_ec2_group.py", line 607, in rules_expand_ports
    for rule in rule_expand_ports(rule_complex)]
  File "/tmp/ansible_TPFk1j/ansible_module_ec2_group.py", line 584, in rule_expand_ports
    rule['from_port'] = int(rule.get('from_port'))
ValueError: invalid literal for int() with base 10: 'all'

Expected results:
asnsible job is success

Additional info:
Please attach logs from ansible-playbook with the -vvv flag
Comment 1 Chris Callegari 2018-08-08 14:51:11 UTC 
The fix for this issue has been committed and merged via pull/9390

https://github.com/openshift/openshift-ansible/pull/9390/commits/8946f22cc7aa0bfefb73cade49cfaab200116e88#diff-28877217ed3fe1943b811f9f27bcdb6fL268-269
Comment 2 Scott Dodson 2018-08-14 21:24:50 UTC 
Should be in openshift-ansible-3.11.0-0.15.0
Comment 3 sheng.lao 2018-08-16 06:38:47 UTC 
Fixed at: openshift-ansible-3.11.0-0.15.0
Comment 5 errata-xmlrpc 2018-10-11 07:21:41 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:2652