Bug 1601752 - [ansible-2.6] Failed to create ec2 security group due to the unsupported module port "all"
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Installer
Version: 3.11.0
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: ---
Target Release: 3.11.0
Assignee: Chris Callegari
QA Contact: sheng.lao
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2018-07-17 07:51 UTC by sheng.lao
Modified: 2018-10-11 07:22 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Cause: An update to the AWS API disallowed applications from using the 'all' value in security_group rules.
Consequence: Downstream applications Boto, Boto3 and Ansible will fail to create a security_group rule when using the value 'all'.
Fix: The openshift-installer task has been updated to use port range 1 - 65535 in place of the 'all' value.
Result: The security_group rule is successfully created.
Clone Of:
Environment:
Last Closed: 2018-10-11 07:21:41 UTC
Target Upstream Version:
Embargoed:


Links
System                   ID              Private  Priority  Status  Summary  Last Updated
Red Hat Product Errata   RHBA-2018:2652  0        None      None    None     2018-10-11 07:22:03 UTC

Description sheng.lao 2018-07-17 07:51:01 UTC
Description of problem:
Similar upstream issue: https://github.com/ansible/ansible/issues/42230

When using ansible-2.6 to create an AWS scale group with prerequisites.yml, the installer failed to create the ec2 security group due to the unsupported module port "all".

The default port "all" for the security group seems not to be supported in the ansible-2.6 native module ec2_group.

openshift_aws_node_security_groups is defined in the playbook:
roles/openshift_aws/defaults/main.yml
258 openshift_aws_node_security_groups:
259   default:                                
<--snip-->
267     - proto: all
268       from_port: all
269       to_port: all                                   
<--snip-->

and is used in roles/openshift_aws/tasks/security_group.yml
  9 - name: create the node group sgs
 10   ec2_group:
 <--snip-->
 16   with_dict: "{{ openshift_aws_node_security_groups }}"

Version-Release number of the following components:
openshift-ansible: git master branch: a7cab9f1218b7

# rpm -qa |grep ansible
ansible-2.6.1-1.el7ae.noarch

# ansible --version
ansible 2.6.1
  config file = /root/openshift-ansible/ansible.cfg
  configured module search path = [u'/root/.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python2.7/site-packages/ansible
  executable location = /usr/bin/ansible
  python version = 2.7.5 (default, Apr 11 2018, 07:36:10) [GCC 4.8.5 20150623 (Red Hat 4.8.5-28)]


How reproducible:
always

Steps to Reproduce:
1. ansible-playbook -i inventory.yml playbooks/aws/openshift-cluster/prerequisites.yml -e @provisioning_vars.yml

Actual results:
TASK [openshift_aws : create the node group sgs] *************************************************************************************************
task path: /root/openshift-ansible/roles/openshift_aws/tasks/security_group.yml:9
Tuesday 17 July 2018  02:45:00 -0400 (0:00:02.903)       0:00:20.540 ********** 
Using module file /usr/lib/python2.7/site-packages/ansible/modules/cloud/amazon/ec2_group.py
<127.0.0.1> ESTABLISH LOCAL CONNECTION FOR USER: root
<127.0.0.1> EXEC /bin/sh -c '/usr/bin/python2 && sleep 0'
The full traceback is:
Traceback (most recent call last):
  File "/tmp/ansible_TPFk1j/ansible_module_ec2_group.py", line 1021, in <module>
    main() 
  File "/tmp/ansible_TPFk1j/ansible_module_ec2_group.py", line 875, in main
    rules = deduplicate_rules_args(rules_expand_sources(rules_expand_ports(module.params['rules'])))
  File "/tmp/ansible_TPFk1j/ansible_module_ec2_group.py", line 607, in rules_expand_ports
    for rule in rule_expand_ports(rule_complex)]
  File "/tmp/ansible_TPFk1j/ansible_module_ec2_group.py", line 584, in rule_expand_ports
    rule['from_port'] = int(rule.get('from_port'))
ValueError: invalid literal for int() with base 10: 'all'

Expected results:
ansible job succeeds

Additional info:
Please attach logs from ansible-playbook with the -vvv flag
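
Added example, not part of the original report and not code from openshift-ansible or Ansible: a pre-flight check that finds security group rules whose port values would hit the int() conversion failure shown in the traceback, plus the replacement described in the Doc Text. The dictionary layout (group name -> {"rules": [...]}), the function names and the first sample rule are assumptions made for illustration.

```python
import copy

# Constructed sample shaped like openshift_aws_node_security_groups (assumed
# layout). Only the proto/from_port/to_port values of the second rule are
# taken from the bug report; everything else is made up for the example.
SAMPLE_GROUPS = {
    "default": {
        "rules": [
            {"proto": "tcp", "from_port": 22, "to_port": 22, "cidr_ip": "0.0.0.0/0"},
            {"proto": "all", "from_port": "all", "to_port": "all", "group_name": "default"},
        ]
    }
}

PORT_MIN, PORT_MAX = 1, 65535  # range named in the Doc Text fix


def port_problem(value):
    """Return a reason string if value cannot be converted to a port, else None."""
    try:
        int(value)  # same conversion that raised ValueError in the traceback
    except (TypeError, ValueError):
        return "not an integer: %r" % (value,)
    return None


def lint_groups(groups):
    """List (group, rule_index, field, reason) for every unusable port value."""
    findings = []
    for name, group in sorted(groups.items()):
        for idx, rule in enumerate(group.get("rules", [])):
            for field in ("from_port", "to_port"):
                reason = port_problem(rule.get(field))
                if reason:
                    findings.append((name, idx, field, reason))
    return findings


def apply_doc_text_fix(groups):
    """Return a copy in which literal 'all' ports become 1 and 65535.

    The proto field is left untouched; the Doc Text only mentions ports.
    """
    fixed = copy.deepcopy(groups)
    for group in fixed.values():
        for rule in group.get("rules", []):
            if rule.get("from_port") == "all":
                rule["from_port"] = PORT_MIN
            if rule.get("to_port") == "all":
                rule["to_port"] = PORT_MAX
    return fixed
```
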

Comment 1 Chris Callegari 2018-08-08 14:51:11 UTC
The fix for this issue has been committed and merged via pull/9390

https://github.com/openshift/openshift-ansible/pull/9390/commits/8946f22cc7aa0bfefb73cade49cfaab200116e88#diff-28877217ed3fe1943b811f9f27bcdb6fL268-269

Comment 2 Scott Dodson 2018-08-14 21:24:50 UTC
Should be in openshift-ansible-3.11.0-0.15.0

Comment 3 sheng.lao 2018-08-16 06:38:47 UTC
Fixed at: openshift-ansible-3.11.0-0.15.0

Comment 5 errata-xmlrpc 2018-10-11 07:21:41 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:2652

