You are viewing a plain text version of this content. The canonical link for it is here.
Posted to user@jclouds.apache.org by liang cheng <li...@gmail.com> on 2015/01/03 00:07:56 UTC
ec2 security group can't be deleted
Hi,
I'm trying to use "jclouds-examples/compute-basics" to deploy and undeploy
EC2 nodes. The deployment works fine. When I try to undeploy ("destroy")
the node, I found the "security group" created by jclouds can't be deleted.
Below is the log printed.
>> destroying nodes in group liang
- >> destroying nodes
matching(And(Not(TERMINATED),inGroup(liang))) - >>
destroying node(us-east-1/i-f8391506)
- << destroyed node(us-east-1/i-f8391506)
success(false) - << destroyed(1)
- >> deleting
incidentalResources({region=us-east-1, name=liang})
- >> deleting securityGroup(jclouds#liang)
- << inUse
incidentalResources({region=us-east-1, name=liang})
- >> deleting incidentalResources({region=us-east-1, name=liang})
- >> deleting securityGroup(jclouds#liang)
- << inUse
incidentalResources({region=us-east-1, name=liang})
- >> deleting incidentalResources({region=us-east-1, name=liang})
- >> deleting securityGroup(jclouds#liang)
- << inUse
incidentalResources({region=us-east-1, name=liang})
- >> deleting incidentalResources({region=us-east-1, name=liang})
- >> deleting securityGroup(jclouds#liang)
- << inUse
incidentalResources({region=us-east-1, name=liang})
- >> deleting incidentalResources({region=us-east-1, name=liang})
- >> deleting securityGroup(jclouds#liang)
- << inUse
incidentalResources({region=us-east-1, name=liang})
- >> deleting incidentalResources({region=us-east-1, name=liang})
- >> deleting securityGroup(jclouds#liang)
- << inUse
incidentalResources({region=us-east-1, name=liang})
Is this issue expected for jclouds at EC2 ?
Thanks,
-Liang
Re: ec2 security group can't be deleted
Posted by Andrew Phillips <an...@apache.org>.
> The solution (reference [2]) provided by Aled works great - it deleted all
> the jclouds related keypairs and security groups.
Glad to hear...thanks for letting us know!
Regards
ap
Re: ec2 security group can't be deleted
Posted by liang cheng <li...@gmail.com>.
Hi Aled and Andrew,
The solution (reference [2]) provided by Aled works great - it deleted all
the jclouds related keypairs and security groups.
Thanks,
-Liang
On Sat, Jan 3, 2015 at 11:33 PM, liang cheng <li...@gmail.com> wrote:
> Hi Aled,
>
> Thank you so much. I'll give it a try.
>
> -Liang
>
> On Sat, Jan 3, 2015 at 5:55 AM, Aled Sage <al...@gmail.com> wrote:
>
>> Hi Liang,
>>
>> I presume you are just doing a "destroy", with that automatically trying
>> to delete the security group (rather than an explicit deleteSecurityGroup
>> by you)?
>>
>> This bug is reported in [1].
>>
>> There are instructions for how to delete the old security groups and
>> key-pairs at [2].
>>
>> ---
>> There seems to be eventual consistency within EC2 for when the security
>> group is no longer in use. After terminating the VM, it can take anywhere
>> from immediate to several minutes before an attempted deletion of the
>> security group will succeed (it fails if it thinks there is still a VM
>> using the security group). jclouds does a retry 3 times to delete it, but
>> it doesn't wait for several minutes.
>>
>> An alternative could be: on delete, query EC2 to find the VMs using the
>> security group, and then query those VMs' states to see if they are not
>> termianted (or short-cut that if we know we currently deleting the only VM
>> in that list) - we could then keep trying for 5 or 10 minutes. But that
>> doesn't sound ideal either.
>>
>> Aled
>>
>> [1] https://issues.apache.org/jira/browse/JCLOUDS-207
>> [2] http://www.cloudsoftcorp.com/blog/2013/03/tidying-up-after-jclouds/
>>
>>
>>
>> On 03/01/2015 11:19, Andrew Phillips wrote:
>>
>>> Hi Liang
>>>
>>> Is this behaviour reproducible, i.e. does it happen every time you run
>>> the example? If you add some wait time to the example code between the
>>> moment it destroys the node and tries to delete the security group, do you
>>> get the same result?
>>>
>>> Regards
>>>
>>> ap
>>>
>>
>>
>
Re: ec2 security group can't be deleted
Posted by liang cheng <li...@gmail.com>.
Hi Aled,
Thank you so much. I'll give it a try.
-Liang
On Sat, Jan 3, 2015 at 5:55 AM, Aled Sage <al...@gmail.com> wrote:
> Hi Liang,
>
> I presume you are just doing a "destroy", with that automatically trying
> to delete the security group (rather than an explicit deleteSecurityGroup
> by you)?
>
> This bug is reported in [1].
>
> There are instructions for how to delete the old security groups and
> key-pairs at [2].
>
> ---
> There seems to be eventual consistency within EC2 for when the security
> group is no longer in use. After terminating the VM, it can take anywhere
> from immediate to several minutes before an attempted deletion of the
> security group will succeed (it fails if it thinks there is still a VM
> using the security group). jclouds does a retry 3 times to delete it, but
> it doesn't wait for several minutes.
>
> An alternative could be: on delete, query EC2 to find the VMs using the
> security group, and then query those VMs' states to see if they are not
> termianted (or short-cut that if we know we currently deleting the only VM
> in that list) - we could then keep trying for 5 or 10 minutes. But that
> doesn't sound ideal either.
>
> Aled
>
> [1] https://issues.apache.org/jira/browse/JCLOUDS-207
> [2] http://www.cloudsoftcorp.com/blog/2013/03/tidying-up-after-jclouds/
>
>
>
> On 03/01/2015 11:19, Andrew Phillips wrote:
>
>> Hi Liang
>>
>> Is this behaviour reproducible, i.e. does it happen every time you run
>> the example? If you add some wait time to the example code between the
>> moment it destroys the node and tries to delete the security group, do you
>> get the same result?
>>
>> Regards
>>
>> ap
>>
>
>
Re: ec2 security group can't be deleted
Posted by Aled Sage <al...@gmail.com>.
Hi Liang,
I presume you are just doing a "destroy", with that automatically trying
to delete the security group (rather than an explicit
deleteSecurityGroup by you)?
This bug is reported in [1].
There are instructions for how to delete the old security groups and
key-pairs at [2].
---
There seems to be eventual consistency within EC2 for when the security
group is no longer in use. After terminating the VM, it can take
anywhere from immediate to several minutes before an attempted deletion
of the security group will succeed (it fails if it thinks there is still
a VM using the security group). jclouds does a retry 3 times to delete
it, but it doesn't wait for several minutes.
An alternative could be: on delete, query EC2 to find the VMs using the
security group, and then query those VMs' states to see if they are not
termianted (or short-cut that if we know we currently deleting the only
VM in that list) - we could then keep trying for 5 or 10 minutes. But
that doesn't sound ideal either.
Aled
[1] https://issues.apache.org/jira/browse/JCLOUDS-207
[2] http://www.cloudsoftcorp.com/blog/2013/03/tidying-up-after-jclouds/
On 03/01/2015 11:19, Andrew Phillips wrote:
> Hi Liang
>
> Is this behaviour reproducible, i.e. does it happen every time you run
> the example? If you add some wait time to the example code between the
> moment it destroys the node and tries to delete the security group, do
> you get the same result?
>
> Regards
>
> ap
Re: ec2 security group can't be deleted
Posted by liang cheng <li...@gmail.com>.
Hi Andrew,
Thanks for the message. Yes the behavior is reproducible. Waiting some time
doesn't solve it. I did some investigation and found the security group is
using itself as the source rule. That means you have to delete the source
rule from that security group and then you can delete the security group
itself.
Aled gave a solution that I will try tomorrow.
Thanks,
-Liang
On Sat, Jan 3, 2015 at 3:19 AM, Andrew Phillips <an...@apache.org> wrote:
> Hi Liang
>
> Is this behaviour reproducible, i.e. does it happen every time you run the
> example? If you add some wait time to the example code between the moment
> it destroys the node and tries to delete the security group, do you get the
> same result?
>
> Regards
>
> ap
>
Re: ec2 security group can't be deleted
Posted by Andrew Phillips <an...@apache.org>.
Hi Liang
Is this behaviour reproducible, i.e. does it happen every time you run
the example? If you add some wait time to the example code between the
moment it destroys the node and tries to delete the security group, do
you get the same result?
Regards
ap