Tested with 0.7.0 and 0.8.0-rc2.
Problem 1:
The env variable AWS_SECURITY_GROUP gets ignored.
When this is set to an alternative security group, docker-machine still uses security group 'docker-machine'.
Problem 2:
When specifying --amazonec2-security-group, I get the following error:
Error creating machine: Error in driver during machine creation: InvalidPermission.Duplicate: the specified rule "peer: 0.0.0.0/0, TCP, from port: 2376, to port: 2376, ALLOW" already exists
Would be great (amazing) if some of these actions could be a bit more idempotent, like checking if that security group permission existed before attempting to create a rule.
Some of this is unfortunate circumstances with AWS's API, and puts the onus on docker-machine to improve on (e.g., the AWS API would ideally see that the rule already exists and just ignore the update, rather than returning an error).
@jalbstmeijer You may need to delete the inbound rule created by docker-machine on that security group and then try again. (Although since this is 17 days later, you probably figured that out.)
Deleting the previously created SG entry and re-running the 'create' results in the same duplicate error.
Is there a way to tell the driver to leave the SGs be? If so, I'll just set up the required rules in another provisioning stage.
As it turns out, the easiest thing to do without sending a PR is to make sure your SG already has rules for tcp/22 and tcp/2376 before spinning up the machine:
https://github.com/docker/machine/blob/master/drivers/amazonec2/amazonec2.go#L1075
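The idempotent check the thread asks for, as an added example that is not docker-machine's code: given a group's existing inbound rules, compute which of the two rules the amazonec2 driver needs (tcp/22 and tcp/2376 from 0.0.0.0/0) are still missing, so only those are authorized and the InvalidPermission.Duplicate error above cannot occur. IngressRule, covers, MissingRules and DriverRules are hypothetical names and the sample rules are constructed; the real driver works with the AWS SDK's ec2.IpPermission type.

```go
package main

import "fmt"

// IngressRule is a simplified SG permission (hypothetical type; the driver uses the SDK's ec2.IpPermission).
type IngressRule struct {
	Proto            string // "tcp"
	FromPort, ToPort int64
	CIDR             string // e.g. "0.0.0.0/0"
}

// covers reports whether an existing rule already grants everything want
// asks for: same protocol and CIDR, and a port range containing want's.
func covers(have, want IngressRule) bool {
	return have.Proto == want.Proto && have.CIDR == want.CIDR &&
		have.FromPort <= want.FromPort && have.ToPort >= want.ToPort
}

// MissingRules returns the required rules not yet in the group, so only those get authorized.
func MissingRules(existing, required []IngressRule) []IngressRule {
	var missing []IngressRule
	for _, want := range required {
		found := false
		for _, have := range existing {
			if covers(have, want) {
				found = true
				break
			}
		}
		if !found {
			missing = append(missing, want)
		}
	}
	return missing
}

// DriverRules are the two inbound rules the amazonec2 driver requires.
var DriverRules = []IngressRule{
	{"tcp", 22, 22, "0.0.0.0/0"},
	{"tcp", 2376, 2376, "0.0.0.0/0"},
}

func main() {
	// Constructed sample: 2376 already open to the world (the duplicate in the
	// error above), SSH open only to an internal range, so only SSH is missing.
	existing := []IngressRule{{"tcp", 2376, 2376, "0.0.0.0/0"}, {"tcp", 22, 22, "10.0.0.0/8"}}
	for _, r := range MissingRules(existing, DriverRules) {
		fmt.Printf("would authorize %s %d-%d from %s\n", r.Proto, r.FromPort, r.ToPort, r.CIDR)
	}
}
```

Printing the missing rule instead of authorizing it lets the operator see, before anything changes, that the driver would widen SSH from an internal range to 0.0.0.0/0.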
I ran into this same problem. It looks like the amazonec2 driver was updated to support multiple security groups a while back and that's likely what broke the environment variable option.
Specifying --amazonec2-security-group and passing in an id of a SG that has 22 and 2376 open but not to 0.0.0.0/0 results in DM creating a new security group.
For anyone coming here in 2018, check that you are passing in the correct amazonec2-vpc-id and amazonec2-subnet-id. I just ran into this myself and realized it was duplicating the security group because it was using my default VPC and Subnet.
Also, a small side note here. If you specify the security group by id, it tries to recreate it. If you specify it by name, it works. DM tries to find the security group by name and not by id.