juju instances not including the "default" security group

Bug #1129720 reported by Haw Loeung
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
juju-core | Fix Released | High | Ian Booth |
pyjuju | Won't Fix | Low | Unassigned |
juju-core (Ubuntu) | Fix Released | High | Unassigned |

Bug Description

Hi,

OpenStack provides a "default" security group. We'd like to apply specific rules such as allowing of ICMP echo reply/request, TCP and UDP connections from our monitoring hosts (NRPE and SNMP) but in order to do that, we'd have to apply these rules to the service groups for each environment.

Would it be possible to have instances started by juju also include the "default" security group?

Thanks,

Haw

Haw Loeung (hloeung)
tags: added: canonical-webops-juju
Curtis Hovey (sinzui)
Changed in juju:
importance: Undecided → Low
status: New → Triaged
Kapil Thangavelu (hazmat) wrote : Re: [Bug 1129720] Re: juju instances not including the "default" security group

not quite the same, but juju environments also have a default group that
these rules can be applied to once per env.

On Tue, Nov 19, 2013 at 10:43 PM, Haw Loeung <email address hidden> wrote:

> ** Also affects: juju-core
> Importance: Undecided
> Status: New
>
> ** Also affects: juju-core (Ubuntu)
> Importance: Undecided
> Status: New

Curtis Hovey (sinzui)
Changed in juju-core:
status: New → Triaged
importance: Undecided → High
tags: added: canonical-webops openstack security
Curtis Hovey (sinzui)
tags: added: openstack-provider
removed: openstack
Changed in juju-core (Ubuntu):
importance: Undecided → High
status: New → Triaged
Ian Booth (wallyworld)
Changed in juju-core:
milestone: none → 1.17.1
assignee: nobody → Ian Booth (wallyworld)
status: Triaged → In Progress
Changed in juju:
status: Triaged → Won't Fix
Martin Packman (gz) wrote :

I'm not sure adding the default group is the right fix for wanting ad-hoc per environment rules. I'd prefer if juju started tolerating external tampering with the environment-specific juju group it adds to all machines it creates. We could potentially report via status any additional ports opened.

There are arguments in all directions depending on the exact use-case though. In cases where you have more than one environment on the same cloud account (for instance, a staging and a live deployment), the fact the default group applies to both could cause issues: it would be impossible to monitor/alter one without affecting the other. If the account is also used for non-juju work, sharing rules via the default group could be either a convenience or a hole.

Ian Booth (wallyworld) wrote :

Since some deployments will want the global default group added to Juju machines and others not, we've decided to make it configurable - the default is false so existing behaviour is preserved. But deployments that want to use the default group can do so by changing the config option to true.
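
Added example, not part of the original thread and not juju's own code: a small audit that shows which security groups end up attached to machines in more than one environment once the opt-in setting described above is enabled, which is the staging/live concern raised earlier. The group naming (`juju-<env>`, `juju-<env>-<machine>`), the `use_default` field, and all sample rules and addresses are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample: ingress rules per security group on one cloud account,
# as (protocol, port, source CIDR). 5666/tcp is NRPE, 161/udp is SNMP.
RULES = {
    "default": [
        ("icmp", None, "10.0.5.10/32"),
        ("tcp", 5666, "10.0.5.10/32"),
        ("udp", 161, "10.0.5.10/32"),
    ],
    "juju-staging": [("tcp", 22, "0.0.0.0/0")],
    "juju-live": [("tcp", 22, "0.0.0.0/0")],
}

# Constructed sample: two environments on the same account. "use_default" is a
# hypothetical name standing in for the opt-in config option.
ENVIRONMENTS = {
    "staging": {"machines": ["0", "1"], "use_default": True},
    "live": {"machines": ["0", "1", "2"], "use_default": True},
}


def machine_groups(env, machine, use_default):
    """Groups attached to one machine (naming scheme is an assumption)."""
    groups = [f"juju-{env}", f"juju-{env}-{machine}"]
    if use_default:
        groups.append("default")
    return groups


def group_reach(environments):
    """Map each security group to the set of environments whose machines carry it."""
    reach = defaultdict(set)
    for env, cfg in environments.items():
        for machine in cfg["machines"]:
            for group in machine_groups(env, machine, cfg["use_default"]):
                reach[group].add(env)
    return reach


def shared_rules(environments, rules):
    """Groups whose rule changes would affect more than one environment."""
    return {
        group: {"environments": sorted(envs), "rules": rules.get(group, [])}
        for group, envs in group_reach(environments).items()
        if len(envs) > 1
    }


if __name__ == "__main__":
    for group, info in shared_rules(ENVIRONMENTS, RULES).items():
        print(group, "is shared by", info["environments"], "->", info["rules"])
```

With the setting left at false for either environment, `shared_rules` returns an empty result, because each remaining group is scoped to a single environment.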

Ian Booth (wallyworld)
Changed in juju-core:
status: In Progress → Fix Committed
Curtis Hovey (sinzui)
Changed in juju-core:
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package juju-core - 1.17.6-0ubuntu1

---------------
juju-core (1.17.6-0ubuntu1) trusty; urgency=medium

  * New upstream point release, including fixes for:
    - br0 not bought up by cloud-init with MAAS provider (LP: #1271144).
    - ppc64el enablement for juju/lxc (LP: #1273769).
    - juju userdata should not restart networking (LP: #1248283).
    - error detecting hardware characteristics (LP: #1276909).
    - juju instances not including the default security group (LP: #1129720).
    - juju bootstrap does not honor https_proxy (LP: #1240260).
  * d/control,rules: Drop BD on bash-completion, install bash-completion
    direct from upstream source code.
  * d/rules: Set HOME prior to generating man pages.
  * d/control: Drop alternative dependency on mongodb-server; juju now only
    works on trusty with juju-mongodb.
 -- James Page <email address hidden> Mon, 24 Mar 2014 16:05:44 +0000

Changed in juju-core (Ubuntu):
status: Triaged → Fix Released