Merge lp:~wallyworld/juju-core/instance-default-secgroup into lp:~go-bot/juju-core/trunk
- instance-default-secgroup
- Merge into trunk
Status: | Merged |
---|---|
Approved by: | Ian Booth |
Approved revision: | no longer in the source branch. |
Merged at revision: | 2194 |
Proposed branch: | lp:~wallyworld/juju-core/instance-default-secgroup |
Merge into: | lp:~go-bot/juju-core/trunk |
Diff against target: |
236 lines (+104/-23) 6 files modified
cmd/juju/help_topics.go (+3/-0) dependencies.tsv (+1/-1) provider/openstack/config.go (+26/-20) provider/openstack/config_test.go (+12/-0) provider/openstack/live_test.go (+44/-0) provider/openstack/provider.go (+18/-2) |
To merge this branch: | bzr merge lp:~wallyworld/juju-core/instance-default-secgroup |
Related bugs: |
Reviewer | Review Type | Date Requested | Status |
---|---|---|---|
Juju Engineering | Pending | ||
Review via email: mp+199929@code.launchpad.net |
Commit message
New openstack use-default-
Openstack environments can be configured to start
instances with the "default" security group assigned.
The new use-default-
is used to enable this behaviour.
Description of the change
New openstack use-default-
Openstack environments can be configured to start
instances with the "default" security group assigned.
The new use-default-
is used to enable this behaviour.
Ian Booth (wallyworld) wrote : | # |
William Reade (fwereade) wrote : | # |
I'm just ignorant, I'm sure, but I don't see what we gain by making this
configurable. What do we lose by just *always* adding the default
security group?
https:/
File cmd/juju/
https:/
cmd/juju/
Thanks for documenting this, but I feel little the wiser.
Martin Packman (gz) wrote : | # |
I added a comment to bug 1129720 about the general approach.
I agree with William that adding more config here isn't really
desirable, but just putting the default group on all machines juju
creates is a step back in our general isolation level. The
per-environment security group is a much cleaner place to add custom
rules, even if we don't supply a juju command for doing that (though we
could).
Code itself looks fine.
William Reade (fwereade) wrote : | # |
On 2014/01/09 12:56:35, gz wrote:
> I added a comment to bug 1129720 about the general approach.
> I agree with William that adding more config here isn't really
desirable, but
> just putting the default group on all machines juju creates is a step
back in
> our general isolation level. The per-environment security group is a
much
> cleaner place to add custom rules, even if we don't supply a juju
command for
> doing that (though we could).
> Code itself looks fine.
I dunno, I think there's quite a neat separation between the default
security group -- with whatever cloud-specific rules, considered
appropriate by the administrator, that are kinda outside our purview --
and our own config. What's the use case for *not* including the default
security group? Nobody's needed it before, sure; but the default
behaviour doesn't look harmful, and if that's been changed it seems
reasonable to assume it's been done for a reason. Right?
Sorry for the delay, Ian, I had an all-day power cut -- can we chat
about this tomorrow morning? I'm fine with the code, indeed, but I feel
like including that security group is the correct default, and I'd be
happiest of all if we just skipped the config, but I'll accept pretty
much any plausible use case that requires its falsity as justification
for including the setting.
William Reade (fwereade) wrote : | # |
On 2014/01/09 19:48:46, fwereade wrote:
> On 2014/01/09 12:56:35, gz wrote:
> > I added a comment to bug 1129720 about the general approach.
> >
> > I agree with William that adding more config here isn't really
desirable, but
> > just putting the default group on all machines juju creates is a
step back in
> > our general isolation level. The per-environment security group is a
much
> > cleaner place to add custom rules, even if we don't supply a juju
command for
> > doing that (though we could).
> >
> > Code itself looks fine.
> I dunno, I think there's quite a neat separation between the default
security
> group -- with whatever cloud-specific rules, considered appropriate by
the
> administrator, that are kinda outside our purview -- and our own
config. What's
> the use case for *not* including the default security group? Nobody's
needed it
> before, sure; but the default behaviour doesn't look harmful, and if
that's been
> changed it seems reasonable to assume it's been done for a reason.
Right?
> Sorry for the delay, Ian, I had an all-day power cut -- can we chat
about this
> tomorrow morning? I'm fine with the code, indeed, but I feel like
including that
> security group is the correct default, and I'd be happiest of all if
we just
> skipped the config, but I'll accept pretty much any plausible use case
that
> requires its falsity as justification for including the setting.
LGTM after discussion -- we've been fine without it so far, so let's
stick with the existing default. Thanks for bearing with me.
Go Bot (go-bot) wrote : | # |
The attempt to merge lp:~wallyworld/juju-core/instance-default-secgroup into lp:juju-core failed. Below is the output from the failed tests.
ok launchpad.
ok launchpad.
ok launchpad.
ok launchpad.
ok launchpad.
? launchpad.
ok launchpad.
ok launchpad.
ok launchpad.
ok launchpad.
? launchpad.
? launchpad.
ok launchpad.
ok launchpad.
ok launchpad.
? launchpad.
ok launchpad.
ok launchpad.
ok launchpad.
ok launchpad.
ok launchpad.
? launchpad.
ok launchpad.
? launchpad.
? launchpad.
? launchpad.
ok launchpad.
ok launchpad.
ok launchpad.
ok launchpad.
ok launchpad.
ok launchpad.
ok launchpad.
ok launchpad.
ok launchpad.
? launchpad.
ok launchpad.
ok launchpad.
ok launchpad.
ok launchpad.
? launchpad.
ok launchpad.
ok launchpad.
ok launchpad.
ok launchpad.
ok launchpad.
? launchpad.
ok launchpad.
ok launchpad.
? launchpad.
ok launchpad.
ok launchpad.
? launchpad.
ok launchpad.
ok launchpad.
ok launchpad.
? launchpad.
? launchpad.
Go Bot (go-bot) wrote : | # |
The attempt to merge lp:~wallyworld/juju-core/instance-default-secgroup into lp:juju-core failed. Below is the output from the failed tests.
ok launchpad.
ok launchpad.
ok launchpad.
ok launchpad.
ok launchpad.
? launchpad.
ok launchpad.
ok launchpad.
ok launchpad.
ok launchpad.
? launchpad.
? launchpad.
ok launchpad.
ok launchpad.
ok launchpad.
? launchpad.
ok launchpad.
ok launchpad.
ok launchpad.
ok launchpad.
ok launchpad.
? launchpad.
ok launchpad.
? launchpad.
? launchpad.
? launchpad.
ok launchpad.
ok launchpad.
ok launchpad.
ok launchpad.
ok launchpad.
ok launchpad.
ok launchpad.
ok launchpad.
ok launchpad.
? launchpad.
ok launchpad.
ok launchpad.
ok launchpad.
ok launchpad.
? launchpad.
ok launchpad.
ok launchpad.
ok launchpad.
ok launchpad.
ok launchpad.
? launchpad.
ok launchpad.
ok launchpad.
? launchpad.
ok launchpad.
ok launchpad.
? launchpad.
ok launchpad.
ok launchpad.
ok launchpad.
? launchpad.
? launchpad.
Preview Diff
1 | === modified file 'cmd/juju/help_topics.go' |
2 | --- cmd/juju/help_topics.go 2013-10-25 22:24:35 +0000 |
3 | +++ cmd/juju/help_topics.go 2013-12-23 00:50:44 +0000 |
4 | @@ -94,6 +94,9 @@ |
5 | # give the nodes a public IP address. Some installations assign public |
6 | # IP addresses by default without requiring a floating IP address. |
7 | # use-floating-ip: false |
8 | + # Specifies whether new machine instances should have the "default" |
9 | + # Openstack security group assigned. |
10 | + # use-default-secgroup: false |
11 | admin-secret: 13850d1b9786065cadd0f477e8c97cd3 |
12 | # Globally unique swift bucket name |
13 | control-bucket: juju-fd6ab8d02393af742bfbe8b9629707ee |
14 | |
15 | === modified file 'dependencies.tsv' |
16 | --- dependencies.tsv 2013-12-04 15:34:47 +0000 |
17 | +++ dependencies.tsv 2013-12-23 00:50:44 +0000 |
18 | @@ -6,7 +6,7 @@ |
19 | launchpad.net/gocheck bzr gustavo@niemeyer.net-20130302024745-6ikofwq2c03h7giu 85 |
20 | launchpad.net/golxc bzr frank.mueller@canonical.com-20130617094614-jelomk87defuetol 5 |
21 | launchpad.net/gomaasapi bzr ian.booth@canonical.com-20131017011445-m1hmr0ap14osd7li 47 |
22 | -launchpad.net/goose bzr tarmac-20131101034733-zbirap24k6k8wjlg 110 |
23 | +launchpad.net/goose bzr tarmac-20131223000240-y2igxjt3kznam7vi 114 |
24 | launchpad.net/goyaml bzr gustavo@niemeyer.net-20131114120802-abe042syx64z2m7s 50 |
25 | launchpad.net/gwacl bzr tarmac-20131031081035-b33m6fyrrdiuf408 229 |
26 | launchpad.net/loggo bzr tim.penhey@canonical.com-20130729043644-ym0cscir1cist4sm 39 |
27 | |
28 | === modified file 'provider/openstack/config.go' |
29 | --- provider/openstack/config.go 2013-10-24 00:20:59 +0000 |
30 | +++ provider/openstack/config.go 2013-12-23 00:50:44 +0000 |
31 | @@ -14,28 +14,30 @@ |
32 | ) |
33 | |
34 | var configFields = schema.Fields{ |
35 | - "username": schema.String(), |
36 | - "password": schema.String(), |
37 | - "tenant-name": schema.String(), |
38 | - "auth-url": schema.String(), |
39 | - "auth-mode": schema.String(), |
40 | - "access-key": schema.String(), |
41 | - "secret-key": schema.String(), |
42 | - "region": schema.String(), |
43 | - "control-bucket": schema.String(), |
44 | - "use-floating-ip": schema.Bool(), |
45 | + "username": schema.String(), |
46 | + "password": schema.String(), |
47 | + "tenant-name": schema.String(), |
48 | + "auth-url": schema.String(), |
49 | + "auth-mode": schema.String(), |
50 | + "access-key": schema.String(), |
51 | + "secret-key": schema.String(), |
52 | + "region": schema.String(), |
53 | + "control-bucket": schema.String(), |
54 | + "use-floating-ip": schema.Bool(), |
55 | + "use-default-secgroup": schema.Bool(), |
56 | } |
57 | var configDefaults = schema.Defaults{ |
58 | - "username": "", |
59 | - "password": "", |
60 | - "tenant-name": "", |
61 | - "auth-url": "", |
62 | - "auth-mode": string(AuthUserPass), |
63 | - "access-key": "", |
64 | - "secret-key": "", |
65 | - "region": "", |
66 | - "control-bucket": "", |
67 | - "use-floating-ip": false, |
68 | + "username": "", |
69 | + "password": "", |
70 | + "tenant-name": "", |
71 | + "auth-url": "", |
72 | + "auth-mode": string(AuthUserPass), |
73 | + "access-key": "", |
74 | + "secret-key": "", |
75 | + "region": "", |
76 | + "control-bucket": "", |
77 | + "use-floating-ip": false, |
78 | + "use-default-secgroup": false, |
79 | } |
80 | |
81 | type environConfig struct { |
82 | @@ -83,6 +85,10 @@ |
83 | return c.attrs["use-floating-ip"].(bool) |
84 | } |
85 | |
86 | +func (c *environConfig) useDefaultSecurityGroup() bool { |
87 | + return c.attrs["use-default-secgroup"].(bool) |
88 | +} |
89 | + |
90 | func (p environProvider) newConfig(cfg *config.Config) (*environConfig, error) { |
91 | valid, err := p.Validate(cfg, nil) |
92 | if err != nil { |
93 | |
94 | === modified file 'provider/openstack/config_test.go' |
95 | --- provider/openstack/config_test.go 2013-10-24 00:20:59 +0000 |
96 | +++ provider/openstack/config_test.go 2013-12-23 00:50:44 +0000 |
97 | @@ -57,6 +57,7 @@ |
98 | controlBucket string |
99 | toolsURL string |
100 | useFloatingIP bool |
101 | + useDefaultSecurityGroup bool |
102 | username string |
103 | password string |
104 | tenantName string |
105 | @@ -159,6 +160,7 @@ |
106 | c.Assert(ecfg.FirewallMode(), gc.Equals, t.firewallMode) |
107 | } |
108 | c.Assert(ecfg.useFloatingIP(), gc.Equals, t.useFloatingIP) |
109 | + c.Assert(ecfg.useDefaultSecurityGroup(), gc.Equals, t.useDefaultSecurityGroup) |
110 | // Default should be true |
111 | expectedHostnameVerification := true |
112 | if t.sslHostnameSet { |
113 | @@ -372,6 +374,16 @@ |
114 | }, |
115 | useFloatingIP: true, |
116 | }, { |
117 | + summary: "default use default security group", |
118 | + // Do not use default security group by default. |
119 | + useDefaultSecurityGroup: false, |
120 | + }, { |
121 | + summary: "use default security group", |
122 | + config: attrs{ |
123 | + "use-default-secgroup": true, |
124 | + }, |
125 | + useDefaultSecurityGroup: true, |
126 | + }, { |
127 | summary: "admin-secret given", |
128 | config: attrs{ |
129 | "admin-secret": "Futumpsh", |
130 | |
131 | === modified file 'provider/openstack/live_test.go' |
132 | --- provider/openstack/live_test.go 2013-11-04 02:01:19 +0000 |
133 | +++ provider/openstack/live_test.go 2013-12-23 00:50:44 +0000 |
134 | @@ -15,9 +15,14 @@ |
135 | "launchpad.net/goose/identity" |
136 | "launchpad.net/goose/nova" |
137 | |
138 | + "launchpad.net/juju-core/constraints" |
139 | + "launchpad.net/juju-core/environs" |
140 | + "launchpad.net/juju-core/environs/bootstrap" |
141 | + "launchpad.net/juju-core/environs/config" |
142 | "launchpad.net/juju-core/environs/jujutest" |
143 | "launchpad.net/juju-core/environs/storage" |
144 | envtesting "launchpad.net/juju-core/environs/testing" |
145 | + jujutesting "launchpad.net/juju-core/juju/testing" |
146 | "launchpad.net/juju-core/provider/openstack" |
147 | coretesting "launchpad.net/juju-core/testing" |
148 | "launchpad.net/juju-core/testing/testbase" |
149 | @@ -211,3 +216,42 @@ |
150 | sort.Strings(expectedRules) |
151 | c.Check(stringRules, gc.DeepEquals, expectedRules) |
152 | } |
153 | + |
154 | +func (s *LiveTests) assertStartInstanceDefaultSecurityGroup(c *gc.C, useDefault bool) { |
155 | + attrs := s.TestConfig.Merge(coretesting.Attrs{ |
156 | + "name": "sample-" + randomName(), |
157 | + "control-bucket": "juju-test-" + randomName(), |
158 | + "use-default-secgroup": useDefault, |
159 | + }) |
160 | + cfg, err := config.New(config.NoDefaults, attrs) |
161 | + c.Assert(err, gc.IsNil) |
162 | + // Set up a test environment. |
163 | + env, err := environs.New(cfg) |
164 | + c.Assert(err, gc.IsNil) |
165 | + c.Assert(env, gc.NotNil) |
166 | + defer env.Destroy() |
167 | + // Bootstrap and start an instance. |
168 | + err = bootstrap.Bootstrap(bootstrapContext(c), env, constraints.Value{}) |
169 | + c.Assert(err, gc.IsNil) |
170 | + inst, _ := jujutesting.AssertStartInstance(c, env, "100") |
171 | + // Check whether the instance has the default security group assigned. |
172 | + novaClient := openstack.GetNovaClient(env) |
173 | + groups, err := novaClient.GetServerSecurityGroups(string(inst.Id())) |
174 | + c.Assert(err, gc.IsNil) |
175 | + defaultGroupFound := false |
176 | + for _, group := range groups { |
177 | + if group.Name == "default" { |
178 | + defaultGroupFound = true |
179 | + break |
180 | + } |
181 | + } |
182 | + c.Assert(defaultGroupFound, gc.Equals, useDefault) |
183 | +} |
184 | + |
185 | +func (s *LiveTests) TestStartInstanceWithDefaultSecurityGroup(c *gc.C) { |
186 | + s.assertStartInstanceDefaultSecurityGroup(c, true) |
187 | +} |
188 | + |
189 | +func (s *LiveTests) TestStartInstanceWithoutDefaultSecurityGroup(c *gc.C) { |
190 | + s.assertStartInstanceDefaultSecurityGroup(c, false) |
191 | +} |
192 | |
193 | === modified file 'provider/openstack/provider.go' |
194 | --- provider/openstack/provider.go 2013-12-19 09:15:40 +0000 |
195 | +++ provider/openstack/provider.go 2013-12-23 00:50:44 +0000 |
196 | @@ -71,6 +71,10 @@ |
197 | # addresses by default without requiring a floating IP address. |
198 | # use-floating-ip: false |
199 | |
200 | + # use-default-secgroup specifies whether new machine instances should have the "default" |
201 | + # Openstack security group assigned. |
202 | + # use-default-secgroup: false |
203 | + |
204 | # tools-metadata-url specifies the location of the Juju tools and metadata. It defaults to the |
205 | # global public tools metadata location https://streams.canonical.com/tools. |
206 | # tools-metadata-url: https://you-tools-metadata-url |
207 | @@ -119,7 +123,11 @@ |
208 | # to give the nodes a public IP address. Some installations assign public IP |
209 | # addresses by default without requiring a floating IP address. |
210 | # use-floating-ip: false |
211 | - |
212 | + |
213 | + # use-default-secgroup specifies whether new machine instances should have the "default" |
214 | + # Openstack security group assigned. |
215 | + # use-default-secgroup: false |
216 | + |
217 | # tenant-name holds the openstack tenant name. In HPCloud, this is |
218 | # synonymous with the project-name It defaults to |
219 | # the environment variable OS_TENANT_NAME. |
220 | @@ -1058,7 +1066,15 @@ |
221 | if err != nil { |
222 | return nil, err |
223 | } |
224 | - return []nova.SecurityGroup{jujuGroup, machineGroup}, nil |
225 | + groups := []nova.SecurityGroup{jujuGroup, machineGroup} |
226 | + if e.ecfg().useDefaultSecurityGroup() { |
227 | + defaultGroup, err := e.nova().SecurityGroupByName("default") |
228 | + if err != nil { |
229 | + return nil, fmt.Errorf("loading default security group: %v", err) |
230 | + } |
231 | + groups = append(groups, *defaultGroup) |
232 | + } |
233 | + return groups, nil |
234 | } |
235 | |
236 | // zeroGroup holds the zero security group. |
Reviewers: mp+199929_ code.launchpad. net,
Message:
Please take a look.
Description: secgroup option
New openstack use-default-
Openstack environments can be configured to start secgroup config option (default false)
instances with the "default" security group assigned.
The new use-default-
is used to enable this behaviour.
https:/ /code.launchpad .net/~wallyworl d/juju- core/instance- default- secgroup/ +merge/ 199929
(do not edit description out of merge proposal)
Please review this at https:/ /codereview. appspot. com/44770044/
Affected files (+106, -23 lines): help_topics. go openstack/ config. go openstack/ config_ test.go openstack/ live_test. go openstack/ provider. go
A [revision details]
M cmd/juju/
M dependencies.tsv
M provider/
M provider/
M provider/
M provider/