juju-core

Merge lp:~wallyworld/juju-core/instance-default-secgroup into lp:~go-bot/juju-core/trunk

  1. instance-default-secgroup
  2. Merge into trunk
Proposed by Ian Booth
Status: Merged
Approved by: Ian Booth
Approved revision: no longer in the source branch.
Merged at revision: 2194
Proposed branch: lp:~wallyworld/juju-core/instance-default-secgroup
Merge into: lp:~go-bot/juju-core/trunk
Diff against target: 236 lines (+104/-23)
6 files modified
cmd/juju/help_topics.go (+3/-0)
dependencies.tsv (+1/-1)
provider/openstack/config.go (+26/-20)
provider/openstack/config_test.go (+12/-0)
provider/openstack/live_test.go (+44/-0)
provider/openstack/provider.go (+18/-2)
To merge this branch: bzr merge lp:~wallyworld/juju-core/instance-default-secgroup
Reviewer Review Type Date Requested Status
Juju Engineering Pending
Review via email: mp+199929@code.launchpad.net

Commit message

New openstack use-default-secgroup option

Openstack environments can be configured to start
instances with the "default" security group assigned.
The new use-default-secgroup config option (default false)
is used to enable this behaviour.

https://codereview.appspot.com/44770044/

Description of the change

New openstack use-default-secgroup option

Openstack environments can be configured to start
instances with the "default" security group assigned.
The new use-default-secgroup config option (default false)
is used to enable this behaviour.

https://codereview.appspot.com/44770044/

To post a comment you must log in.
Revision history for this message
Ian Booth (wallyworld) wrote :

Reviewers: mp+199929_code.launchpad.net,

Message:
Please take a look.

Description:
New openstack use-default-secgroup option

Openstack environments can be configured to start
instances with the "default" security group assigned.
The new use-default-secgroup config option (default false)
is used to enable this behaviour.

https://code.launchpad.net/~wallyworld/juju-core/instance-default-secgroup/+merge/199929

(do not edit description out of merge proposal)

Please review this at https://codereview.appspot.com/44770044/

Affected files (+106, -23 lines):
   A [revision details]
   M cmd/juju/help_topics.go
   M dependencies.tsv
   M provider/openstack/config.go
   M provider/openstack/config_test.go
   M provider/openstack/live_test.go
   M provider/openstack/provider.go

Revision history for this message
William Reade (fwereade) wrote :

I'm just ignorant, I'm sure, but I don't see what we gain by making this
configurable. What do we lose by just *always* adding the default
security group?

https://codereview.appspot.com/44770044/diff/1/cmd/juju/help_topics.go
File cmd/juju/help_topics.go (right):

https://codereview.appspot.com/44770044/diff/1/cmd/juju/help_topics.go#newcode99
cmd/juju/help_topics.go:99: # use-default-secgroup: false
Thanks for documenting this, but I feel little the wiser.

https://codereview.appspot.com/44770044/

Revision history for this message
Martin Packman (gz) wrote :

I added a comment to bug 1129720 about the general approach.

I agree with William that adding more config here isn't really
desirable, but just putting the default group on all machines juju
creates is a step back in our general isolation level. The
per-environment security group is a much cleaner place to add custom
rules, even if we don't supply a juju command for doing that (though we
could).

Code itself looks fine.

https://codereview.appspot.com/44770044/

Revision history for this message
William Reade (fwereade) wrote :

On 2014/01/09 12:56:35, gz wrote:
> I added a comment to bug 1129720 about the general approach.

> I agree with William that adding more config here isn't really
desirable, but
> just putting the default group on all machines juju creates is a step
back in
> our general isolation level. The per-environment security group is a
much
> cleaner place to add custom rules, even if we don't supply a juju
command for
> doing that (though we could).

> Code itself looks fine.

I dunno, I think there's quite a neat separation between the default
security group -- with whatever cloud-specific rules, considered
appropriate by the administrator, that are kinda outside our purview --
and our own config. What's the use case for *not* including the default
security group? Nobody's needed it before, sure; but the default
behaviour doesn't look harmful, and if that's been changed it seems
reasonable to assume it's been done for a reason. Right?

Sorry for the delay, Ian, I had an all-day power cut -- can we chat
about this tomorrow morning? I'm fine with the code, indeed, but I feel
like including that security group is the correct default, and I'd be
happiest of all if we just skipped the config, but I'll accept pretty
much any plausible use case that requires its falsity as justification
for including the setting.

https://codereview.appspot.com/44770044/

Revision history for this message
William Reade (fwereade) wrote :

On 2014/01/09 19:48:46, fwereade wrote:
> On 2014/01/09 12:56:35, gz wrote:
> > I added a comment to bug 1129720 about the general approach.
> >
> > I agree with William that adding more config here isn't really
 desirable, but
> > just putting the default group on all machines juju creates is a
 step back in
> > our general isolation level. The per-environment security group is a
 much
> > cleaner place to add custom rules, even if we don't supply a juju
 command for
> > doing that (though we could).
> >
> > Code itself looks fine.

> I dunno, I think there's quite a neat separation between the default
security
> group -- with whatever cloud-specific rules, considered appropriate by
the
> administrator, that are kinda outside our purview -- and our own
config. What's
> the use case for *not* including the default security group? Nobody's
needed it
> before, sure; but the default behaviour doesn't look harmful, and if
that's been
> changed it seems reasonable to assume it's been done for a reason.
Right?

> Sorry for the delay, Ian, I had an all-day power cut -- can we chat
about this
> tomorrow morning? I'm fine with the code, indeed, but I feel like
including that
> security group is the correct default, and I'd be happiest of all if
we just
> skipped the config, but I'll accept pretty much any plausible use case
that
> requires its falsity as justification for including the setting.

LGTM after discussion -- we've been fine without it so far, so let's
stick with the existing default. Thanks for bearing with me.

https://codereview.appspot.com/44770044/

Revision history for this message
Go Bot (go-bot) wrote :
Download full text (171.0 KiB)

The attempt to merge lp:~wallyworld/juju-core/instance-default-secgroup into lp:juju-core failed. Below is the output from the failed tests.

ok launchpad.net/juju-core/agent 1.212s
ok launchpad.net/juju-core/agent/tools 0.258s
ok launchpad.net/juju-core/bzr 7.119s
ok launchpad.net/juju-core/cert 3.131s
ok launchpad.net/juju-core/charm 0.550s
? launchpad.net/juju-core/charm/hooks [no test files]
ok launchpad.net/juju-core/cloudinit 0.032s
ok launchpad.net/juju-core/cloudinit/sshinit 1.181s
ok launchpad.net/juju-core/cmd 0.209s
ok launchpad.net/juju-core/cmd/charm-admin 0.840s
? launchpad.net/juju-core/cmd/charmd [no test files]
? launchpad.net/juju-core/cmd/charmload [no test files]
ok launchpad.net/juju-core/cmd/juju 176.230s
ok launchpad.net/juju-core/cmd/jujud 56.073s
ok launchpad.net/juju-core/cmd/plugins/juju-metadata 2.879s
? launchpad.net/juju-core/cmd/plugins/juju-restore [no test files]
ok launchpad.net/juju-core/constraints 0.028s
ok launchpad.net/juju-core/container 0.036s
ok launchpad.net/juju-core/container/factory 0.050s
ok launchpad.net/juju-core/container/kvm 0.277s
ok launchpad.net/juju-core/container/kvm/mock 0.050s
? launchpad.net/juju-core/container/kvm/testing [no test files]
ok launchpad.net/juju-core/container/lxc 0.296s
? launchpad.net/juju-core/container/lxc/mock [no test files]
? launchpad.net/juju-core/container/lxc/testing [no test files]
? launchpad.net/juju-core/container/testing [no test files]
ok launchpad.net/juju-core/downloader 5.335s
ok launchpad.net/juju-core/environs 3.171s
ok launchpad.net/juju-core/environs/bootstrap 4.567s
ok launchpad.net/juju-core/environs/cloudinit 0.534s
ok launchpad.net/juju-core/environs/config 1.111s
ok launchpad.net/juju-core/environs/configstore 0.041s
ok launchpad.net/juju-core/environs/filestorage 0.032s
ok launchpad.net/juju-core/environs/httpstorage 0.942s
ok launchpad.net/juju-core/environs/imagemetadata 0.593s
? launchpad.net/juju-core/environs/imagemetadata/testing [no test files]
ok launchpad.net/juju-core/environs/instances 0.057s
ok launchpad.net/juju-core/environs/jujutest 0.260s
ok launchpad.net/juju-core/environs/manual 11.019s
ok launchpad.net/juju-core/environs/simplestreams 0.362s
? launchpad.net/juju-core/environs/simplestreams/testing [no test files]
ok launchpad.net/juju-core/environs/sshstorage 1.188s
ok launchpad.net/juju-core/environs/storage 1.195s
ok launchpad.net/juju-core/environs/sync 30.984s
ok launchpad.net/juju-core/environs/testing 0.199s
ok launchpad.net/juju-core/environs/tools 6.719s
? launchpad.net/juju-core/environs/tools/testing [no test files]
ok launchpad.net/juju-core/errors 0.016s
ok launchpad.net/juju-core/instance 0.023s
? launchpad.net/juju-core/instance/testing [no test files]
ok launchpad.net/juju-core/juju 16.000s
ok launchpad.net/juju-core/juju/osenv 0.018s
? launchpad.net/juju-core/juju/testing [no test files]
ok launchpad.net/juju-core/log 0.027s
ok launchpad.net/juju-core/log/syslog 0.022s
ok launchpad.net/juju-core/names 0.033s
? launchpad.net/juju-core/provider [no test files]
? launchpad.net/juj...

Revision history for this message
Go Bot (go-bot) wrote :
Download full text (22.3 KiB)

The attempt to merge lp:~wallyworld/juju-core/instance-default-secgroup into lp:juju-core failed. Below is the output from the failed tests.

ok launchpad.net/juju-core/agent 1.229s
ok launchpad.net/juju-core/agent/tools 0.284s
ok launchpad.net/juju-core/bzr 7.167s
ok launchpad.net/juju-core/cert 3.144s
ok launchpad.net/juju-core/charm 0.595s
? launchpad.net/juju-core/charm/hooks [no test files]
ok launchpad.net/juju-core/cloudinit 0.038s
ok launchpad.net/juju-core/cloudinit/sshinit 1.090s
ok launchpad.net/juju-core/cmd 0.249s
ok launchpad.net/juju-core/cmd/charm-admin 0.834s
? launchpad.net/juju-core/cmd/charmd [no test files]
? launchpad.net/juju-core/cmd/charmload [no test files]
ok launchpad.net/juju-core/cmd/juju 175.648s
ok launchpad.net/juju-core/cmd/jujud 55.463s
ok launchpad.net/juju-core/cmd/plugins/juju-metadata 2.734s
? launchpad.net/juju-core/cmd/plugins/juju-restore [no test files]
ok launchpad.net/juju-core/constraints 0.040s
ok launchpad.net/juju-core/container 0.040s
ok launchpad.net/juju-core/container/factory 0.049s
ok launchpad.net/juju-core/container/kvm 0.257s
ok launchpad.net/juju-core/container/kvm/mock 0.036s
? launchpad.net/juju-core/container/kvm/testing [no test files]
ok launchpad.net/juju-core/container/lxc 0.471s
? launchpad.net/juju-core/container/lxc/mock [no test files]
? launchpad.net/juju-core/container/lxc/testing [no test files]
? launchpad.net/juju-core/container/testing [no test files]
ok launchpad.net/juju-core/downloader 5.284s
ok launchpad.net/juju-core/environs 3.059s
ok launchpad.net/juju-core/environs/bootstrap 4.566s
ok launchpad.net/juju-core/environs/cloudinit 0.572s
ok launchpad.net/juju-core/environs/config 1.084s
ok launchpad.net/juju-core/environs/configstore 0.042s
ok launchpad.net/juju-core/environs/filestorage 0.033s
ok launchpad.net/juju-core/environs/httpstorage 1.026s
ok launchpad.net/juju-core/environs/imagemetadata 0.544s
? launchpad.net/juju-core/environs/imagemetadata/testing [no test files]
ok launchpad.net/juju-core/environs/instances 0.061s
ok launchpad.net/juju-core/environs/jujutest 0.256s
ok launchpad.net/juju-core/environs/manual 9.481s
ok launchpad.net/juju-core/environs/simplestreams 0.353s
? launchpad.net/juju-core/environs/simplestreams/testing [no test files]
ok launchpad.net/juju-core/environs/sshstorage 1.225s
ok launchpad.net/juju-core/environs/storage 1.205s
ok launchpad.net/juju-core/environs/sync 30.806s
ok launchpad.net/juju-core/environs/testing 0.236s
ok launchpad.net/juju-core/environs/tools 6.802s
? launchpad.net/juju-core/environs/tools/testing [no test files]
ok launchpad.net/juju-core/errors 0.016s
ok launchpad.net/juju-core/instance 0.023s
? launchpad.net/juju-core/instance/testing [no test files]
ok launchpad.net/juju-core/juju 15.854s
ok launchpad.net/juju-core/juju/osenv 0.018s
? launchpad.net/juju-core/juju/testing [no test files]
ok launchpad.net/juju-core/log 0.015s
ok launchpad.net/juju-core/log/syslog 0.024s
ok launchpad.net/juju-core/names 0.026s
? launchpad.net/juju-core/provider [no test files]
? launchpad.net/juju...

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
1=== modified file 'cmd/juju/help_topics.go'
2--- cmd/juju/help_topics.go 2013-10-25 22:24:35 +0000
3+++ cmd/juju/help_topics.go 2013-12-23 00:50:44 +0000
4@@ -94,6 +94,9 @@
5 # give the nodes a public IP address. Some installations assign public
6 # IP addresses by default without requiring a floating IP address.
7 # use-floating-ip: false
8+ # Specifies whether new machine instances should have the "default"
9+ # Openstack security group assigned.
10+ # use-default-secgroup: false
11 admin-secret: 13850d1b9786065cadd0f477e8c97cd3
12 # Globally unique swift bucket name
13 control-bucket: juju-fd6ab8d02393af742bfbe8b9629707ee
14
15=== modified file 'dependencies.tsv'
16--- dependencies.tsv 2013-12-04 15:34:47 +0000
17+++ dependencies.tsv 2013-12-23 00:50:44 +0000
18@@ -6,7 +6,7 @@
19 launchpad.net/gocheck bzr gustavo@niemeyer.net-20130302024745-6ikofwq2c03h7giu 85
20 launchpad.net/golxc bzr frank.mueller@canonical.com-20130617094614-jelomk87defuetol 5
21 launchpad.net/gomaasapi bzr ian.booth@canonical.com-20131017011445-m1hmr0ap14osd7li 47
22-launchpad.net/goose bzr tarmac-20131101034733-zbirap24k6k8wjlg 110
23+launchpad.net/goose bzr tarmac-20131223000240-y2igxjt3kznam7vi 114
24 launchpad.net/goyaml bzr gustavo@niemeyer.net-20131114120802-abe042syx64z2m7s 50
25 launchpad.net/gwacl bzr tarmac-20131031081035-b33m6fyrrdiuf408 229
26 launchpad.net/loggo bzr tim.penhey@canonical.com-20130729043644-ym0cscir1cist4sm 39
27
28=== modified file 'provider/openstack/config.go'
29--- provider/openstack/config.go 2013-10-24 00:20:59 +0000
30+++ provider/openstack/config.go 2013-12-23 00:50:44 +0000
31@@ -14,28 +14,30 @@
32 )
33
34 var configFields = schema.Fields{
35- "username": schema.String(),
36- "password": schema.String(),
37- "tenant-name": schema.String(),
38- "auth-url": schema.String(),
39- "auth-mode": schema.String(),
40- "access-key": schema.String(),
41- "secret-key": schema.String(),
42- "region": schema.String(),
43- "control-bucket": schema.String(),
44- "use-floating-ip": schema.Bool(),
45+ "username": schema.String(),
46+ "password": schema.String(),
47+ "tenant-name": schema.String(),
48+ "auth-url": schema.String(),
49+ "auth-mode": schema.String(),
50+ "access-key": schema.String(),
51+ "secret-key": schema.String(),
52+ "region": schema.String(),
53+ "control-bucket": schema.String(),
54+ "use-floating-ip": schema.Bool(),
55+ "use-default-secgroup": schema.Bool(),
56 }
57 var configDefaults = schema.Defaults{
58- "username": "",
59- "password": "",
60- "tenant-name": "",
61- "auth-url": "",
62- "auth-mode": string(AuthUserPass),
63- "access-key": "",
64- "secret-key": "",
65- "region": "",
66- "control-bucket": "",
67- "use-floating-ip": false,
68+ "username": "",
69+ "password": "",
70+ "tenant-name": "",
71+ "auth-url": "",
72+ "auth-mode": string(AuthUserPass),
73+ "access-key": "",
74+ "secret-key": "",
75+ "region": "",
76+ "control-bucket": "",
77+ "use-floating-ip": false,
78+ "use-default-secgroup": false,
79 }
80
81 type environConfig struct {
82@@ -83,6 +85,10 @@
83 return c.attrs["use-floating-ip"].(bool)
84 }
85
86+func (c *environConfig) useDefaultSecurityGroup() bool {
87+ return c.attrs["use-default-secgroup"].(bool)
88+}
89+
90 func (p environProvider) newConfig(cfg *config.Config) (*environConfig, error) {
91 valid, err := p.Validate(cfg, nil)
92 if err != nil {
93
94=== modified file 'provider/openstack/config_test.go'
95--- provider/openstack/config_test.go 2013-10-24 00:20:59 +0000
96+++ provider/openstack/config_test.go 2013-12-23 00:50:44 +0000
97@@ -57,6 +57,7 @@
98 controlBucket string
99 toolsURL string
100 useFloatingIP bool
101+ useDefaultSecurityGroup bool
102 username string
103 password string
104 tenantName string
105@@ -159,6 +160,7 @@
106 c.Assert(ecfg.FirewallMode(), gc.Equals, t.firewallMode)
107 }
108 c.Assert(ecfg.useFloatingIP(), gc.Equals, t.useFloatingIP)
109+ c.Assert(ecfg.useDefaultSecurityGroup(), gc.Equals, t.useDefaultSecurityGroup)
110 // Default should be true
111 expectedHostnameVerification := true
112 if t.sslHostnameSet {
113@@ -372,6 +374,16 @@
114 },
115 useFloatingIP: true,
116 }, {
117+ summary: "default use default security group",
118+ // Do not use default security group by default.
119+ useDefaultSecurityGroup: false,
120+ }, {
121+ summary: "use default security group",
122+ config: attrs{
123+ "use-default-secgroup": true,
124+ },
125+ useDefaultSecurityGroup: true,
126+ }, {
127 summary: "admin-secret given",
128 config: attrs{
129 "admin-secret": "Futumpsh",
130
131=== modified file 'provider/openstack/live_test.go'
132--- provider/openstack/live_test.go 2013-11-04 02:01:19 +0000
133+++ provider/openstack/live_test.go 2013-12-23 00:50:44 +0000
134@@ -15,9 +15,14 @@
135 "launchpad.net/goose/identity"
136 "launchpad.net/goose/nova"
137
138+ "launchpad.net/juju-core/constraints"
139+ "launchpad.net/juju-core/environs"
140+ "launchpad.net/juju-core/environs/bootstrap"
141+ "launchpad.net/juju-core/environs/config"
142 "launchpad.net/juju-core/environs/jujutest"
143 "launchpad.net/juju-core/environs/storage"
144 envtesting "launchpad.net/juju-core/environs/testing"
145+ jujutesting "launchpad.net/juju-core/juju/testing"
146 "launchpad.net/juju-core/provider/openstack"
147 coretesting "launchpad.net/juju-core/testing"
148 "launchpad.net/juju-core/testing/testbase"
149@@ -211,3 +216,42 @@
150 sort.Strings(expectedRules)
151 c.Check(stringRules, gc.DeepEquals, expectedRules)
152 }
153+
154+func (s *LiveTests) assertStartInstanceDefaultSecurityGroup(c *gc.C, useDefault bool) {
155+ attrs := s.TestConfig.Merge(coretesting.Attrs{
156+ "name": "sample-" + randomName(),
157+ "control-bucket": "juju-test-" + randomName(),
158+ "use-default-secgroup": useDefault,
159+ })
160+ cfg, err := config.New(config.NoDefaults, attrs)
161+ c.Assert(err, gc.IsNil)
162+ // Set up a test environment.
163+ env, err := environs.New(cfg)
164+ c.Assert(err, gc.IsNil)
165+ c.Assert(env, gc.NotNil)
166+ defer env.Destroy()
167+ // Bootstrap and start an instance.
168+ err = bootstrap.Bootstrap(bootstrapContext(c), env, constraints.Value{})
169+ c.Assert(err, gc.IsNil)
170+ inst, _ := jujutesting.AssertStartInstance(c, env, "100")
171+ // Check whether the instance has the default security group assigned.
172+ novaClient := openstack.GetNovaClient(env)
173+ groups, err := novaClient.GetServerSecurityGroups(string(inst.Id()))
174+ c.Assert(err, gc.IsNil)
175+ defaultGroupFound := false
176+ for _, group := range groups {
177+ if group.Name == "default" {
178+ defaultGroupFound = true
179+ break
180+ }
181+ }
182+ c.Assert(defaultGroupFound, gc.Equals, useDefault)
183+}
184+
185+func (s *LiveTests) TestStartInstanceWithDefaultSecurityGroup(c *gc.C) {
186+ s.assertStartInstanceDefaultSecurityGroup(c, true)
187+}
188+
189+func (s *LiveTests) TestStartInstanceWithoutDefaultSecurityGroup(c *gc.C) {
190+ s.assertStartInstanceDefaultSecurityGroup(c, false)
191+}
192
193=== modified file 'provider/openstack/provider.go'
194--- provider/openstack/provider.go 2013-12-19 09:15:40 +0000
195+++ provider/openstack/provider.go 2013-12-23 00:50:44 +0000
196@@ -71,6 +71,10 @@
197 # addresses by default without requiring a floating IP address.
198 # use-floating-ip: false
199
200+ # use-default-secgroup specifies whether new machine instances should have the "default"
201+ # Openstack security group assigned.
202+ # use-default-secgroup: false
203+
204 # tools-metadata-url specifies the location of the Juju tools and metadata. It defaults to the
205 # global public tools metadata location https://streams.canonical.com/tools.
206 # tools-metadata-url: https://you-tools-metadata-url
207@@ -119,7 +123,11 @@
208 # to give the nodes a public IP address. Some installations assign public IP
209 # addresses by default without requiring a floating IP address.
210 # use-floating-ip: false
211-
212+
213+ # use-default-secgroup specifies whether new machine instances should have the "default"
214+ # Openstack security group assigned.
215+ # use-default-secgroup: false
216+
217 # tenant-name holds the openstack tenant name. In HPCloud, this is
218 # synonymous with the project-name It defaults to
219 # the environment variable OS_TENANT_NAME.
220@@ -1058,7 +1066,15 @@
221 if err != nil {
222 return nil, err
223 }
224- return []nova.SecurityGroup{jujuGroup, machineGroup}, nil
225+ groups := []nova.SecurityGroup{jujuGroup, machineGroup}
226+ if e.ecfg().useDefaultSecurityGroup() {
227+ defaultGroup, err := e.nova().SecurityGroupByName("default")
228+ if err != nil {
229+ return nil, fmt.Errorf("loading default security group: %v", err)
230+ }
231+ groups = append(groups, *defaultGroup)
232+ }
233+ return groups, nil
234 }
235
236 // zeroGroup holds the zero security group.

Subscribers

People subscribed via source and target branches

to status/vote changes: