Services no longer publicly exposed by default
Jim Baker
jim.baker at canonical.com
Thu Aug 11 01:56:19 UTC 2011
Deployed services no longer have a wide-open firewall for the EC2
provider as of r309 of Ensemble trunk. For many formulas this change
doesn't matter, since they should not have had the firewall open
anyway. However, for formulas that do need to accept connections,
here's what you can do to respond to the change.
Change your formulas
====================
For example, this is the only change necessary for the WordPress/MySQL
example, in example/wordpress/hooks/db-relation-changed:
# Make it publicly visible, once the wordpress service is exposed
open-port 80/tcp
It is important that formulas open ports only when ready. So in the
WordPress example, you wouldn't want to do this port opening until
Apache has been successfully configured and restarted. Otherwise,
there's a chance that users might see "It works!" before the desired
page is available.
Firewall changes also are a two-step dance. The hooks for a service
unit need to open ports (and they can also close ports), but the
Ensemble administrator **must** also expose the service. For the
WordPress example, you can expose it any time after the service has
been deployed with the following:
ensemble expose wordpress
Just expose the services you're interested in exposing, possibly as
soon as immediately after deployment. Again, it's the formula author's
responsibility to ensure that port opening is done at the right time.
The service can be subsequently unexposed with
ensemble unexpose wordpress
You can see if a service is exposed with ensemble status. This would
result in output similar to the following:
$ ensemble status
2011-08-09 17:59:29,704 INFO Connecting to environment.
machines:
  0: {dns-name: ec2-50-18-5-80.us-west-1.compute.amazonaws.com, instance-id: i-1119e556}
  1: {dns-name: ec2-50-18-73-159.us-west-1.compute.amazonaws.com, instance-id: i-531ae614}
  2: {dns-name: ec2-50-18-139-254.us-west-1.compute.amazonaws.com, instance-id: i-671ae620}
services:
  mysql:
    formula: local:mysql-11
    relations: {db: wordpress}
    units:
      mysql/0:
        machine: 1
        relations:
          db: {state: up}
        state: started
  wordpress:
    exposed: true
    formula: local:wordpress-30
    relations: {db: mysql}
    units:
      wordpress/0:
        machine: 2
        open-ports: [80/tcp]
        relations:
          db: {state: up}
        state: started
2011-08-09 17:59:36,031 INFO 'status' command finished successfully
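Because reachability needs both halves of the two-step dance (a hook opening the port and the administrator exposing the service), a quick check that flags services where the two disagree is handy. This is an added example, not code from Ensemble or from this post; the status text it scans is constructed to mirror the output above, with mysql given an open port purely to illustrate the "opened but not exposed" case.

```python
import re

# Constructed sample in the shape of `ensemble status` output (not a real capture).
SAMPLE_STATUS = """\
services:
  mysql:
    formula: local:mysql-11
    units:
      mysql/0:
        machine: 1
        open-ports: [3306/tcp]
        state: started
  wordpress:
    exposed: true
    formula: local:wordpress-30
    units:
      wordpress/0:
        machine: 2
        open-ports: [80/tcp]
        state: started
"""

def parse_services(status_text):
    """Scan block-style status text; return {service: {"exposed": bool, "open_ports": set}}."""
    services, current, in_services = {}, None, False
    for line in status_text.splitlines():
        indent = len(line) - len(line.lstrip(" "))
        body = line.strip()
        if indent == 0:                      # top-level key: machines:, services:, log lines
            in_services = body == "services:"
            continue
        if not in_services:
            continue
        name = re.fullmatch(r"(\S+):", body)
        if indent == 2 and name:             # a service entry directly under services:
            current = name.group(1)
            services[current] = {"exposed": False, "open_ports": set()}
        elif current and body.startswith("exposed:"):
            services[current]["exposed"] = body.split(":", 1)[1].strip() == "true"
        elif current and body.startswith("open-ports:"):
            ports = re.search(r"\[(.*)\]", body)   # flow list, e.g. [80/tcp]
            if ports and ports.group(1).strip():
                services[current]["open_ports"].update(
                    p.strip() for p in ports.group(1).split(","))
    return services

def audit(status_text):
    """Return {service: finding} where expose state and opened ports disagree."""
    findings = {}
    for name, svc in parse_services(status_text).items():
        if svc["exposed"] and not svc["open_ports"]:
            findings[name] = "exposed but no unit has opened a port"
        elif svc["open_ports"] and not svc["exposed"]:
            findings[name] = "ports %s opened but service is not exposed" % ", ".join(sorted(svc["open_ports"]))
    return findings
```

The first finding usually means the formula has not reached the point where it calls open-port yet; the second means the ports stay blocked until `ensemble expose` is run.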
Manually administer security groups
===================================
This is just a workaround, of course, until the formulas you use are
changed.
Each machine is now placed in its own security group. If your
environment is named "sample", then for machine 0, this security group
is "ensemble-sample-0". Using the tool of your choice (AWS console,
CLI, etc.), authorize the desired ports on each security group
corresponding to the machines (and the service units running on them)
you need to expose.
Known issues
============
Security groups are not yet deleted at shutdown
(https://bugs.launchpad.net/ensemble/+bug/824219). The possibly good
impact of this during the transition is that any existing security
groups are currently wide open. This means that your deployments
should work the same. You can delete the security group, or just wait
for this bug to be fixed.
Related to this, attempting to bootstrap too soon after shutdown may
result in this problem (https://bugs.launchpad.net/ensemble/+bug/824222):

Error Message: There are active instances using security group 'ensemble-sample-0'.
Docs are being updated. For trunk, the draft version is essentially
accurate in terms of usage
(https://code.launchpad.net/~jimbaker/ensemble/expose-docs/+merge/71122)