juju and openstack resetting secgroups automatically overnight
Michael Nelson
michael.nelson at canonical.com
Wed Feb 11 20:39:40 UTC 2015
On Thu, Feb 12, 2015 at 5:39 AM, Caio Begotti <caio1982 at gmail.com> wrote:
> Hi folks,
>
> I wonder if any of you have had this problem before but Juju and Openstack
> are resetting my secgroup rules every night. I hope this is comprehensible
> without much detail as it involves private deployment info... I know this
> is not strictly speaking 100% Juju but anyway...
I've just checked my ec2 test deployments, and I'm seeing the same
behaviour on the secgroups there. Definitely worth a bug Caio (I'll do
it if you don't get around to it, I don't see one at
https://bugs.launchpad.net/juju-core/?field.searchtext=secgroup ).
-Michael
>
> Juju creates the secgroup for Nova, right? I am manually setting a nova
> secgroup-add-rule for port 22 like the following:
>
> nova secgroup-add-rule groupname tcp 22 22 ipaddress/32
>
> However, my other rules (ICMP etc) are kept between days, but SSH rules for
> port 22 are being reset and disappearing overnight. Is it a known issue or
> expected behavior with Juju and Openstack?
>
> I was told Juju or Openstack (no idea who is at fault here, really) might
> reset the secgroups from time to time (when exactly?) if the specified port
> in the rule is not open in the Juju units.
>
> Ok, so I have created this charm
> https://jujucharms.com/u/caio1982/open-port/ and I confirm that now port 22
> is open in all the related units whose IPs are in the secgroup rules. Still,
> all SSH rules for port 22 are being reset every single night.
>
> Does it make sense?
>
> Right now I have an extra secgroup rule for 0.0.0.0/0 too, just to see what
> happens tonight.
>
> I would really love to understand why Juju and Openstack are not playing
> nice together with my secgroup rules :-(
>
> — Caio Begotti [ˈka.jo | be.ˈgɔ.t͡ʃi]
>