juju and openstack resetting secgroups automatically overnight

Kapil Thangavelu kapilt at gmail.com
Thu Feb 12 12:22:02 UTC 2015


In some sense this is expected behavior: juju syncs the iaas resources it
creates to its internal state for them. Re workarounds: at least for
openstack (or ec2 vpc), if you want manually created security rules, you
should ideally create a separate group + rules and attach it to the relevant
instances. The other option is for services that are exposed: you can use
'juju run' on either a service/unit/all machines to open-port 22.

hth,

-kapil


On Thu, Feb 12, 2015 at 6:52 AM, Caio Begotti <caio1982 at gmail.com> wrote:

> Thanks, Michael. I see you filed the bug last night (I went away after
> posting my message) but I just added some findings and my scenario to the
> report. In case others want to check it out:
> https://bugs.launchpad.net/juju-core/+bug/1420996
>
>
> — Caio Begotti [ˈka.jo | be.ˈgɔ.t͡ʃi]
>
> On Wed, Feb 11, 2015 at 6:39 PM, Michael Nelson <
> michael.nelson at canonical.com> wrote:
>
>> On Thu, Feb 12, 2015 at 5:39 AM, Caio Begotti <caio1982 at gmail.com> wrote:
>> > Hi folks,
>> >
>> > I wonder if any of you have had this problem before but Juju and Openstack
>> > are resetting my secgroup rules every night. I hope this is comprehensible
>> > without much details as it involves private deployment info... I know this
>> > is not strictly speaking 100% Juju but anyway...
>>
>> I've just checked my ec2 test deployments, and I'm seeing the same
>> behaviour on the secgroups there. Definitely worth a bug Caio (I'll do
>> it if you don't get around to it, I don't see one at
>> https://bugs.launchpad.net/juju-core/?field.searchtext=secgroup ).
>>
>> -Michael
>>
>> >
>> > Juju creates the secgroup for Nova, right? I am manually setting a nova
>> > secgroup-add-rule for port 22 like the following:
>> >
>> > nova secgroup-add-rule groupname tcp 22 22 ipaddress/32
>> >
>> > However, my other rules (ICMP etc) are kept between days, but SSH rules for
>> > port 22 are being reset and disappearing overnight. Is it a known issue or
>> > expected behavior with Juju and Openstack?
>> >
>> > I was told Juju or Openstack (no idea who is at fault here, really) might
>> > reset the secgroups from time to time (when exactly?) if the specified port
>> > in the rule is not open in the Juju units.
>> >
>> > Ok, so I have created this charm
>> > https://jujucharms.com/u/caio1982/open-port/ and I confirm that now port 22
>> > is open in all the related units whose IPs are in the secgroup rules. Still,
>> > all SSH rules for port 22 are being reset every single night.
>> >
>> > Does it make sense?
>> >
>> > Right now I have an extra secgroup rule for 0.0.0.0/0 too, just to see what
>> > happens tonight.
>> >
>> > I would really love to understand why Juju and Openstack are not playing
>> > nice together with my secgroup rules :-(
>> >
>> > — Caio Begotti [ˈka.jo | be.ˈgɔ.t͡ʃi]
>> >
>> > --
>> > Juju mailing list
>> > Juju at lists.ubuntu.com
>> > Modify settings or unsubscribe at:
>> > https://lists.ubuntu.com/mailman/listinfo/juju
>> >
>>
>
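
The first workaround in the reply at the top of this message (a separate group with its own rule, attached to the relevant instances), as an added example that is not part of the thread: it prints the legacy `nova` commands for review instead of running them. The group name, address and server names are constructed sample values, and refusing a /0 range is this example's own choice.

```shell
#!/bin/sh
# Added example (not from the thread): print the nova commands for an SSH
# group kept separate from the groups juju creates and syncs.

# safe_name NAME: allow only characters that need no shell quoting.
safe_name() {
    case $1 in ''|*[!A-Za-z0-9._-]*) return 1 ;; esac
}

# valid_cidr CIDR: dotted-quad IPv4 with a /1../32 prefix. Rejecting /0 is
# this example's own policy so a world-open SSH rule is never emitted.
valid_cidr() {
    case $1 in */*) ;; *) return 1 ;; esac
    vc_ip=${1%/*}
    vc_prefix=${1##*/}
    case $vc_prefix in ''|???*|*[!0-9]*) return 1 ;; esac
    [ "$vc_prefix" -ge 1 ] && [ "$vc_prefix" -le 32 ] || return 1
    case $vc_ip in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    vc_ifs=$IFS; IFS=.
    set -- $vc_ip            # split the address into octets
    IFS=$vc_ifs
    [ "$#" -eq 4 ] || return 1
    for vc_octet in "$@"; do
        [ "${#vc_octet}" -le 3 ] && [ "$vc_octet" -le 255 ] || return 1
    done
}

# ssh_group_plan GROUP CIDR SERVER...: print create, rule and attach commands.
ssh_group_plan() {
    [ "$#" -ge 3 ] || { echo "usage: ssh_group_plan GROUP CIDR SERVER..." >&2; return 2; }
    sg_group=$1 sg_cidr=$2
    shift 2
    safe_name "$sg_group" || { echo "bad group name: $sg_group" >&2; return 1; }
    valid_cidr "$sg_cidr" || { echo "rejected CIDR: $sg_cidr" >&2; return 1; }
    for sg_server in "$@"; do
        safe_name "$sg_server" || { echo "bad server name: $sg_server" >&2; return 1; }
    done
    echo "nova secgroup-create $sg_group 'manual SSH access'"
    echo "nova secgroup-add-rule $sg_group tcp 22 22 $sg_cidr"
    for sg_server in "$@"; do
        echo "nova add-secgroup $sg_server $sg_group"
    done
}

# Constructed sample call: one admin address, two instances.
ssh_group_plan manual-ssh 203.0.113.7/32 web-0 db-0
```

Once the printed commands look right, pipe them to `sh` in a shell that has the OpenStack credentials loaded.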