Default Model SG Rules

Tue Jan 31 11:46:45 UTC 2017

As part of the cross model relations work, the provider interface is being
reworked such that Open/Close Port() API calls can now take as parameters
ingress rules, ie a collection of port ranges and allowed source CIDRs.

With the above work, it will be possible to use that new provider
capability to implement something like ssh-allow as an optional model parameter.

Bigger picture though - we want to move to a model where Juju controllers
are simply applications, by default with a single deployed unit, and with HA we
effectively add-unit -n 3 for example. So in that sense, bug 1420996 which asks
for juju expose to gain the ability to limit the subnets to which an application
is exposed seems like something useful to look at too.

But, we also have the concept of spaces - a set of subnets with the same
ingress/egress rules. Talking to John who has been doing much of the work in
this area, we could consider the fact that there should be a way to provide ssh
access to all machines in an environment; maybe we have Juju model this to allow
an ssh endpoint for machines to be have a binding into a specific space.

Having said that, the above work to improve how Juju controllers are
modeled is not scheduled for the Juju 2.2 cycle. Maybe "ssh-allow" is a tasteful
enough compromise for a quick win for Juju 2.2? it would be easy enough to
upgrade that later to support a better modelled solution.

On 30/01/17 08:11, Michael Nelson wrote:
> On Sat, Jan 28, 2017 at 4:34 AM James Beedy <jamesbeedy at gmail.com> wrote:
> 
>> A default SG rule generated for every model allows 22 from 0.0.0.0/0, I'm
>> guessing this is because we are trying to facilitate the use case for juju
>> deployed on a public cloud, and instances being ssh accessed from the
>> internet and not from behind VPN in the same address space.
>>
>> A functionality which would allow users who don't want ssh open to the
>> world to close it, either completely, or limit to a private address space,
>> would be very helpful (especially because Juju reverts any changes made to
>> the SG,
>>
> 
> I created a bug about that a while back:
> 
> https://bugs.launchpad.net/juju-core/+bug/1420996
> 
> As per the last change there, it was targeted for 2.1.0 until just recently.
> 
> 
> 
>> so I couldn't even lock down port 22 if I wanted to).
>>
>> Is it possible to introduce a model config param that we could use to tell
>> juju where to allow ssh traffic from?
>>
> 
> Again, an older bug, but I'd be keen to see that not just for 22/ssh, but
> in general when exposing services:
> 
> https://bugs.launchpad.net/bugs/1401358
> 
> but that may not fit the new juju2 models since the bug was written.
> 
> 
>>
>> Quick fix: Introduce an 'ssh-allow' param that could be used to open and
>> close port 22 on the SG generated for the model?
>>
>> Better fix: Introduce a config param 'ssh-access', where default value is
>> 0.0.0.0/0, which could then be modified to an address space that fits the
>> users security needs.
>>
>> How do others feel about this?
>> --
>> Juju mailing list
>> Juju at lists.ubuntu.com
>> Modify settings or unsubscribe at:
>> https://lists.ubuntu.com/mailman/listinfo/juju
>>
> 
> 
> 