Juju expects a public address for all machines maybe insecure

Bug #1364037 reported by pootow
12
This bug affects 2 people
Affects Status Importance Assigned to Milestone
Canonical Juju
Triaged
Low
Unassigned
juju-core (Ubuntu)
Confirmed
Undecided
Unassigned

Bug Description

Why [Juju expects a public address for all machines][1]? I think this is unnecessary and insecure.

[1]: http://juju-docs.readthedocs.org/en/latest/provider-configuration-openstack.html#openstack-configuration

Revision history for this message
Anastasia (anastasia-macmood) wrote :

From Dimiter:
We still assume to have public IPs in most providers and have no way of not using them if the user doesn't want to (except for the use-floating-ips setting for openstack)

Changed in juju:
status: New → Triaged
importance: Undecided → High
milestone: none → 2.1.0
Revision history for this message
Anastasia (anastasia-macmood) wrote :

Removing 2.1 milestone as we will not addressing this issue in 2.1.

Changed in juju:
milestone: 2.1.0 → none
Revision history for this message
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in juju-core (Ubuntu):
status: New → Confirmed
Revision history for this message
santhosh (santhoshb2610) wrote :

Hi this is santhosh,

ran into same kind of issue. when i specify a particular vpc-id ( it is not default so i did vpc-id-force). it bootstraps controller in that vpc and was loosing/cannot connect to the api after that. BELOW IS THE BOOTSTRAP COMMAND I GAVE:

ubuntu@x86inst-1a:~$ juju bootstrap --config "vpc-id=vpc-08b1e3735cf3" --config "vpc-id-force=true" aws test

it gives the error as below:

ERROR unable to contact api server after 1 attempts: unable to connect to API: dial tcp 172.86.1.14:17070: connect: connection refused

*IF IT CAN REACH THE VPC AND CAN BOOTSTRAP CONTROLLER IN PARTICULAR VPC, WHY IS IT UNABLE TO REACH OR RUNNING INTO API ERROR(17070) AFTER BOOTSTRAP.
*WHY DID JUJU EXPECT IT TO BE PUBLIC, IF I GIVE VPC AS PARAMETER WHY CAN'T IT ACCEPT WHAT SHOULD I DO TO MAKE IT ACCEPT BUT NEED IT TO BE PRIVATE AS FOR THE SECURITY CONCERNS.

Revision history for this message
Richard Harding (rharding) wrote :

The main issue is that Juju controllers need to retrieve the binaries it runs from streams.canonical.com and that the client (typically running on an operator laptop outside the cloud) needs to be able to reach the controller API endpoints.

If you're getting an error during bootstrap about reaching port 17070 this is the Juju client you're running attempting to reach the controller machine that's come up. If it's a locked down VPC with no ingress from your client you'll get this issue.

Revision history for this message
John A Meinel (jameinel) wrote :

I don't believe Juju expects public addresses for all machines. It *does* expect a public address for the controller, because you need external access to be able to connect for things like "juju status" from your machine.

I don't know how you would have been able to bootstrap and 'ssh' into the machine, but not be able to connect to port 17070. That sounds like you have a firewall in your own network that doesn't let you connect to remote hosts on ports that aren't SSH (22) or HTTP(s) (80/443).

For machines other than controllers, the requirement is that they be able to reach the controller, but not that they are accessible externally, or even accesible from the controller (all agents initiate the connection to the controller, the controller doesn't initiate to the agents).

Obviously if you want to "juju ssh unit/3" you need to have a route to that unit (either a VPN into the VPC or a public address on that machine).

Revision history for this message
Canonical Juju QA Bot (juju-qa-bot) wrote :

This bug has not been updated in 2 years, so we're marking it Low importance. If you believe this is incorrect, please update the importance.

Changed in juju:
importance: High → Low
tags: added: expirebugs-bot
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers

Related questions

Remote bug watches

Bug watches keep track of this bug in other bug trackers.