All machines have all ports exposed to entire environment

Bug #1321408 reported by Nate Finch
This bug affects 4 people
Affects          Status      Importance   Assigned to   Milestone
Canonical Juju   Expired     Wishlist     Unassigned
juju-core        Won't Fix   Medium       Unassigned

Bug Description

Machines should be firewalled from each other so that if one is compromised, they don't all then get compromised, while allowing select ports to be opened to other machines in the environment.

Joey Stanford (joey)
tags: added: production
Curtis Hovey (sinzui)
Changed in juju-core:
status: New → Triaged
importance: Undecided → Medium
John A Meinel (jameinel) wrote : Re: [Bug 1321408] Re: All machines have all ports exposed to entire environment

There are two blockers for this:
1) relations are not connections, though often they are. However, consider
the Openstack charm where everything gets related to Keystone, and then
*keystone* tells everything where its friends are.
So we need some way for a charm to be able to "allow-access: SERVICE/UNIT
OTHERSERVICE/UNIT"
Where at least one of those units has to be related to this service
(possibly both?).
2) Charms themselves don't indicate what private ports they have open. So
this needs metadata in the charm itself to say "if someone wants to talk to
me privately, I'm available on ports X-Z". Then when we also have (1) we
can restrict at the port level (rather than just the IP level).

So it is a fair chunk of work, which is why it is likely to be out of scope
for this cycle. (We will likely model it that relating A to B implies a
connection, unless the charms indicate there isn't a connection.)

Also, we may end up with only service level security, since it is probably
roughly equivalent, and lets us move to one security group per service,
rather than one per machine. (It is possible that you would want to allow
only some of the units of a service to talk to some of the other units of
another service, but it adds a lot of complexity and really limits the
ability to scale to lots of units.)

On Wed, May 21, 2014 at 12:23 AM, Curtis Hovey <email address hidden> wrote:

> ** Changed in: juju-core
> Status: New => Triaged
>
> ** Changed in: juju-core
> Importance: Undecided => Medium
>
> --
> You received this bug notification because you are subscribed to juju-
> core.
> https://bugs.launchpad.net/bugs/1321408
>
> Title:
> All machines have all ports exposed to entire environment
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/juju-core/+bug/1321408/+subscriptions
>
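The model sketched in the comment above (one security group per service, a relation implying a connection unless a charm opts out, charm-declared private ports, and an "allow-access" grant honoured only when the granting service is itself related to one of the parties), as an added example: this is not Juju code, and every type, field and service name in it is constructed for illustration.

```go
package main
import "fmt"
// Hypothetical, simplified model of the proposal in the comment above
// (constructed for this example; not Juju's own types or API).
type PortRange struct{ From, To int }
type Charm struct {
	PrivatePorts []PortRange // "I'm available on ports X-Z" charm metadata
	NoConnection bool        // charm says a relation to it is not a connection
}
type Relation struct{ A, B string }
type Grant struct{ By, Src, Dst string }             // "allow-access: SRC DST" issued by By
type Rule struct{ Src, Dst string; Ports PortRange } // ingress on Dst's service group
func related(rels []Relation, a, b string) bool {
	for _, r := range rels {
		if (r.A == a && r.B == b) || (r.A == b && r.B == a) {
			return true
		}
	}
	return false
}
// IngressRules: a relation implies a two-way connection unless either charm opts
// out; a grant counts only if the grantor is itself related to one of the parties
// (the Keystone hub case); every rule is narrowed to the destination's declared
// private ports, so a service that declares none stays closed.
func IngressRules(charms map[string]Charm, rels []Relation, grants []Grant) []Rule {
	var rules []Rule
	allow := func(src, dst string) {
		for _, pr := range charms[dst].PrivatePorts {
			rules = append(rules, Rule{src, dst, pr})
		}
	}
	for _, r := range rels {
		if !charms[r.A].NoConnection && !charms[r.B].NoConnection {
			allow(r.A, r.B)
			allow(r.B, r.A)
		}
	}
	for _, g := range grants {
		if related(rels, g.By, g.Src) || related(rels, g.By, g.Dst) {
			allow(g.Src, g.Dst)
		}
	}
	return rules
}
func main() { // constructed sample: a Keystone hub; "rogue" is related to nobody
	charms := map[string]Charm{"keystone": {PrivatePorts: []PortRange{{35357, 35357}}}, "nova": {PrivatePorts: []PortRange{{8774, 8775}}}}
	for _, r := range IngressRules(charms, []Relation{{"nova", "keystone"}}, []Grant{{"rogue", "keystone", "nova"}}) {
		fmt.Printf("allow %s -> %s ports %d-%d\n", r.Src, r.Dst, r.Ports.From, r.Ports.To)
	}
}
```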

Anastasia (anastasia-macmood) wrote :

Re-targeting for Juju 2.x

Changed in juju:
status: New → Triaged
importance: Undecided → Wishlist
Changed in juju-core:
status: Triaged → Won't Fix
Canonical Juju QA Bot (juju-qa-bot) wrote :

This bug has not been updated in 5 years, so we're marking it Expired. If you believe this is incorrect, please update the status.

Changed in juju:
status: Triaged → Expired
tags: added: expirebugs-bot