juju-1.23beta3 breaks glance <-> mysql relation when glance is hosted in a container
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
juju-core |
Invalid
|
High
|
James Tunnicliffe | ||
1.23 |
Fix Released
|
Critical
|
James Tunnicliffe |
Bug Description
In previous versions of juju, containers were bridged to the host's network and used it directly for networking without any NAT occurring.
In juju-1.23beta3, connections originating from LXC containers seem to be getting NAT'd so that to other services, their source IP appears to be the host's IP instead of the LXC container's IP. This is happening even though the LXC has an IP address on the same subnet as the host, so the NAT'ing doesn't really make any sense.
This breaks mysql <-> glance relation when glance is in a container, because MySQL uses source IP address based access controls and expects the inbound connections to come from the glance container's IP address, not the host's IP address.
OperationalError: (OperationalError) (1130, "Host '10.245.0.168' is not allowed to connect to this MySQL server") None None
More traceback:
http://
juju status yaml:
http://
all-machines.log:
https:/
description: | updated |
Changed in juju-core: | |
status: | New → Triaged |
importance: | Undecided → High |
milestone: | none → 1.23-beta4 |
milestone: | 1.23-beta4 → 1.24-alpha1 |
tags: | added: charms network |
Changed in juju-core: | |
assignee: | nobody → James Tunnicliffe (dooferlad) |
Changed in juju-core: | |
status: | Triaged → In Progress |
tags: | added: regression |
Changed in juju-core: | |
milestone: | 1.24-alpha1 → none |
Can't you add the container's host IP to the MySQL list of allowed addresses (or even the whole internal range) ?
Yes, using NAT for the new addressable containers feature is by design in both AWS and MAAS.
Since there's no juju-br0 (or any bridge using a host interface), the containers are behind their host, which in turn uses NAT and routing / forwarding to provide the containers access to the same subnet as their host. Using *any* host interface in a bridge for the sake of containers being addressable was proven flaky and inefficient on numerous occasions (e.g. we don't even have proper MAAS APIs to discover a node's NICs, *and* we can have biosdevname on or some extra preseed scripts configuring bonding, etc.).
So while I'm open to suggestions on how to solve this in general, rather than hot-fixing a specific case and possibly breaking others, I don't think this can be solved effectively only by Juju, and without/despite the lack of support from the MAAS API.
I've retriaged it for 1.23, as I don't want to block the tomorrow's 1.23-beta4 release, but there's no beta5 milestone to use.