In EC2, instances started using different accounts can be network-isolated
from one another. When starting instances in a model that uses different
credentials than the controller, the instances seem to use the private
address to fetch the tools which fails in this case.
This means that a central use case driving multiple models is currently
broken.
This doesn't seem to apply to all regions - us-east-1 isn't affected
but eu-central-1 is.
Example from /var/log/cloud-init-output.log:
+ mkdir -p /var/lib/juju/tools/1.25.4.1-trusty-amd64
+ echo Fetching tools: curl -sSfw 'tools from %{url_effective} downloaded: HTTP %{http_code}; time %{time_total}s; size %{size_download} bytes; speed %{speed_download} bytes/s ' --noproxy "*" --insecure -o $bin/tools.tar.gz <[https://172.31.14.160:17070/tools/1.25.4.1-trusty-amd64]>
Fetching tools: curl -sSfw 'tools from %{url_effective} downloaded: HTTP %{http_code}; time %{time_total}s; size %{size_download} bytes; speed %{speed_download} bytes/s ' --noproxy "*" --insecure -o $bin/tools.tar.gz <[https://172.31.14.160:17070/tools/1.25.4.1-trusty-amd64]>
+ seq 5
+ printf Attempt 1 to download tools from %s...\n https://172.31.14.160:17070/tools/1.25.4.1-trusty-amd64
Attempt 1 to download tools from https://172.31.14.160:17070/tools/1.25.4.1-trusty-amd64...
+ curl -sSfw tools from %{url_effective} downloaded: HTTP %{http_code}; time %{time_total}s; size %{size_download} bytes; speed %{speed_download} bytes/s --noproxy * --insecure -o /var/lib/juju/tools/1.25.4.1-trusty-amd64/tools.tar.gz https://172.31.14.160:17070/tools/1.25.4.1-trusty-amd64
curl: (7) Failed to connect to 172.31.14.160 port 17070: No route to host
tools from https://172.31.14.160:17070/tools/1.25.4.1-trusty-amd64 downloaded: HTTP 000; time 2.202s; size 0 bytes; speed 0.000 bytes/s + [ 1 -lt 5 ]
+ echo Download failed..... wait 15s
Download failed..... wait 15s
+ sleep 15
+ printf Attempt 2 to download tools from %s...\n https://172.31.14.160:17070/tools/1.25.4.1-trusty-amd64
Attempt 2 to download tools from https://172.31.14.160:17070/tools/1.25.4.1-trusty-amd64...
+ curl -sSfw tools from %{url_effective} downloaded: HTTP %{http_code}; time %{time_total}s; size %{size_download} bytes; speed %{speed_download} bytes/s --noproxy * --insecure -o /var/lib/juju/tools/1.25.4.1-trusty-amd64/tools.tar.gz https://172.31.14.160:17070/tools/1.25.4.1-trusty-amd64
curl: (7) Failed to connect to 172.31.14.160 port 17070: No route to host
There was a problem in the joyent provider where hosted models weren't inheriting the region endpoint properly, and were therefore spinning up instances in different regions. The instances couldn't communicate on the private IPs because of this. The fix in that scenario was to force hosted models to use the same region. Bug #1561611
If we plan to allow users to create models in different regions then yeah, we should find a way to use of the public IP to talk to the controller in those cases.