Use of ufw circumvents standard juju firewall control mechanism

Bug #1423439 reported by Paul Gear on 2015-02-19
26
This bug affects 4 people
Affects                              Importance   Assigned to
Charm Helpers                        High         Felipe Reyes
memcached (Juju Charms Collection)   High         Felipe Reyes

Bug Description

The memcached charm implements its own firewall outside of the standard juju expose mechanism. It offers no controls over which protocols, ports, or hosts are allowed, or even whether or not the firewall should be enabled at all.

This means that subordinate charms such as nrpe-external-master cannot expose any services without explicit knowledge of the memcached charm's firewall. It also violates the principle of least astonishment - users would normally expect to be able to control access to charmed services through juju expose and/or the cloud platform's usual controls (in this case, nova secgroups).

If there are security concerns regarding memcached's exposure on the local segment which warrant additional firewalling, the charm's firewall should limit access to memcached only, and should not make assumptions about other services on the unit.
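As an added illustration of the check a charm reviewer would run against a unit in this situation (this is not code from the memcached charm or from charm-helpers): parse the output of `ufw status verbose` and report which ports of other services on the unit a unit-wide default-deny policy would silently block. The sample output is constructed; port 11211 for memcached and 5666 for NRPE are assumed defaults.

```python
"""Audit a ufw ruleset for ports that a charm-level firewall would block."""
import re

# Constructed sample of `ufw status verbose` output; not from the bug report.
SAMPLE_STATUS = """\
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
11211/tcp                  ALLOW IN    10.0.0.0/24
22/tcp                     ALLOW IN    Anywhere
"""

# One "ALLOW IN" rule line: port, optional protocol, source.
RULE_RE = re.compile(r"^(\d+)(?:/(tcp|udp))?\s+ALLOW IN\s+(\S+)", re.M)
# The incoming half of the "Default:" line.
DEFAULT_RE = re.compile(r"^Default:\s*(\w+) \(incoming\)", re.M)


def parse_ufw_status(text):
    """Return (default_incoming_policy, {(port, proto): [sources]})."""
    match = DEFAULT_RE.search(text)
    # ufw reports 'allow', 'deny' or 'reject'; treat a missing line as allow.
    policy = match.group(1) if match else "allow"
    allowed = {}
    for port, proto, src in RULE_RE.findall(text):
        allowed.setdefault((int(port), proto or "any"), []).append(src)
    return policy, allowed


def blocked_services(text, expected):
    """expected maps port -> service name for services other charms on the
    unit (e.g. a subordinate like nrpe-external-master) need reachable.
    Returns the names of services the unit-wide policy would block."""
    policy, allowed = parse_ufw_status(text)
    if policy == "allow":
        return []  # nothing is blocked by default, so no conflict
    open_ports = {port for port, _ in allowed}
    return sorted(name for port, name in expected.items()
                  if port not in open_ports)
```

With the constructed ruleset, memcached itself is reachable but the assumed NRPE port is not, which is exactly the subordinate-charm conflict the report describes.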

Paul Gear (paulgear) on 2015-02-19
tags: added: canonical-bootstack
Felipe Reyes (freyes) on 2015-06-30
Changed in memcached (Juju Charms Collection):
status: New → In Progress
importance: Undecided → High
assignee: nobody → Felipe Reyes (freyes)
Changed in charm-helpers:
importance: Undecided → High
assignee: nobody → Felipe Reyes (freyes)
status: New → Fix Released
Changed in memcached (Juju Charms Collection):
status: In Progress → Fix Released