SNAT for externally routed traffic should be only for EC2 and for subnets in the VPC

Bug #1443942 reported by James Tunnicliffe
Affects: juju-core
Status: Won't Fix
Importance: Medium
Assigned to: Unassigned
Milestone: none

Bug Description

In worker/provisioner/lxc-broker.go we have code that adds iptables rules. One rule is required at the moment for EC2 - all traffic flowing out of the VPC must look like it came from a physical interface. We don't want to apply this to traffic that has a destination inside the VPC. At the moment we have a simple hostIP/16 match to avoid mangling internal traffic, but this should be specific to EC2 (currently it is applied to all providers when deploying an LXC machine) and should be only for subnets inside the VPC.

Curtis Hovey (sinzui)
Changed in juju-core:
milestone: none → 1.24-alpha1
Curtis Hovey (sinzui)
tags: added: ec2-provider network
Curtis Hovey (sinzui)
Changed in juju-core:
milestone: 1.24-alpha1 → 1.25.0
Dimiter Naydenov (dimitern) wrote :

I'm retriaging this for post 1.24-alpha1, as the fix we had in place for 1.23 will still work on AWS (hardcoding the /16 VPC super-range which is true for all default VPCs in AWS, in the SNAT rule), but can be improved (explicitly listing each VPC's subnet CIDRs in separate SNAT rules).

tags: added: tech-debt
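An added example (not code from juju's lxc-broker.go or from any of the commenters) of the two rule shapes this comment contrasts: the single hardcoded /16 exemption and one explicit RETURN rule per VPC subnet CIDR placed ahead of the SNAT rule. The interface name, host IP and subnet CIDRs are constructed sample values.

```go
package main

import (
	"fmt"
	"net"
)

// legacyRule is the shape of the 1.23-era fix: a single SNAT rule that skips
// destinations in the host's /16, assuming that range equals the whole VPC.
func legacyRule(hostIface string, hostIP net.IP) string {
	network := hostIP.Mask(net.CIDRMask(16, 32))
	return fmt.Sprintf("-t nat -A POSTROUTING -o %s ! -d %s/16 -j SNAT --to-source %s",
		hostIface, network, hostIP)
}

// snatRules is the improved shape: one explicit RETURN (no NAT) rule per VPC
// subnet CIDR, followed by the SNAT rule for everything else leaving hostIface.
// Traffic between subnets of the VPC keeps its container source address; only
// externally routed traffic is rewritten to hostIP. An invalid CIDR is rejected
// rather than silently dropping the exemption, which would NAT intra-VPC traffic.
func snatRules(hostIface string, hostIP net.IP, vpcCIDRs []string) ([]string, error) {
	rules := make([]string, 0, len(vpcCIDRs)+1)
	for _, cidr := range vpcCIDRs {
		_, ipnet, err := net.ParseCIDR(cidr)
		if err != nil {
			return nil, fmt.Errorf("invalid VPC subnet CIDR %q: %v", cidr, err)
		}
		rules = append(rules, fmt.Sprintf("-t nat -A POSTROUTING -o %s -d %s -j RETURN",
			hostIface, ipnet))
	}
	rules = append(rules, fmt.Sprintf("-t nat -A POSTROUTING -o %s -j SNAT --to-source %s",
		hostIface, hostIP))
	return rules, nil
}

func main() {
	// Constructed sample values, not taken from any real VPC.
	hostIP := net.ParseIP("10.0.1.5")
	fmt.Println("legacy: iptables", legacyRule("eth0", hostIP))
	rules, err := snatRules("eth0", hostIP, []string{"10.0.1.0/24", "10.0.2.0/24"})
	if err != nil {
		panic(err)
	}
	for _, r := range rules {
		fmt.Println("iptables", r)
	}
}
```

Rule order matters: the RETURN rules must be appended before the SNAT rule, since iptables evaluates the POSTROUTING chain top to bottom and the first match wins.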
Dimiter Naydenov (dimitern) wrote :

The proper way to fix this is to have a state policy so it's up to the provider to decide whether NAT is needed for containers or not (as discussed with William).

Dimiter Naydenov (dimitern) wrote :

This PR https://github.com/juju/juju/pull/2190 did not land in time, so the described behavior for 1.24 and 1.25 is not in place and MAAS is still broken when the address-allocation feature flag is enabled. I'll include the changes from #2190 in a PR which forward-ports the fix for bug 1442257. Once it lands, the described behavior (using a state policy instead of the provider type to determine whether to enable NAT, as well as listing all subnet CIDRs in the default VPC explicitly as separate SNAT rules) still needs improvement. James, please ping me if something is not clear.

Changed in juju-core:
status: Triaged → In Progress
Changed in juju-core:
status: In Progress → Triaged
Curtis Hovey (sinzui)
tags: added: bug-squad
Curtis Hovey (sinzui)
Changed in juju-core:
milestone: 1.25-alpha1 → 1.25-beta1
Changed in juju-core:
importance: High → Medium
milestone: 1.25-beta1 → 1.26.0
no longer affects: juju-core/1.24
Changed in juju-core:
milestone: 1.26.0 → 2.0-alpha2
Changed in juju-core:
milestone: 2.0-alpha2 → 2.0-alpha3
Changed in juju-core:
milestone: 2.0-alpha3 → 2.0-beta4
Cheryl Jennings (cherylj) wrote :

@dimitern, @dooferlad - It's unclear if this is still an issue. It sounds like this may have been fixed in PR: https://github.com/juju/juju/pull/2392 , but it's not clear from the commit message?

Changed in juju-core:
milestone: 2.0-beta4 → 2.0.1
Changed in juju-core:
assignee: James Tunnicliffe (dooferlad) → Dimiter Naydenov (dimitern)
Dimiter Naydenov (dimitern) wrote :

No longer an issue since the legacy AC code is removed in 2.0.

Changed in juju-core:
status: Triaged → Won't Fix
assignee: Dimiter Naydenov (dimitern) → nobody
Curtis Hovey (sinzui)
Changed in juju-core:
milestone: 2.0.1 → none