Open ports cannot be restricted to an IP or domain
Bug #1321407 reported by
Nate Finch
on 2014-05-20
This bug affects 5 people
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| | juju |
Wishlist
|
Unassigned | ||
Bug Description
Right now, if you open a port on a node to the outside network, it's open to the entire network - there's no way to just expose it to a limited audience.
Reported here: http://
Nate Finch (natefinch)
on 2014-05-20
| tags: | added: security |
Joey Stanford (joey)
on 2014-05-20
| tags: | added: production |
Curtis Hovey (sinzui)
on 2014-05-20
| Changed in juju-core: | |
| status: | New → Triaged |
| importance: | Undecided → Medium |
| William Grant (wgrant) wrote : | #1 |
| Anastasia (anastasia-macmood) wrote : | #2 |
Re-targeting for Juju 2.
| Changed in juju: | |
| status: | New → Triaged |
| importance: | Undecided → Wishlist |
| Changed in juju-core: | |
| status: | Triaged → Won't Fix |
Richard Harding (rharding)
on 2019-12-11
| Changed in juju: | |
| milestone: | none → 2.8-beta1 |
Ian Booth (wallyworld)
on 2020-04-02
| Changed in juju: | |
| milestone: | 2.8-beta1 → 2.9-beta1 |
Canonical Juju QA Bot (juju-qa-bot)
on 2020-10-16
| Changed in juju: | |
| milestone: | 2.9-beta1 → 2.9-rc1 |
| Ian Booth (wallyworld) wrote : | #3 |
The work to enable ports to be exposed to a CIDR range or a network space landed in 2.9
| no longer affects: | juju-core |
| Changed in juju: | |
| status: | Triaged → Fix Committed |
To post a comment you must log in.
This is pretty inconvenient when combined with the lack of intra-environment isolation. If you have some slightly untrustworthy services, the free-for-all security groups within an environment mean you need to have them in a separate one. But that requires that you expose some services from the trusted environment, and this bug means you then need to firewall them manually.
Something like "juju expose --to NETWORK/MASK" might work, though in my specific case I need a private API port to be restricted while a webapp port on the same service should be public.