All machines have all ports exposed to entire environment

Bug #1321408 reported by Nate Finch on 2014-05-20
This bug affects 4 people

Bug Description

Machines should be firewalled from each other so that if one is compromised, they don't all then get compromised, while allowing select ports to be opened to other machines in the environment.

Joey Stanford (joey) on 2014-05-20
tags: added: production
Curtis Hovey (sinzui) on 2014-05-20
Changed in juju-core:
status: New → Triaged
importance: Undecided → Medium

There are two blockers for this:
1) relations are not connections, though often they are. However, consider
the Openstack charm where everything gets related to Keystone, and then
*keystone* tells everything where its friends are.
So we need some way for a charm to be able to "allow-access: SERVICE/UNIT",
where at least one of those units has to be related to this service
(possibly both?).
2) Charms themselves don't indicate what private ports they have open. So
this needs metadata in the charm itself to say "if someone wants to talk to
me privately, I'm available on ports X-Z". Then when we also have (1) we
can restrict at the port level (rather than just the IP level).

So it is a fair chunk of work, which is why it is likely to be out of scope
for this cycle. (we will likely model it that relating A to B implies a
connection, unless the charms indicate there isn't a connection.)

Also, we may end up with only service level security, since it is probably
roughly equivalent, and lets us move to one security group per service,
rather than one per machine. (It is possible that you would want to allow
only some of the units of a service to talk to some of the other units of
another service, but it adds a lot of complexity and really limits the
ability to scale to lots of units.)

On Wed, May 21, 2014 at 12:23 AM, Curtis Hovey <email address hidden> wrote:

> ** Changed in: juju-core
> Status: New => Triaged
> ** Changed in: juju-core
> Importance: Undecided => Medium
Anastasia (anastasia-macmood) wrote :

Re-targeting for Juju 2.x

Changed in juju:
status: New → Triaged
importance: Undecided → Wishlist
Changed in juju-core:
status: Triaged → Won't Fix