Juju adds any RFC1918 address it finds on any state servers to the apiaddresses list in agent.conf
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Canonical Juju | Won't Fix | Low | Unassigned |
juju-core | Won't Fix | Low | Unassigned |
Bug Description
When deciding which IP addresses to use as API addresses, Juju appears to assume it should use all RFC1918 addresses it finds bound to an interface on a state server. The exception may be addresses bound to lxcbr0 (or 10.0.3.0/24). This can include addresses to which other Juju units have no route.
We've seen this behaviour recently with 1.24.7, at least.
This causes us two problems today in production:
1. Our OpenStack private clouds often use an RFC1918 range for their 'External' networks. With the exception of neutron-gateway units, service units deployed to LXC containers have no route to the External network.
2. Juju state servers may also be hosting KVM machines. When libvirt-bin is installed, the default virsh net is created with 192.168.122.1 bound to virbr0 on the host. Some Juju agents may find this address locally if they too have the default virsh net, but it won't be a Juju API address. Others won't have a route to the address at all.
We see an amount of Juju error logging for failed network connections, with units attempting to connect to rsyslogd on state servers on these bad addresses, as well as a number of these failing network connections in SYN_SENT state.
There is a work-around to remove the erroneous addresses from each agent.conf and restart the Juju agents. Of course, the erroneous addresses are re-added on agent restart and on subsequent restarts the bug is evident again.
I suggest, as with api-port, Juju could use an api-cidr option.
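The work-around and the proposed api-cidr filter can be sketched as follows. This is an added example, not part of the original report and not Juju code; it assumes agent.conf holds a YAML `apiaddresses:` key followed by `- host:port` items, and the function name, sample file and 10.20.0.0/24 range are constructed for illustration.

```python
import ipaddress
import re

# Assumed agent.conf layout: a YAML key "apiaddresses:" followed by "- host:port" items.
ITEM = re.compile(r"^\s*-\s*(\S+):(\d+)\s*$")

# Constructed sample; only 192.168.122.1 (libvirt's virbr0) comes from the report.
SAMPLE_CONF = """\
tag: unit-mysql-0
datadir: /var/lib/juju
apiaddresses:
- 10.20.0.5:17070
- 192.168.122.1:17070
- 172.16.50.9:17070
"""

def filter_api_addresses(conf_text, allowed_cidrs):
    """Drop apiaddresses entries outside allowed_cidrs; return (new_text, removed)."""
    nets = [ipaddress.ip_network(c) for c in allowed_cidrs]
    out, removed, kept, in_list = [], [], 0, False
    for line in conf_text.splitlines():
        if line.rstrip() == "apiaddresses:":
            in_list = True
            out.append(line)
            continue
        m = ITEM.match(line) if in_list else None
        if m is None:
            in_list = False          # any non-item line ends the list
            out.append(line)
            continue
        try:
            ip = ipaddress.ip_address(m.group(1))
        except ValueError:
            ip = None                # hostname or bracketed IPv6: leave untouched
        if ip is not None and not any(ip in n for n in nets):
            removed.append(f"{m.group(1)}:{m.group(2)}")
            continue
        kept += 1
        out.append(line)
    if removed and kept == 0:
        # An agent with no API address cannot reach a state server at all.
        raise ValueError("refusing to remove every API address")
    return "\n".join(out) + "\n", removed

if __name__ == "__main__":
    text, dropped = filter_api_addresses(SAMPLE_CONF, ["10.20.0.0/24"])
    print(text, "removed:", dropped)
```

As the report notes, the removed addresses are written back when the agent restarts, so a filter like this only helps until then.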
Changed in juju-core:
milestone: 1.25.5 → 1.25.6

Changed in juju-core:
milestone: 1.25.6 → 1.25.7

Changed in juju:
status: New → Triaged
importance: Undecided → High
milestone: none → 2.1.0

Changed in juju-core:
status: Triaged → Won't Fix
milestone: 1.25.7 → none
It is known behavior that juju will list all IPs (except lxc bridge IPs) as possible addresses for state servers. There is work in 2.0 to improve things, but I don't believe there are any plans to address this in 1.25. Will double check.