Comment 7 for bug 1619812

John A Meinel (jameinel) wrote :

external-network is not about configuring what vswitch you want to connect to (at least from what I can debug reading the code). It is specifically more about "if I expose an application on this VM what subnet do I ask for IP addresses from".

Specifically, this is what I see:
	// Only when external-network is set: wait for the VM, then SSH in.
	if ecfg.externalNetwork() != "" {
		ip, err := vm.WaitForIP(context.TODO())
		if err != nil {
			return nil, errors.Trace(err)
		}
		client := common.NewSshInstanceConfigurator(ip)
		err = client.ConfigureExternalIpAddress(spec.apiPort)
		if err != nil {
			return nil, errors.Trace(err)
		}
	}

and ConfigureExternalIpAddress is doing:
func (c *sshInstanceConfigurator) ConfigureExternalIpAddress(apiPort int) error {
	// Hard-wired to eth1: bring it up on DHCP, then drop all NEW inbound on it.
	cmd := `printf 'auto eth1\niface eth1 inet dhcp' | sudo tee -a /etc/network/interfaces.d/eth1.cfg
sudo ifup eth1
sudo iptables -i eth1 -I INPUT -m state --state NEW -j DROP`

	// -I puts the ACCEPT at the head of INPUT, i.e. above the DROP just added.
	if apiPort > 0 {
		cmd += fmt.Sprintf("\nsudo iptables -I INPUT -p tcp --dport %d -j ACCEPT", apiPort)
	}

Which means that if 'external-network' is supplied, it waits for the instance to start, and then SSHes to the instance, and creates a new 'eth1' device that is set up to listen to DHCP and creates a firewall to drop everything but API Port traffic.

It does appear that we might be setting up an interface from the outside to be using that device:
	// Second NIC (E1000) backed by the port group named by external-network.
	s.DeviceChange = append(s.DeviceChange, &types.VirtualDeviceConfigSpec{
		Operation: types.VirtualDeviceConfigSpecOperationAdd,
		Device: &types.VirtualE1000{
			VirtualEthernetCard: types.VirtualEthernetCard{
				VirtualDevice: types.VirtualDevice{
					Backing: &types.VirtualEthernetCardNetworkBackingInfo{
						VirtualDeviceDeviceBackingInfo: types.VirtualDeviceDeviceBackingInfo{
							DeviceName: ecfg.externalNetwork(),
						},
					},
					Connectable: &types.VirtualDeviceConnectInfo{
						StartConnected:    true,
						AllowGuestControl: true,
					},
				},
			},
		},
	})

Anyway, none of this has anything to do with selecting a particular vswitch to interact with. It is a very hackish hard-wired way of getting a machine that can run a Juju controller inside of vsphere.

It may also be that it munges iptables to expose ports etc. for eth1, but a lot of that code is quite hard coded to things like 'eth1', which also means it won't work for Xenial machines, only Trusty.
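As an added illustration (editor's example, not Juju code and not part of the comment above) of the script the external-network path runs over SSH, here is the same sequence built as a function of the interface name rather than a hard-wired 'eth1'. It refuses interface names that are unsafe to splice into a shell command, keeps the ACCEPT rule above the DROP by inserting both with -I, scopes the ACCEPT to the external interface with -i (the snippet quoted above does not, so its ACCEPT applies to every interface), and replays the iptables lines to show the resulting INPUT chain order before anything is run on a VM. Function names, the interface-name policy and the port number are assumptions for the example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// ifaceNameRe is an assumed policy: Linux interface names that contain no
// shell metacharacters, so they can be spliced into the command line safely.
var ifaceNameRe = regexp.MustCompile(`^[A-Za-z0-9_.-]{1,15}$`)

// ExternalIPScript builds the shell script that would be run on the instance,
// parameterised on the interface name instead of a hard-wired "eth1".
// apiPort <= 0 means "expose no API port".
func ExternalIPScript(iface string, apiPort int) (string, error) {
	if !ifaceNameRe.MatchString(iface) {
		return "", fmt.Errorf("refusing unsafe interface name %q", iface)
	}
	if apiPort < 0 || apiPort > 65535 {
		return "", fmt.Errorf("api port %d out of range", apiPort)
	}
	// printf interprets the literal \n, as in the original command.
	cfg := fmt.Sprintf(`auto %s\niface %s inet dhcp`, iface, iface)
	lines := []string{
		fmt.Sprintf("printf '%s' | sudo tee -a /etc/network/interfaces.d/%s.cfg", cfg, iface),
		fmt.Sprintf("sudo ifup %s", iface),
		// Base policy: no NEW inbound connections on the external interface.
		fmt.Sprintf("sudo iptables -i %s -I INPUT -m state --state NEW -j DROP", iface),
	}
	if apiPort > 0 {
		// Inserted afterwards with -I, so it lands above the DROP; the -i match
		// limits the opening to the external interface.
		lines = append(lines, fmt.Sprintf(
			"sudo iptables -i %s -I INPUT -p tcp --dport %d -j ACCEPT", iface, apiPort))
	}
	return strings.Join(lines, "\n"), nil
}

// InputChainOrder replays the "sudo iptables ... INPUT ..." lines of a script
// and returns the resulting INPUT chain, first rule first, so rule order can
// be checked offline. Only -I (insert at head) and -A (append) are modelled.
func InputChainOrder(script string) []string {
	var chain []string
	for _, line := range strings.Split(script, "\n") {
		f := strings.Fields(line)
		if len(f) < 4 || f[0] != "sudo" || f[1] != "iptables" {
			continue
		}
		idx := -1
		for i := 1; i < len(f); i++ {
			if f[i] == "INPUT" {
				idx = i
				break
			}
		}
		if idx < 2 {
			continue
		}
		// Rule text is everything except "sudo iptables" and the "-I/-A INPUT" pair.
		rest := append(append([]string{}, f[2:idx-1]...), f[idx+1:]...)
		rule := strings.Join(rest, " ")
		switch f[idx-1] {
		case "-I":
			chain = append([]string{rule}, chain...)
		case "-A":
			chain = append(chain, rule)
		}
	}
	return chain
}

func main() {
	script, err := ExternalIPScript("ens192", 17070) // assumed interface and port
	if err != nil {
		panic(err)
	}
	fmt.Println(script)
	fmt.Println("INPUT chain, top first:")
	for _, r := range InputChainOrder(script) {
		fmt.Println("  ", r)
	}
}
```

Replaying the chain is the check worth keeping: with -I for both rules the ACCEPT ends up first, but had the ACCEPT been appended with -A it would sit below the DROP and the API port would be unreachable.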