To confirm, isn't this that we allow access to all machines in the same security group, not external machines?
So it's not all the internet or even all instances in the cloud. Only the instances within the same model.
John =:->
On Fri, Nov 8, 2019, 09:35 Jeff Hillman <email address hidden> wrote:
> Public bug reported:
>
> juju 2.6.10
>
> On customer cloud, juju was bootstrapped using PCE, and subsequent model
> was deployed.
>
> Upon customer security scans, it was found that the security groups
> being created by juju were open to ALL ingress.
>
> On canonistack I recreated this issue. Bootstrapped juju 2.6.10 into
> openstack, enabled HA, and on the controller model the following ingress
> rules are allowed.
>
> ---
>
> created_at='2019-11-08T17:13:15Z', direction='ingress', ethertype='IPv6',
> id='271a56b2-5347-4f4f-b566-73e10423e999', port_range_max='65535',
> port_range_min='1', protocol='tcp',
> remote_group_id='5ce386dd-641d-4e7a-8b02-384f22aaa46d',
> updated_at='2019-11-08T17:13:15Z'
> created_at='2019-11-08T17:20:49Z', direction='ingress', ethertype='IPv4',
> id='2e5d5365-7faa-472a-b112-9dc4a1a51401', port_range_max='65535',
> port_range_min='1', protocol='udp',
> remote_group_id='5ce386dd-641d-4e7a-8b02-384f22aaa46d',
> updated_at='2019-11-08T17:20:49Z'
> created_at='2019-11-08T17:20:50Z', direction='ingress', ethertype='IPv4',
> id='6c0a9381-0f7d-48fd-84cf-3a7bf6d17808', port_range_max='65535',
> port_range_min='1', protocol='tcp',
> remote_group_id='5ce386dd-641d-4e7a-8b02-384f22aaa46d',
> updated_at='2019-11-08T17:20:50Z'
> created_at='2019-11-08T17:13:14Z', direction='ingress', ethertype='IPv6',
> id='c091dcb6-01b6-4bb5-a949-3a6e48154be5', port_range_max='65535',
> port_range_min='1', protocol='udp',
> remote_group_id='5ce386dd-641d-4e7a-8b02-384f22aaa46d',
> updated_at='2019-11-08T17:13:14Z'
>
> ---
>
> This is just for the controller model. Still deploying in Canonistack.
>
> The individual controller nodes also have a security group, but it
> appears to only have egress rules.
>
> The full list of security rules in the controller model is as follows:
>
> ---
>
> created_at='2019-11-08T17:13:14Z', direction='ingress', ethertype='IPv6',
> id='1aed259b-82fc-4a29-8bc4-e51ef1d87fc6', port_range_max='17070',
> port_range_min='17070', protocol='tcp', remote_ip_prefix='::/0',
> updated_at='2019-11-08T17:13:14Z'
> created_at='2019-11-08T17:20:50Z', direction='ingress', ethertype='IPv4',
> id='2608e1dc-2519-4841-8316-ea63f63866a7', protocol='icmp',
> remote_group_id='5ce386dd-641d-4e7a-8b02-384f22aaa46d',
> updated_at='2019-11-08T17:20:50Z'
> created_at='2019-11-08T17:13:15Z', direction='ingress', ethertype='IPv6',
> id='271a56b2-5347-4f4f-b566-73e10423e999', port_range_max='65535',
> port_range_min='1', protocol='tcp',
> remote_group_id='5ce386dd-641d-4e7a-8b02-384f22aaa46d',
> updated_at='2019-11-08T17:13:15Z'
> created_at='2019-11-08T17:20:49Z', direction='ingress', ethertype='IPv4',
> id='2e5d5365-7faa-472a-b112-9dc4a1a51401', port_range_max='65535',
> port_range_min='1', protocol='udp',
> remote_group_id='5ce386dd-641d-4e7a-8b02-384f22aaa46d',
> updated_at='2019-11-08T17:20:49Z'
> created_at='2019-11-08T17:13:13Z', direction='egress', ethertype='IPv6',
> id='30706ca0-4def-4fba-9b24-b0ca19336759',
> updated_at='2019-11-08T17:13:13Z'
>
> created_at='2019-11-08T17:20:49Z', direction='ingress', ethertype='IPv4',
> id='3b65d404-b11f-4583-b741-5707fc7d6059', port_range_max='17070',
> port_range_min='17070', protocol='tcp', remote_ip_prefix='0.0.0.0/0',
> updated_at='2019-11-08T17:20:49Z'
> created_at='2019-11-08T17:13:15Z', direction='ingress', ethertype='IPv6',
> id='4d622d41-d475-4a56-810b-9c3be35bb801', protocol='icmp',
> remote_group_id='5ce386dd-641d-4e7a-8b02-384f22aaa46d',
> updated_at='2019-11-08T17:13:15Z'
> created_at='2019-11-08T17:13:13Z', direction='egress', ethertype='IPv4',
> id='6a990ca8-e71d-4ff0-92d1-97102907356a',
> updated_at='2019-11-08T17:13:13Z'
>
> created_at='2019-11-08T17:20:50Z', direction='ingress', ethertype='IPv4',
> id='6c0a9381-0f7d-48fd-84cf-3a7bf6d17808', port_range_max='65535',
> port_range_min='1', protocol='tcp',
> remote_group_id='5ce386dd-641d-4e7a-8b02-384f22aaa46d',
> updated_at='2019-11-08T17:20:50Z'
> created_at='2019-11-08T17:13:16Z', direction='ingress', ethertype='IPv6',
> id='aa8e23fc-5aef-4704-9ed2-d3112f6ca7f8', port_range_max='22',
> port_range_min='22', protocol='tcp', remote_ip_prefix='::/0',
> updated_at='2019-11-08T17:13:16Z'
> created_at='2019-11-08T17:13:14Z', direction='ingress', ethertype='IPv6',
> id='c091dcb6-01b6-4bb5-a949-3a6e48154be5', port_range_max='65535',
> port_range_min='1', protocol='udp',
> remote_group_id='5ce386dd-641d-4e7a-8b02-384f22aaa46d',
> updated_at='2019-11-08T17:13:14Z'
> created_at='2019-11-08T17:20:50Z', direction='ingress', ethertype='IPv4',
> id='eb3368d2-4dcf-4fad-b2c9-76640dd8ee4e', port_range_max='22',
> port_range_min='22', protocol='tcp', remote_ip_prefix='0.0.0.0/0',
> updated_at='2019-11-08T17:20:50Z'
>
> ---
>
> As can be seen above, ports 17070 and 22 are already allowed. I don't
> see the need for there to be a wide open ingress rule for the controller
> model.
>
> ** Affects: juju
> Importance: Undecided
> Status: New
>
> ** Tags: cpe-onsite
>
> ** Summary changed:
>
> - juju creates insecure openstack security grups
> + juju creates insecure openstack security groups
>
> --
> You received this bug notification because you are subscribed to juju.
> Matching subscriptions: juju bugs
> https://bugs.launchpad.net/bugs/1851866
>
> Title:
> juju creates insecure openstack security groups
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/juju/+bug/1851866/+subscriptions
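An audit check, added here as an example (not code from the bug thread or from juju itself), that parses rule entries in the format quoted in the report and separates rules whose source is a remote security group (reachable only from that group's members, the distinction John draws) from rules open to 0.0.0.0/0 or ::/0. The rule values are copied from the report, except the last sample entry, which is a constructed world-open rule with a placeholder id added to show what the check flags.

```python
"""Audit OpenStack security-group rules in the key='value' format quoted in the
bug report: which ingress rules admit the whole internet, which only a group?"""
import re

# Constructed sample: first four entries copied from the bug report; the last is
# a made-up world-open all-ports rule (placeholder id) to show the contrast.
SAMPLE_RULES = """
created_at='2019-11-08T17:20:50Z', direction='ingress', ethertype='IPv4', id='6c0a9381-0f7d-48fd-84cf-3a7bf6d17808', port_range_max='65535', port_range_min='1', protocol='tcp', remote_group_id='5ce386dd-641d-4e7a-8b02-384f22aaa46d', updated_at='2019-11-08T17:20:50Z'
created_at='2019-11-08T17:20:49Z', direction='ingress', ethertype='IPv4', id='3b65d404-b11f-4583-b741-5707fc7d6059', port_range_max='17070', port_range_min='17070', protocol='tcp', remote_ip_prefix='0.0.0.0/0', updated_at='2019-11-08T17:20:49Z'
created_at='2019-11-08T17:20:50Z', direction='ingress', ethertype='IPv4', id='2608e1dc-2519-4841-8316-ea63f63866a7', protocol='icmp', remote_group_id='5ce386dd-641d-4e7a-8b02-384f22aaa46d', updated_at='2019-11-08T17:20:50Z'
created_at='2019-11-08T17:13:13Z', direction='egress', ethertype='IPv4', id='6a990ca8-e71d-4ff0-92d1-97102907356a', updated_at='2019-11-08T17:13:13Z'
created_at='2019-11-08T00:00:00Z', direction='ingress', ethertype='IPv4', id='CONSTRUCTED-0000', port_range_max='65535', port_range_min='1', protocol='tcp', remote_ip_prefix='0.0.0.0/0', updated_at='2019-11-08T00:00:00Z'
"""

PAIR_RE = re.compile(r"(\w+)='([^']*)'")
WORLD_PREFIXES = {"0.0.0.0/0", "::/0"}


def parse_rules(text: str) -> list:
    """One rule per non-empty line, each a comma-separated list of key='value'."""
    return [dict(PAIR_RE.findall(ln)) for ln in text.splitlines() if ln.strip()]


def source_scope(rule: dict) -> str:
    """'world' if any address may connect; 'group' if only members of the
    remote security group may (the distinction John draws above)."""
    if rule.get("remote_ip_prefix") in WORLD_PREFIXES:
        return "world"
    return "group" if rule.get("remote_group_id") else "unspecified"


def port_count(rule: dict) -> int:
    """Ports the rule opens; ICMP has none. An absent range means all ports."""
    if rule.get("protocol") == "icmp":
        return 0
    return int(rule.get("port_range_max", 65535)) - int(rule.get("port_range_min", 1)) + 1


def audit(text: str) -> list:
    """One finding per ingress rule; egress rules are not inbound exposure."""
    findings = []
    for r in parse_rules(text):
        if r.get("direction") != "ingress":
            continue
        scope, ports = source_scope(r), port_count(r)
        if scope == "world" and ports > 1:
            severity = "high"     # a port range open to the whole internet
        elif scope == "world":
            severity = "review"   # single service port; is the exposure intended?
        else:
            severity = "info"     # reachable only from the group's own members
        findings.append({"id": r.get("id"), "scope": scope, "ports": ports,
                         "protocol": r.get("protocol", "any"), "severity": severity})
    return findings
```

Run over the report's full rule list, the all-ports tcp/udp rules come out as `info` (group-scoped) while only 22 and 17070 are reachable from `0.0.0.0/0` and `::/0`.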