Comment 6 for bug 1851866

John A Meinel (jameinel) wrote : Re: [Bug 1851866] [NEW] juju creates insecure openstack security groups

To confirm, isn't this that we allow access to all machines in the same
security group, not external machines?

So it's not all the internet or even all instances in the cloud. Only the
instances within the same model.

John
=:->

On Fri, Nov 8, 2019, 09:35 Jeff Hillman <email address hidden> wrote:

> Public bug reported:
>
> juju 2.6.10
>
> On customer cloud, juju was bootstrapped using PCE, and subsequent model
> was deployed.
>
> Upon customer security scans, it was found that the security groups
> being created by juju were open to ALL ingress.
>
> On canonistack I recreated this issue. Bootstrapped juju 2.6.10 into
> openstack, enabled HA, and on the controller model the following ingress
> rules are allowed.
>
> ---
>
> created_at='2019-11-08T17:13:15Z', direction='ingress', ethertype='IPv6',
> id='271a56b2-5347-4f4f-b566-73e10423e999', port_range_max='65535',
> port_range_min='1', protocol='tcp',
> remote_group_id='5ce386dd-641d-4e7a-8b02-384f22aaa46d',
> updated_at='2019-11-08T17:13:15Z'
> created_at='2019-11-08T17:20:49Z', direction='ingress', ethertype='IPv4',
> id='2e5d5365-7faa-472a-b112-9dc4a1a51401', port_range_max='65535',
> port_range_min='1', protocol='udp',
> remote_group_id='5ce386dd-641d-4e7a-8b02-384f22aaa46d',
> updated_at='2019-11-08T17:20:49Z'
> created_at='2019-11-08T17:20:50Z', direction='ingress', ethertype='IPv4',
> id='6c0a9381-0f7d-48fd-84cf-3a7bf6d17808', port_range_max='65535',
> port_range_min='1', protocol='tcp',
> remote_group_id='5ce386dd-641d-4e7a-8b02-384f22aaa46d',
> updated_at='2019-11-08T17:20:50Z'
> created_at='2019-11-08T17:13:14Z', direction='ingress', ethertype='IPv6',
> id='c091dcb6-01b6-4bb5-a949-3a6e48154be5', port_range_max='65535',
> port_range_min='1', protocol='udp',
> remote_group_id='5ce386dd-641d-4e7a-8b02-384f22aaa46d',
> updated_at='2019-11-08T17:13:14Z'
>
> ---
>
> This is just for the controller model. Still deploying in Canonistack.
>
> The individual controller nodes also have a security group, but it
> appears to only have egress rules.
>
> The full list of security rules in the controller model is as follows:
>
> ---
>
> created_at='2019-11-08T17:13:14Z', direction='ingress', ethertype='IPv6',
> id='1aed259b-82fc-4a29-8bc4-e51ef1d87fc6', port_range_max='17070',
> port_range_min='17070', protocol='tcp', remote_ip_prefix='::/0',
> updated_at='2019-11-08T17:13:14Z'
> created_at='2019-11-08T17:20:50Z', direction='ingress', ethertype='IPv4',
> id='2608e1dc-2519-4841-8316-ea63f63866a7', protocol='icmp',
> remote_group_id='5ce386dd-641d-4e7a-8b02-384f22aaa46d',
> updated_at='2019-11-08T17:20:50Z'
> created_at='2019-11-08T17:13:15Z', direction='ingress', ethertype='IPv6',
> id='271a56b2-5347-4f4f-b566-73e10423e999', port_range_max='65535',
> port_range_min='1', protocol='tcp',
> remote_group_id='5ce386dd-641d-4e7a-8b02-384f22aaa46d',
> updated_at='2019-11-08T17:13:15Z'
> created_at='2019-11-08T17:20:49Z', direction='ingress', ethertype='IPv4',
> id='2e5d5365-7faa-472a-b112-9dc4a1a51401', port_range_max='65535',
> port_range_min='1', protocol='udp',
> remote_group_id='5ce386dd-641d-4e7a-8b02-384f22aaa46d',
> updated_at='2019-11-08T17:20:49Z'
> created_at='2019-11-08T17:13:13Z', direction='egress', ethertype='IPv6',
> id='30706ca0-4def-4fba-9b24-b0ca19336759',
> updated_at='2019-11-08T17:13:13Z'
>
> created_at='2019-11-08T17:20:49Z', direction='ingress', ethertype='IPv4',
> id='3b65d404-b11f-4583-b741-5707fc7d6059', port_range_max='17070',
> port_range_min='17070', protocol='tcp', remote_ip_prefix='0.0.0.0/0',
> updated_at='2019-11-08T17:20:49Z'
> created_at='2019-11-08T17:13:15Z', direction='ingress', ethertype='IPv6',
> id='4d622d41-d475-4a56-810b-9c3be35bb801', protocol='icmp',
> remote_group_id='5ce386dd-641d-4e7a-8b02-384f22aaa46d',
> updated_at='2019-11-08T17:13:15Z'
> created_at='2019-11-08T17:13:13Z', direction='egress', ethertype='IPv4',
> id='6a990ca8-e71d-4ff0-92d1-97102907356a',
> updated_at='2019-11-08T17:13:13Z'
>
> created_at='2019-11-08T17:20:50Z', direction='ingress', ethertype='IPv4',
> id='6c0a9381-0f7d-48fd-84cf-3a7bf6d17808', port_range_max='65535',
> port_range_min='1', protocol='tcp',
> remote_group_id='5ce386dd-641d-4e7a-8b02-384f22aaa46d',
> updated_at='2019-11-08T17:20:50Z'
> created_at='2019-11-08T17:13:16Z', direction='ingress', ethertype='IPv6',
> id='aa8e23fc-5aef-4704-9ed2-d3112f6ca7f8', port_range_max='22',
> port_range_min='22', protocol='tcp', remote_ip_prefix='::/0',
> updated_at='2019-11-08T17:13:16Z'
> created_at='2019-11-08T17:13:14Z', direction='ingress', ethertype='IPv6',
> id='c091dcb6-01b6-4bb5-a949-3a6e48154be5', port_range_max='65535',
> port_range_min='1', protocol='udp',
> remote_group_id='5ce386dd-641d-4e7a-8b02-384f22aaa46d',
> updated_at='2019-11-08T17:13:14Z'
> created_at='2019-11-08T17:20:50Z', direction='ingress', ethertype='IPv4',
> id='eb3368d2-4dcf-4fad-b2c9-76640dd8ee4e', port_range_max='22',
> port_range_min='22', protocol='tcp', remote_ip_prefix='0.0.0.0/0',
> updated_at='2019-11-08T17:20:50Z'
>
> ---
>
> As can be seen above, ports 17070 and 22 are already allowed. I don't
> see the need for there to be a wide open ingress rule for the controller
> model.
>
> ** Affects: juju
> Importance: Undecided
> Status: New
>
>
> ** Tags: cpe-onsite
>
> ** Summary changed:
>
> - juju creates insecure openstack security grups
> + juju creates insecure openstack security groups
>
> https://bugs.launchpad.net/bugs/1851866
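The question raised in this comment is exactly what a reviewer of the quoted dump needs to settle: which of the 1-65535 rules are scoped to the security group (`remote_group_id`, reachable only from instances in the same group) and which rules are actually world-reachable (`remote_ip_prefix` of `0.0.0.0/0` or `::/0`). The following script is an added example, not code from the thread or from Juju; it parses the `key='value'` dump format as quoted in the report (including the e-mail line wrapping and the one record whose closing quote is missing) and splits the rules into group-scoped, world-open, and "broad and world-open" buckets. The sample input is a subset of the rules copied from the report above.

```python
import re

# Sample input: five of the rules quoted in the bug report, wrapped exactly as
# the e-mail broke them. Rule 2 deliberately keeps its missing closing quote.
SAMPLE_DUMP = """\
created_at='2019-11-08T17:13:15Z', direction='ingress', ethertype='IPv6',
id='271a56b2-5347-4f4f-b566-73e10423e999', port_range_max='65535',
port_range_min='1', protocol='tcp',
remote_group_id='5ce386dd-641d-4e7a-8b02-384f22aaa46d',
updated_at='2019-11-08T17:13:15Z'
created_at='2019-11-08T17:20:50Z', direction='ingress', ethertype='IPv4',
id='6c0a9381-0f7d-48fd-84cf-3a7bf6d17808', port_range_max='65535',
port_range_min='1', protocol='tcp',
remote_group_id='5ce386dd-641d-4e7a-8b02-384f22aaa46d',
updated_at='2019-11-08T17:20:50Z
created_at='2019-11-08T17:13:13Z', direction='egress', ethertype='IPv6',
id='30706ca0-4def-4fba-9b24-b0ca19336759',
updated_at='2019-11-08T17:13:13Z'
created_at='2019-11-08T17:20:49Z', direction='ingress', ethertype='IPv4',
id='3b65d404-b11f-4583-b741-5707fc7d6059', port_range_max='17070',
port_range_min='17070', protocol='tcp', remote_ip_prefix='0.0.0.0/0',
updated_at='2019-11-08T17:20:49Z'
created_at='2019-11-08T17:20:50Z', direction='ingress', ethertype='IPv4',
id='eb3368d2-4dcf-4fad-b2c9-76640dd8ee4e', port_range_max='22',
port_range_min='22', protocol='tcp', remote_ip_prefix='0.0.0.0/0',
updated_at='2019-11-08T17:20:50Z'
"""

# key='value' pairs; the closing quote is optional so a truncated last field
# at the end of a record (as in the quoted dump) still parses.
KV_RE = re.compile(r"(\w+)='([^']*)'?")
WORLD_PREFIXES = {"0.0.0.0/0", "::/0"}


def parse_rules(dump):
    """Turn the wrapped dump into one dict per rule. Every record starts at a
    created_at= token, so the flattened text is split on that lookahead."""
    flat = " ".join(line.strip() for line in dump.splitlines() if line.strip())
    chunks = [c for c in re.split(r"(?=created_at=)", flat) if c.strip()]
    return [{k: v.strip() for k, v in KV_RE.findall(c)} for c in chunks]


def port_span(rule):
    """(min, max) of the port range, or None when the rule has no ports
    (icmp, or 'all protocols')."""
    lo, hi = rule.get("port_range_min"), rule.get("port_range_max")
    return (int(lo), int(hi)) if lo and hi else None


def classify(rule):
    """'egress', 'group' (remote_group_id scoped), 'world' (0.0.0.0/0 or ::/0),
    or 'cidr' (some narrower remote_ip_prefix)."""
    if rule.get("direction") != "ingress":
        return "egress"
    if rule.get("remote_group_id"):
        return "group"
    return "world" if rule.get("remote_ip_prefix") in WORLD_PREFIXES else "cidr"


def describe(rule):
    """One-line summary, e.g. 'ingress IPv4 tcp ports 22 from cidr 0.0.0.0/0'."""
    span = port_span(rule)
    if span is None:
        ports = "all"
    else:
        ports = str(span[0]) if span[0] == span[1] else f"{span[0]}-{span[1]}"
    if rule.get("remote_group_id"):
        src = f"security group {rule['remote_group_id']}"
    else:
        src = f"cidr {rule.get('remote_ip_prefix', 'any')}"
    proto = rule.get("protocol", "any")
    return f"{rule.get('direction')} {rule.get('ethertype')} {proto} ports {ports} from {src}"


def audit(dump):
    """Bucket the rules. 'broad_world_ingress' is the finding that would
    actually matter: a world-reachable ingress rule covering more than one
    port or all protocols."""
    findings = {"group": [], "world": [], "broad_world_ingress": []}
    for rule in parse_rules(dump):
        kind = classify(rule)
        if kind in findings:
            findings[kind].append(rule)
        if kind == "world":
            span = port_span(rule)
            if span is None or span[1] > span[0]:
                findings["broad_world_ingress"].append(rule)
    return findings


if __name__ == "__main__":
    for bucket, rules in audit(SAMPLE_DUMP).items():
        print(f"{bucket}:")
        for r in rules:
            print("  ", describe(r))
```

Run against the sample, the two 1-65535 rules land in the `group` bucket and only the single-port 17070 and 22 rules are world-reachable, which is the distinction the comment above is asking about; the `broad_world_ingress` bucket, the one a scanner should really be alerting on, is empty for this dump.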