Juju "network-get" doesn't allow getting source address of Fan network through relations

Bug #1861277 reported by Nobuto Murata
This bug affects 2 people
Affects: Canonical Juju
Status: Triaged
Importance: Low
Assigned to: Unassigned
Milestone:

Bug Description

Let's say one wants to monitor services and units with Nagios for a deployment such as kubernetes-core. When LXD containers are used on top of cloud providers other than MAAS, Ubuntu Fan network will be enabled by Juju to assign IP addresses for those containers. In this case, Nagios will have a monitoring error because it will be rejected by nrpe's ACL in LXD containers as the charm doesn't know about the source IP address of Fan through relations.

It might be a charm bug, but it sounds like missing functionality in Juju's network-get, if I'm not mistaken.

How to reproduce:

$ juju version
2.7.1-eoan-amd64

[on aws]
$ juju deploy kubernetes-core --overlay ./nagios-nrpe.yaml

Then, open http://<nagios unit address>/nagios3 and log in with username=nagiosadmin and the password obtained by the following command:
juju run --unit nagios/leader -- cat /var/lib/juju/nagios.passwd

In "Services" view, you will see the following error only for units in LXD containers (in this case, easyrsa):
CHECK_NRPE: Error - Could not connect to 252.37.48.110: Connection reset by peer

What happened is that the nrpe charm set up the ACL using the IP address(es) passed through relations and wrote it as:

$ grep allowed_hosts /etc/nagios/nrpe.cfg
allowed_hosts=127.0.0.1,172.31.46.155

It doesn't include Nagios' IP address in the Fan network (252.46.155.1), which is actually used for connecting to LXD containers, because "network-get --*-address" (most of the charms rely on it) doesn't return the IP. The "network-get" command only has options with --*-address (singular, not plural) while network-get itself is aware of that Fan IP address.

$ juju run --unit nagios/leader -- network-get monitors --ingress-address
172.31.46.155

$ juju run --unit nagios/leader -- network-get monitors --bind-address
172.31.46.155

$ juju run --unit nagios/leader -- network-get monitors --egress-subnets
172.31.46.155/32

$ juju run --unit nagios/leader -- network-get monitors
bind-addresses:
- macaddress: 06:dd:9b:f3:4c:4c
  interfacename: ens5
  addresses:
  - hostname: ""
    address: 172.31.46.155
    cidr: 172.31.32.0/20
  - hostname: ""
    address: 172.31.46.155
    cidr: 172.31.32.0/20
- macaddress: 1a:03:91:54:c4:2c
  interfacename: fan-252
  addresses:
  - hostname: ""
    address: 252.46.155.1
    cidr: 252.32.0.0/12
egress-subnets:
- 172.31.46.155/32
ingress-addresses:
- 172.31.46.155
- 172.31.46.155
- 252.46.155.1

Nobuto Murata (nobuto) wrote :

A workaround for this specific nrpe is to add 252.46.155.1 (in this example) from the Fan network explicitly through charm option:

$ juju config nrpe nagios_master=252.46.155.1

However, this is a charm-level workaround and not always feasible.

John A Meinel (jameinel) wrote : Re: [Bug 1861277] Re: Juju "network-get" doesn't allow getting source address of Fan network through relations

nagios is given the fan address in network-get under the
'ingress-addresses' list. However it is not in the single entry returned by
'--ingress-address'. This is because there are multiple possible addresses
that could be given.

John
=:->

On Wed, Jan 29, 2020, 16:35 Nobuto Murata <email address hidden>
wrote:

> A workaround for this specific nrpe is to add 252.46.155.1 (in this
> example) from the Fan network explicitly through charm option:
>
> $ juju config nrpe nagios_master=252.46.155.1
>
> However, this is a charm-level workaround and not always feasible.

Changed in juju:
status: New → Triaged
importance: Undecided → Medium
tags: added: network
Xav Paice (xavpaice) wrote :

This is breaking at least the nrpe charm for fan networking, likely more if they use a similar mechanism:

On the Nagios host:
$ juju run --unit nagios/0 'network-get public'
bind-addresses:
- macaddress: fa:16:3e:01:32:39
  interfacename: ens2
  addresses:
  - hostname: ""
    address: 10.48.131.32
    cidr: 10.48.128.0/17
  - hostname: ""
    address: 10.48.131.32
    cidr: 10.48.128.0/17
- macaddress: ae:81:9a:5c:80:ed
  interfacename: fan-252
  addresses:
  - hostname: ""
    address: 252.6.64.1
    cidr: 252.0.0.0/8
egress-subnets:
- 10.48.131.32/32
ingress-addresses:
- 10.48.131.32
- 10.48.131.32
- 252.6.64.1

Relation data from the nrpe unit:
$ u=nrpe/6; r=monitors ; juju run --unit $u "relation-ids $r| xargs -I_@ sh -c 'relation-list -r _@|xargs -I_U sh -c \"relation-get -r _@ - _U |sed s,^,_U:, 2>&1\"'"
nagios/0:egress-subnets: 10.48.131.32/32
nagios/0:ingress-address: 10.48.131.32
nagios/0:private-address: 10.48.131.32

If the egress-subnets included the fanout address as well, nrpe would pick it up and add it to the config file. Both addresses can be used for egress.
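
Added example (not part of the thread and not the nrpe charm's code): one way a charm on the Nagios side could build the nrpe ACL from the full 'ingress-addresses' list that network-get already reports, instead of the single value returned by '--ingress-address'. The function names are hypothetical and the sample is the nagios/0 output quoted above, trimmed; only the unit's own addresses are added, never the whole Fan CIDR.

```python
import ipaddress

# Constructed sample: `network-get public` output for nagios/0 as quoted above,
# trimmed to the fan-252 bind-address entry plus the two summary lists.
NETWORK_GET_OUTPUT = """\
bind-addresses:
- macaddress: ae:81:9a:5c:80:ed
  interfacename: fan-252
  addresses:
  - hostname: ""
    address: 252.6.64.1
    cidr: 252.0.0.0/8
egress-subnets:
- 10.48.131.32/32
ingress-addresses:
- 10.48.131.32
- 10.48.131.32
- 252.6.64.1
"""


def top_level_list(output, key):
    """Return the items of one top-level list of scalars in network-get's YAML."""
    items, current = [], None
    for line in output.splitlines():
        if line and not line.startswith((" ", "-")):
            current = line.rstrip(":")         # a new top-level key starts here
        elif current == key and line.startswith("- "):
            items.append(line[2:].strip())
    return items


def allowed_hosts(output, always=("127.0.0.1",)):
    """Build an nrpe allowed_hosts line from every ingress address (hypothetical helper)."""
    hosts = list(always)
    for raw in top_level_list(output, "ingress-addresses"):
        addr = str(ipaddress.ip_address(raw))  # raises ValueError on a malformed entry
        if addr not in hosts:                  # drop duplicates, keep first-seen order
            hosts.append(addr)
    return "allowed_hosts=" + ",".join(hosts)


if __name__ == "__main__":
    print(allowed_hosts(NETWORK_GET_OUTPUT))
```
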

Felipe Reyes (freyes)
tags: added: sts
Canonical Juju QA Bot (juju-qa-bot) wrote :

This bug has not been updated in 2 years, so we're marking it Low importance. If you believe this is incorrect, please update the importance.

Changed in juju:
importance: Medium → Low
tags: added: expirebugs-bot