Canonical Juju

Support encrypted EBS volumes for bootstrapping controllers on AWS

Bug #1931139 reported by Syed Mohammad Adnan Karim on 2021-06-07

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	Canonical Juju	Fix Released	High	Harry Pidcock	Canonical Juju 2.9.7

Bug Description

juju bootstrap aws \
  --storage-pool name=ebs-encrypted \
  --storage-pool type=ebs \
  --storage-pool encrypted=true \
  --bootstrap-constraints="root-disk-source=ebs-encrypted"

I just tried running the above to bootstrap a juju controller with and encrypted EBS volume and I checked on my AWS console and it looks like the controler machine still uses a non-encrypted EBS volume.

It looks like the bootstrap-constraint of root-disk-source is only supported on vSphere and OpenStack providers according to https://discourse.charmhub.io/t/juju-constraints/1160

This feature is important because make the adoption of Juju easier and smoother since organizations wont have to justify the existence of non encrypted EBS volumes to their security teams every review period.

Ian Booth (wallyworld) on 2021-06-09

Changed in juju:
milestone:	none → 2.9.5
status:	New → Triaged
importance:	Undecided → High

Revision history for this message

Ian Booth (wallyworld) wrote on 2021-06-09:

The doc is not quite correct.

If root disk source refers to a storage pool, then it is supposed to be supported on any provider that can provision block device storage which can be mounted as the root disk of an instance.

The doc is referring to the case where root disk source is not a storage pool name but rather a provider specific datastore or such.

Revision history for this message

Ian Booth (wallyworld) wrote on 2021-06-09:

Looking closer, it turns out that only the azure provider seems to use the bootstrap root disk constraint as a storage pool option. It is not currently used by the aws provider so that will need to be enabled.

Revision history for this message

Ian Booth (wallyworld) wrote on 2021-06-09:

This would be a fairly simple change, except for the fact that juju currently uses a 10 year old AWS api library to manage instances, and this library does not support specifying ebs root disk config. We will have to migrate to a new official AWS library to do what's needed.

Ian Booth (wallyworld) on 2021-06-09

Changed in juju:
assignee:	nobody → Ian Booth (wallyworld)
status:	Triaged → In Progress
summary:	- Support encrypted EBS volumes for bootstrapping controllers on AWS and - other public clouds + Support encrypted EBS volumes for bootstrapping controllers on AWS

Canonical Juju QA Bot (juju-qa-bot) on 2021-06-16

Changed in juju:
milestone:	2.9.5 → 2.9.6

Canonical Juju QA Bot (juju-qa-bot) on 2021-06-21

Changed in juju:
milestone:	2.9.6 → 2.9.7

Harry Pidcock (hpidcock) on 2021-06-23

Changed in juju:
assignee:	Ian Booth (wallyworld) → Harry Pidcock (hpidcock)

Revision history for this message

Harry Pidcock (hpidcock) wrote on 2021-06-23:

https://github.com/juju/juju/pull/13101

Harry Pidcock (hpidcock) on 2021-06-23

Changed in juju:
status:	In Progress → Fix Committed

Canonical Juju QA Bot (juju-qa-bot) on 2021-06-30

Changed in juju:
status:	Fix Committed → Fix Released

Revision history for this message

Syed Mohammad Adnan Karim (karimsye) wrote on 2021-07-06:

Thanks, I am now able to bootstrap juju controllers on AWS with encrypted EBS volumes.
However I found that I was unable to create other machines with encrypted EBS volumes.
I attempted the following:

# Successfully create a controller with encrypted EBS volumes
juju bootstrap aws \
  --storage-pool name=ebs-encrypted \
  --storage-pool type=ebs \
  --storage-pool encrypted=true \
  --bootstrap-constraints="root-disk-source=ebs-encrypted"

# Create an ecrypted EBS storage pool
juju create-storage-pool encrypted-ebs ebs encrypted=true

# Set the storage-default-block-source to encrypted-ebs
juju model-config storage-default-block-source="encrypted-ebs"

# Deploy a bundle
juju deploy cs:bundle/landscape-scalable-8

I checked my EC2 instances in the dashboard and found that the non-controller machines did not have encryption. The juju version is 2.9.7-ubuntu-amd64 from latest/candidate channel.

Revision history for this message

Harry Pidcock (hpidcock) wrote on 2021-07-07:

I think storage-default-block-source is for attached storage. Root disks should be done via constraints like in bootstrap.

Revision history for this message

Harry Pidcock (hpidcock) wrote on 2021-07-07:

The following should work:

juju set-model-constraints root-disk-source="encrypted-ebs"

For all other storage you want to probably set this as well:

juju model-config storage-default-block-source="encrypted-ebs"

Revision history for this message

Syed Mohammad Adnan Karim (karimsye) wrote on 2021-07-08:

Thanks, it works!

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.