Deployed applications are implicitly exposed on Equinix metal

Bug #1940520 reported by Achilleas Anagnostopoulos
Affects: Canonical Juju
Status: Fix Released
Importance: Medium
Assigned to: Marques Johansson

Bug Description

Each provisioned machine on Equinix metal is assigned both a private and a public IP address. Due to substrate limitations (no support for the equivalent of security groups / firewall control), all machines, and therefore any ports opened by units, are reachable from the Internet via their public address. However, if the workloads are deployed as LXD containers then this is a non-issue as containers are always (by default) assigned FAN addresses.

One potential solution for this problem is as follows: during the machine provisioning step where we execute additional scripts (at cloudinit time) to correct the routing table entries, we can install iptable rules that prevent ingress traffic from public IP addresses but allow egress traffic so that charms can still download their dependencies (apt packages, snaps etc.).

Then, the provider can implement the (instance) Firewaller interface and manipulate the iptable rules as needed to support 'juju expose' using the existing ssh-based iptable mutator helpers (e.g. as we do for the rackspace provider https://github.com/juju/juju/blob/develop/provider/rackspace/firewaller.go).
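As an added example (not Juju's code and not taken from the PR), a shell helper that emits, in iptables-restore format, the kind of ruleset the description proposes: new inbound connections arriving on the public interface are dropped unless their port has been exposed, while egress and its return traffic (apt, snaps) stay allowed. The interface name `bond0`, the chain name `juju-public-ingress` and the `proto:port` argument format are assumptions.

```shell
#!/bin/sh
# Added example, not part of Juju. Emits an iptables-restore ruleset that
# blocks new ingress on the machine's public interface while leaving egress
# (and its conntrack return traffic) untouched. The interface name and the
# proto:port argument format are assumptions for this illustration.
gen_public_ingress_rules() {
    pub_if="$1"          # public-facing interface, e.g. bond0 (assumed name)
    shift
    exposed_ports="$*"   # ports opened via 'juju expose', e.g. "tcp:80 udp:53"

    echo '*filter'
    echo ':INPUT ACCEPT [0:0]'
    echo ':FORWARD ACCEPT [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    # Dedicated chain so a Firewaller implementation can flush and rebuild
    # it on expose/unexpose without touching the rest of INPUT.
    echo ':juju-public-ingress - [0:0]'
    # Only traffic entering on the public interface is policed; private and
    # FAN interfaces are left alone.
    echo "-A INPUT -i $pub_if -j juju-public-ingress"
    # Replies to connections the machine opened itself remain allowed.
    echo '-A juju-public-ingress -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    for p in $exposed_ports; do
        proto=${p%%:*}
        port=${p#*:}
        echo "-A juju-public-ingress -p $proto --dport $port -j ACCEPT"
    done
    # Everything else that arrives via the public address is dropped.
    echo '-A juju-public-ingress -j DROP'
    echo 'COMMIT'
}

# Usage at cloud-init time (apply with care; see note below):
#   gen_public_ingress_rules bond0 tcp:80 tcp:443 | iptables-restore
```

Any management access the controller itself relies on (the ssh used by the iptable mutator helpers mentioned above) must be included in the exposed list, otherwise the ruleset locks the controller out of the machine.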

Changed in juju:
status: New → Triaged
importance: Undecided → Medium
Changed in juju:
milestone: 2.9.12 → 2.9.13
Changed in juju:
milestone: 2.9.13 → 2.9.14
Changed in juju:
milestone: 2.9.14 → 2.9.15
Changed in juju:
milestone: 2.9.15 → 2.9.16
Changed in juju:
milestone: 2.9.16 → 2.9.17
Changed in juju:
milestone: 2.9.17 → 2.9.18
Changed in juju:
milestone: 2.9.18 → 2.9.19
Changed in juju:
milestone: 2.9.19 → 2.9.20
Changed in juju:
milestone: 2.9.20 → 2.9.21
Changed in juju:
milestone: 2.9.21 → 2.9.22
Changed in juju:
milestone: 2.9.22 → 2.9.23
Changed in juju:
milestone: 2.9.23 → 2.9.24
Changed in juju:
milestone: 2.9.24 → 2.9.25
Achilleas Anagnostopoulos (achilleasa) wrote :

PR https://github.com/juju/juju/pull/13695 tracks the work for resolving this issue.

Changed in juju:
status: Triaged → In Progress
Changed in juju:
milestone: 2.9.25 → 2.9.26
Changed in juju:
milestone: 2.9.26 → 2.9.27
Changed in juju:
milestone: 2.9.27 → 2.9.28
Changed in juju:
milestone: 2.9.28 → 2.9.29
Changed in juju:
milestone: 2.9.29 → 2.9.30
Changed in juju:
milestone: 2.9.30 → 2.9.31
John A Meinel (jameinel)
Changed in juju:
milestone: 2.9.31 → 2.9.32
Changed in juju:
milestone: 2.9.32 → 2.9.33
Ian Booth (wallyworld)
Changed in juju:
status: In Progress → Fix Committed
Changed in juju:
status: Fix Committed → Fix Released