Deployed applications are implicitly exposed on Equinix Metal
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Canonical Juju | Fix Released | Medium | Marques Johansson | 
Bug Description
Each provisioned machine on Equinix Metal is assigned both a private and a public IP address. Due to substrate limitations (no support for the equivalent of security groups / firewall control), all machines, and therefore any ports opened by units, are reachable from the Internet via their public address. However, if the workloads are deployed as LXD containers then this is a non-issue as containers are always (by default) assigned FAN addresses.
One potential solution for this problem is as follows: during the machine provisioning step where we execute additional scripts (at cloudinit time) to correct the routing table entries, we can install iptable rules that prevent ingress traffic from public IP addresses but allow egress traffic so that charms can still download their dependencies (apt packages, snaps etc.).
Then, the provider can implement the (instance) Firewaller interface and manipulate the iptable rules as needed to support 'juju expose' using the existing ssh-based iptable mutator helpers (e.g. as we do for the rackspace provider https:/
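The policy sketched in the description, rendered as an added example rather than code from Juju or its Equinix Metal provider: a POSIX shell function that emits an iptables-restore ruleset dropping everything addressed to the machine's public IP except replies to connections the machine opened itself and an explicit list of exposed ports. It assumes the public address is known when the script runs (cloud-init can obtain it from instance metadata) and that the exposed-port list is passed in by the caller, which is the part a Firewaller implementation would rewrite on `juju expose`; the chain name `juju-public-ingress`, the helper `count_exposed_port_rules` and the address `203.0.113.10` are constructed for the example.

```shell
#!/bin/sh
# Added example, not Juju's or the Equinix Metal provider's own code.
# Renders the policy from the bug description as an iptables-restore ruleset:
# packets addressed to the machine's public IP are dropped unless they belong
# to a connection the machine opened itself or arrive on an exposed port.
# Assumptions: the public address is known at render time, and the exposed
# ports are supplied by the caller (a Firewaller would re-render on expose).

# render_public_ingress_rules PUBLIC_IP [PORT/PROTO ...]
render_public_ingress_rules() {
    public_ip="$1"; shift
    printf '%s\n' '*filter'
    printf '%s\n' ':INPUT ACCEPT [0:0]'
    printf '%s\n' ':FORWARD ACCEPT [0:0]'
    printf '%s\n' ':OUTPUT ACCEPT [0:0]'
    # A dedicated chain keeps the per-port rules separable from the rest of INPUT.
    printf '%s\n' ':juju-public-ingress - [0:0]'
    # Match on destination address rather than interface, so traffic to the
    # private address (Juju agent, FAN) is untouched whether or not both
    # addresses sit on the same interface.
    printf '%s\n' "-A INPUT -d $public_ip -j juju-public-ingress"
    # Replies to egress connections (apt, snaps, charm downloads) stay reachable;
    # egress itself is left at the OUTPUT chain's ACCEPT policy.
    printf '%s\n' '-A juju-public-ingress -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    # ICMP stays open so path-MTU discovery and reachability checks keep working.
    printf '%s\n' '-A juju-public-ingress -p icmp -j ACCEPT'
    # One ACCEPT per exposed port, e.g. 80/tcp or 53/udp.
    for spec in "$@"; do
        port="${spec%/*}"
        proto="${spec#*/}"
        printf '%s\n' "-A juju-public-ingress -p $proto --dport $port -j ACCEPT"
    done
    # Everything else arriving for the public address is dropped.
    printf '%s\n' '-A juju-public-ingress -j DROP'
    printf '%s\n' 'COMMIT'
}

# Number of exposed-port rules in a rendered ruleset (sanity check for a render).
count_exposed_port_rules() {
    render_public_ingress_rules "$@" | grep -c -- '--dport' || true
}

# To apply at cloud-init time (as root), pipe the render into iptables-restore:
#   render_public_ingress_rules "$PUBLIC_IP" 22/tcp | iptables-restore
# 203.0.113.10 below is a constructed documentation address.
if [ -n "${RENDER_EXAMPLE:-}" ]; then
    render_public_ingress_rules 203.0.113.10 22/tcp 80/tcp
fi
```

Keep 22/tcp in the exposed list if the controller reaches the machine over its public address; otherwise the first render would lock out the SSH path the ssh-based mutator helpers depend on. The ruleset only filters IPv4, so a machine that also carries a public IPv6 address needs a matching render fed to ip6tables-restore.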
Changed in juju: status: New → Triaged; importance: Undecided → Medium
Changed in juju: milestone: 2.9.12 → 2.9.13
Changed in juju: milestone: 2.9.13 → 2.9.14
Changed in juju: milestone: 2.9.14 → 2.9.15
Changed in juju: milestone: 2.9.15 → 2.9.16
Changed in juju: milestone: 2.9.16 → 2.9.17
Changed in juju: milestone: 2.9.17 → 2.9.18
Changed in juju: milestone: 2.9.18 → 2.9.19
Changed in juju: milestone: 2.9.19 → 2.9.20
Changed in juju: milestone: 2.9.20 → 2.9.21
Changed in juju: milestone: 2.9.21 → 2.9.22
Changed in juju: milestone: 2.9.22 → 2.9.23
Changed in juju: milestone: 2.9.23 → 2.9.24
Changed in juju: milestone: 2.9.24 → 2.9.25
Changed in juju: milestone: 2.9.25 → 2.9.26
Changed in juju: milestone: 2.9.26 → 2.9.27
Changed in juju: milestone: 2.9.27 → 2.9.28
Changed in juju: milestone: 2.9.28 → 2.9.29
Changed in juju: milestone: 2.9.29 → 2.9.30
Changed in juju: milestone: 2.9.30 → 2.9.31
Changed in juju: milestone: 2.9.31 → 2.9.32
Changed in juju: milestone: 2.9.32 → 2.9.33
Changed in juju: status: In Progress → Fix Committed
Changed in juju: status: Fix Committed → Fix Released
PR https://github.com/juju/juju/pull/13695 tracks the work for resolving this issue.