Juju should open up required ports on LXC deployments

Bug #971400 reported by Robert Ayres
This bug affects 2 people
Affects   Status    Importance   Assigned to   Milestone
pyjuju    Triaged   Low          Unassigned

Bug Description

When using LXC local deployments with an active iptables configuration, Juju starts a local Zookeeper process and makes use of the default bridge 'virbr0' started by libvirt. Libvirt adds iptables rules to allow DNS and BOOTP queries from guests to host, as shown by my iptables rules:

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
    0 0 ACCEPT udp -- virbr0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:53
    0 0 ACCEPT tcp -- virbr0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
    0 0 ACCEPT udp -- virbr0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:67
    0 0 ACCEPT tcp -- virbr0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:67
    0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
    0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
    0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0

The first four rules are added by libvirt, the last three are my own general purpose rules. With this setup, any juju LXC unit is unable to contact the Zookeeper host instance (it will continue to try until it succeeds). I have to add my own rule to allow traffic from the bridge:

iptables -A INPUT -i virbr0 -j ACCEPT

However, Juju should probably only add rules for the specific ports it needs.
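An added check, not code from the bug report or from Juju, that walks the reporter's INPUT chain with first-match semantics to show why a new TCP connection from an LXC unit is dropped and what a port-specific rule would look like. The ZooKeeper port 2181 is an assumption (the report names no port), and the simulator only models the in-interface, protocol, destination port and ctstate fields that appear in these rules.

```python
import re
# Constructed copy of the INPUT chain from the report (iptables -L INPUT -v -n).
CHAIN = """\
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
    0 0 ACCEPT udp -- virbr0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:53
    0 0 ACCEPT tcp -- virbr0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
    0 0 ACCEPT udp -- virbr0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:67
    0 0 ACCEPT tcp -- virbr0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:67
    0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
    0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
    0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
"""
ZK_PORT = 2181  # assumption: ZooKeeper's default client port; the report names no port

def parse_chain(text):
    """Turn `iptables -L -v -n` output into (target, proto, in_iface, dport, ct_established)."""
    rules = []
    for line in text.splitlines():
        f = line.split()
        if not f or not f[0].isdigit():      # skip the "Chain ..." and column-header lines
            continue
        m = re.search(r"dpt:(\d+)", line)
        rules.append((f[2], f[3], f[5], int(m.group(1)) if m else None, "ESTABLISHED" in line))
    return rules

def verdict(rules, in_iface, proto, dport, policy="ACCEPT"):
    """First-match walk of the chain for a NEW inbound connection; returns ACCEPT or DROP."""
    for target, rproto, riface, rdport, established in rules:
        if rproto != "all" and rproto != proto:
            continue
        if riface != "*" and riface != in_iface:
            continue
        if rdport is not None and rdport != dport:
            continue
        if established:                      # ctstate RELATED,ESTABLISHED never matches a NEW flow
            continue
        return target
    return policy                            # chain policy applies when nothing matched

def narrow_rule(bridge="virbr0", port=ZK_PORT):
    """The port-specific rule the report asks for, instead of the broad `-i virbr0 -j ACCEPT`."""
    return f"iptables -I INPUT 1 -i {bridge} -p tcp --dport {port} -j ACCEPT"

def with_narrow_rule(text, bridge="virbr0", port=ZK_PORT):
    """Simulate `-I INPUT 1`: prepend the narrow rule so it sits before the catch-all DROP."""
    line = f"    0 0 ACCEPT tcp -- {bridge} * 0.0.0.0/0 0.0.0.0/0 tcp dpt:{port}"
    return line + "\n" + text
```

With the original chain a new TCP flow from virbr0 to the ZooKeeper port falls through to the final DROP; with the narrow rule in front of it only that port on that bridge is opened, and other interfaces and protocols are still dropped.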

Curtis Hovey (sinzui)
Changed in juju:
importance: Undecided → Low
status: New → Triaged