Default secgroup reset periodically to allow 0.0.0.0/0 for 22, 17070, 37017
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Canonical Juju | Triaged | Medium | Unassigned |
juju-core | Won't Fix | Medium | Unassigned |
1.25 | Won't Fix | Medium | Unassigned |
Bug Description
Steps to reproduce:
1) bootstrap an ec2 environment *
2) Edit the secgroup which juju creates for the specific environment, changing the inbound rules for 22, 17070, 37017 from "Anywhere" (0.0.0.0/0) to "Custom IP" (123.456.
3) Verify shortly after that the ports are only accessible to the custom ip address
Expected result next day:
4) View the secgroup and verify it's still set to the custom ip.
Actual result next day (or some time thereafter; haven't timed):
4) secgroup has been reset to 0.0.0.0/0, and so ports are accessible from anywhere.
* I've only seen this on ec2, but reports on the mailing list of seeing this with openstack too: https:/
Changed in juju-core:
  importance: Undecided → Medium
  status: New → Triaged
  tags: added: canonical-is
Changed in juju-core:
  status: Incomplete → Triaged
  importance: Undecided → High
  importance: High → Medium
  status: Triaged → New
Changed in juju-core:
  status: New → Triaged
Changed in juju-core:
  status: Triaged → Won't Fix
Changed in juju:
  status: New → Triaged
  importance: Undecided → Medium
  milestone: none → 2.1.0
Changed in juju:
  assignee: nobody → Roufique hossain (rtatours)
Changed in juju-core:
  assignee: nobody → Roufique hossain (rtatours)
Changed in juju:
  assignee: Roufique hossain (rtatours) → nobody
Changed in juju-core:
  assignee: Roufique hossain (rtatours) → nobody
Changed in juju:
  milestone: 2.1.0 → none
It will be useful to see some logs (machine-0.log with logging-config: <root>=DEBUG) to understand better what the reason for this behaviour is.
For one, I know the firewaller is eager to close ports that it thinks shouldn't be open. Depending on the firewall-mode setting, the firewaller diffs the current set of ports against the changed ports coming from the environment (with FwGlobal mode) or the instance (FwInstance mode), and then opens or closes ports as needed.
Another thing I noticed in both EC2 and OpenStack providers is that we ignore the CIDRs when fetching security group rules from the cloud API (i.e. we assume all of them are 0.0.0.0/0), and also set CIDRs to 0.0.0.0/0 unconditionally when opening ports (adding rules). Combined with the equality checks inside the OpenStack provider which ignore CIDRs and the "revoke-non-existing-rule-is-ok" AWS behavior used by the EC2 provider, this definitely needs more investigation.
As for why secgroup rules are changed after some time, this is because the firewaller attempts to reconcile opened/closed ports on *every* machine, unit, or openedPorts change, as well as service exposing. If you manually change secgroup rules to open 22/tcp, juju will most likely treat this as "oops, I see an opened port which is not marked as opened, better fix that!"
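Added example, not Juju's code or the reporter's: a small Go model of the two things this comment states, a reconciler that diffs the model's open ports against a CIDR-blind view of the cloud rules and writes every open as 0.0.0.0/0, plus the check from step 3 of the bug description done against a rule listing rather than the console. The Rule type, the sample rules and the 203.0.113.0/24 source are constructed; port 8080 stands for any rule an operator adds by hand.

```go
package main

import (
	"fmt"
	"sort"
)

// Rule is one inbound security-group rule as a cloud API would report it.
// Constructed for this example; not a Juju or provider type.
type Rule struct {
	Proto string // "tcp" or "udp"
	Port  int    // single port; ranges are left out to keep the model small
	CIDR  string // source, e.g. "0.0.0.0/0" or "203.0.113.0/24"
}

const anywhere = "0.0.0.0/0"

// Plan is what one firewaller reconciliation pass would apply to the cloud.
type Plan struct {
	Open  []Rule
	Close []Rule
}

func portKey(r Rule) string { return fmt.Sprintf("%s/%d", r.Proto, r.Port) }

// fetchCIDRBlind models the provider behaviour the comment describes: CIDRs
// returned by the cloud API are ignored and every rule is taken to be open to
// 0.0.0.0/0, so a narrowed rule becomes indistinguishable from a wide-open one.
func fetchCIDRBlind(cloud []Rule) []Rule {
	seen := map[string]bool{}
	var out []Rule
	for _, r := range cloud {
		if k := portKey(r); !seen[k] {
			seen[k] = true
			out = append(out, Rule{Proto: r.Proto, Port: r.Port, CIDR: anywhere})
		}
	}
	return out
}

// reconcile diffs the ports the model says should be open against what the
// provider reports. The model side carries no CIDR, so every open is written
// as 0.0.0.0/0, and any port the model does not know about is closed (the
// "oops, an opened port that is not marked as opened" case in the comment).
func reconcile(wanted, reported []Rule) Plan {
	want := map[string]bool{}
	for _, r := range wanted {
		want[portKey(r)] = true
	}
	have := map[string]Rule{}
	for _, r := range reported {
		have[portKey(r)] = r
	}
	var p Plan
	for _, r := range wanted {
		if _, ok := have[portKey(r)]; !ok {
			p.Open = append(p.Open, Rule{Proto: r.Proto, Port: r.Port, CIDR: anywhere})
		}
	}
	for k, r := range have {
		if !want[k] {
			p.Close = append(p.Close, r)
		}
	}
	sort.Slice(p.Close, func(i, j int) bool { return p.Close[i].Port < p.Close[j].Port })
	return p
}

// wideOpen is the check from step 3 of the report done against a rule listing:
// the watched ports that any rule exposes to 0.0.0.0/0 (or its IPv6
// counterpart). Unlike the reconciler it reads CIDRs, which is what makes the
// drift the report describes detectable.
func wideOpen(cloud []Rule, watched []int) []int {
	var out []int
	for _, p := range watched {
		for _, r := range cloud {
			if r.Port == p && (r.CIDR == anywhere || r.CIDR == "::/0") {
				out = append(out, p)
				break
			}
		}
	}
	return out
}

func main() {
	// Constructed state: the operator narrowed 22 as in step 2 of the report
	// and added an 8080 rule by hand; Juju's model knows 22, 17070 and 37017.
	cloud := []Rule{
		{"tcp", 22, "203.0.113.0/24"},
		{"tcp", 17070, anywhere},
		{"tcp", 37017, anywhere},
		{"tcp", 8080, anywhere},
	}
	wanted := []Rule{{"tcp", 22, anywhere}, {"tcp", 17070, anywhere}, {"tcp", 37017, anywhere}}

	plan := reconcile(wanted, fetchCIDRBlind(cloud))
	fmt.Printf("firewaller would open %v and close %v\n", plan.Open, plan.Close)
	fmt.Println("reachable from anywhere:", wideOpen(cloud, []int{22, 17070, 37017}))
}
```

Running it shows the reconciler closing only 8080 and taking no action on the narrowed 22 rule, which it cannot see, while the CIDR-aware check reports 17070 and 37017 as reachable from anywhere. Any port the model later (re)opens is written as 0.0.0.0/0. The model covers only what the comment states and does not reproduce the timing of the reset the report describes.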