Juju newbie questions

[Clint Byrum]

Excerpts from Kapil Thangavelu's message of 2012-06-22 10:20:55 -0700:
> On Fri, Jun 22, 2012 at 10:53 AM, Robbie Williamson <robbie at ubuntu.com>wrote:
> 
> > (cross-posting to main juju list)
> >
> > On 06/22/2012 03:44 AM, Thomas Leonard wrote:
> > > Hi all,
> > >
> > > I'm evaluating Juju as a way to deploy and manage some of our services.
> > > From the About page, it sounds like just what we're looking for. I read
> > > quite a bit of the documentation and made a test installation, but I
> > > have a few questions:
> > >
> > > - I deployed using the "local" LXC type (using Juju from 12.04). This
> > > uses virbr0, which means the services aren't accessible from other
> > > machines. Is there a way to change this? I had a look at the code, but
> > > it was also hard-coding 192.168.122 in various places.
> > >
> > > - Juju doesn't say much about security. I found an interesting issue.
> > > Can security bugs be discussed here on the list, or should they be
> > > reported privately?
> > We prefer you report them via our launchpad tool. Assuming you are
> > running 12.04 (Precise Pangolin), you can open a bug here:
> >  https://bugs.launchpad.net/ubuntu/precise/+source/juju/+filebug
> > After filling in the description, there is a section where you can
> > change the bug from "Public" to "Embargoed Security" (right above the
> > Submit button).  This will keep the info open to only you and our juju
> > development and security teams.
> 
> 
> Thanks for reporting the issue. Its been fixed on trunk and packages are
> rolling out to respective releases over the next few days. Its specific to
> the local provider and not remotely accessible. The only applicable
> scenario where its a problem is a multi-user system using local provider.

Which isn't really a problem at all because these systems are also
vulnerable to attack via the Zookeeper port which, while randomized,
has no authentication.