Juju newbie questions
Kapil Thangavelu
kapil.thangavelu at canonical.com
Sat Jun 23 02:19:29 UTC 2012
True, that is also an issue for host-based attacks against the local
provider. zk is listening on the bridge address, so it's not accessible
remotely, but the randomized open port provides no protection against a
malicious local attacker. I agree the reality check is that the local provider isn't
safe for a multi-user host if there is malicious intent.
cheers,
Kapil
On Fri, Jun 22, 2012 at 3:32 PM, Clint Byrum <clint at ubuntu.com> wrote:
> Excerpts from Kapil Thangavelu's message of 2012-06-22 10:20:55 -0700:
> > On Fri, Jun 22, 2012 at 10:53 AM, Robbie Williamson <robbie at ubuntu.com> wrote:
> >
> > > (cross-posting to main juju list)
> > >
> > > On 06/22/2012 03:44 AM, Thomas Leonard wrote:
> > > > Hi all,
> > > >
> > > > I'm evaluating Juju as a way to deploy and manage some of our services.
> > > > From the About page, it sounds like just what we're looking for. I read
> > > > quite a bit of the documentation and made a test installation, but I
> > > > have a few questions:
> > > >
> > > > - I deployed using the "local" LXC type (using Juju from 12.04). This
> > > > uses virbr0, which means the services aren't accessible from other
> > > > machines. Is there a way to change this? I had a look at the code, but
> > > > it was also hard-coding 192.168.122 in various places.
> > > >
> > > > - Juju doesn't say much about security. I found an interesting issue.
> > > > Can security bugs be discussed here on the list, or should they be
> > > > reported privately?
> > > We prefer you report them via our launchpad tool. Assuming you are
> > > running 12.04 (Precise Pangolin), you can open a bug here:
> > > https://bugs.launchpad.net/ubuntu/precise/+source/juju/+filebug
> > > After filling in the description, there is a section where you can
> > > change the bug from "Public" to "Embargoed Security" (right above the
> > > Submit button). This will keep the info open to only you and our juju
> > > development and security teams.
> >
> >
> > Thanks for reporting the issue. It's been fixed on trunk and packages are
> > rolling out to respective releases over the next few days. It's specific to
> > the local provider and not remotely accessible. The only applicable
> > scenario where it's a problem is a multi-user system using local provider.
>
> Which isn't really a problem at all because these systems are also
> vulnerable to attack via the Zookeeper port which, while randomized,
> has no authentication.
>
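The point Clint and Kapil make above, that a randomized listening port is no protection against a local user because any account on the host can enumerate listening sockets, as an added example that is not part of this thread and not Juju's or ZooKeeper's own code. It parses a constructed sample of `/proc/net/tcp` (world-readable on Linux) and picks out listeners bound to the libvirt bridge address 192.168.122.1; the bridge address, the sample port 42163 and the uid values are assumptions for the example. The `zk_ruok` helper uses ZooKeeper's real `ruok` four-letter command but needs a live server, so it is not run against the sample.

```python
"""
Added example (not Juju's or ZooKeeper's own code): why a randomized
listening port is no defence against a local user.  /proc/net/tcp is
world-readable on Linux, so any local account can list every LISTEN socket,
including one bound to the libvirt bridge address 192.168.122.1.
The /proc/net/tcp text below is constructed for the example.
"""
import socket
import struct

# Constructed sample of /proc/net/tcp.  Columns: sl, local_address,
# rem_address, st, tx_queue:rx_queue, tr:tm->when, retrnsmt, uid, timeout,
# inode, ...  State 0A is LISTEN, 01 is ESTABLISHED.  Port A4B3 (42163) and
# uid 1000 for the bridge listener are assumed values.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11223 1 0000000000000000 100 0 0 10 0
   1: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11340 1 0000000000000000 100 0 0 10 0
   2: 017AA8C0:A4B3 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 22871 1 0000000000000000 100 0 0 10 0
   3: 017AA8C0:A4B3 027AA8C0:9D2E 01 00000000:00000000 00:00000000 00000000  1000        0 22990 1 0000000000000000 20 4 30 10 -1
"""

LISTEN = "0A"


def decode_endpoint(hex_endpoint):
    """Turn '017AA8C0:A4B3' into ('192.168.122.1', 42163).

    The kernel prints the IPv4 address as a host-order 32-bit integer, so on
    little-endian hosts the bytes appear reversed; the port is plain hex.
    """
    addr_hex, port_hex = hex_endpoint.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(addr_hex, 16)))
    return ip, int(port_hex, 16)


def listening_sockets(proc_net_tcp_text):
    """Return [(ip, port, uid), ...] for every LISTEN entry in the text."""
    result = []
    for line in proc_net_tcp_text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 10 or fields[3] != LISTEN:
            continue
        ip, port = decode_endpoint(fields[1])
        result.append((ip, port, int(fields[7])))
    return result


def sockets_on_bridge(proc_net_tcp_text, bridge_ip="192.168.122.1"):
    """Listeners reachable via the bridge: bound to its address or to 0.0.0.0."""
    return [(ip, port, uid)
            for ip, port, uid in listening_sockets(proc_net_tcp_text)
            if ip in (bridge_ip, "0.0.0.0")]


def zk_ruok(host, port, timeout=2.0):
    """Send ZooKeeper's 'ruok' four-letter command; an 'imok' reply confirms
    that an unauthenticated ZooKeeper answers on that port.  Needs a live
    server, so it is not exercised against the constructed sample."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(b"ruok")
        return s.recv(4) == b"imok"


if __name__ == "__main__":
    # For a live run, read the real file instead of the constructed sample:
    #   with open("/proc/net/tcp") as f: text = f.read()
    for ip, port, uid in sockets_on_bridge(SAMPLE_PROC_NET_TCP):
        print("listener %s:%d owned by uid %d" % (ip, port, uid))
```

The randomized port shows up in one read of a world-readable file, along with the uid of the process that owns it; the only thing that would stop the next step (`zk_ruok` followed by arbitrary znode writes) is authentication on the ZooKeeper socket, which the thread says the local provider does not have.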