Default Model SG Rules

James Beedy jamesbeedy at gmail.com
Thu Feb 2 15:20:14 UTC 2017


Thanks for creating/sharing those bugs, it looks like the milestone got
changed to "None" though ...

I've created a new one here: https://bugs.launchpad.net/juju/+bug/1661275

Possibly you could link those in, and put some heat on it for me?


On Sun, Jan 29, 2017 at 2:11 PM, Michael Nelson <michael.nelson at canonical.com> wrote:

> On Sat, Jan 28, 2017 at 4:34 AM James Beedy <jamesbeedy at gmail.com> wrote:
>
>> A default SG rule generated for every model allows 22 from 0.0.0.0/0,
>> I'm guessing this is because we are trying to facilitate the use case for
>> juju deployed on a public cloud, and instances being ssh accessed from the
>> internet and not from behind VPN in the same address space.
>>
>> A functionality which would allow users who don't want ssh open to the
>> world to close it, either completely, or limit to a private address space,
>> would be very helpful (especially because Juju reverts any changes made to
>> the SG,
>>
>
> I created a bug about that a while back:
>
> https://bugs.launchpad.net/juju-core/+bug/1420996
>
> As per the last change there, it was targeted for 2.1.0 until just
> recently.
>
>
>
>> so I couldn't even lock down port 22 if I wanted to).
>>
>> Is it possible to introduce a model config param that we could use to
>> tell juju where to allow ssh traffic from?
>>
>
> Again, an older bug, but I'd be keen to see that not just for 22/ssh, but
> in general when exposing services:
>
> https://bugs.launchpad.net/bugs/1401358
>
> but that may not fit the new juju2 models since the bug was written.
>
>
>>
>> Quick fix: Introduce an 'ssh-allow' param that could be used to open and
>> close port 22 on the SG generated for the model?
>>
>> Better fix: Introduce a config param 'ssh-access', where default value is
>> 0.0.0.0/0, which could then be modified to an address space that fits
>> the user's security needs.
>>
>> How do others feel about this?
>>
>