As part of the cross model relations work, the provider interface is being reworked such that Open/Close Port() API calls can now take as parameters ingress rules, i.e. a collection of port ranges and allowed source CIDRs.
With the above work, it will be possible to use that new provider capability to implement something like ssh-allow as an optional model parameter. Bigger picture though - we want to move to a model where Juju controllers are simply applications, by default with a single deployed unit, and with HA we effectively add-unit -n 3 for example. So in that sense, bug 1420996, which asks for juju expose to gain the ability to limit the subnets to which an application is exposed, seems like something useful to look at too. But, we also have the concept of spaces - a set of subnets with the same ingress/egress rules. Talking to John, who has been doing much of the work in this area, we could consider the fact that there should be a way to provide ssh access to all machines in an environment; maybe we have Juju model this to allow an ssh endpoint for machines to have a binding into a specific space. Having said that, the above work to improve how Juju controllers are modeled is not scheduled for the Juju 2.2 cycle. Maybe "ssh-allow" is a tasteful enough compromise for a quick win for Juju 2.2? It would be easy enough to upgrade that later to support a better modelled solution.

On 30/01/17 08:11, Michael Nelson wrote:
> On Sat, Jan 28, 2017 at 4:34 AM James Beedy <[email protected]> wrote:
>
>> A default SG rule generated for every model allows 22 from 0.0.0.0/0. I'm
>> guessing this is because we are trying to facilitate the use case for juju
>> deployed on a public cloud, and instances being ssh accessed from the
>> internet and not from behind VPN in the same address space.
>>
>> A functionality which would allow users who don't want ssh open to the
>> world to close it, either completely, or limit to a private address space,
>> would be very helpful (especially because Juju reverts any changes made to
>> the SG,
>>
>
> I created a bug about that a while back:
>
> https://bugs.launchpad.net/juju-core/+bug/1420996
>
> As per the last change there, it was targeted for 2.1.0 until just recently.
>
>
>> so I couldn't even lock down port 22 if I wanted to).
>>
>> Is it possible to introduce a model config param that we could use to tell
>> juju where to allow ssh traffic from?
>>
>
> Again, an older bug, but I'd be keen to see that not just for 22/ssh, but
> in general when exposing services:
>
> https://bugs.launchpad.net/bugs/1401358
>
> but that may not fit the new juju2 models since the bug was written.
>
>
>> Quick fix: Introduce an 'ssh-allow' param that could be used to open and
>> close port 22 on the SG generated for the model?
>>
>> Better fix: Introduce a config param 'ssh-access', where the default value is
>> 0.0.0.0/0, which could then be modified to an address space that fits the
>> users' security needs.
>>
>> How do others feel about this?
>> --
>> Juju mailing list
>> [email protected]
>> Modify settings or unsubscribe at:
>> https://lists.ubuntu.com/mailman/listinfo/juju
>>
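To make the ingress-rule representation and the 'ssh-access' proposal discussed in this thread concrete, the following is an added Python example; it is not Juju code and not code posted by anyone in the thread. It models a rule as a port range plus the source CIDRs allowed to reach it, builds the port-22 rule a model would generate for a given ssh-access value (world-open default beside a restricted and a fully closed value), and audits a set of rules for SSH exposed to every address. The IngressRule class, parse_cidrs, build_ssh_rule, world_open_ssh and is_valid_cidr_list are assumed names, and the sample security group rules are constructed for illustration.

```python
"""Ingress rules as port range + allowed source CIDRs, with an audit for
world-open SSH. Added example (not Juju's code); names are assumptions."""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass(frozen=True)
class IngressRule:
    """One ingress rule: a protocol, a port range and the sources allowed in."""
    protocol: str
    from_port: int
    to_port: int
    sources: Tuple[Network, ...]

    def covers_port(self, port: int) -> bool:
        return self.from_port <= port <= self.to_port

    def is_world_open(self) -> bool:
        # A /0 prefix (0.0.0.0/0 or ::/0) admits every address of that family.
        return any(net.prefixlen == 0 for net in self.sources)

    def allows_source(self, address: str) -> bool:
        """True if the given address falls inside any allowed source network."""
        addr = ipaddress.ip_address(address)
        return any(addr in net for net in self.sources if net.version == addr.version)


def parse_cidrs(value: str) -> Tuple[Network, ...]:
    """Parse a comma-separated CIDR list such as an 'ssh-access' value.

    An empty string means "no sources", i.e. the port is closed. Anything that
    is not a valid network (including an address with host bits set) raises
    ValueError, so a typo cannot silently widen or misstate access.
    """
    nets = []
    for item in value.split(","):
        item = item.strip()
        if not item:
            continue
        nets.append(ipaddress.ip_network(item, strict=True))
    return tuple(nets)


def is_valid_cidr_list(value: str) -> bool:
    """Validation helper a config layer could call before accepting a value."""
    try:
        parse_cidrs(value)
        return True
    except ValueError:
        return False


def build_ssh_rule(ssh_access: str = "0.0.0.0/0") -> IngressRule:
    """The port-22/tcp rule a model would generate for a given ssh-access value.

    The default reproduces the current behaviour described in the thread
    (22 open from 0.0.0.0/0); a narrower value restricts it, "" closes it.
    """
    return IngressRule("tcp", 22, 22, parse_cidrs(ssh_access))


def world_open_ssh(rules: Iterable[IngressRule]) -> List[IngressRule]:
    """Audit: return every rule that exposes 22/tcp to all source addresses."""
    return [
        r for r in rules
        if r.protocol == "tcp" and r.covers_port(22) and r.is_world_open()
    ]


if __name__ == "__main__":
    # Constructed sample security groups, not real model output.
    default_sg = [build_ssh_rule(), IngressRule("tcp", 80, 80, parse_cidrs("0.0.0.0/0"))]
    hardened_sg = [build_ssh_rule("10.0.0.0/8, 192.168.1.0/24"),
                   IngressRule("tcp", 80, 80, parse_cidrs("0.0.0.0/0"))]
    for name, sg in (("default", default_sg), ("hardened", hardened_sg)):
        findings = world_open_ssh(sg)
        print(f"{name}: {len(findings)} rule(s) expose SSH to the world")
    print("10.1.2.3 allowed by hardened ssh rule:", hardened_sg[0].allows_source("10.1.2.3"))
    print("203.0.113.5 allowed by hardened ssh rule:", hardened_sg[0].allows_source("203.0.113.5"))
```

The audit deliberately checks the prefix length rather than string-comparing against "0.0.0.0/0", so it also catches ::/0 and a rule whose port range merely includes 22 (for example 0-65535); strict CIDR parsing rejects values like 10.1.2.3/8 that a cloud API might otherwise normalise to something wider than the operator intended.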
