In some sense this is expected behavior: Juju syncs the IaaS resources it
creates to its internal state for them. Re workarounds: at least for
OpenStack (or EC2 VPC), if you want manually created security rules, you
should ideally create a separate group + rules and attach it to the relevant
instances. The other option, for services that are exposed, is to use
'juju run' on either a service/unit/all machines to open-port 22.

hth,

-kapil
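
To see exactly which rules disappear from the Juju-created group overnight, and to check whether rules kept in a separately created group persist, two saved rule listings can be compared. This is an added example, not part of the thread; it assumes the table layout printed by `nova secgroup-list-rules`, and both snapshots are constructed sample data.

```python
# Added example: diff two saved `nova secgroup-list-rules <group>` listings.
# Both snapshots are constructed sample data, not output from the thread.
BEFORE = """\
+-------------+-----------+---------+-----------------+--------------+
| IP Protocol | From Port | To Port | IP Range        | Source Group |
+-------------+-----------+---------+-----------------+--------------+
| icmp        | -1        | -1      | 0.0.0.0/0       |              |
| tcp         | 22        | 22      | 203.0.113.10/32 |              |
| tcp         | 80        | 80      | 0.0.0.0/0       |              |
+-------------+-----------+---------+-----------------+--------------+
"""
AFTER = """\
+-------------+-----------+---------+-----------+--------------+
| IP Protocol | From Port | To Port | IP Range  | Source Group |
+-------------+-----------+---------+-----------+--------------+
| icmp        | -1        | -1      | 0.0.0.0/0 |              |
| tcp         | 80        | 80      | 0.0.0.0/0 |              |
+-------------+-----------+---------+-----------+--------------+
"""


def parse_rules(table):
    """Return the set of rule tuples in a prettytable-style listing."""
    header, rules = None, set()
    for line in table.splitlines():
        line = line.strip()
        if not line.startswith("|"):
            continue  # skip "+---+" borders and blank lines
        cells = tuple(c.strip() for c in line.strip("|").split("|"))
        if header is None:
            header = cells  # first "|" row holds the column names
        elif len(cells) != len(header):
            raise ValueError("malformed row: %r" % line)
        else:
            rules.add(cells)
    return rules


def drift(before, after):
    """Return (removed, added) rules between two snapshots, sorted."""
    old, new = parse_rules(before), parse_rules(after)
    return sorted(old - new), sorted(new - old)


if __name__ == "__main__":
    removed, added = drift(BEFORE, AFTER)
    for rule in removed:
        print("REMOVED:", " ".join(f for f in rule if f))
    for rule in added:
        print("ADDED:  ", " ".join(f for f in rule if f))
```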


On Thu, Feb 12, 2015 at 6:52 AM, Caio Begotti <caio1...@gmail.com> wrote:

> Thanks, Michael. I see you filed the bug last night (I went away after
> posting my message) but I just added some findings and my scenario to the
> report. In case others want to check it out:
> https://bugs.launchpad.net/juju-core/+bug/1420996
>
>
> — Caio Begotti [ˈka.jo | be.ˈgɔ.t͡ʃi]
>
> On Wed, Feb 11, 2015 at 6:39 PM, Michael Nelson <michael.nel...@canonical.com> wrote:
>
>> On Thu, Feb 12, 2015 at 5:39 AM, Caio Begotti <caio1...@gmail.com> wrote:
>> > Hi folks,
>> >
>> > I wonder if any of you have had this problem before but Juju and Openstack
>> > are resetting my secgroup rules every night. I hope this is comprehensible
>> > without much details as it involves private deployment info... I know this
>> > is not strictly speaking 100% Juju but anyway...
>>
>> I've just checked my ec2 test deployments, and I'm seeing the same
>> behaviour on the secgroups there. Definitely worth a bug Caio (I'll do
>> it if you don't get around to it, I don't see one at
>> https://bugs.launchpad.net/juju-core/?field.searchtext=secgroup ).
>>
>> -Michael
>>
>> >
>> > Juju creates the secgroup for Nova, right? I am manually setting a nova
>> > secgroup-add-rule for port 22 like the following:
>> >
>> > nova secgroup-add-rule groupname tcp 22 22 ipaddress/32
>> >
>> > However, my other rules (ICMP etc) are kept between days, but SSH rules for
>> > port 22 are being reset and disappearing overnight. Is it a known issue or
>> > expected behavior with Juju and Openstack?
>> >
>> > I was told Juju or Openstack (no idea who is at fault here, really) might
>> > reset the secgroups from time to time (when exactly?) if the specified port
>> > in the rule is not open in the Juju units.
>> >
>> > Ok, so I have created this charm
>> > https://jujucharms.com/u/caio1982/open-port/ and I confirm that now port 22
>> > is open in all the related units whose IPs are in the secgroup rules. Still,
>> > all SSH rules for port 22 are being reset every single night.
>> >
>> > Does it make sense?
>> >
>> > Right now I have an extra secgroup rule for 0.0.0.0/0 too, just to see what
>> > happens tonight.
>> >
>> > I would really love to understand why Juju and Openstack are not playing
>> > nice together with my secgroup rules :-(
>> >
>> > — Caio Begotti [ˈka.jo | be.ˈgɔ.t͡ʃi]
>> >
>> > --
>> > Juju mailing list
>> > Juju@lists.ubuntu.com
>> > Modify settings or unsubscribe at:
>> > https://lists.ubuntu.com/mailman/listinfo/juju
>> >
>>