Merge pull request #576 from voidspace/db-shutoff-2

Shut-off direct database access

No longer expose port 37017 on machines, as direct mongo access is no longer required.

This is a repeat of PR 449 (effectively a revert of the revert).

#449

This was reverted because restore still used direct state access. Once PR 561 has been merged direct DB access can be shutoff (again).

#561

provider/azure/environ.go

@@ -778,10 +778,6 @@ func (env *azureEnviron) newOSDisk(sourceImageName string) *gwacl.OSVirtualHardD
 // getInitialEndpoints returns a slice of the endpoints every instance should have open
 // (ssh port, etc).
 func (env *azureEnviron) getInitialEndpoints(stateServer bool) []gwacl.InputEndpoint {
-	// TODO(axw) either proxy ssh traffic through one of the
-	// randomly chosen VMs to the internal address, or otherwise
-	// don't load balance SSH and provide a way of getting the
-	// local port.
 	cfg := env.Config()
 	endpoints := []gwacl.InputEndpoint{{
 		LocalPort: 22,
@@ -791,11 +787,6 @@ func (env *azureEnviron) getInitialEndpoints(stateServer bool) []gwacl.InputEndp
 	}}
 	if stateServer {
 		endpoints = append(endpoints, []gwacl.InputEndpoint{{
-			LocalPort: cfg.StatePort(),
-			Port:      cfg.StatePort(),
-			Protocol:  "tcp",
-			Name:      "stateport",
-		}, {
 			LocalPort: cfg.APIPort(),
 			Port:      cfg.APIPort(),
 			Protocol:  "tcp",

provider/azure/environ_test.go

@@ -1160,11 +1160,6 @@ func (s *environSuite) TestInitialPorts(c *gc.C) {
 	// Only role2 should report opened state server ports via the Ports method.
 	dummyRole := *role1
 	configSetNetwork(&dummyRole).InputEndpoints = &[]gwacl.InputEndpoint{{
-		LocalPort: env.Config().StatePort(),
-		Protocol:  "tcp",
-		Name:      "stateserver",
-		Port:      env.Config().StatePort(),
-	}, {
 		LocalPort: env.Config().APIPort(),
 		Protocol:  "tcp",
 		Name:      "apiserver",
@@ -1179,17 +1174,12 @@ func (s *environSuite) TestInitialPorts(c *gc.C) {
 		for _, portRange := range ports {
 			portmap[portRange] = true
 		}
-		statePortRange := network.PortRange{
-			Protocol: "tcp",
-			FromPort: env.Config().StatePort(),
-			ToPort:   env.Config().StatePort(),
-		}
 		apiPortRange := network.PortRange{
 			Protocol: "tcp",
 			FromPort: env.Config().APIPort(),
 			ToPort:   env.Config().APIPort(),
 		}
-		return portmap[statePortRange] && portmap[apiPortRange]
+		return portmap[apiPortRange]
 	}
 	c.Check(inst1, gc.Not(jc.Satisfies), reportsStateServerPorts)
 	c.Check(inst2, jc.Satisfies, reportsStateServerPorts)
@@ -1259,13 +1249,7 @@ func (*environSuite) testNewRole(c *gc.C, stateServer bool) {
 	c.Check(sshEndpoint.Protocol, gc.Equals, "tcp")
 
 	if stateServer {
-		// There's also an endpoint for the state (mongodb) port.
-		stateEndpoint, ok := endpoints[env.Config().StatePort()]
-		c.Assert(ok, gc.Equals, true)
-		c.Check(stateEndpoint.LocalPort, gc.Equals, env.Config().StatePort())
-		c.Check(stateEndpoint.Protocol, gc.Equals, "tcp")
-
-		// And one for the API port.
+		// There should be an endpoint for the API port.
 		apiEndpoint, ok := endpoints[env.Config().APIPort()]
 		c.Assert(ok, gc.Equals, true)
 		c.Check(apiEndpoint.LocalPort, gc.Equals, env.Config().APIPort())

provider/azure/instance_test.go

@@ -348,11 +348,6 @@ func (s *instanceSuite) testPorts(c *gc.C, maskStateServerPorts bool) {
 		Protocol:  "tcp",
 		Name:      "test456",
 		Port:      4456,
-	}, {
-		LocalPort: s.env.Config().StatePort(),
-		Protocol:  "tcp",
-		Name:      "stateserver",
-		Port:      s.env.Config().StatePort(),
 	}, {
 		LocalPort: s.env.Config().APIPort(),
 		Protocol:  "tcp",
@@ -375,7 +370,6 @@ func (s *instanceSuite) testPorts(c *gc.C, maskStateServerPorts bool) {
 		{2123, 2123, "udp"},
 	}
 	if !maskStateServerPorts {
-		expected = append(expected, network.PortRange{s.env.Config().StatePort(), s.env.Config().StatePort(), "tcp"})
 		expected = append(expected, network.PortRange{s.env.Config().APIPort(), s.env.Config().APIPort(), "tcp"})
 		network.SortPortRanges(expected)
 	}

provider/ec2/ec2.go

@@ -604,7 +604,7 @@ func (e *environ) StartInstance(args environs.StartInstanceParams) (instance.Ins
 	}
 	logger.Debugf("ec2 user data; %d bytes", len(userData))
 	cfg := e.Config()
-	groups, err := e.setUpGroups(args.MachineConfig.MachineId, cfg.StatePort(), cfg.APIPort())
+	groups, err := e.setUpGroups(args.MachineConfig.MachineId, cfg.APIPort())
 	if err != nil {
 		return nil, nil, nil, fmt.Errorf("cannot set up groups: %v", err)
 	}
@@ -1082,7 +1082,7 @@ func (inst *ec2Instance) Ports(machineId string) ([]network.PortRange, error) {
 // other instances that might be running on the same EC2 account.  In
 // addition, a specific machine security group is created for each
 // machine, so that its firewall rules can be configured per machine.
-func (e *environ) setUpGroups(machineId string, statePort, apiPort int) ([]ec2.SecurityGroup, error) {
+func (e *environ) setUpGroups(machineId string, apiPort int) ([]ec2.SecurityGroup, error) {
 	jujuGroup, err := e.ensureGroup(e.jujuGroupName(),
 		[]ec2.IPPerm{
 			{
@@ -1091,12 +1091,6 @@ func (e *environ) setUpGroups(machineId string, statePort, apiPort int) ([]ec2.S
 				ToPort:    22,
 				SourceIPs: []string{"0.0.0.0/0"},
 			},
-			{
-				Protocol:  "tcp",
-				FromPort:  statePort,
-				ToPort:    statePort,
-				SourceIPs: []string{"0.0.0.0/0"},
-			},
 			{
 				Protocol:  "tcp",
 				FromPort:  apiPort,

provider/ec2/live_test.go

@@ -226,9 +226,8 @@ func (t *LiveTests) TestInstanceGroups(c *gc.C) {
 	// that the unneeded permission that we added earlier
 	// has been deleted).
 	perms := info[0].IPPerms
-	c.Assert(perms, gc.HasLen, 6)
+	c.Assert(perms, gc.HasLen, 5)
 	checkPortAllowed(c, perms, 22) // SSH
-	checkPortAllowed(c, perms, coretesting.FakeConfig()["state-port"].(int))
 	checkPortAllowed(c, perms, coretesting.FakeConfig()["api-port"].(int))
 	checkSecurityGroupAllowed(c, perms, groups[0])
 

provider/openstack/export_test.go

@@ -296,8 +296,8 @@ func SetUseFloatingIP(e environs.Environ, val bool) {
 	env.ecfg().attrs["use-floating-ip"] = val
 }
 
-func SetUpGlobalGroup(e environs.Environ, name string, statePort, apiPort int) (nova.SecurityGroup, error) {
-	return e.(*environ).setUpGlobalGroup(name, statePort, apiPort)
+func SetUpGlobalGroup(e environs.Environ, name string, apiPort int) (nova.SecurityGroup, error) {
+	return e.(*environ).setUpGlobalGroup(name, apiPort)
 }
 
 func EnsureGroup(e environs.Environ, name string, rules []nova.RuleInfo) (nova.SecurityGroup, error) {

provider/openstack/live_test.go

@@ -178,17 +178,14 @@ func (t *LiveTests) TestSetupGlobalGroupExposesCorrectPorts(c *gc.C) {
 	}
 	cleanup()
 	defer cleanup()
-	statePort := 12345 // Default 37017
-	apiPort := 34567   // Default 17070
-	group, err := openstack.SetUpGlobalGroup(t.Env, groupName, statePort, apiPort)
+	apiPort := 34567 // Default 17070
+	group, err := openstack.SetUpGlobalGroup(t.Env, groupName, apiPort)
 	c.Assert(err, gc.IsNil)
-	c.Assert(err, gc.IsNil)
-	// We default to exporting 22, statePort, apiPort, and icmp/udp/tcp on
+	// We default to exporting 22, apiPort, and icmp/udp/tcp on
 	// all ports to other machines inside the same group
 	// TODO(jam): 2013-09-18 http://pad.lv/1227142
-	// We shouldn't be exposing the API and State ports on all the machines
-	// that *aren't* hosting the state server. (And once we finish
-	// client-via-API we can disable the State port as well.)
+	// We shouldn't be exposing the API port on all the machines
+	// that *aren't* hosting the state server.
 	stringRules := make([]string, 0, len(group.Rules))
 	for _, rule := range group.Rules {
 		ruleStr := fmt.Sprintf("%s %d %d %q %q",
@@ -203,7 +200,6 @@ func (t *LiveTests) TestSetupGlobalGroupExposesCorrectPorts(c *gc.C) {
 	// We don't care about the ordering, so we sort the result, and compare it.
 	expectedRules := []string{
 		`tcp 22 22 "0.0.0.0/0" ""`,
-		fmt.Sprintf(`tcp %d %d "0.0.0.0/0" ""`, statePort, statePort),
 		fmt.Sprintf(`tcp %d %d "0.0.0.0/0" ""`, apiPort, apiPort),
 		fmt.Sprintf(`tcp 1 65535 "" "%s"`, groupName),
 		fmt.Sprintf(`udp 1 65535 "" "%s"`, groupName),

provider/openstack/provider.go

@@ -975,7 +975,7 @@ func (e *environ) StartInstance(args environs.StartInstanceParams) (instance.Ins
 		}
 	}
 	cfg := e.Config()
-	groups, err := e.setUpGroups(args.MachineConfig.MachineId, cfg.StatePort(), cfg.APIPort())
+	groups, err := e.setUpGroups(args.MachineConfig.MachineId, cfg.APIPort())
 	if err != nil {
 		return nil, nil, nil, fmt.Errorf("cannot set up groups: %v", err)
 	}
@@ -1330,7 +1330,7 @@ func (e *environ) Provider() environs.EnvironProvider {
 	return &providerInstance
 }
 
-func (e *environ) setUpGlobalGroup(groupName string, statePort, apiPort int) (nova.SecurityGroup, error) {
+func (e *environ) setUpGlobalGroup(groupName string, apiPort int) (nova.SecurityGroup, error) {
 	return e.ensureGroup(groupName,
 		[]nova.RuleInfo{
 			{
@@ -1339,12 +1339,6 @@ func (e *environ) setUpGlobalGroup(groupName string, statePort, apiPort int) (no
 				ToPort:     22,
 				Cidr:       "0.0.0.0/0",
 			},
-			{
-				IPProtocol: "tcp",
-				FromPort:   statePort,
-				ToPort:     statePort,
-				Cidr:       "0.0.0.0/0",
-			},
 			{
 				IPProtocol: "tcp",
 				FromPort:   apiPort,
@@ -1380,8 +1374,8 @@ func (e *environ) setUpGlobalGroup(groupName string, statePort, apiPort int) (no
 // Note: ideally we'd have a better way to determine group membership so that 2
 // people that happen to share an openstack account and name their environment
 // "openstack" don't end up destroying each other's machines.
-func (e *environ) setUpGroups(machineId string, statePort, apiPort int) ([]nova.SecurityGroup, error) {
-	jujuGroup, err := e.setUpGlobalGroup(e.jujuGroupName(), statePort, apiPort)
+func (e *environ) setUpGroups(machineId string, apiPort int) ([]nova.SecurityGroup, error) {
+	jujuGroup, err := e.setUpGlobalGroup(e.jujuGroupName(), apiPort)
 	if err != nil {
 		return nil, err
 	}