Use juju-mongodb and juju-apiserver for connections to respective services. #7803
|
Why is this needed? Why are juju-mongodb and juju-apiserver the "right" names? When #7755 is merged, isn't localhost valid? |
|
Sorry, I forgot to add the lp bug. Please feel free to correct me, but what I got from comment #1 in the bug is that it's believed juju uses these names to connect to the database and apiserver. From the certificate point of view, it would be nice to use a non-generic name to reference, though it isn't obviously a must-have. |
|
@Pekkari thanks for the additional context. I think @jameinel needs to weigh in then, since it was his comment. IMO, it's fine to connect to localhost. FWIW, I've idly been considering changing our mongod configuration to use "--sslMode=preferSSL", and have the controller jujud processes connect to mongo on localhost without TLS. Should be a little less overhead, but perhaps in the noise. |
|
That is fine; whether the PR needs to be dropped or taken is up to the team. In the worst case, it brings discussion. That possibility sounds nice, though I see some trade-offs in HA, as if you happen not to have localhost
|
I believe 'localhost' is the correct address to connect to, but we want to be overriding the name that we compare in certificates. We do this because we won't always be connecting to exactly 'localhost' when connecting to Mongo. Namely, once we've connected to the local mongo, in an HA deployment, we then redirect and connect to whoever the Master mongo is, which may or may not be on the local machine. I'll have to caveat a little bit that sometimes we connect to mongo "Direct" and we expect that the connection won't be redirected. But I do think connecting to 'localhost' is clearer to developers in that case. And at other times, when we want to connect to the apiserver/mongo and it isn't local, then having it connect to 'juju-apiserver' might be ok, but it would need to be a hostname that we keep up to date, because the set of IPs that match changes over time. We already track those in agent.conf, so we could also try to keep /etc/hostnames up to date, but I'm not sure if it's actually worth that overhead. |
|
!!build!! |
|
!!build!! |
|
Can one of the admins verify this patch? |
Pekkari commented Aug 28, 2017
This pull request depends on PR: juju/utils#285
It starts using the right names instead of localhosts to connect to mongo and api server
in the core code, however, it requires some tool to append hostnames to /etc/hosts to
resolve connectivity during bootstrap, hence I added it in utils/network.go.
lp:1710886.
Signed-off-by: José Pekkarinen <jose.pekkarinen@canonical.com>
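
The approach raised in this thread, connecting to the local address while overriding the name that is compared against the certificate, shown as an added Go example (not code from this PR or from juju). It assumes a constructed throwaway certificate whose only name is `juju-mongodb` and a hypothetical helper `dialBoth`; `http.Serve` is only a stand-in TLS service.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net/http"
	"time"
)

// dialBoth serves TLS on 127.0.0.1 with a throwaway certificate valid only for
// certName, then dials it with the default expected name and with an override.
func dialBoth(certName string) (byAddress, byName error) {
	_, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: certName},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		DNSNames: []string{certName}, IsCA: true, BasicConstraintsValid: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, key.Public(), key)
	if err != nil {
		return err, err
	}
	leaf, _ := x509.ParseCertificate(der)
	roots := x509.NewCertPool()
	roots.AddCert(leaf) // the client trusts exactly this certificate
	server := &tls.Config{Certificates: []tls.Certificate{{Certificate: [][]byte{der}, PrivateKey: key}}}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", server)
	if err != nil {
		return err, err
	}
	defer ln.Close()
	go http.Serve(ln, nil) // stand-in TLS service; returns once ln is closed
	dial := func(serverName string) error { // "" makes tls.Dial expect the address host
		conn, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{RootCAs: roots, ServerName: serverName})
		if err == nil {
			conn.Close()
		}
		return err
	}
	return dial(""), dial(certName)
}

func main() {
	fmt.Println(dialBoth("juju-mongodb")) // verification error for 127.0.0.1, then <nil>
}
```

Certificate verification stays enabled in both dials; only the expected name changes, so the same check still holds when the connection ends up on a non-local machine.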