Use juju-mongodb and juju-apiserver for connections to respective services. #7803

Closed
5 participants
Contributor

Pekkari commented Aug 28, 2017

This pull request depends on PR: juju/utils#285

It starts using the right names instead of localhosts to connect to mongo and api server
in the core code, however, it requires some tool to append hostnames to /etc/hosts to
resolve connectivity during bootstrap, hence I added it in utils/network.go.

lp:1710886.

Signed-off-by: José Pekkarinen <jose.pekkarinen@canonical.com>

Use juju-mongodb and juju-apiserver for connections to respective
services.

Signed-off-by: José Pekkarinen <jose.pekkarinen@canonical.com>
Member

axw commented Aug 29, 2017

Why is this needed? Why are juju-mongodb and juju-apiserver the "right" names? When #7755 is merged, isn't localhost valid?

Contributor

Pekkari commented Aug 29, 2017

Sorry, I forgot to add the lp bug. Please, feel free to correct me, but what I got from the comment #1 in the bug is that it's believed juju uses these names to connect to the database and apiserver. From the certificate point of view, it would be nice to use a non-generic name to reference, though it isn't obviously a must have.

Member

axw commented Aug 29, 2017

@Pekkari thanks for the additional context. I think @jameinel needs to weigh in then, since it was his comment. IMO, it's fine to connect to localhost.

FWIW, I've idly been considering changing our mongod configuration to use "--sslMode=preferSSL", and have the controller jujud processes connect to mongo on localhost without TLS. Should be a little less overhead, but perhaps in the noise.

Contributor

Pekkari commented Aug 29, 2017

That is fine, whether the PR needs to be dropped or taken is up to the team. In the worst case, it brings discussion
and lets people know what we have now.

That possibility sounds nice, though I see some trade-offs in HA, as if you happen not to have the localhost
db available you'd like to enforce the ssl connection, and knowing when to connect in plain or encrypted
may become blurry.

Owner

jameinel commented Aug 30, 2017

I believe 'localhost' is the correct address to connect to, but we want to be overriding the name that we compare in certificates. We do this because we won't always be connecting to exactly 'localhost' when connecting to Mongo. Namely once we've connected to the local mongo, in an HA deployment, we then redirect and connect to whoever the Master mongo is, which may or may not be on the local machine.

I'll have to caveat a little bit that sometimes we connect to mongo "Direct" and we expect that the connection won't be redirected. But I do think connecting to 'localhost' is clearer to developers in that case. And at other times, when we want to connect to the apiserver/mongo and it isn't local, then having it connect to 'juju-apiserver' might be ok, but it would need to be a hostname that we keep up to date, because the set of IPs that match change over time. We already track those in agent.conf, so we could also try to keep /etc/hostnames up to date, but I'm not sure if it's actually worth that overhead.

Owner

nskaggs commented Sep 6, 2017

!!build!!

Owner

nskaggs commented Sep 27, 2017

!!build!!

Contributor

jujubot commented Sep 27, 2017

Can one of the admins verify this patch?

@axw axw closed this Nov 23, 2017
