Check firewall rules when updating cmr network ingress #7839
!!build!!
| + if err != nil && !errors.IsNotFound(err) { | ||
| + return errors.Trace(err) | ||
| + } | ||
| + if err == nil { |
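Review bot: the `errors.IsNotFound(err)` case at the top of this hunk falls through silently; the code only acts under `if err == nil`, so a missing record is neither logged nor surfaced to the caller. If that is the intent (nothing to check when no rules exist yet), a one-line comment saying so would stop the next reader from treating the not-found branch as an oversight.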
| + | ||
| +// firstLastAddresses returns the first and last addresses of the subnet. | ||
| +func firstLastAddresses(subnet *net.IPNet) (net.IP, net.IP) { | ||
| + firstIP := subnet.IP |
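Review bot: `firstIP := subnet.IP` aliases the slice held by `subnet`, so if the last address is derived by editing a value obtained the same way, the edit writes through to `subnet.IP` and to every caller still holding it. Compute the last address on a fresh slice (`make(net.IP, len(subnet.IP))` followed by `copy`) and state in the doc comment that both returned IPs are independent of `subnet`.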
axw
Sep 8, 2017
Member
simpler (set all of the trailing bits):
// Work on a copy: first and last must not share subnet.IP's backing array,
// otherwise setting the host bits of last also rewrites first and subnet.IP.
first := subnet.IP
last := make(net.IP, len(first))
for i, b := range first {
    last[i] = b | ^subnet.Mask[i] // keep the network bits, set every host bit
}
| + | ||
| + // If the requested ingress is not permitted on the offering side, | ||
| + // mark the relation as in error. It's not an error that requires a | ||
| + // worker restart though. |
wallyworld
Sep 8, 2017
Owner
To be thrashed out, but I'm thinking the relation would be marked as in error and the consumer would need to add-relation again with adjusted ingress.
| + // mark the relation as in error. It's not an error that requires a | ||
| + // worker restart though. | ||
| + if params.IsCodeForbidden(err) { | ||
| + return fw.firewallerApi.SetRelationStatus(relData.tag.Id(), relation.Error, err.Error()) |
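Review bot: returning the result of `fw.firewallerApi.SetRelationStatus(...)` directly means the forbidden error leaves the worker's return path, which matches the comment above, but if the status call itself fails the caller receives that failure with no trace of the firewall rejection that triggered it. Wrapping the status error, e.g. `errors.Annotatef(statusErr, "setting relation %s to error after ingress was refused", relData.tag.Id())`, keeps both. The hunk also shows `IsCodeForbidden` as the only code mapped to `relation.Error`; a unit test pinning that mapping would guard against other API error codes being silently absorbed here later.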
axw
Sep 8, 2017
Member
It makes me a little uneasy having the firewaller set status on the relation, but I'm not sure what the alternative is. What else sets the status? How do they coordinate?
wallyworld
Sep 8, 2017
Owner
Ostensibly, the other way a relation status can be set is if the user suspends the relation, but in that case, this firewall logic wouldn't be applied. Ingress is only requested when the relation is joined (again). So it hangs together as things stand. Juju sets status to joined, error, or broken. A user can set to suspended (but only if current status is joined, although that's not checked yet). There are a few loose ends to tidy up once we get feedback on this MVP.
$$merge$$
Status: merge request accepted. Url: http://ci.jujucharms.com/job/github-merge-juju
wallyworld commented Sep 8, 2017
Description of change
The firewaller facade will now check whether the requested ingress satisfies any defined firewall rules in the offering model. If there's an issue, the consuming side will set an error status on the relation. The ingress check will fail if:
QA steps
Deploy mysql, make offer
$ juju set-firewall-rule juju-application-offer --whitelist 1.2.3.4/32
On consuming model, deploy mediawiki and attempt to relate
$ juju relate mediawiki:db somemodel.mysql
Check that status shows the mediawiki-mysql relation is in error with a firewall message
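The check the description talks about, and the first/last-address helper discussed in the review, as an added example written for this page; it is not code from the juju PR or the juju project. It assumes the offer's firewall rules arrive as a list of CIDR strings (as `set-firewall-rule --whitelist` takes them) and that the requested ingress is likewise a list of CIDRs; the status names `joined` and `error` and the message wording are placeholders standing in for the real relation status values.

```go
package main

import (
	"fmt"
	"net"
)

// firstLastAddresses returns the first (network) and last (all host bits set)
// addresses of subnet. Both results are fresh slices, so callers may edit
// them without writing through to subnet.IP.
func firstLastAddresses(subnet *net.IPNet) (net.IP, net.IP) {
	// IP.Mask allocates a new slice and normalises an IPv4 address held in
	// 16-byte form down to 4 bytes when the mask is 4 bytes wide.
	first := subnet.IP.Mask(subnet.Mask)
	mask := subnet.Mask
	if len(mask) == net.IPv6len && len(first) == net.IPv4len {
		mask = mask[12:]
	}
	if first == nil || len(mask) != len(first) {
		return nil, nil // address family and mask width do not agree
	}
	last := make(net.IP, len(first))
	for i, b := range first {
		last[i] = b | ^mask[i] // keep the network bits, set every host bit
	}
	return first, last
}

// ingressPermitted reports whether every requested ingress CIDR lies entirely
// inside at least one whitelisted CIDR. On rejection it also returns the first
// requested CIDR that is not covered, for use in a status message.
func ingressPermitted(whitelist, requested []string) (bool, string, error) {
	allowed := make([]*net.IPNet, 0, len(whitelist))
	for _, w := range whitelist {
		_, n, err := net.ParseCIDR(w)
		if err != nil {
			return false, "", fmt.Errorf("bad firewall rule %q: %w", w, err)
		}
		allowed = append(allowed, n)
	}
	for _, r := range requested {
		_, n, err := net.ParseCIDR(r)
		if err != nil {
			return false, "", fmt.Errorf("bad ingress cidr %q: %w", r, err)
		}
		first, last := firstLastAddresses(n)
		covered := false
		for _, a := range allowed {
			// CIDR blocks are aligned intervals: if both ends of the requested
			// block fall inside a, the whole block does. A partial overlap
			// (only one end inside) is a rejection.
			if a.Contains(first) && a.Contains(last) {
				covered = true
				break
			}
		}
		if !covered {
			return false, r, nil
		}
	}
	return true, "", nil
}

// relationStatus maps the check onto the relation status the PR description
// describes: "joined" when permitted, "error" plus a message when the offering
// model's firewall rules refuse the ingress. (Placeholder status names.)
func relationStatus(whitelist, requested []string) (string, string) {
	ok, rejected, err := ingressPermitted(whitelist, requested)
	switch {
	case err != nil:
		return "error", err.Error()
	case !ok:
		return "error", fmt.Sprintf("ingress %s is not permitted by the offer's firewall rules", rejected)
	}
	return "joined", ""
}

func main() {
	// Constructed inputs mirroring the QA steps: the offer whitelists a single
	// host while the consumer asks for ingress from a whole /8.
	status, msg := relationStatus([]string{"1.2.3.4/32"}, []string{"10.0.0.0/8"})
	fmt.Println(status, msg)
	status, msg = relationStatus([]string{"10.0.0.0/8", "2001:db8::/32"}, []string{"10.1.0.0/16", "2001:db8:1::/48"})
	fmt.Println(status, msg)
}
```

The containment test deliberately checks both ends of the requested block rather than just its network address, so a request that straddles a whitelisted range is refused instead of half-accepted, and the helper copies before setting host bits so the caller's `IPNet` is left untouched.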