Discussion:
Getting the exposed ports
Tom Barber
2017-12-01 15:51:56 UTC
Hello folks

I want to write a firewall charm for those deployments that aren't in
the cloud. The "easy" thing to do is provide a config block and have
admins write in rules and just apply them. I was wondering though, if I
wrote a subordinate charm on juju-info to attach to anything, is there
any mechanism for me to find the exposed port of the parent charm? and
whether it's exposed or not?


Ta

Tom
--
Spicule Limited is registered in England & Wales. Company Number: 09954122.
Registered office: First Floor, Telecom House, 125-135 Preston Road,
Brighton, England, BN1 6AF. VAT No. 251478891.


All engagements are subject to Spicule Terms and Conditions of Business.
This email and its contents are intended solely for the individual to whom
it is addressed and may contain information that is confidential,
privileged or otherwise protected from disclosure, distributing or copying.
Any views or opinions presented in this email are solely those of the
author and do not necessarily represent those of Spicule Limited. The
company accepts no liability for any damage caused by any virus transmitted
by this email. If you have received this message in error, please notify us
immediately by reply email before deleting it from your system. Service of
legal notice cannot be effected on Spicule Limited by email.
--
Juju mailing list
***@lists.ubuntu.com
Modify settings or unsubscribe at: https
Merlijn Sebrechts
2017-12-01 16:32:56 UTC
Maybe somebody has a better way, I think running `opened-ports` using
`juju-run` might do the trick.
Michał Ajduk
2017-12-01 16:58:35 UTC
Hello,

You can take a look at iptables charm. It does the "easy part", that is
admin defined ruleset.

I was actually thinking of making it also use the open ports. I'm pretty
sure juju-info relation has the open ports data, but I can take a look.

BR,
Michal


John Meinel
2017-12-02 03:25:58 UTC
I'm pretty sure that opened-ports only reports the ports that Juju had
opened for the charm that is making the request. I don't think we list all
ports opened on the machine for all other applications.

So you might need to have a relation that can report its opened ports to
the subordinate.

John
=:->
Merlijn Sebrechts
2017-12-02 09:30:31 UTC
Yes, so with juju-run you could run 'opened-ports' in the hook context of
each unit on that machine, and thus get all the opened ports on the machine.
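The approach suggested above, as an added example that is not code from the thread's participants or from Juju: it parses `opened-ports` output collected per unit and renders de-duplicated iptables ACCEPT rules. It assumes `juju-run <unit> opened-ports` works as root on the machine and prints one `port/proto`, `from-to/proto` or `icmp` entry per line; `opened_ports_for_unit`, `iptables_rules`, the `JUJU-OPENED` chain name and the sample unit names are hypothetical.

```python
import re
import subprocess

# Assumed output format: one "80/tcp", "8000-8080/udp" or "icmp" entry per line.
_ENTRY = re.compile(r"^(?:(\d+)(?:-(\d+))?/(tcp|udp)|(icmp))$")


def parse_opened_ports(text):
    """Return a set of (proto, first_port, last_port) tuples.

    Unrecognised or out-of-range entries raise ValueError, so rules are
    never generated from output that was not fully understood.
    """
    entries = set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        match = _ENTRY.match(line)
        if match is None:
            raise ValueError("unrecognised opened-ports entry: %r" % line)
        if match.group(4):
            entries.add(("icmp", 0, 0))
            continue
        first = int(match.group(1))
        last = int(match.group(2) or match.group(1))
        if not 1 <= first <= last <= 65535:
            raise ValueError("bad port range: %r" % line)
        entries.add((match.group(3), first, last))
    return entries


def opened_ports_for_unit(unit):
    """Hypothetical helper: run opened-ports in one unit's hook context."""
    out = subprocess.check_output(["juju-run", unit, "opened-ports"])
    return parse_opened_ports(out.decode())


def iptables_rules(per_unit, chain="JUJU-OPENED"):
    """Merge every unit's entries and render one ACCEPT rule per entry."""
    merged = set()
    for entries in per_unit.values():
        merged |= entries
    rules = []
    for proto, first, last in sorted(merged):
        if proto == "icmp":
            rules.append("-A %s -p icmp -j ACCEPT" % chain)
            continue
        dport = str(first) if first == last else "%d:%d" % (first, last)
        rules.append("-A %s -p %s --dport %s -j ACCEPT" % (chain, proto, dport))
    return rules


# Constructed sample: a principal unit and a subordinate on the same machine.
SAMPLE_OUTPUT = {
    "wordpress/0": "80/tcp\n443/tcp\n8000-8080/udp\n",
    "nrpe/3": "5666/tcp\nicmp\n80/tcp\n",
}
SAMPLE_RULES = iptables_rules(
    {unit: parse_opened_ports(text) for unit, text in SAMPLE_OUTPUT.items()}
)
```

`opened-ports` lists what a charm has opened with `open-port`; it does not say whether the application has been exposed.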
John Meinel
2017-12-02 11:53:26 UTC
If it works, great. But I have the feeling we only run in a hook context
for units and so opened-ports isn't available for a machine. (There are no
machine level hooks, as applications are always unit level)

John
=:->
Tom Barber
2017-12-02 22:14:44 UTC
So I did take a look at the iptables charm

https://api.jujucharms.com/charmstore/v5/~majduk/iptables-3/archive/hooks/relations/peer-discovery/peers.py

is sad on my setup.

unit-iptables-0: 22:08:53 DEBUG unit.iptables/0.install   File "/var/lib/juju/agents/unit-iptables-0/charm/hooks/relations/peer-discovery/peers.py", line 8, in <module>
unit-iptables-0: 22:08:53 DEBUG unit.iptables/0.install     from charms.reactive.bus import State
unit-iptables-0: 22:08:53 DEBUG unit.iptables/0.install ImportError: cannot import name 'State'

I'm not sure what's changed in charms.reactive but I can't find the
State. Also I don't know where the upstream source is, so if I do figure
it out I can't submit a patch.

Cheers

Tom
Merlijn Sebrechts
2017-12-04 09:12:07 UTC
Hm, I wonder why the iptables charm is doing that.

    from charms.reactive.bus import State

    class states(StateList):
        connected = State('{relation_name}.connected')
        joined = State('{relation_name}.joined')
        departed = State('{relation_name}.departed')


The internals of charms.reactive have changed quite a bit in the last few
releases. We kept the public API backwards-compatible, but preventing
breakages when charms dig into the charms.reactive internals is hard.