/srv/irclogs.ubuntu.com/2017/11/15/#juju.txt

=== frankban|afk is now known as frankban
=== freyes__ is now known as freyes
=== freyes__ is now known as freyes
=== frankban is now known as frankban|afk
=== TikTok is now known as michealb
bdxcory_fu: ran into this yet http://paste.ubuntu.com/25969059/ ?18:34
cory_fubdx: I have not.18:36
cory_fubdx: Do you have the latest copy of that PR?  The line numbers from your stack trace don't match up.18:38
bdxoooh18:38
bdxI may not in that case18:38
cory_fubdx: Though, I'm guessing it's still an issue.  I think we need to check for a None result from relation_factory18:38
cory_fubdx: Is there anything in the log file that syas "Unable to determine role and interface for relation" or "No RelationFactory found in ..."?18:39
bdxcory_fu: totally is  http://paste.ubuntu.com/25969142/18:42
bdxor something to that effect 2017-11-15 18:22:24 ERROR juju-log Unable to find implementation for relation: requires of juju-info18:43
bdxoh I think I see it18:43
bdxthe juju-info relation is defined in the beats-base layer18:43
cory_fubdx: Ok, easy fix.  That just means that you're not pulling in the juju-info interface layer, but I could see not really needing it, so we should handle that case gracefully18:43
cory_fuDoes the beats-base layer not pull the interface layer in for it, then?  Maybe it just handles it manually.  juju-info is a trivial relation anyway18:44
bdxcory_fu: https://github.com/jamesbeedy/layer-beats-base/blob/master/metadata.yaml#L618:44
bdxI'm wondering if I pull juju-info into the top layer if it would make a difference18:45
bdxright18:45
cory_fubdx: Yeah, it's because it's missing the interface:juju-info in https://github.com/jamesbeedy/layer-beats-base/blob/master/layer.yaml18:46
cory_fuBut I can't really claim that that's wrong, given how trivial juju-info is18:46
bdxright18:46
bdxcory_fu: adding juju-info fixed18:54
bdxthanks18:54
bdxI should have caught that18:54
cory_fubdx: NP, I appreciate you bringing it up, because I think it's an issue in the PR that needs to be fixed18:58
bdxnp, I filed a bug for you18:58
R_P_Shi, I created a juju controller on a temporary machine.  I'd like to be able to login as admin/superuser on another machine.  How do I find the registration string for the superuser to register the controller on the 2nd machine?19:58
rick_hR_P_S: there isn't one. You have to add a new user and grant them admin rights and login as that new user.20:08
* rick_h wonders if we got working the juju login to an ip address20:09
R_P_Sso the superuser can be removed then once this alternate user is added?20:09
rick_hR_P_S: hmmm, honestly I've never tried. You might need to give the new user superuser access so you've got one superuser in the system...but not sure20:10
R_P_Syeah, that's precisely what I'm worried about losing... superuser access20:10
R_P_Strying to remove single point of failure, but I can't assume the instance I used to create the controller will survive forever20:10
rick_hR_P_S: so I wonder if you can do this, the admin's password is written out in one of the cache files, you can do `juju login -u admin $ipofcontroller` I think20:11
rick_hR_P_S: well that's what the HA is for and yea, add additional users, give them superuser, etc.20:11
rick_hR_P_S: to be honest, back up .local/share/juju and you're ok20:11
rick_hR_P_S: so .local/share/juju/credentials.yaml has the auto generated admin credentials for the controller20:13
R_P_Sok...20:15
R_P_Show does HA of the controller (not gotten there yet) save the credentials on a completely arbitrary machine?20:15
rick_hR_P_S: sorry, I just meant as far as being resilient. ha controllers is good stuff, but yea doesn't effect the client end20:16
rick_hso summary: 1) create new users, register them so you can login with them as username/password's you know20:16
R_P_Sok, got it... message just lost in translation :)20:16
rick_h2) you might be able to login as admin on another machine using the generated password20:16
rick_h3) ignore me, HA doesn't effect clients at all and I got confused mid-stream :)20:17
R_P_Slooks like I can create another superuser20:20
rick_hdefinitely https://jujucharms.com/docs/stable/users20:20
R_P_Shum, so the admin user never gets logged out?  just tried a manual logout and for an error "preventing account loss" due to no password20:23
R_P_Sso each registration string is just password setting, along with configuration of the controller?20:25
rick_hR_P_S: hmm, so the password should be the generated one. It's auto used generally20:25
rick_hR_P_S: yea, it sets up a new account so you can give them a unique password and get the controller info cached20:25
R_P_Sweird, so I tried creating a 2nd user account, and going through the registration flow I needed to enter in a different controller name20:27
rick_hR_P_S: right, because it's on the same machine. There's a single controller cache20:28
R_P_Sbut then it said secret key for user "abc" not found20:28
rick_hhmm, hmm, not sure on that bit20:29
R_P_Sso to create a 2nd user, say for testing permissions and using logout/login between the users, how would I complete the registration for the 2nd user?  wipe .cache?20:29
rick_hR_P_S: well I'd just create a lxd container or something to setup a second home basically20:30
rick_hR_P_S: you could probably do it by changing the $JUJU_DATA path or something to keep them separate20:30
rick_hor actually, given that just another user on the local system so there's two $HOME or something20:30
R_P_Syeah, I was thinking just a different user on the linux box itself... but that seems... clumsy20:31
R_P_Shum, so I remove-user the 2nd dummy account, and now it cannot be recreated.  does the controller seriously permanently blacklist that username?20:34
rick_hyes, due to the auditing effects usernames are use once20:36
R_P_Sthat seems strange then to have both remove-user and disable-user when the functionality is the same, but the former also "blacklists" the user.20:38
R_P_Sbit of a tangent, but it seems that any company would want to delete users after turnover to keep the list from growing unwieldly, but then a rehire would be forced to get a new username20:39
rick_hwell but if they were auditing who did what when, especially around the turn over time it's best to keep them split. It's reasonable the new person is unlikely to have the same name. If the same person is rehired, well then I grant you20:41
R_P_Sso, it turns out there's an extra permissions level - owner.  tried to disable the admin account, but the error just states "cannot disable controller model owner"20:41
rick_hah, right. I'm working on defining some work to get rid of that20:42
rick_hit's something that's outlived it's usefulness as things scale long term, it's on the todo list to clean up but only defining the work at this point20:42
R_P_Sis it safe to "lose" the admin account once other superusers have been created?20:43
rick_hyes, there's nothing the admin can do that a user with superuser permissions cannot20:44
R_P_Sor should the .local/share/juju be permanently backed up for the admin user20:44
R_P_Sah, ok20:44
rick_hit's why I started with "add new accounts" as it's usually the best path long term to give users proper accounts with permissions and manage them vs continue to use the special "admin" account20:44
R_P_SI'm still working with a conjure-up demo... I'm about to wipe the last of it and try to build it properly20:45
rick_hcool stuff20:45
R_P_SI was surprised by the lax security of conjure-up though, didn't request VPC info.... it'd been so long since I'd created an instance in ec2-classic I'd forgotten it was there and trying to figure out why the VPC wasn't specified on the isntance20:46
R_P_Sactually, while I have you here... after creating instances via juju, can I modify the security groups?  seeing 0.0.0.0/0 ingress ssh makes me want to cry20:47
rick_hso you can specify the vpc details during bootstrap with --vpc-id20:47
rick_has far as that goes, it's a feature folks have requested but to do things like juju run and juju ssh/scp clients outside need ssh access so it's not currently able to be blocked out20:48
R_P_Syeah, I'd found vpc specification in the docs since conjure-up20:48
rick_hI think you can leverage a vpc to help lock that down somewhat, bdx might have more details around that20:48
R_P_Sjuju ssh uses external IPs?20:49
rick_hyes, because a controller can host many models, and the client is not on the same network, it tries to use external addresses to help map to the machines20:49
R_P_Soh dear20:49
rick_hyou can have model access but no controller access so you can't ssh through/onto the controllers themselves as a user on a model20:49
R_P_Sthat completely breaks the idea of bastion hosts, VPCs and even AWS security group <-> security group references20:51
rick_hit's not going and sticking elastic ips on all the instances or anything20:52
R_P_SI'd like to both assume and enforce the client being on the same network (VPC+peering) as any instance created by juju, including the controller itself.20:54
R_P_Snow, this scope is for kubernetes...20:55
R_P_Sit sounds like I should be putting absolutely everything except the load balancer in the public subnet...20:56
R_P_Smaster, workers, etcd,easyrsa all in private subnet?  then they wouldn't have a publuic IP and juju ssh would work off the internal IP?20:57
R_P_Sdoh... logic inverted 2 lines up.  everything except load balance in private subnet20:57
R_P_SI think I may just need to try this out now... rebuild controller in VPC and see what happens20:58
R_P_Sbut I believe the question technically still stands.  If the client (bastion host) has ACLd to the SG containing all the juju instances for private subnet instances, that can be changed and juju won't complain?20:59

Generated by irclog2html.py 2.7 by Marius Gedminas - find it at mg.pov.lt!