Can we use security tools with juju?


#1

Hello,

I’m new to Juju and I have to use security tools with it, such as Nmap and Masscan, but I couldn’t find any using the Juju GUI.

Please advise me: does Juju support these kinds of tools?

Thank you


#2

Interesting question!

The trivial answer is yes. But there is no explicit support or extra tooling available for these tools. So a more nuanced answer is “it depends”.

To experiment with Juju’s capabilities in this area, you start by “bootstrapping”. To bootstrap into a cloud, you’ll need to add credentials.

juju autoload-credentials # required to access AWS, OpenStack, ...
juju bootstrap localhost learning

The “localhost” argument specifies that you wish to deploy to local containers. The “learning” argument is the name of the model that you’re creating.

After a few minutes, the root Juju container will be created. In Juju terminology, this is known as “the controller machine”. The controller is a software agent that’s actively monitoring the rest of the system. (Juju’s architecture requires an active agent, like Puppet, because it enables systems administration tasks as well as just handling provisioning.)

Let’s now create 2 blank containers:

juju deploy -n3 ubuntu
Located charm "cs:ubuntu-12".
Deploying charm "cs:ubuntu-12".

We now have asked Juju to provision 3 more containers on our system. Each one believes that it is an independent machine. Juju has managed the firewall rules to prevent access, but now you wish to verify that and probe the (virtual) cluster with nmap.

The juju machines command will provide you with the private IP addresses of the instances that you’ve created:

juju machines
Machine  State    DNS             Inst id        Series  AZ  Message
0        pending  10.129.244.114  juju-d86839-0  bionic      Running
1        pending  10.129.244.198  juju-d86839-1  bionic      Running
2        pending                  pending        bionic

Juju’s told us that machine 0 is at port 10.129.244.114. Let’s see what it’s listening to.

nmap -v 10.129.244.114 
Starting Nmap 7.70 ( https://nmap.org ) at 2019-05-27 11:05  NZST
Initiating Ping Scan at 11:05
Scanning 10.129.244.114 [2 ports]
Completed Ping Scan at 11:05, 0.00s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 11:05
Completed Parallel DNS resolution of 1 host. at 11:05, 0.04s elapsed
Initiating Connect Scan at 11:05
Scanning 10.129.244.114 [1000 ports]
Discovered open port 22/tcp on 10.129.244.114
Completed Connect Scan at 11:05, 0.02s elapsed (1000 total ports)
Nmap scan report for 10.129.244.114
Host is up (0.00012s latency).
Not shown: 999 closed ports
PORT   STATE SERVICE
22/tcp open  ssh

Read data files from: /snap/nmap/249/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.13 seconds

Tip

Use sudo snap install nmap if you need to install nmap on your machine

Tip

Take a look at this tutorial on closing ICMP if you wish to disable ping.

Juju makes it easy to test this from the inside of any of our hosts. For that, we can use juju ssh to log in. To start, we’ll install nmap on machine 1.

juju ssh 1
ubuntu@juju-d86839-1:~$ sudo snap install nmap
ubuntu@juju-d86839-1:~$ exit

Another command that’s useful is juju run.

Juju makes it simple to run the same nmap command as before, but from the point of view of machine 1 trying to port scan machine 0.

juju run --machine 1 nmap -v 10.129.244.114
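
The check walked through above (list the machines, scan each address, see what is open) can be turned into a repeatable exposure audit. This is an added example, not part of the thread or of Juju itself: the function names, the allowlist argument and the sample text are assumptions, with the samples constructed from the output quoted in the post.

```shell
#!/bin/sh
# Added example (not from the thread): flag open ports outside an allowlist.

# Print "machine-id address" for each `juju machines` row that has an IPv4
# address in the DNS column; rows still pending have none and are skipped.
machine_ips() {
    awk 'NR > 1 && $3 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { print $1, $3 }'
}

# Print the open TCP port numbers found in normal nmap output.
open_ports() {
    awk '$1 ~ /^[0-9]+\/tcp$/ && $2 == "open" { split($1, p, "/"); print p[1] }'
}

# Print ports from stdin that are not in the space-separated allowlist "$1".
unexpected_ports() {
    awk -v allow="$1" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        !($1 in ok) { print $1 }'
}

# Hypothetical wrapper for live use (needs juju and nmap installed).
# Returns 1 and prints findings if any machine exposes a non-allowlisted port.
audit_model() {
    findings=$(juju machines | machine_ips | while read -r id addr; do
        for port in $(nmap "$addr" </dev/null | open_ports | unexpected_ports "$1"); do
            echo "machine $id ($addr): unexpected open port $port/tcp"
        done
    done)
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Constructed sample input, modelled on the output quoted in the post.
SAMPLE_MACHINES='Machine  State    DNS             Inst id        Series  AZ  Message
0        pending  10.129.244.114  juju-d86839-0  bionic      Running
1        pending  10.129.244.198  juju-d86839-1  bionic      Running
2        pending                  pending        bionic'
SAMPLE_NMAP='PORT     STATE  SERVICE
22/tcp   open   ssh
443/tcp  closed https
8080/tcp open   http-proxy'

# Offline demo on the constructed samples: addressed machines, then the
# ports that fall outside an allowlist containing only SSH.
printf '%s\n' "$SAMPLE_MACHINES" | machine_ips
printf '%s\n' "$SAMPLE_NMAP" | open_ports | unexpected_ports "22"
```

On a bootstrapped model, `audit_model "22"` runs the same pipeline against the live `juju machines` output.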
