[Tutorial] Disable ping on your machines


#1

Some security policies require that ICMP be blocked. ICMP is the protocol behind tools such as ping and traceroute, so blocking it stops hosts from answering echo requests.

As a bit of an insider cheat code, we can use Juju's hook tools to manage firewall rules. They work across clouds, which makes this technique especially useful in a hybrid-cloud scenario. Keep in mind what they act on: open-port and close-port change the rules Juju pushes to the firewall it manages for the cloud (for example a security group) for exposed applications; they do not change iptables inside the machine.

Background knowledge: Introducing juju run

Juju can execute commands on your behalf via juju run. A command can be run in the context of a machine, an application or a unit. (This post uses the Juju 2.x command names; in Juju 3.x this command was renamed to juju exec, and juju run there runs actions.)

For example, to retrieve the hostname for each of your model’s machines, we can run hostname on each of them:

juju run --all -- hostname

On a model with 4 machines, Juju generates the following YAML-formatted output:

- MachineId: "0"
  Stdout: |
    juju-0c2f53-0
- MachineId: "1"
  Stdout: |
    juju-0c2f53-1
- MachineId: "2"
  Stdout: |
    juju-0c2f53-2
- MachineId: "3"
  Stdout: |
    juju-0c2f53-3

Step 1: List units of the model

We are going to run the close-port hook tool, and it has to run in the context of a unit rather than a machine. Hook tools such as open-port and close-port record state on the unit, so they are only available when the command runs in a unit's context; a command run with --machine does not get close-port.

With some wrangling, we can retrieve a list of units from Juju:

juju status --format=short | cut -d' ' -f2  | cut -d':' -f1 -s

For my model, here is the output:

pg-a/0
pg-b/0
pg-b/1
wordpress/0

Step 2: Make use of the close-port hook tool

Let's start by executing the close-port command for a single unit:

juju run --unit=pg-a/0 -- close-port icmp 

This executes silently when it’s successful.

We can feed the unit list from step 1 into xargs to close ICMP across all of our units, one unit at a time:

juju status --format=short \
   | cut -d' ' -f2 \
   | cut -d':' -f1 -s \
   | xargs -I@ juju run --unit @ -- close-port icmp

Step 3: Verify

Run juju machines to get the addresses of the machines in your model (the DNS column):

juju machines

Your output might look similar to this:

Machine  State    DNS             Inst id        Series  AZ  Message
0        started  10.129.244.130  juju-0c2f53-0  trusty      Running
1        started  10.129.244.235  juju-0c2f53-1  bionic      Running
2        started  10.129.244.32   juju-0c2f53-2  bionic      Running
3        started  10.129.244.44   juju-0c2f53-3  bionic      Running

Now try pinging one of those machines from a host outside the model, such as your workstation. Traffic between machines inside the model is typically covered by separate rules that close-port does not touch, so a ping from another unit is not a useful check:

ping -w 20 10.129.244.130

The command should time out after 20 seconds with output like this (100% packet loss is the result we want):

PING 10.129.244.130 (10.129.244.130) 56(84) bytes of data.
--- 10.129.244.130 ping statistics ---
20 packets transmitted, 0 received, 100% packet loss, time 543ms
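The three steps above as one script, added here as an example that is not part of the original post. It assumes the Juju 2.x command name (juju run; on Juju 3.x substitute juju exec) and embeds a constructed sample of juju status --format=short output with the unit names and addresses from the post, so the unit-list parsing and a dry run of the close-port commands can be exercised without a controller. The unit filter is stricter than the cut pipeline above: only lines that look like "- app/N:" become a --unit argument.

```bash
#!/usr/bin/env bash
# Added example (not from the original post). Assumes Juju 2.x `juju run`;
# on Juju 3.x the same command is `juju exec`.
set -euo pipefail

# Constructed sample of `juju status --format=short` output for the units
# in the post. A real run pipes `juju status --format=short` instead.
SAMPLE_STATUS='- pg-a/0: 10.129.244.130 (agent:idle, workload:active)
- pg-b/0: 10.129.244.235 (agent:idle, workload:active) 5432/tcp
- pg-b/1: 10.129.244.32 (agent:idle, workload:active) 5432/tcp
- wordpress/0: 10.129.244.44 (agent:idle, workload:active) 80/tcp'

# Step 1: unit names from short status on stdin. Only lines whose second
# field is "app/N:" are accepted, so stray output never reaches `--unit`.
units_from_short_status() {
  awk '$1 == "-" && $2 ~ /^[a-z0-9-]+\/[0-9]+:$/ { sub(/:$/, "", $2); print $2 }'
}

# Step 2: run `close-port icmp` in the context of every unit read on stdin.
# With "dry-run" as the first argument the commands are printed, not run.
close_icmp_on_units() {
  local mode="${1:-run}" unit
  while IFS= read -r unit; do
    [ -n "$unit" ] || continue
    if [ "$mode" = "dry-run" ]; then
      printf 'juju run --unit=%s -- close-port icmp\n' "$unit"
    else
      juju run --unit="$unit" -- close-port icmp
    fi
  done
}

# Step 3: verify from a host outside the model. Returns 0 when no echo
# reply arrives within the window, 1 when the host still answers.
verify_icmp_closed() {
  local host="$1" seconds="${2:-20}"
  if ping -w "$seconds" -c "$seconds" "$host" >/dev/null 2>&1; then
    echo "$host still answers ping"
    return 1
  fi
  echo "$host: no echo reply in ${seconds}s"
  return 0
}

# Dry-run walkthrough on the constructed sample (no controller needed).
# For a live model: juju status --format=short | units_from_short_status | close_icmp_on_units
printf '%s\n' "$SAMPLE_STATUS" | units_from_short_status | close_icmp_on_units dry-run
```

After a real run, call verify_icmp_closed with an address from the DNS column of juju machines; its exit status makes it usable in a post-deployment check.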

#2

This is excellent! Basic, useful scenario, covering one specific tool.

This is very useful material. @xinyuem