Overview
Some security policies require that ICMP be blocked. ICMP is the protocol behind tools such as ping and traceroute, so blocking it at the firewall stops both.
Here we demonstrate how to achieve this using Juju's hook tools.
Background knowledge: Introducing juju run
Juju can execute commands on your behalf via juju run. (In Juju 3.x this command was renamed to juju exec.) Commands can be run in the context of a machine, an application or a unit.
For example, to retrieve the hostname of each of your model's machines, we can run hostname on each of them:
juju run --all -- hostname
On a model with 4 machines, Juju generates the following YAML-formatted output:
- MachineId: "0"
  Stdout: |
    juju-0c2f53-0
- MachineId: "1"
  Stdout: |
    juju-0c2f53-1
- MachineId: "2"
  Stdout: |
    juju-0c2f53-2
- MachineId: "3"
  Stdout: |
    juju-0c2f53-3
List units of the model
Duration: 04:00
For our purposes we want to run in the context of a unit rather than a machine. With a short shell pipeline we can retrieve the list of units from Juju (the second field of each short-status line is the unit name followed by a colon; -s drops any line without one):
juju status --format=short | cut -d' ' -f2 | cut -d':' -f1 -s
For my model, here is the output:
pg-a/0
pg-b/0
pg-b/1
wordpress/0
Make use of the close-port hook tool
Duration: 02:00
The close-port hook tool is used to declare that ports on a unit's machine should be closed. Juju's firewaller worker watches for these declarations and changes firewall rules or security groups according to the particular cloud provider implementation; the change is applied at the provider's network edge, not to the operating system inside the machine.
Let's start by executing the close-port command for a single unit:
juju run --unit=pg-a/0 -- close-port icmp
This executes silently when it’s successful.
We can combine the pipeline from step 1 with xargs to close the icmp protocol across all of our units:
juju status --format=short \
| cut -d' ' -f2 \
| cut -d':' -f1 -s \
| xargs -I@ juju run --unit @ -- close-port icmp
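The unit-listing and close-port steps above, as an added shell example that is not part of the original tutorial: it wraps the same pipeline in functions, adds a check with the opened-ports hook tool, and uses a hypothetical JUJU_CMD override so it can be dry-run without a controller. It assumes opened-ports prints the ICMP entry as the bare word icmp, matching the argument given to close-port, and the status sample is constructed.

```shell
# Constructed sample of `juju status --format=short` output (not from a live model).
SAMPLE_STATUS='- pg-a/0: 10.129.244.130 (v4) 5432/tcp
- pg-b/0: 10.129.244.235 (v4) 5432/tcp
- pg-b/1: 10.129.244.32 (v4) 5432/tcp
- wordpress/0: 10.129.244.44 (v4) 80/tcp'

# Turn status text on stdin into one unit name per line: the second
# space-separated field is "unit/N:", and -s drops any line without a colon.
units_from_status() {
    cut -d' ' -f2 | cut -d':' -f1 -s
}

# Run close-port icmp on one unit. JUJU_CMD is a hypothetical override so the
# function can be dry-run (JUJU_CMD=echo) on a host without a controller.
close_icmp_on_unit() {
    "${JUJU_CMD:-juju}" run --unit "$1" -- close-port icmp
}

# Read `opened-ports` output on stdin; succeed only if icmp is no longer listed.
icmp_closed() {
    ! grep -qx 'icmp'
}

# Close ICMP on every unit named in the status text on stdin, then report any
# unit that still lists icmp. Usage: juju status --format=short | close_icmp_everywhere
close_icmp_everywhere() {
    units_from_status | while read -r unit; do
        close_icmp_on_unit "$unit"
        if "${JUJU_CMD:-juju}" run --unit "$unit" -- opened-ports | icmp_closed; then
            echo "$unit: icmp closed"
        else
            echo "$unit: icmp still open" >&2
        fi
    done
}
```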
Verify
Duration: 04:00
Run juju machines to get the public IP addresses of the machines in your model:
juju machines
Your output might look similar to this:
Machine  State    DNS             Inst id        Series  AZ  Message
0        started  10.129.244.130  juju-0c2f53-0  trusty      Running
1        started  10.129.244.235  juju-0c2f53-1  bionic      Running
2        started  10.129.244.32   juju-0c2f53-2  bionic      Running
3        started  10.129.244.44   juju-0c2f53-3  bionic      Running
Now try pinging one of those machines:
ping -w 20 10.129.244.130
With ICMP closed, no replies arrive and the command should time out after 20 seconds with output like this:
PING 10.129.224.130 (10.129.224.130) 56(84) bytes of data.
--- 10.129.224.130 ping statistics ---
20 packets transmitted, 0 received, 100% packet loss, time 543ms