In Juju, a hook tool (or ‘hook command’) is a Bash script located in /var/lib/juju/tools/unit-<app name>-<unit ID> that a charm uses to communicate with its Juju unit agent in response to a hook.
In the charm SDK, in Ops, hook tools are accessed through Ops constructs, specifically, those constructs designed to be used in the definition of the event handlers associated with the Ops events that translate Juju hooks. For example, when your charm calls ops.Unit.is_leader, in the background this calls ~/hooks/unit-name/leader-get; its output is wrapped and returned as a Python True/False value.
In Juju, you can use hook tools for troubleshooting.
Example: Use `relation-get` to change relation data
# Get the relation ID
$ juju show-unit synapse/0
...
  - relation-id: 7
    endpoint: synapse-peers
    related-endpoint: synapse-peers
    application-data:
      secret-id: secret://1234
    local-unit:
      in-scope: true
# Check the output:
$ juju exec --unit synapse/0 "relation-get -r 7 --app secret-id synapse/0"
secret://1234
# Change the data:
$ juju exec --unit synapse/0 "relation-set -r 7 --app secret-id=something-else"
# Check the output again to verify the change.
List of hook tools
This list replicates the output of juju help hook-tool and of juju help-tool <name of hook tool>.
action-fail
Usage
action-fail ["<failure message>"]
Summary
Set action fail status with message.
Details
action-fail sets the fail state of the action with a given error message. Using action-fail without a failure message will set a default message indicating a problem with the action.
Examples
action-fail 'unable to contact remote service'
action-get
Usage
action-get [options] [<key>[.<key>.<key>...]]
Summary
Get action parameters.
Options
--format (= smart)
Specify output format (json|smart|yaml)
-o, --output (= "")
Specify an output file
Details
action-get will print the value of the parameter at the given key, serialized as YAML. If multiple keys are passed, action-get will recurse into the param map as needed.
Examples
TIMEOUT=$(action-get timeout)
action-log
Usage
action-log <message>
Summary
Record a progress message for the current action.
action-set
Usage
action-set <key>=<value> [<key>=<value> ...]
Summary
Set action results.
Details
action-set adds the given values to the results map of the Action. This map is returned to the user after the completion of the Action. Keys must start and end with lowercase alphanumeric, and contain only lowercase alphanumeric, hyphens and periods. The following special keys are reserved for internal use: “stdout”, “stdout-encoding”, “stderr”, “stderr-encoding”.
Example usage:
action-set outfile.size=10G
action-set foo.bar=2
action-set foo.baz.val=3
action-set foo.bar.zab=4
action-set foo.baz=1
will yield:
outfile:
  size: "10G"
foo:
  bar:
    zab: "4"
  baz: "1"
Examples
action-set answer=42
add-metric
The add-metric hook tool may only be executed from the collect-metrics hook.
Usage
add-metric [options] key1=value1 [key2=value2 ...]
Summary
Records a measurement which will be forwarded to the Juju controller. The same metric may not be collected twice in the same command.
Options
-l, --labels (= "")
labels to be associated with metric values
Examples
add-metric metric1=value1 [metric2=value2 …]
application-version-set
Usage
application-version-set <new-version>
Summary
Specify which version of the application is deployed. This will be provided to users via juju status.
Details
application-version-set tells Juju which version of the application software is running. This could be a package version number or some other useful identifier, such as a Git hash, that indicates the version of the deployed software. (It shouldn’t be confused with the charm revision.) The version set will be displayed in “juju status” output for the application.
Examples
application-version-set 1.1.10
close-port
Usage
close-port [options] <port>[/<protocol>] or <from>-<to>[/<protocol>] or icmp
Summary
Register a request to close a port or port range.
Options
--endpoints (= "")
a comma-delimited list of application endpoints to target with this operation
--format (= "")
deprecated format flag
Details
close-port registers a request to close the specified port or port range.
By default, the specified port or port range will be closed for all defined application endpoints. The --endpoints option can be used to constrain the close request to a comma-delimited list of application endpoints.
close-port ensures a port, or port range, is not accessible from the public interface.
Examples
# Close single port
close-port 80
# Close a range of ports
close-port 9000-9999/udp
# Disable ICMP
close-port icmp
# Close a range of ports for a set of endpoints (since Juju 2.9)
close-port 80-90 --endpoints dmz,public
config-get
Usage
config-get [options] [<key>]
Summary
Print application configuration.
Options
-a, --all (= false)
print all keys
--format (= smart)
Specify output format (json|smart|yaml)
-o, --output (= "")
Specify an output file
Details
config-get returns information about the application configuration (as defined by config.yaml). If called without arguments, it returns a dictionary containing all config settings that are either explicitly set, or which have a non-nil default value. If the --all flag is passed, it returns a dictionary containing all defined config settings including nil values (for those without defaults). If called with a single argument, it returns the value of that config key. Missing config keys are reported as nulls, and do not return an error.
Examples
INTERVAL=$(config-get interval)
config-get --all
credential-get
Usage
credential-get [options]
Summary
Access cloud credentials.
Options
--format (= smart)
Specify output format (json|smart|yaml)
-o, --output (= "")
Specify an output file
Details
credential-get returns the cloud specification used by the unit’s model.
goal-state
Usage
goal-state [options]
Summary
Print the status of the charm’s peers and related units.
Options
--format (= yaml)
Specify output format (json|yaml)
-o, --output (= "")
Specify an output file
Details
The ‘goal-state’ command will list the charm units and relations, specifying their status and their relations to other units in different charms.
goal-state queries information about charm deployment and returns it as structured data.
goal-state provides:
- the details of other peer units that have been deployed and their status
- the details of remote units on the other end of each endpoint and their status
The output will be a subset of that produced by juju status. There will be output for sibling (peer) units and relation state per unit.
The unit status values are the workload status of the (sibling) peer units. We also use a unit status value of dying when the unit’s life becomes dying. Thus unit status is one of:
allocating
active
waiting
blocked
error
dying
The relation status values are determined per unit and depend on whether the unit has entered or left scope. The possible values are:
- joining: a relation has been created, but no units are available. This occurs when the application on the other side of the relation is added to a model, but the machine hosting the first unit has not yet been provisioned. Calling relation-set will work correctly as that data will be passed through to the unit when it comes online, but relation-get will not provide any data.
- joined: the relation is active. A unit has entered scope and is accessible to this one.
- broken: unit has left, or is preparing to leave scope. Calling relation-get is not advised as the data will quickly become out of date when the unit leaves.
- suspended: parent cross model relation is suspended
- error: an external error has been detected
By reporting error state, the charm has a chance to determine that goal state may not be reached due to some external cause. As with status, we will report the time since the status changed to allow the charm to empirically guess that a peer may have become stuck if it has not yet reached active state.
Examples
goal-state
is-leader
Usage
is-leader [options]
Summary
Print application leadership status.
Options
--format (= smart)
Specify output format (json|smart|yaml)
-o, --output (= "")
Specify an output file
Details
is-leader prints a boolean indicating whether the local unit is guaranteed to be application leader for at least 30 seconds. If it fails, you should assume that there is no such guarantee.
is-leader indicates whether the current unit is the application leader.
is-leader will write "True" to STDOUT and return 0 if the unit is currently leader and can be guaranteed to remain so for 30 seconds.
Output can be expressed as --format json or --format yaml if desired.
Examples
LEADER=$(is-leader)
if [ "${LEADER}" == "True" ]; then
# Do something a leader would do
fi
juju-log
Usage
juju-log [options] <message>
Summary
Write a message to the juju log.
Options
--debug (= false)
log at debug level
--format (= "")
deprecated format flag
-l, --log-level (= "INFO")
Send log message at the given level
juju-log writes messages directly to the unit’s log file. Valid levels are: INFO, WARN, ERROR, DEBUG.
Examples
juju-log -l 'WARN' Something has transpired
juju-reboot
Usage
juju-reboot [options]
Summary
Reboot the host machine.
Options
--now (= false)
reboot immediately, killing the invoking process
Details
juju-reboot causes the host machine to reboot, after stopping all containers hosted on the machine.
An invocation without arguments will allow the current hook to complete, and will only cause a reboot if the hook completes successfully.
If the --now flag is passed, the current hook will terminate immediately, and be restarted from scratch after reboot. This allows charm authors to write hooks that need to reboot more than once in the course of installing software.
The --now flag cannot terminate a debug-hooks session; hooks using --now should be sure to terminate on unexpected errors, so as to guarantee expected behaviour in all situations.
juju-reboot is not supported when running actions.
Examples
# immediately reboot
juju-reboot --now
# Reboot after current hook exits
juju-reboot
k8s-raw-get
Usage
k8s-raw-get
Summary
Get k8s raw spec information.
Details
Gets configuration data used to set up k8s resources.
k8s-raw-set
Usage
k8s-raw-set [options] --file <core spec file>
Summary
Set k8s raw spec information.
Options
--file (= -)
file containing k8s raw spec
Details
Sets configuration data in k8s raw format to use for k8s resources. The spec applies to all units for the application.
k8s-spec-get
Usage
k8s-spec-get
Summary
Get k8s spec information.
Details
Gets configuration data used to set up k8s resources.
k8s-spec-set
Usage
k8s-spec-set [options] --file <core spec file> [--k8s-resources <k8s spec file>]
Summary
Set k8s spec information.
Options
--file (= -)
file containing pod spec
--k8s-resources (= )
file containing k8s specific resources not yet modelled by Juju
Details
Sets configuration data to use for k8s resources. The spec applies to all units for the application.
leader-get
The functionality provided by leader data (leader-get and leader-set) is now being replaced by “application-level relation data”. See relation-get and relation-set.
Usage
leader-get [options] [<key>]
Summary
Print application leadership settings.
Options
--format (= smart)
Specify output format (json|smart|yaml)
-o, --output (= "")
Specify an output file
Details
leader-get prints the value of a leadership setting specified by key. If no key is given, or if the key is “-”, all keys and values will be printed.
Examples:
ADDRESS=$(leader-get cluster-leader-address)
leader-set
The functionality provided by leader data (leader-get and leader-set) is now being replaced by “application-level relation data”. See relation-get and relation-set.
Usage
leader-set <key>=<value> [...]
Summary
Write application leadership settings.
Details
leader-set immediately writes the supplied key/value pairs to the controller, which will then inform non-leader units of the change. It will fail if called without arguments, or if called by a unit that is not currently application leader.
leader-set lets you distribute string key=value pairs to other units, but with the following differences:
- there’s only one leader-settings bucket per application (not one per unit)
- only the leader can write to the bucket
- only minions are informed of changes to the bucket
- changes are propagated instantly
The instant propagation may be surprising, but it exists to satisfy the use case where shared data can be chosen by the leader at the very beginning of the install hook.
It is strongly recommended that leader settings are always written as a self-consistent group: leader-set one=one two=two three=three.
Examples:
leader-set cluster-leader-address=10.0.0.123
network-get
Usage
network-get [options] <binding-name> [--ingress-address] [--bind-address] [--egress-subnets]
Summary
Get network config.
Options
--bind-address (= false)
get the address for the binding on which the unit should listen
--egress-subnets (= false)
get the egress subnets for the binding
--format (= smart)
Specify output format (json|smart|yaml)
--ingress-address (= false)
get the ingress address for the binding
-o, --output (= "")
Specify an output file
--primary-address (= false)
(deprecated) get the primary address for the binding
-r, --relation (= )
specify a relation by id
Details
network-get returns the network config for a given binding name. By default it returns the list of interfaces and associated addresses in the space for the binding, as well as the ingress address for the binding. If defined, any egress subnets are also returned.
If one of the following flags is specified, just that value is returned.
If more than one flag is specified, a map of values is returned.
--bind-address: the address the local unit should listen on to serve connections, as well as the address that should be advertised to its peers.
--ingress-address: the address the local unit should advertise as being used for incoming connections.
--egress-subnets: subnets (in CIDR notation) from which traffic on this relation will originate.
network-get reports hostnames, IP addresses and CIDR blocks related to endpoint bindings.
By default it lists three pieces of address information:
- binding address(es)
- ingress address(es)
- egress subnets
See Network primitives for in-depth coverage.
open-port
Requires Juju 3.1+ for Kubernetes charms
Usage
open-port [options] <port>[/<protocol>] or <from>-<to>[/<protocol>] or icmp
Summary
Register a request to open a port or port range.
Options
--endpoints (= "")
a comma-delimited list of application endpoints to target with this operation
--format (= "")
deprecated format flag
Details
open-port registers a port or range to open on the public-interface.
By default, the specified port or port range will be opened for all defined application endpoints. The --endpoints option can be used to constrain the open request to a comma-delimited list of application endpoints.
The behavior differs a little bit between machine charms and Kubernetes charms.
Machine charms. On public clouds the port will only be open while the application is exposed. It accepts a single port or range of ports with an optional protocol, which may be icmp, udp, or tcp. tcp is the default.
open-port will not have any effect if the application is not exposed, and may have a somewhat delayed effect even if it is. This operation is transactional, so changes will not be made unless the hook exits successfully.
Prior to Juju 2.9, when charms requested a particular port range to be opened, Juju would automatically mark that port range as opened for all defined application endpoints. As of Juju 2.9, charms can constrain opened port ranges to a set of application endpoints by providing the --endpoints flag followed by a comma-delimited list of application endpoints.
Kubernetes charms. The port will open directly regardless of whether the application is exposed or not. This connects to the fact that juju expose currently has no effect on sidecar charms. Additionally, it is currently not possible to designate a range of ports to open for Kubernetes charms; to open a range, you will have to run open-port multiple times.
Examples:
Open port 80 to TCP traffic:
open-port 80/tcp
Open port 1234 to UDP traffic:
open-port 1234/udp
Open a range of ports to UDP traffic:
open-port 1000-2000/udp
Open a range of ports to TCP traffic for specific application endpoints (since Juju 2.9):
open-port 1000-2000/tcp --endpoints dmz,monitoring
opened-ports
The opened-ports hook tool lists all the ports currently opened by the running charm. It does not, at the moment, include ports which may be opened by other charms co-hosted on the same machine (lp#1427770).
Usage
opened-ports [options]
Summary
List all ports or port ranges opened by the unit.
Options
--endpoints (= false)
display the list of target application endpoints for each port range
--format (= smart)
Specify output format (json|smart|yaml)
-o, --output (= "")
Specify an output file
Details
opened-ports lists all ports or port ranges opened by a unit.
By default, the port range listing does not include information about the application endpoints that each port range applies to. Each list entry is formatted as <port>/<protocol> (e.g. “80/tcp”) or <from>-<to>/<protocol> (e.g. “8080-8088/udp”).
If the --endpoints option is specified, each entry in the port list will be augmented with a comma-delimited list of endpoints that the port range applies to (e.g. “80/tcp (endpoint1, endpoint2)”). If a port range applies to all endpoints, this will be indicated by the presence of a '*' character (e.g. "80/tcp (*)").
Opening ports is transactional (i.e. will take place on successfully exiting the current hook), and therefore opened-ports will not return any values for pending open-port operations run from within the same hook.
Examples:
opened-ports
Prior to Juju 2.9, when charms requested a particular port range to be opened, Juju would automatically mark that port range as opened for all defined application endpoints. As of Juju 2.9, charms can constrain opened port ranges to a set of application endpoints. To ensure backwards compatibility, opened-ports will, by default, display the unique set of opened port ranges for all endpoints. The list of opened port ranges grouped by application endpoint can be obtained by running opened-ports --endpoints.
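A check built on the --endpoints listing format described above, as an added example that is not part of the Juju documentation: it reads opened-ports --endpoints output and reports port ranges that are open on all endpoints or on an endpoint outside an allowlist. The function names, the finding labels and the sample listing are constructed for illustration.

```sh
#!/bin/sh
# Added example, not Juju project code.
# Usage inside a hook:  opened-ports --endpoints | audit_opened_ports "public,dmz"

# Reads an `opened-ports --endpoints` listing on stdin. $1 is a comma-delimited
# allowlist of endpoint names. Prints one finding per line and returns 1 if
# there is at least one finding, 0 otherwise.
audit_opened_ports() {
    allowed=",$1,"
    findings=0
    while IFS= read -r line || [ -n "$line" ]; do
        [ -n "$line" ] || continue
        range=${line%% *}                      # "80/tcp" or "8080-8088/udp"
        case $line in
            *"("*")")
                eps=${line#*"("}               # drop everything up to "("
                eps=${eps%")"}                 # drop the trailing ")"
                eps=$(printf '%s' "$eps" | tr -d ' ')
                ;;
            *)
                # No endpoint list: the listing was taken without --endpoints.
                echo "UNPARSED $line"; findings=1; continue
                ;;
        esac
        if [ "$eps" = "*" ]; then
            # "(*)" marks a port range that applies to all endpoints.
            echo "ALL-ENDPOINTS $range"; findings=1; continue
        fi
        rest="$eps,"
        while [ -n "$rest" ]; do
            ep=${rest%%,*}; rest=${rest#*,}
            [ -n "$ep" ] || continue
            case $allowed in
                *",$ep,"*) ;;                  # endpoint is on the allowlist
                *) echo "UNEXPECTED-ENDPOINT $range $ep"; findings=1 ;;
            esac
        done
    done
    return "$findings"
}

# Constructed sample listing in the format the page describes.
sample_opened_ports() {
    printf '%s\n' '80/tcp (*)' '443/tcp (public)' '8080-8088/udp (dmz, monitoring)'
}
```

Because opening ports is transactional, run the check in a later hook than the one that called open-port; pending requests are not listed yet.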
payload-register
Usage
payload-register <type> <class> <id> [tags...]
Summary
Register a charm payload with Juju.
Details
“payload-register” is used while a hook is running to let Juju know that a payload has been started. The information used to start the payload must be provided when “register” is run.
The payload class must correspond to one of the payloads defined in the charm’s metadata.yaml.
An example fragment from metadata.yaml:
payloads:
  monitoring:
    type: docker
  kvm-guest:
    type: kvm
Examples:
payload-register docker monitoring 0fcgaba
payload-status-set
Usage
payload-status-set <class> <id> <status>
Summary
Update the status of a payload.
Details
“payload-status-set” is used to update the current status of a registered payload.
The <class> and <id> provided must match a payload that has been previously registered with juju using payload-register. The <status> must be one of the following: starting, started, stopping, stopped.
Examples:
payload-status-set monitor abcd13asa32c starting
payload-unregister
Usage
payload-unregister <class> <id>
Summary
Stop tracking a payload.
Details
payload-unregister is used while a hook is running to let Juju know that a payload has been manually stopped. The <class> and <id> provided must match a payload that has been previously registered with juju using payload-register.
Examples:
payload-unregister monitoring 0fcgaba
pod-spec-get
Usage
pod-spec-get
Summary
Get k8s spec information (deprecated).
Details
Gets configuration data used to set up k8s resources.
pod-spec-set
Usage
pod-spec-set [options] --file <core spec file> [--k8s-resources <k8s spec file>]
Summary
Set k8s spec information (deprecated).
Options
--file (= -)
file containing pod spec
--k8s-resources (= )
file containing k8s specific resources not yet modelled by Juju
Details
Sets configuration data to use for k8s resources. The spec applies to all units for the application.
relation-get
Usage
relation-get [options] <key> <unit id>
Summary
Get relation settings.
Options
--app (= false)
Get the relation data for the overall application, not just a unit
--format (= smart)
Specify output format (json|smart|yaml)
-o, --output (= "")
Specify an output file
-r, --relation (= )
Specify a relation by id
Details
relation-get prints the value of a unit’s relation setting, specified by key. If no key is given, or if the key is “-”, all keys and values will be printed.
A unit can see its own settings by calling “relation-get - MYUNIT”; this will include any changes that have been made with “relation-set”.
When reading remote relation data, a charm can call relation-get --app - to get the data for the application data bag that is set by the remote application’s leader.
Further details:
relation-get reads the settings of the local unit, or of any remote unit, in a given relation (set with -r, defaulting to the current relation identifier, as in relation-set). The first argument specifies the settings key, and the second the remote unit, which may be omitted if a default is available (that is, when running a relation hook other than -relation-broken).
If the first argument is omitted, a dictionary of all current keys and values will be printed; all values are always plain strings without any interpretation. If you need to specify a remote unit but want to see all settings, use - for the first argument.
The environment variable JUJU_REMOTE_UNIT stores the default remote unit.
You should never depend upon the presence of any given key in relation-get output. Processing that depends on specific values (other than private-address) should be restricted to -relation-changed hooks for the relevant unit, and the absence of a remote unit’s value should never be treated as an error in the local unit.
In practice, it is common and encouraged for -relation-changed hooks to exit early, without error, after inspecting relation-get output and determining the data is inadequate; and for all other hooks to be resilient in the face of missing keys, such that -relation-changed hooks will be sufficient to complete all configuration that depends on remote unit settings.
Key value pairs for remote units that have departed remain accessible for the lifetime of the relation.
Examples:
# Getting the settings of the default unit in the default relation is done with:
relation-get
username: jim
password: "12345"
# To get a specific setting from the default remote unit in the default relation
relation-get username
jim
# To get all settings from a particular remote unit in a particular relation you
relation-get -r database:7 - mongodb/5
username: bob
password: 2db673e81ffa264c
relation-ids
Usage
relation-ids [options]
Summary
List all relation ids with the given relation name.
Options
--format (= smart)
Specify output format (json|smart|yaml)
-o, --output (= "")
Specify an output file
relation-ids outputs a list of the related applications with a relation name. Accepts a single argument (relation-name) which, in a relation hook, defaults to the name of the current relation. The output is useful as input to the relation-list, relation-get, and relation-set commands to read or write other relation values.
Examples:
relation-ids database
relation-list
Usage
relation-list [options]
Summary
List relation units.
Options
--app (= false)
List remote application instead of participating units
--format (= smart)
Specify output format (json|smart|yaml)
-o, --output (= "")
Specify an output file
-r, --relation (= )
Specify a relation by id
Details
-r must be specified when not in a relation hook.
relation-list outputs a list of all the related units for a relation identifier. If not running in a relation hook context, -r needs to be specified with a relation identifier similar to the relation-get and relation-set commands.
Examples:
relation-list 9
relation-set
Usage
relation-set [options] key=value [key=value ...]
Summary
Set relation settings.
Options
--app (= false)
pick whether you are setting "application" settings or "unit" settings
--file (= )
file containing key-value pairs
--format (= "")
deprecated format flag
-r, --relation (= )
specify a relation by id
Details
“relation-set” writes the local unit’s settings for some relation. If no relation is specified then the current relation is used. The setting values are not inspected and are stored as strings. Setting an empty string causes the setting to be removed. Duplicate settings are not allowed.
If the unit is the leader, it can set the application settings using “--app”. These are visible to related applications via ‘relation-get --app’ or by supplying the application name to ‘relation-get’ in place of a unit name.
The --file option should be used when one or more key-value pairs are too long to fit within the command length limit of the shell or operating system. The file will contain a YAML map containing the settings. Settings in the file will be overridden by any duplicate key-value arguments. A value of “-” for the filename means <stdin>.
Further details:
relation-set writes the local unit’s settings for some relation. If it’s not running in a relation hook, -r needs to be specified. The value part of an argument is not inspected, and is stored directly as a string. Setting an empty string causes the setting to be removed.
relation-set is the tool for communicating information between units of related applications. By convention the charm that provides an interface is likely to set values, and a charm that requires that interface will read values; but there is nothing enforcing this. Whatever information you need to propagate for the remote charm to work must be propagated via relation-set, with the single exception of the private-address key, which is always set before the unit joins.
For some charms you may wish to overwrite the private-address setting, for example if you’re writing a charm that serves as a proxy for some external application. It is rarely a good idea to remove that key though, as most charms expect that value to exist unconditionally and may fail if it is not present.
All values are set in a transaction at the point when the hook terminates successfully (i.e. the hook exit code is 0). At that point all changed values will be communicated to the rest of the system, causing -changed hooks to run in all related units.
There is no way to write settings for any unit other than the local unit. However, any hook on the local unit can write settings for any relation which the local unit is participating in.
Examples:
relation-set port=80 tuning=default
relation-set -r server:3 username=jim password=12345
resource-get
Usage
resource-get <resource name>
Summary
Get the path to the locally cached resource file.
Details
“resource-get” is used while a hook is running to get the local path to the file for the identified resource. This file is an fs-local copy, unique to the unit for which the hook is running. It is downloaded from the controller, if necessary.
If “resource-get” for a resource has not been run before (for the unit) then the resource is downloaded from the controller at the revision associated with the unit’s application. That file is stored in the unit’s local cache. If “resource-get” has been run before then each subsequent run syncs the resource with the controller. This ensures that the revision of the unit-local copy of the resource matches the revision of the resource associated with the unit’s application.
Either way, the path provided by “resource-get” references the up-to-date file for the resource. Note that the resource may get updated on the controller for the application at any time, meaning the cached copy may be out of date at any time after you call “resource-get”. Consequently, the command should be run at every point where it is critical that the resource be up to date.
The “upgrade-charm” hook is useful for keeping your charm’s resources on a unit up to date. Run “resource-get” there for each of your charm’s resources to do so. The hook fires whenever the file for one of the application’s resources changes on the controller (in addition to when the charm itself changes). That means it happens in response to “juju upgrade-charm” as well as to “juju push-resource”.
Note that the “upgrade-charm” hook does not run when the unit is started up. So be sure to run “resource-get” for your resources in the “install” hook (or “config-changed”, etc.).
Note that “resource-get” only provides an FS path to the resource file. It does not provide any information about the resource (e.g. revision).
Further details:
resource-get fetches a resource from the Juju controller or the Juju Charm store. The command returns a local path to the file for a named resource.
If resource-get has not been run for the named resource previously, then the resource is downloaded from the controller at the revision associated with the unit’s application. That file is stored in the unit’s local cache. If resource-get has been run before then each subsequent run synchronizes the resource with the controller. This ensures that the revision of the unit-local copy of the resource matches the revision of the resource associated with the unit’s application.
The path provided by resource-get references the up-to-date file for the resource. Note that the resource may get updated on the controller for the application at any time, meaning the cached copy may be out of date at any time after resource-get is called. Consequently, the command should be run at every point where it is critical for the resource to be up to date.
Examples:
# resource-get software
/var/lib/juju/agents/unit-resources-example-0/resources/software/software.zip
secret-add
Usage
secret-add [options] [key[#base64|#file]=value...]
Summary
Add a new secret.
Options
--description (= "")
the secret description
--expire (= "")
either a duration or time when the secret should expire
--file (= "")
a YAML file containing secret key values
--label (= "")
a label used to identify the secret in hooks
--owner (= "application")
the owner of the secret, either the application or unit
--rotate (= "")
the secret rotation policy
Details
Add a secret with a list of key values.
If a key has the ‘#base64’ suffix, the value is already in base64 format and no encoding will be performed, otherwise the value will be base64 encoded prior to being stored.
If a key has the ‘#file’ suffix, the value is read from the corresponding file.
By default, a secret is owned by the application, meaning only the unit leader can manage it. Use “--owner unit” to create a secret owned by the specific unit which created it.
Examples:
secret-add token=34ae35facd4
secret-add key#base64=AA==
secret-add key#file=/path/to/file another-key=s3cret
secret-add --owner unit token=s3cret
secret-add --rotate monthly token=s3cret
secret-add --expire 24h token=s3cret
secret-add --expire 2025-01-01T06:06:06 token=s3cret
secret-add --label db-password \
    --description "my database password" \
    data#base64=s3cret==
secret-add --label db-password \
    --description "my database password" \
    --file=/path/to/file
secret-get
Usage
secret-get [options] <ID> [key[#base64]]
Summary
Get the content of a secret.
Options
--format (= yaml)
Specify output format (json|yaml)
--label (= "")
a label used to identify the secret in hooks
-o, --output (= "")
Specify an output file
--peek (= false)
get the latest revision just this time
--refresh (= false)
get the latest revision and also get this same revision for subsequent calls
Details
Get the content of a secret with a given secret ID. The first time the value is fetched, the latest revision is used. Subsequent calls will always return this same revision unless --peek or --refresh are used. Using --peek will fetch the latest revision just this time. Using --refresh will fetch the latest revision and continue to return the same revision next time unless --peek or --refresh is used.
Either the ID or label can be used to identify the secret.
Examples:
secret-get secret:9m4e2mr0ui3e8a215n4g
secret-get secret:9m4e2mr0ui3e8a215n4g token
secret-get secret:9m4e2mr0ui3e8a215n4g token#base64
secret-get secret:9m4e2mr0ui3e8a215n4g --format json
secret-get secret:9m4e2mr0ui3e8a215n4g --peek
secret-get secret:9m4e2mr0ui3e8a215n4g --refresh
secret-get secret:9m4e2mr0ui3e8a215n4g --label db-password
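The revision tracking described above matters during rotation: a consumer keeps reading the old revision until it asks for the latest one. The following is an added example, not part of the Juju documentation: it tries the latest revision with --peek and adopts it with --refresh only after a check accepts it. The function name and the check command are hypothetical, and it assumes that secret-get with a key prints that key's value on stdout.

```shell
#!/bin/sh
# Added example: consumer-side handling of a rotated secret.
# Assumes it runs inside a hook, where secret-get is on PATH.

# adopt_latest ID KEY CHECK...
#   CHECK is a command supplied by the charm (hypothetical). It receives the
#   candidate value on stdin and exits 0 if the workload can use it.
# Prints the value the unit should use now:
#   - the latest revision if CHECK accepted it (tracking moves forward)
#   - the currently tracked revision otherwise (tracking is left alone)
# Returns 0 if the latest revision was adopted, 1 if it was rejected,
# 2 if the secret could not be read.
adopt_latest() {
    al_id=$1
    al_key=$2
    shift 2

    # --peek: read the latest revision this once without changing tracking.
    al_new=$(secret-get --peek "$al_id" "$al_key") || return 2

    # The candidate goes to CHECK on stdin, not as an argument.
    if printf '%s' "$al_new" | "$@" >/dev/null 2>&1; then
        # --refresh: move tracking to the latest revision, so later plain
        # secret-get calls return it as well.
        secret-get --refresh "$al_id" "$al_key" || return 2
        return 0
    fi

    # Plain call: still the revision this unit was tracking before.
    secret-get "$al_id" "$al_key" || return 2
    return 1
}
```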
secret-grant
Usage
secret-grant [options] <ID>
Summary
Grant access to a secret.
Options
-r, --relation (= )
the relation with which to associate the grant
--unit (= "")
the unit to grant access
Details
Grant access to view the value of a specified secret. Access is granted in the context of a relation - unless revoked earlier, once the relation is removed, so too is the access grant.
By default, all units of the related application are granted access. Optionally specify a unit name to limit access to just that unit.
Examples:
secret-grant secret:9m4e2mr0ui3e8a215n4g -r 0 --unit mediawiki/6
secret-grant secret:9m4e2mr0ui3e8a215n4g --relation db:2
secret-ids
Usage
secret-ids [options]
Summary
Print secret ids.
Options
--format (= smart)
Specify output format (json|smart|yaml)
-o, --output (= "")
Specify an output file
Details
Returns the secret ids for secrets owned by the application.
Examples:
secret-ids
secret-info-get
Usage
secret-info-get [options] <ID>
Summary
Get a secret’s metadata info.
Options
--format (= yaml)
Specify output format (json|yaml)
--label (= "")
a label used to identify the secret
-o, --output (= "")
Specify an output file
Details
Get the metadata of a secret with a given secret ID. Either the ID or label can be used to identify the secret.
Examples:
secret-info-get --label db-password
secret-remove
Usage
secret-remove [options] <ID>
Summary
Remove an existing secret.
Options
--revision (= 0)
remove the specified revision
Details
Remove a secret with the specified URI.
Examples:
secret-remove secret:9m4e2mr0ui3e8a215n4g
secret-revoke
Usage
secret-revoke [options] <ID>
Summary
Revoke access to a secret.
Options
--app, --application (= "")
the application to revoke access
-r, --relation (= )
the relation for which to revoke the grant
--unit (= "")
the unit to revoke access
Details
Revoke access to view the value of a specified secret. Access may be revoked from an application (all units of that application lose access), or from a specified unit. If run in a relation hook, the related application’s access is revoked, unless a unit is specified, in which case just that unit’s access is revoked.
Examples:
secret-revoke secret:9m4e2mr0ui3e8a215n4g
secret-revoke secret:9m4e2mr0ui3e8a215n4g --relation 1
secret-revoke secret:9m4e2mr0ui3e8a215n4g --app mediawiki
secret-revoke secret:9m4e2mr0ui3e8a215n4g --unit mediawiki/6
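The grant and revoke tools above can be combined so that a secret is only ever visible to the narrowest scope that needs it. The following is an added example, not part of the Juju documentation; the function names are hypothetical, and it assumes that secret-add prints the new secret's ID on stdout.

```shell
#!/bin/sh
# Added example: least-privilege sharing of a charm secret.
# Assumes a hook context on the leader unit (application-owned secrets are
# managed by the leader), where the secret-* hook tools are on PATH.

# share_secret LABEL VALUE_FILE RELATION_ID [UNIT]
# Creates the secret from a file and grants it in the context of one
# relation, optionally narrowed to one unit. Prints the secret ID.
share_secret() {
    ss_label=$1
    ss_file=$2
    ss_rel=$3
    ss_unit=${4:-}
    [ -r "$ss_file" ] || { echo "cannot read $ss_file" >&2; return 1; }

    # key#file makes secret-add read the value from the file, so the value
    # itself is never placed on a command line.
    ss_id=$(secret-add --label "$ss_label" "password#file=$ss_file") || return 1

    set -- "$ss_id" -r "$ss_rel"
    [ -z "$ss_unit" ] || set -- "$@" --unit "$ss_unit"
    if ! secret-grant "$@"; then
        # Do not leave a secret behind that nobody was granted.
        secret-remove "$ss_id"
        return 1
    fi
    printf '%s\n' "$ss_id"
}

# unshare_secret ID RELATION_ID [UNIT]
# Revokes a single unit's access when UNIT is given, otherwise revokes the
# grant made for the relation.
unshare_secret() {
    if [ -n "${3:-}" ]; then
        secret-revoke "$1" --unit "$3"
    else
        secret-revoke "$1" --relation "$2"
    fi
}
```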
secret-set
Usage
secret-set [options] <ID> [key[#base64]=value...]
Summary
Update an existing secret.
Options
--description (= "")
the secret description
--expire (= "")
either a duration or time when the secret should expire
--file (= "")
a YAML file containing secret key values
--label (= "")
a label used to identify the secret in hooks
--owner (= "application")
the owner of the secret, either the application or unit
--rotate (= "")
the secret rotation policy
Details
Update a secret with a list of key values, or set new metadata. If a key has the ‘#base64’ suffix, the value is already in base64 format and no encoding will be performed, otherwise the value will be base64 encoded prior to being stored. To just update selected metadata like rotate policy, do not specify any secret value.
Examples:
secret-set secret:9m4e2mr0ui3e8a215n4g token=34ae35facd4
secret-set secret:9m4e2mr0ui3e8a215n4g key#base64=AA==
secret-set secret:9m4e2mr0ui3e8a215n4g --rotate monthly token=s3cret
secret-set secret:9m4e2mr0ui3e8a215n4g --expire 24h
secret-set secret:9m4e2mr0ui3e8a215n4g --expire 24h token=s3cret
secret-set secret:9m4e2mr0ui3e8a215n4g --expire 2025-01-01T06:06:06 token=s3cret
secret-set secret:9m4e2mr0ui3e8a215n4g --label db-password \
--description "my database password" \
data#base64=s3cret==
secret-set secret:9m4e2mr0ui3e8a215n4g --label db-password \
--description "my database password"
secret-set secret:9m4e2mr0ui3e8a215n4g --label db-password \
--description "my database password" \
--file=/path/to/file
state-delete
Usage
state-delete <key>
Summary
Delete server-side-state key value pair.
Details
state-delete deletes the value of the server side state specified by key.
See also:
state-get
state-set
state-get
Usage
state-get [options] [<key>]
Summary
Print server-side-state value.
Options
--format (= smart)
Specify output format (json|smart|yaml)
-o, --output (= "")
Specify an output file
--strict (= false)
Return an error if the requested key does not exist
Details
state-get prints the value of the server side state specified by key. If no key is given, or if the key is “-”, all keys and values will be printed.
See also:
state-delete
state-set
state-set
Usage
state-set [options] key=value [key=value ...]
Summary
Set server-side-state values.
Options
--file (= )
file containing key-value pairs
Details
state-set sets the value of the server side state specified by key.
The --file option should be used when one or more key-value pairs are too long to fit within the command length limit of the shell or operating system. The file will contain a YAML map containing the settings as strings. Settings in the file will be overridden by any duplicate key-value arguments. A value of “-” for the filename means .
The following fixed size limits apply:
- Length of stored keys cannot exceed 256 bytes.
- Length of stored values cannot exceed 65536 bytes.
See also:
state-delete
state-get
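The fixed size limits above are stated in bytes, so a key made of multi-byte characters reaches the limit sooner than its character count suggests. The following is an added example, not part of the Juju documentation: it checks every pair against the documented limits before anything is handed to state-set. The function names and return codes are hypothetical.

```shell
#!/bin/sh
# Added example: enforce the documented state-set size limits before calling
# the hook tool. Assumes a hook context where state-set is on PATH.

MAX_KEY_BYTES=256      # "Length of stored keys cannot exceed 256 bytes."
MAX_VALUE_BYTES=65536  # "Length of stored values cannot exceed 65536 bytes."

# byte_len STRING: length in bytes, not characters (wc -c counts bytes, so
# multi-byte UTF-8 text is measured the way the limits are stated).
byte_len() { printf '%s' "$1" | wc -c | tr -d '[:space:]'; }

# check_state_pair KEY=VALUE
# Returns 0 if acceptable, 2 if the argument is not key=value,
# 3 if the key is too long, 4 if the value is too long.
check_state_pair() {
    case $1 in
        *=*) ;;
        *) return 2 ;;
    esac
    # Split at the first '=' so values may themselves contain '='.
    [ "$(byte_len "${1%%=*}")" -le "$MAX_KEY_BYTES" ] || return 3
    [ "$(byte_len "${1#*=}")" -le "$MAX_VALUE_BYTES" ] || return 4
}

# state_set_checked KEY=VALUE...
# Validates every pair first, so state-set is not called at all if any pair
# is unacceptable. Only the key is logged, never the value.
state_set_checked() {
    for sc_pair in "$@"; do
        check_state_pair "$sc_pair" || {
            sc_rc=$?
            echo "state-set: rejected '${sc_pair%%=*}' (code $sc_rc)" >&2
            return "$sc_rc"
        }
    done
    state-set "$@"
}
```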
status-get
Usage
status-get [options] [--include-data] [--application]
Summary
Print status information.
Options
--application (= false)
print status for all units of this application if this unit is the leader
--format (= smart)
Specify output format (json|smart|yaml)
--include-data (= false)
print all status data
-o, --output (= "")
Specify an output file
Details
By default, only the status value is printed. If the --include-data flag is passed, the associated data are printed also.
Further details:
status-get allows charms to query the current workload status.
Without arguments, it just prints the status code e.g. ‘maintenance’. With --include-data specified, it prints YAML which contains the status value plus any data associated with the status.
Include the --application option to get the overall status for the application, rather than an individual unit.
Examples:
Access the unit’s status:
status-get
status-get --include-data
Access the application’s status:
status-get --application
status-set
Usage
status-set [options] <maintenance | blocked | waiting | active> [message]
Summary
Set status information.
Options
--application (= false)
set this status for the application to which the unit belongs if the unit is the leader
Details
Sets the workload status of the charm. Message is optional. The “last updated” attribute of the status is set, even if the status and message are the same as what’s already set.
Further details:
status-set changes what is displayed in juju status.
status-set allows charms to describe their current status. This places the responsibility on the charm to know its status, and set it accordingly using the status-set hook tool. Changes made via status-set are applied without waiting for a hook execution to end and are not rolled back if a hook execution fails.
The leader unit is responsible for setting the overall status of the application by using the --application option.
This hook tool takes 2 arguments. The first is the status code and the second is a message to report to the user.
Valid status codes are:
- maintenance (the unit is not currently providing a service, but expects to be soon, e.g. when first installing)
- blocked (the unit cannot continue without user input)
- waiting (the unit itself is not in error and requires no intervention, but it is not currently in service as it depends on some external factor, e.g. an application to which it is related is not running)
- active (This unit believes it is correctly offering all the services it is primarily installed to provide)
For more extensive explanations of these status codes, please see the status reference page.
The second argument is a user-facing message, which will be displayed to any users viewing the status, and will also be visible in the status history. This can contain any useful information.
In the case of a blocked status, though, the status message should tell the user explicitly how to unblock the unit insofar as possible, as this is the primary way of indicating any action to be taken (and may be surfaced by other tools using Juju, e.g. the Juju GUI).
A unit in the active state should not generally expect anyone to look at its status message, and often it is better not to set one at all. In the event of a degradation of service, this is a good place to surface an explanation for the degradation (load, hardware failure or other issue).
A unit in error state will have a message that is set by Juju and not the charm, because the error state represents a crash in a charm hook - an unmanaged and uninterpretable situation. Juju will set the message to be a reflection of the hook which crashed. For example “Crashed installing the software” for an install hook crash, or “Crash establishing database link” for a crash in a relationship hook.
Examples:
Set the unit’s status:
# Set the unit's workload status to "maintenance".
# This implies a short downtime that should self-resolve.
status-set maintenance "installing software"
status-set maintenance "formatting storage space, time left: 120s"
# Set the unit's workload status to "waiting"
# The workload is awaiting something else in the model to become active
status-set waiting "waiting for database"
# Set the unit workload's status to "active"
# The workload is installed and running. Any messages should be informational.
status-set active
status-set active "Storage 95% full"
# Set the unit's workload status to "blocked"
# This implies human intervention is required to unblock the unit.
# Messages should describe what is needed to resolve the problem.
status-set blocked "Add a database relation"
status-set blocked "Storage full"
Set the application’s status:
# From a unit, update its status
status-set maintenance "Upgrading to 4.1.1"
# From the leader, update the application's status line
status-set --application maintenance "Application upgrade underway"
Non-leader units which attempt to use --application will receive an error:
status-set --application maintenance "I'm not the leader."
error: this unit is not the leader
storage-add
Usage
storage-add <charm storage name>[=count] ...
Summary
Add storage instances.
Details
Storage add adds storage instances to unit using provided storage directives. A storage directive consists of a storage name as per charm specification and optional storage COUNT.
COUNT is a positive integer indicating how many instances of the storage to create. If unspecified, COUNT defaults to 1.
Further details:
storage-add adds storage volumes to the unit.
storage-add takes the name of the storage volume (as defined in the charm metadata), and optionally the number of storage instances to add. By default, it will add a single storage instance of the name.
Examples:
storage-add database-storage=1
storage-get
Usage
storage-get [options] [<key>]
Summary
Print information for storage instance with specified id.
Options
--format (= smart)
Specify output format (json|smart|yaml)
-o, --output (= "")
Specify an output file
-s (= )
specify a storage instance by id
Details
When no <key> is supplied, all keys and values are printed.
Further details:
storage-get obtains information about storage being attached to, or detaching from, the unit.
If the executing hook is a storage hook, information about the storage related to the hook will be reported; this may be overridden by specifying the name of the storage as reported by storage-list, and must be specified for non-storage hooks.
storage-get can be used to identify the storage location during storage-attached and storage-detaching hooks. The exception to this is when the charm specifies a static location for singleton stores.
Examples:
# retrieve information by UUID
storage-get 21127934-8986-11e5-af63-feff819cdc9f
# retrieve information by name
storage-get -s data/0
storage-list
Usage
storage-list [options] [<storage-name>]
Summary
List storage attached to the unit.
Options
--format (= smart)
Specify output format (json|smart|yaml)
-o, --output (= "")
Specify an output file
Details
storage-list will list the names of all storage instances attached to the unit. These names can be passed to storage-get via the “-s” flag to query the storage attributes.
A storage name may be specified, in which case only storage instances for that named storage will be returned.
Further details:
storage-list lists storage instances that are attached to the unit.
The storage instance identifiers returned from storage-list may be passed through to the storage-get command using the -s option.
unit-get
unit-get is deprecated in favour of the network-get hook tool. See Network primitives for details.
Usage
unit-get [options] <setting>
Summary
Print public-address or private-address.
Options
--format (= smart)
Specify output format (json|smart|yaml)
-o, --output (= "")
Specify an output file
Further details:
unit-get returns the IP address of the unit.
It accepts a single argument, which must be private-address or public-address. It is not affected by context.
Note that if a unit has been deployed with --bind space then the address returned from unit-get private-address will get the address from this space, not the ‘default’ space.
Examples:
unit-get public-address
Contributors: @achilleasa, @amandahla, @benhoyt, @charlie4284, @dmitrii, @jameinel, @pmatulis, @ppasotti, @timclicks, @tmihoc