CMR scenario #2
This page refers to Cross model relations. See that page for background information.
In this example, we supply a CMR infrastructure “out of the box” with a few nimble commands and then proceed to query, poke, analyse, and finally extend it by addressing firewall concerns.
This scenario describes a MediaWiki deployment, based upon multiple (LXD) controllers, used by a non-admin user, and consumed by a single model.
Build the infrastructure
The infrastructure is built in this way:
juju bootstrap localhost lxd-cmr-1 juju add-model cmr-model-1 juju deploy mysql juju offer mysql:db juju bootstrap localhost lxd-cmr-2 juju add-model cmr-model-2 juju deploy mediawiki juju add-relation mediawiki:db lxd-cmr-1:admin/cmr-model-1.mysql
status command provides a summary of what offers have been made. Here we’ll apply it to the model ‘cmr-model-1’ in the ‘lxd-cmr-1’ controller:
juju status --relations -m lxd-cmr-1:cmr-model-1
Model Controller Cloud/Region Version SLA Timestamp cmr-model-1 lxd-cmr-1 localhost/localhost 2.4-beta4 unsupported 18:32:57Z App Version Status Scale Charm Store Rev OS Notes mysql 5.7.22 active 1 mysql jujucharms 58 ubuntu Unit Workload Agent Machine Public address Ports Message mysql/0* active idle 0 10.252.47.60 3306/tcp Ready Machine State DNS Inst id Series AZ Message 0 started 10.252.47.60 juju-68c45a-0 xenial Running Offer Application Charm Rev Connected Endpoint Interface Role mysql mysql mysql 58 1/1 db mysql provider Relation provider Requirer Interface Type Message mysql:cluster mysql:cluster mysql-ha peer
In the ‘Offer’ section, the ‘Connected’ column shows the number of active connections to the offer and the total number of connections/relations (including those suspended).
offers command (alias
juju list-offers) shows similar information. However, it also allows for several formats, each of which displays different kinds of information.
The ‘summary’ format provides information very similar to that gained via the
status command (it adds the offer URL):
juju offers --format summary -m lxd-cmr-1:cmr-model-1
Offer Application Charm Connected Store URL Endpoint Interface Role mysql mysql cs:mysql-58 1/1 lxd-cmr-1 admin/cmr-model-1.mysql db mysql provider
The ‘yaml’ format shows additional information, such as who is allowed to access the offer and what ingress subnets are required to allow traffic from the consuming model:
juju offers --format yaml -m lxd-cmr-1:cmr-model-1
mysql: application: mysql store: lxd-cmr-1 charm: cs:mysql-58 offer-url: admin/cmr-model-1.mysql endpoints: db: interface: mysql role: provider connections: - source-model-uuid: 4f032e24-4912-4620-894e-0b8f5324465c username: admin relation-id: 1 endpoint: db status: current: joined since: 2018-06-01 ingress-subnets: - 10.252.47.222/32 users: admin: display-name: admin access: admin everyone@external: access: read
The ‘tabular’ format (the default) shows each relation (connection) to the offer from the consuming model:
juju offers -m lxd-cmr-1:cmr-model-1
Offer User Relation id Status Endpoint Interface Role Ingress subnets mysql admin 1 joined db mysql provider 10.252.47.222/32
This command can also filter what offers are included in the result. Note that, for brevity, the scenario model is not specified in the below examples.
To list all offers for a given application:
juju offers --application mysql
To list all offers for a given interface:
juju offers --interface mysql
To list all offers for a given user who has created a relation to the offer:
juju offers --connected-user <user name>
To list all offers for a given user who can consume the offer:
juju offers --format summary --allowed-consumer <user name>
The above command is best run with
--format summary as the intent is to see, for a given user, what offers they might relate to, regardless of whether there are existing relations (which is what the tabular view shows).
To list a specific offer (here named ‘mysql’):
juju offers mysql
juju show-offer command gives details about a specific offer:
juju show-offer lxd-cmr-1:admin/cmr-model-1.mysql
Store URL Access Description Endpoint Interface Role lxd-cmr-1 admin/cmr-model-1.mysql admin MySQL is a fast, stable and true multi-user, db mysql provider multi-threaded SQL database server. SQL (Structured Query Language) is the most popular database query language in the world. The ma...
Notice how this command takes the offer URL as the argument. The controller portion (‘lxd-cmr-1’) can be omitted if the current controller contains the offer. In the same vein, if the offer resides in the current model then just the short name can be used (‘cmr-model-1.mysql’).
For more details, including which users can access the offer, use the ‘yaml’ format.
A non-admin user with read/consume access can also view an offer’s details, but they won’t see user ACL information.
Offers can be searched based on various criteria:
- URL (or part thereof)
- offer name
- model name
- interface name
The results will show information about the offer, including the ACL permissions (of the user making the query).
To find all offers on controller
juju find-offers lxd-cmr-1:
Store URL Access Interfaces lxd-cmr-1 admin/cmr-model-1.mysql admin mysql:db
The ‘yaml’ format will display extra information, including users who can access the offer (if an admin is making the query). Below we show this, in addition to searching by offer name:
juju find-offers lxd-cmr-1: --offer mysql --format yaml
lxd-cmr-1:admin/cmr-model-1.mysql: access: admin endpoints: db: interface: mysql role: provider users: admin: display-name: admin access: admin everyone@external: access: read
To find offers in model
cmr-model-1 on controller
juju find-offers lxd-cmr-1:cmr-model-1
Relating to offers from behind a firewall
Let the consuming model in this scenario be protected by a firewall that NATs all outgoing traffic to the single IPv4 address of 188.8.131.52/32.
Here, the admin on the offering side decided to create a whitelist consisting of a range of addresses known to cover the consuming side:
juju set-firewall-rule juju-application-offer --whitelist 184.108.40.206/16
Now request to have the single NAT address contact the offer:
juju add-relation mediawiki:db lxd-cmr-1:admin/cmr-model-1.mysql --via 220.127.116.11/32