coordination #116623 (closed)
coordination #121720: [saga][epic] Migration to QE setup in PRG2+NUE3 while ensuring availability
[epic] Migration of SUSE Nbg based openQA+QA+QAM systems to new security zones
Added by okurz about 2 years ago.
Updated 10 months ago.
Description
Motivation
The SUSE Cybersecurity team plans to provide better network segmentation to improve security. Proposals exist e.g. on https://confluence.suse.com/pages/viewpage.action?pageId=952173193 and https://confluence.suse.com/pages/viewpage.action?pageId=1006108843 .
mgriessmeier and nsinger and okurz had a meeting with Lazaros Haleplidis on 2022-09-15. We should now plan which systems and services need which security rules, e.g. which ports accessible, etc.
Acceptance criteria
- AC1: All Nbg based QA/QAM machines are within the new security zones (including OSD machines, excluding O3 machines)
- AC2: All QA provided services continue to be operational
Suggestions
- Read existing materials and proposals, e.g. above mentioned confluence pages
- okurz suggests to make sure racktables Nuremberg&QA&QAM is the complete list for all the machines we need to care about
- Come up with a proposal for what network security zones we need and what security rules should apply for those
- Provide a list of all machines with FQDN, MAC, VLAN, IPv4, IPv6 for machines as well as BMCs as required by Lazaros Haleplidis, at best readable directly from Racktables
Out of scope
Currently the dedicated openqa.opensuse.org network is not covered by this change. According to Lazaros Haleplidis no public-facing machines, including https://openqa.opensuse.org, are touched by this.
Further details
What are your requirements that need to be fulfilled?
All inbound traffic needs to be well defined.
Do we have any benefits from this change?
Better separation within SUSE networks
How can the security rules be controlled?
Creating a ticket. Automation, e.g. using terraform, etc., is evaluated
Do we need two networks, one for openQA and QA?
Right now we use machines within the Eng-Infra network. We can specify requirements
We need HTTP communication to various hosts within the .suse.de domain. download.suse.de, gitlab.suse.de, etc.
All of these need to be specifically specified
BMCs are planned to be accessible over jump hosts. It is planned to migrate IP access to machines first and keep IPMI till the end. The jump host is planned to be a Linux VM accessible over SSH from where we can access the BMCs of the systems.
It is possible to have dedicated "test networks" so equivalent to our QA network where we have machines+BMCs within the same network. It might not be the suggested setup but is possible.
We meet again on 2022-09-22, 1500 CEST. Lazaros Haleplidis will invite us for 2022-09-22.
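As an added example (not code from the ticket, from the QE tools team or from SUSE-IT), the following Python script audits a host inventory of the kind requested above (FQDN, MAC, VLAN, IPv4, IPv6, BMC) together with a candidate firewall ruleset against the requirements listed under "Further details": all inbound traffic explicitly defined, BMCs reachable only from the jump host, and outbound HTTP(S) only to named destinations. All hostnames, addresses, MACs, VLAN IDs and rules in it are constructed sample data, and the rule model (direction, src, dst, proto, dport) is an assumption, not the format SUSE-IT uses.

```python
"""Added example: audit a constructed host inventory and firewall ruleset against
the requirements in this ticket (inventory consistent, inbound rules explicit,
BMCs only via the jump host, outbound HTTP(S) to named hosts). Not SUSE-IT code."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")


@dataclass(frozen=True)
class Host:
    fqdn: str
    mac: str
    vlan: int
    ipv4: str
    ipv6: str
    bmc_ipv4: Optional[str] = None  # None for hosts without a BMC (e.g. VMs)


@dataclass(frozen=True)
class Rule:
    direction: str  # "in" (towards the zone) or "out" (from the zone)
    src: str        # CIDR or "any"
    dst: str        # CIDR or "any"
    proto: str      # "tcp", "udp", "icmp" or "any"
    dport: str      # destination port or "any"


# Constructed sample data: hostnames, addresses, MACs and VLAN IDs are made up.
JUMP_HOST = "10.0.3.10/32"
INVENTORY = [
    Host("openqaworker11.example.test", "52:54:00:aa:bb:01", 101, "10.0.1.11", "fd00:1::11", "10.0.2.11"),
    Host("openqaworker12.example.test", "52:54:00:aa:bb:02", 101, "10.0.1.12", "fd00:1::12", "10.0.2.12"),
    Host("jumphost.example.test", "52:54:00:aa:bb:03", 103, "10.0.3.10", "fd00:3::10"),
]
RULES = [
    Rule("in", "10.0.3.0/24", "10.0.1.0/24", "tcp", "22"),     # ok: SSH from the admin zone
    Rule("in", "any", "10.0.1.0/24", "tcp", "any"),            # bad: source and port not defined
    Rule("in", "10.0.3.10/32", "10.0.2.11/32", "udp", "623"),  # ok: IPMI to a BMC from the jump host
    Rule("in", "10.0.1.0/24", "10.0.2.12/32", "udp", "623"),   # bad: BMC reachable from the worker zone
    Rule("out", "10.0.1.0/24", "any", "tcp", "443"),           # bad: HTTPS destination must be named
]


def check_inventory(hosts):
    """Malformed MACs, invalid addresses and duplicate MAC/IP entries."""
    problems, seen = [], {}
    for h in hosts:
        if not MAC_RE.match(h.mac.lower()):
            problems.append(f"{h.fqdn}: malformed MAC {h.mac}")
        for field, value in (("ipv4", h.ipv4), ("ipv6", h.ipv6), ("bmc_ipv4", h.bmc_ipv4)):
            if value is None:
                continue
            try:
                ipaddress.ip_address(value)
            except ValueError:
                problems.append(f"{h.fqdn}: invalid {field} {value}")
            if value in seen:
                problems.append(f"{h.fqdn}: {field} {value} already used by {seen[value]}")
            seen[value] = h.fqdn
        mac = h.mac.lower()
        if mac in seen:
            problems.append(f"{h.fqdn}: MAC {mac} already used by {seen[mac]}")
        seen[mac] = h.fqdn
    return problems


def check_inbound_explicit(rules):
    """Inbound rules must name source, protocol and port ("all inbound traffic well defined")."""
    return [r for r in rules if r.direction == "in" and "any" in (r.src, r.proto, r.dport)]


def check_bmc_only_via_jump(rules, hosts, jump_host):
    """Inbound rules that reach a BMC address from anything other than the jump host."""
    jump = ipaddress.ip_network(jump_host, strict=False)
    bmcs = [ipaddress.ip_address(h.bmc_ipv4) for h in hosts if h.bmc_ipv4]
    bad = []
    for r in rules:
        if r.direction != "in":
            continue
        covers_bmc = r.dst == "any" or any(ip in ipaddress.ip_network(r.dst, strict=False) for ip in bmcs)
        from_jump = r.src != "any" and ipaddress.ip_network(r.src, strict=False).subnet_of(jump)
        if covers_bmc and not from_jump:
            bad.append(r)
    return bad


def check_outbound_http_named(rules):
    """Outbound HTTP(S) must target named hosts (download.suse.de, gitlab.suse.de, ...), never 'any'."""
    return [r for r in rules if r.direction == "out" and r.dport in ("80", "443") and r.dst == "any"]


def audit(hosts=INVENTORY, rules=RULES, jump_host=JUMP_HOST):
    return {
        "inventory": check_inventory(hosts),
        "inbound_not_explicit": check_inbound_explicit(rules),
        "bmc_not_via_jump": check_bmc_only_via_jump(rules, hosts, jump_host),
        "outbound_http_unnamed": check_outbound_http_named(rules),
    }


if __name__ == "__main__":
    for name, findings in audit().items():
        print(f"{name}: {'ok' if not findings else ''}")
        for finding in findings:
            print("   ", finding)
```

Run as is, the script reports the inventory as consistent and flags exactly the three rules marked "bad" above; feeding it a real Racktables export would only require filling `INVENTORY` and `RULES` from that data.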
- Project changed from 46 to 175
- Description updated (diff)
- Status changed from New to Blocked
- Description updated (diff)
- Description updated (diff)
I suggest we coordinate the further work in #discuss-qe-new-security-zones, which makes it easier to reference messages and pull in other people as necessary. I pinged the team SUSE QE Tools as well as #eng-testing https://suse.slack.com/archives/C02CANHLANP/p1666788854486469 :
@channel regarding https://progress.opensuse.org/issues/116623 "[epic] Migration of SUSE openQA+QA+QAM systems to new security zones" I created a new room #discuss-qe-new-security-zones to coordinate the work across multiple teams, for now including me, nsinger, mgriessmeier and Lazaros Haleplidis from SUSE-IT. He wants to focus on Nbg SRV1 and start as soon as possible. I suggested to use openqaworker11 https://racktables.nue.suse.com/index.php?page=object&tab=default&object_id=9584 as a test machine. Starting 2022-10-31 08:30Z we will migrate that machine with eth0+eth1+ipmi and after confirmation of everything fully working continue with other machines. DHCP/DNS still to be provided by SUSE-IT Eng-Infra. Lazaros will clarify serving DHCP/DNS with mcaj. As stated by Lazaros the goal is that VLAN 2 in Nuremberg is fully replaced by more team-specific zones.
Who will join the effort?
- Related to action #120441: OSD parallel jobs failed with "get_job_autoinst_url: No worker info for job xxx available" size:meow added
- Related to deleted (action #120441: OSD parallel jobs failed with "get_job_autoinst_url: No worker info for job xxx available" size:meow)
Both these tickets are already related. Also, please reference tickets in the format #[0-9]* to see a direct preview of the ticket subject and status.
hsehic quoted mflores stating that the security zone migration should only cover Nbg Maxtorhof SRV1 for now and only further systems starting "summer 2023". This needs to be clarified.
Participated in a meeting with SUSE-IT about this topic. It's planned that firewall rules are deployed using terraform with recipes in gitlab. Expected to be implemented early next year. Later access to monitoring of traffic is planned. Nbg NUE1 (Maxtorhof) SRV1 is priority for a migration.
- Project changed from 175 to 46
- Related to action #125450: Improve collaboration with Eng-Infra - Firewall management access, potentially also DHCP+DNS size:M added
- Category set to Infrastructure
- Target version changed from Ready to future
- Parent task changed from #115280 to #130955
I assume a final migration will only be necessary as part of #130955, changing parent accordingly
- Parent task changed from #130955 to #121720
- Subtask deleted (#120651)
- Status changed from Blocked to Resolved
- Target version changed from future to Ready
With NUE1 decommissioned all active systems are in new security zones and I guess machines that are brought (back) into production will also end up in new security zones. No specific work for improving error reporting here was done and I don't think we need to improve that further. We need to rely on SUSE-IT to monitor their firewall accordingly.
- Subject changed from [epic] Migration of SUSE openQA+QA+QAM systems to new security zones to [epic] Migration of SUSE Nbg based openQA+QA+QAM systems to new security zones