action #150815
closedQA - coordination #121720: [saga][epic] Migration to QE setup in PRG2+NUE3 while ensuring availability
QA - coordination #123800: [epic] Provide SUSE QE Tools services running in PRG2 aka. Prg CoLo
unable to login over ssh to o3 (gate.opensuse.org:2214) size:M
0%
Description
Observation
Recently there were changes in the opensuse.org infrastructure, as also announced. Now I am unable to log in over ssh to o3 (gate.opensuse.org:2214). Login over the SUSE internal network still works.
Steps to reproduce
ssh -p 2214 gate.opensuse.org
Acceptance criteria
- AC1: We can log in to openqa.opensuse.org over a public interface using SSH from various network sources
- AC2: https://progress.opensuse.org/projects/openqav3/wiki/#Accessing-the-o3-infrastructure is still up-to-date
Suggestions
- DONE Try out the connection yourself
- DONE Report the problem in #dct-migration https://suse.slack.com/archives/C04MDKHQE20/p1699869402586159 and/or by SD-ticket
- Find a working solution and change accordingly where needed
- Ensure https://progress.opensuse.org/projects/openqav3/wiki/#Accessing-the-o3-infrastructure is still up-to-date
Rollback actions
- Use gate.opensuse.org:2214 in monitor-o3, see https://gitlab.suse.de/openqa/ci/-/merge_requests/4
Updated by okurz 6 months ago
- Status changed from New to Feedback
- Assignee set to okurz
https://suse.slack.com/archives/C04MDKHQE20/p1699869402586159
(Oliver Kurz) @Lazaros Haleplidis @Georg Pfützenreuter problem report as already pointed out in irc://irc.libera.chat/opensuse-admin I am unable to login to ariel.suse-dmz.opensuse.org over TCP 2214 (ssh) on gate.opensuse.org. Our internal reference https://progress.opensuse.org/issues/150815
…
(Georg Pfützenreuter) ok, then I suggest you open this port in your own infrastructure and if needed ask Lazaros to permit it to pass directly there without going through openSUSE
(Oliver Kurz) how would we be able to open a port in "our infrastructure"?
(Georg Pfützenreuter) go to one of your servers and execute a process that listens on a port
(Oliver Kurz) so @Lazaros Haleplidis @Martin Caj is that what you would like to see done? We can listen on o3 non-standard-ssh-port and we enable that in firewall?
Updated by okurz 6 months ago
No response yesterday so asking more explicitly again:
https://suse.slack.com/archives/C04MDKHQE20/p1699961094490689?thread_ts=1699869402.586159&cid=C04MDKHQE20
(Oliver Kurz) @Lazaros Haleplidis @John Ford @Moroni Flores @Martin Caj @Georg Pfützenreuter so is https://suse.slack.com/archives/C04MDKHQE20/p1699877008506009?thread_ts=1699869402.586159&cid=C04MDKHQE20 what you suggest we do now after gate.opensuse.org does not allow ssh connection to o3 anymore so make sshd listen on o3 on a non-standard port for the public internet and you allow/forward that in the firewall?
Updated by okurz 6 months ago
- Related to tickets #139244: gate.opensuse.org no longer forwards port 2271 to gcc.infra.opensuse.org added
Updated by mgriessmeier 5 months ago
Reminded during "DCT migration weekly" to follow up in Slack and/or Jira; was taken as action item by John Ford and Toks.
Updated by okurz 5 months ago
- Due date changed from 2023-12-04 to 2023-12-18
Lengthy discussion with Tammo Oepkes from cybersecurity. Current suggestion from Tammo is to designate ariel as an "openSUSE-machine" which I fear would entail more consequences and bigger restructuring work. My suggestion is still to just open port 2214 on the public o3 interface, run sshd on that and keep everything else as is. Will need to wait for Tammo or others to come back based on that proposal.
Updated by okurz 4 months ago
- Status changed from Feedback to Blocked
As decided with mhaeffner I now created a specific Jira card myself: https://jira.suse.com/browse/ENGINFRA-3691
Updated by okurz about 2 months ago
- Target version changed from Ready to Tools - Next
Updated by okurz about 5 hours ago
- Due date deleted (2024-04-30)
- Status changed from Blocked to Rejected
- Target version changed from Tools - Next to Ready
From https://sd.suse.com/servicedesk/customer/portal/1/SD-148421, message by me:
Given your assessment I revoke my original request and suggest we do not continue with the implementation of any changes. The plan to move the complete openqa.opensuse.org infrastructure into the openSUSE infrastructure is sound; however, it poses too high an effort and risks, with the change endangering further engagement of SUSE employees as well as community members. Given that, we will accept the additional administration effort for SUSE employees to keep the infrastructure running in the current infrastructure design on behalf of community members, as well as the implicit potential loss of (limited) revenue due to not being able to provide this access. You can close/reject this ticket.
This is based on assessments provided by stakeholders of IT, CyberSec, workers council, etc., which would make it necessary to apply major, disruptive changes to the openqa.opensuse.org infrastructure.