action #150815
closed
QA - coordination #121720: [saga][epic] Migration to QE setup in PRG2+NUE3 while ensuring availability
QA - coordination #123800: [epic] Provide SUSE QE Tools services running in PRG2 aka. Prg CoLo
unable to login over ssh to o3 (gate.opensuse.org:2214) size:M
Added by okurz 6 months ago.
Updated 15 days ago.
Description
Observation¶
Recently there were changes in the opensuse.org infrastructure as also announced. Now I am unable to login over ssh to o3 (gate.opensuse.org:2214). Login over the SUSE internal network still works.
Steps to reproduce¶
ssh -p 2214 gate.opensuse.org
Acceptance criteria¶
Suggestions¶
Rollback actions¶
- Tags changed from infra to infra, reactive work
- Status changed from New to Feedback
- Assignee set to okurz
https://suse.slack.com/archives/C04MDKHQE20/p1699869402586159
(Oliver Kurz) @Lazaros Haleplidis @Georg Pfützenreuter problem report as already pointed out in irc://irc.libera.chat/opensuse-admin I am unable to login to ariel.suse-dmz.opensuse.org over TCP 2214 (ssh) on gate.opensuse.org . Our internal reference https://progress.opensuse.org/issues/150815
…
(Georg Pfützenreuter) ok, then I suggest you open this port in your own infrastructure and if needed ask Lazaros to permit it to pass directly there without going through openSUSE
(Oliver Kurz) how would we be able to open a port in "our infrastructure"?
(Georg Pfützenreuter) go to one of your servers and execute a process that listens on a port
(Oliver Kurz) so @Lazaros Haleplidis @Martin Caj is that what you would like to see done? We can listen on o3 non-standard-ssh-port and we enable that in firewall?
- Subject changed from unable to login over ssh to o3 (gate.opensuse.org:2214) to unable to login over ssh to o3 (gate.opensuse.org:2214) size:M
- Description updated (diff)
- Due date set to 2023-11-27
- Description updated (diff)
- Related to tickets #139244: gate.opensuse.org no longer forwards port 2271 to gcc.infra.opensuse.org added
- Due date changed from 2023-11-27 to 2023-12-04
- Priority changed from High to Normal
I brougt up the topic in the weekly DCT call and mflores and jford will create an according card on their side and follow-up.
No card yet in scope of Eng-Infra. We would like to do the proper way so we will wait for that to happen on Eng-Infra side or remind otherwise after reasonable waiting time.
reminded during "DCT migration weekly" to follow up in slack and/or jira, was taken as action item by John Ford and Toks
- Due date changed from 2023-12-04 to 2023-12-18
Lengthy discussion with Tammo Oepkes from cybersecurity. Current suggestion from Tammo is to designate ariel as an "openSUSE-machine" which I fear would entail more consequences and bigger restructuring work. My suggestion is still to just open port 2214 on the public o3 interface, run sshd on that and keep everything else as is. Will need to wait for Tammo or others to come back based on that proposal.
- Due date changed from 2023-12-18 to 2024-02-29
of course there was no response :(
I brought up the topic to jford as organizer of DCT migration again and likely this won't be looked into until at least mid of 2024-01
- Status changed from Feedback to Blocked
- Due date changed from 2024-02-29 to 2024-04-30
- Target version changed from Ready to Tools - Next
- Due date deleted (
2024-04-30)
- Status changed from Blocked to Rejected
- Target version changed from Tools - Next to Ready
From https://sd.suse.com/servicedesk/customer/portal/1/SD-148421 , message by me:
Given your assessment I revoke my original request and suggest we do not continue with the implementation of any changes. The plan to move the complete openqa.opensuse.org infrastructure into the openSUSE infrastructure is sound however poses a too high effort and risks with the change endangering further engagement of SUSE employees as well as community members. Given that we will accept the additional administration effort for SUSE employees to keep the infrastructure running in the current infrastructure design on behalf of community members as well as the implicit potential loss of (limited) revenue due to not being able to provide this access. You can close/reject this ticket.
this is based on assessments provided by stakeholders of IT, CyberSec, workers council, etc., which would make it necessary to apply major, disruptive changes to the openqa.opensuse.org infrastructure.
- Parent task set to #123800
Also available in: Atom
PDF