Project

General

Profile

Actions

coordination #157537

open

coordination #105624: [saga][epic] Reconsider how openQA handles secrets

[epic] Secure setup of openQA test machines with secure network+secure authentication

Added by okurz 9 months ago. Updated 16 days ago.

Status:
Blocked
Priority:
Normal
Assignee:
Category:
Feature requests
Target version:
Start date:
2024-03-18
Due date:
% Done:

75%

Estimated time:
(Total: 0.00 h)

Description

Motivation

In https://sd.suse.com/servicedesk/customer/portal/1/SD-150437 we are asked to handle "compromised root passwords in QA segments" including s390zl11…16 . We should secure our network and password handling better.

Acceptance criteria

  • AC1: No openQA machine test machines directly accessible by SUSE users use ssh root with publically known passwords

Ideas

  1. Be able to set a different password valid for tests, in particular s390kvm…, e.g. be able to set password by test variable and follow through in the complete test platform -> #157555
  2. Key based authentication -> #157744
  3. Rotating, automatic passwords saved as test variables connected to images, e.g. to be able to use a pre-installed image
  4. Better secure the networks to have s390kvm… (and others) less accessible -> We have stated the requirement in https://confluence.suse.com/pages/viewpage.action?pageId=1006108843 that ssh 22/tcp needs to be reachable. We could try to replicate the setup we know from o3 to give OSD a second network interface which allows ssh 22/tcp and block ssh 22/tcp on .oqa.prg2.suse.org as usually we don't need ssh to workers, just from within the oqa network as well as for administrative purposes for which we could go over OSD which we also already normally do for salt. -> #157750
  5. If there is a need about securing the VNC server itself take a look into https://github.com/search?q=repo%3Aos-autoinst%2Fos-autoinst-distri-opensuse%20vncpasswd&type=code as in some cases a VNC password is already used.

Subtasks 14 (3 open11 closed)

openQA Infrastructure (public) - action #157468: Handle internal test machines with compromised root password size:MResolvedokurz2024-03-18

Actions
openQA Tests (public) - action #157555: [spike][timeboxed:10h][qe-core] Use a different ssh root password for any svirt (s390, x86, etc) installation openQA jobs size:SRejectedokurz

Actions
openQA Tests (public) - action #157744: [spike][timeboxed:10h][qe-core] Use ssh key authentication in particular for s390x kvm installation openQA jobsRejected2024-03-22

Actions
openQA Infrastructure (public) - action #157750: Better secure the networks to have s390kvm… (and others) less accessibleResolvedokurz2024-03-22

Actions
openQA Infrastructure (public) - action #158242: Prevent ssh access to test VMs on svirt hypervisor hosts with firewall size:MRejecteddheidler2024-03-28

Actions
action #158455: [spike][timeboxed:10h] openQA worker native on s390xResolvedokurz2024-03-28

Actions
action #158628: Prevent passwords being logged in s390x kvm test casesResolvedokurz2024-04-08

Actions
action #158985: openQA worker native on s390xResolvedokurz

Actions
openQA Infrastructure (public) - action #159063: s390x qemu backend host within SUSE networksNew2024-04-16

Actions
openQA Infrastructure (public) - action #159066: network-level firewall preventing direct ssh+vnc access to openQA test VMs size:MResolvednicksinger2024-03-28

Actions
openQA Infrastructure (public) - action #159069: network-level firewall preventing direct ssh+vnc access to all machines within the oqa.prg2.suse.org network if neededRejectedokurz2024-03-28

Actions
action #159621: Make tests work with native openQA worker s390x qemu size:MWorkable

Actions
openQA Tests (public) - action #160325: [qe-core] Use templating system in autoyast profiles to use testapi::$password instead of nots3cr3tResolvedrfan12024-05-14

Actions
openQA Infrastructure (public) - action #160436: Use s390zl19+s390zl1a in production size:SWorkable

Actions

Related issues 1 (0 open1 closed)

Related to openQA Infrastructure (public) - action #162353: Ensure consistent known root password on all OSD webUI+workers size:SResolvednicksinger2024-06-17

Actions
Actions #1

Updated by okurz 9 months ago

  • Subtask #157468 added
Actions #2

Updated by okurz 9 months ago

  • Subtask #157555 added
Actions #3

Updated by okurz 9 months ago

  • Subtask #157744 added
Actions #4

Updated by okurz 9 months ago

  • Subtask #157750 added
Actions #5

Updated by okurz 9 months ago

  • Description updated (diff)
  • Status changed from New to Blocked
  • Assignee set to okurz

Defined more subtasks

Actions #6

Updated by okurz 9 months ago

  • Subject changed from [epic] Secure setup of openQA test machines with secure network+secure passwords to [epic] Secure setup of openQA test machines with secure network+secure authentication
Actions #7

Updated by okurz 9 months ago

  • Target version changed from future to Ready

According to https://sd.suse.com/servicedesk/customer/portal/1/SD-150437 we likely need this sooner rather than later. Adding to our backlog.

Actions #8

Updated by okurz 9 months ago

  • Subtask #158242 added
Actions #9

Updated by okurz 9 months ago

  • Description updated (diff)
Actions #10

Updated by okurz 9 months ago

  • Subtask #158455 added
Actions #11

Updated by okurz 9 months ago

  • Subtask #158628 added
Actions #12

Updated by okurz 9 months ago

  • Subtask #158631 added
Actions #13

Updated by xlai 9 months ago

  • Subtask #158793 added
Actions #14

Updated by okurz 8 months ago

  • Subtask #158985 added
Actions #15

Updated by okurz 8 months ago

  • Subtask #159063 added
Actions #16

Updated by okurz 8 months ago

  • Subtask #159066 added
Actions #17

Updated by okurz 8 months ago

  • Subtask #159069 added
Actions #18

Updated by jbaier_cz 8 months ago

  • Subtask #159621 added
Actions #19

Updated by szarate 7 months ago

  • Subtask #160325 added
Actions #20

Updated by okurz 7 months ago

  • Subtask #160436 added
Actions #21

Updated by okurz 7 months ago

  • Target version changed from Ready to Tools - Next

With #159066 resolved we have time-critical tasks resolved with only #160436 right now in next. Updating the epic accordingly.

Actions #22

Updated by okurz 6 months ago

  • Subtask #162140 added
Actions #23

Updated by okurz 5 months ago

  • Target version changed from Tools - Next to future
Actions #24

Updated by livdywan 2 months ago

  • Related to action #162353: Ensure consistent known root password on all OSD webUI+workers size:S added
Actions #25

Updated by szarate 16 days ago

  • Subtask deleted (#158631)
Actions

Also available in: Atom PDF