Project

General

Profile

Actions

action #157750

closed

openQA Project - coordination #105624: [saga][epic] Reconsider how openQA handles secrets

openQA Project - coordination #157537: [epic] Secure setup of openQA test machines with secure network+secure authentication

Better secure the networks to have s390kvm… (and others) less accessible

Added by okurz 7 months ago. Updated 5 months ago.

Status:
Resolved
Priority:
Normal
Assignee:
Category:
Feature requests
Target version:
Start date:
2024-03-22
Due date:
% Done:

0%

Estimated time:

Description

Motivation

In https://sd.suse.com/servicedesk/customer/portal/1/SD-150437 we are asked to handle "compromised root passwords in QA segments" including s390zl11…16 . We should secure our network in regard to that.

Acceptance criteria

  • AC1: s390x OSD machine test machines are not directly accessible by SUSE users to use ssh

Suggestions

  • Better secure the networks to have s390kvm… (and others) less accessible -> We have stated the requirement in https://confluence.suse.com/pages/viewpage.action?pageId=1006108843 that ssh 22/tcp needs to be reachable. We could try to replicate the setup we know from o3 to give OSD a second network interface which allows ssh 22/tcp and block ssh 22/tcp on .oqa.prg2.suse.org as usually we don't need ssh to workers, just from within the oqa network as well as for administrative purposes for which we could go over OSD which we also already normally do for salt.
  • Probably we need another network with its own definition, domain, IP ranges, DHCP, e.g. qe-test.prg2.suse.org
  • Create an according SD ticket with the above request, reference https://sd.suse.com/servicedesk/customer/portal/1/SD-150437 as motivation
Actions #1

Updated by okurz 7 months ago

  • Tags set to infra, s390x, security, prg2
Actions #2

Updated by okurz 7 months ago

  • Target version changed from future to Tools - Next

According to https://sd.suse.com/servicedesk/customer/portal/1/SD-150437 we likely need this sooner rather than later. Adding to our next-backlog.

Actions #3

Updated by okurz 6 months ago

  • Description updated (diff)
Actions #4

Updated by okurz 6 months ago

  • Status changed from New to Blocked
  • Assignee set to okurz
Actions #5

Updated by okurz 5 months ago

I wrote in https://sd.suse.com/servicedesk/customer/portal/1/SD-150437

For the remaining affected hosts we managed to have a firewall configuration controlled by us preventing access outside the hosts we need for running openQA tests covering services like SSH and VNC. With this we consider this task resolved. Whoever can, please resolve this ticket as I can’t insert sad frowny here

With this I rejected #159069 as we shouldn't need it anymore. As https://sd.suse.com/servicedesk/customer/portal/1/SD-150437 is still open I am keeping this ticket open and block on it.

Actions #6

Updated by okurz 5 months ago

  • Status changed from Blocked to Resolved
  • Target version changed from Tools - Next to Ready
Actions

Also available in: Atom PDF