action #159069

closed

openQA Project - coordination #105624: [saga][epic] Reconsider how openQA handles secrets

openQA Project - coordination #157537: [epic] Secure setup of openQA test machines with secure network+secure authentication

network-level firewall preventing direct ssh+vnc access to all machines within the oqa.prg2.suse.org network if needed

Added by okurz 2 months ago. Updated about 1 month ago.

Status: Rejected
Priority: Low
Assignee:
Category: Feature requests
Target version:
Start date: 2024-03-28
Due date:
% Done: 0%
Estimated time:
Description

Motivation

In https://sd.suse.com/servicedesk/customer/portal/1/SD-150437 we are asked to handle "compromised root passwords in QA segments" including s390zl11…16. If we exhausted all other better options or if we need to find quicker solutions we can request to prevent direct ssh+vnc access to all machines within the oqa.prg2.suse.org so that also s390kvm… machines and other test instances with potentially insecure passwords can not be accessed.

Acceptance criteria

  • AC1: firewall on network level prevents direct ssh+vnc access from outside, i.e. normal office networks, to all machines within oqa.prg2.suse.org
  • AC2: openQA jobs are still able to access ssh+vnc as necessary, e.g. from openQA workers in the same network OR openQA workers on the hypervisor hosts themselves
  • AC3: All users listed in https://gitlab.suse.de/openqa/salt-pillars-openqa/-/blob/master/sshd/users.sls can still access ssh+vnc of all hosts at least over a jump host, e.g. OSD itself

Suggestions


Related issues 1 (0 open, 1 closed)

Copied from openQA Infrastructure - action #159066: network-level firewall preventing direct ssh+vnc access to openQA test VMs size:M | Resolved | nicksinger | 2024-03-28

#1

Updated by okurz 2 months ago

  • Copied from action #159066: network-level firewall preventing direct ssh+vnc access to openQA test VMs size:M added

#2

Updated by okurz about 1 month ago

  • Status changed from Blocked to Rejected
  • Target version changed from Tools - Next to Ready

I wrote in https://sd.suse.com/servicedesk/customer/portal/1/SD-150437

For the remaining affected hosts we managed to have a firewall configuration controlled by us preventing access outside the hosts we need for running openQA tests covering services like SSH and VNC. With this we consider this task resolved. Whoever can, please resolve this ticket as I can’t insert sad frowny here

Continuing in #157750
