QA » openQA Project » openQA Infrastructure

Motivation¶

In https://sd.suse.com/servicedesk/customer/portal/1/SD-150437 we are asked to handle "compromised root passwords in QA segments" including s390zl11…16. If we exhausted all other better options or if we need to find quicker solutions we can request to prevent direct ssh+vnc access to all machines within the oqa.prg2.suse.org so that also s390kvm… machines and other test instances with potentially insecure passwords can not be accessed.

Acceptance criteria¶

• AC1: firewall on network level prevents direct ssh+vnc access from outside, i.e. normal office networks, to all amchines within oqa.prg2.suse.org
• AC2: openQA jobs are still able to access ssh+vnc as necessary, e.g. from openQA workers in the same network OR openQA workers on the hypervisor hosts themselves
• AC3: All users listed in https://gitlab.suse.de/openqa/salt-pillars-openqa/-/blob/master/sshd/users.sls can still access ssh+vnc of all hosts at least over a jump host, e.g. OSD itself

Suggestions¶

• Follow #159066. If #159066 turns out to not be possible then continue here
• Create IT ticket according to https://progress.opensuse.org/projects/qa/wiki/Tools#SUSE-IT-ticket-handling and ask for the network-level firewall to block ssh+vnc to whole oqa.prg2.suse.org except for a jump host, e.g. OSD, potentially with a second interface on OSD for that access.
• Ensure that openQA tests still work, e.g. the login to the target SUT VM in "boot_to_desktop". Use for verification
  • https://openqa.suse.de/tests/latest?machine=s390x-kvm&test=extra_tests_bootloader
  • https://openqa.suse.de/tests/latest?machine=s390x-kvm&test=default
• Ensure that the solution at least applies to s390kvm080.oqa.prg2.suse.org…s390kvm099.oqa.prg2.suse.org
• Add to our documentation, e.g. on https://wiki.suse.net/index.php/OpenQA that users need to go over a jump host
• Inform users about the change