action #159069
closedopenQA Project - coordination #105624: [saga][epic] Reconsider how openQA handles secrets
openQA Project - coordination #157537: [epic] Secure setup of openQA test machines with secure network+secure authentication
network-level firewall preventing direct ssh+vnc access to all machines within the oqa.prg2.suse.org network if needed
0%
Description
Motivation¶
In https://sd.suse.com/servicedesk/customer/portal/1/SD-150437 we are asked to handle "compromised root passwords in QA segments" including s390zl11…16. If we exhausted all other better options or if we need to find quicker solutions we can request to prevent direct ssh+vnc access to all machines within the oqa.prg2.suse.org so that also s390kvm… machines and other test instances with potentially insecure passwords can not be accessed.
Acceptance criteria¶
- AC1: firewall on network level prevents direct ssh+vnc access from outside, i.e. normal office networks, to all amchines within oqa.prg2.suse.org
- AC2: openQA jobs are still able to access ssh+vnc as necessary, e.g. from openQA workers in the same network OR openQA workers on the hypervisor hosts themselves
- AC3: All users listed in https://gitlab.suse.de/openqa/salt-pillars-openqa/-/blob/master/sshd/users.sls can still access ssh+vnc of all hosts at least over a jump host, e.g. OSD itself
Suggestions¶
- Follow #159066. If #159066 turns out to not be possible then continue here
- Create IT ticket according to https://progress.opensuse.org/projects/qa/wiki/Tools#SUSE-IT-ticket-handling and ask for the network-level firewall to block ssh+vnc to whole oqa.prg2.suse.org except for a jump host, e.g. OSD, potentially with a second interface on OSD for that access.
- Ensure that openQA tests still work, e.g. the login to the target SUT VM in "boot_to_desktop". Use for verification
- Ensure that the solution at least applies to s390kvm080.oqa.prg2.suse.org…s390kvm099.oqa.prg2.suse.org
- Add to our documentation, e.g. on https://wiki.suse.net/index.php/OpenQA that users need to go over a jump host
- Inform users about the change
Updated by okurz 8 months ago
- Copied from action #159066: network-level firewall preventing direct ssh+vnc access to openQA test VMs size:M added
Updated by okurz 7 months ago
- Status changed from Blocked to Rejected
- Target version changed from Tools - Next to Ready
I wrote in https://sd.suse.com/servicedesk/customer/portal/1/SD-150437
For the remaining affected hosts we managed to have a firewall configuration controlled by us preventing access outside the hosts we need for running openQA tests covering services like SSH and VNC. With this we consider this task resolved. Whoever can, please resolve this ticket as I can’t insert sad frowny here
Continuing in #157750