tickets #89887

closed

nuka (l10n.opensuse.org) lost network connection

Added by sbrabec about 3 years ago. Updated about 3 years ago.

Status: Resolved
Priority: Urgent
Assignee: -
Category: Core services and virtual infrastructure
Target version: -
Start date: 2021-03-10
Due date:
% Done: 100%
Estimated time:

Description

openSUSE Weblate[1] unconditionally needs network access to the outside internet, or at least to GitHub. Now it fails and the repositories are diverging into conflicts.

It is critical for its functionality.

References:
[1] https://l10n.opensuse.org/

--
Best Regards / S pozdravem,

Stanislav Brabec

Actions #1

Updated by sbrabec about 3 years ago

  • Priority changed from Normal to Urgent

Actions #2

Updated by cboltz about 3 years ago

  • Category set to Core services and virtual infrastructure
  • Private changed from Yes to No

We switched the firewall on scar.i.o.o (which handles outgoing traffic) from SuSEfirewall to nftables yesterday evening.

I just found (and hopefully fixed) a bug in the nftables config and gave nuka very broad permissions - does it work now?

That said: I'd prefer to make the firewall as tight as possible. Can you please give me some details how / on which ports weblate needs to connect to the outside? Guessed example "It needs https to access github."

Actions #3

Updated by sbrabec about 3 years ago

cboltz wrote:

> We switched the firewall on scar.i.o.o (which handles outgoing traffic) from SuSEfirewall to nftables yesterday evening.
>
> I just found (and hopefully fixed) a bug in the nftables config and gave nuka very broad permissions - does it work now?
>
> That said: I'd prefer to make the firewall as tight as possible. Can you please give me some details how / on which ports weblate needs to connect to the outside? Guessed example "It needs https to access github."

It currently needs git access over ssh. I think that all repositories are now configured to ssh, and that we don't need http/https to github. (We do not support hub tool nowadays.)

It also needs to send mails.

I guess nothing more is needed.

Actions #4

Updated by pagarcia about 3 years ago

sbrabec wrote:

> cboltz wrote:
>
> > We switched the firewall on scar.i.o.o (which handles outgoing traffic) from SuSEfirewall to nftables yesterday evening.
> >
> > I just found (and hopefully fixed) a bug in the nftables config and gave nuka very broad permissions - does it work now?
> >
> > That said: I'd prefer to make the firewall as tight as possible. Can you please give me some details how / on which ports weblate needs to connect to the outside? Guessed example "It needs https to access github."
>
> It currently needs git access over ssh. I think that all repositories are now configured to ssh, and that we don't need http/https to github. (We do not support hub tool nowadays.)
>
> It also needs to send mails.
>
> I guess nothing more is needed.

It is still failing :-(

ssh: connect to host github.com port 22: Connection timed out
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists. (128)

https://l10n.opensuse.org/projects/uyuni/backend/#repository

Actions #5

Updated by cboltz about 3 years ago

OK, second round - and this time ssh should work.

The error you quoted has a note "19 hours ago", and hopefully obsolete. (Not sure if just waiting is enough, or if someone needs to tell weblate that it should try again.)

Since I'm still new to nftables and learned a few things by pain tonight ;-) please check if everything works, and report back.

Mails get sent via relay.i.o.o, therefore nuka doesn't need to talk SMTP to the outside world itself.

Actions #6

Updated by sbrabec about 3 years ago

  • % Done changed from 0 to 100

Re-checking. ssh to GitHub works again. I think that Weblate could live without any other connection to outside (except mail relay).

I think it was fixed.

Actions #7

Updated by cboltz about 3 years ago

  • Status changed from New to Resolved
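
The egress requirement the thread settles on (git over ssh to the outside, mail through the internal relay, nothing else), sketched as an nftables fragment for a forwarding gateway. This is an added example, not the configuration used on scar.i.o.o; the table and chain names, both addresses and the assumption that DNS is answered by an internal resolver are hypothetical.

```nftables
# Constructed placeholders from the RFC 5737 documentation ranges, not real addresses.
define weblate_host = 192.0.2.10            # hypothetical address of the Weblate host
define git_ssh_dst  = { 198.51.100.0/24 }   # hypothetical range of the git-over-ssh remote

table inet egress_example {
    # Rules for traffic that originates from the Weblate host only.
    chain weblate_out {
        # Packets of connections that were already allowed.
        ct state established,related accept

        # New connections: git over ssh to the listed remote range, nothing else.
        ip daddr $git_ssh_dst tcp dport 22 ct state new accept

        # No SMTP rule here: mail goes to the internal relay (assumed to be on
        # the internal network), so the host never opens port 25 towards the outside.

        # Record what gets blocked, rate limited, so that a missing rule shows
        # up in the gateway log as well as in the application's error page.
        limit rate 10/minute log prefix "weblate-egress-drop: "
        drop
    }

    chain forward {
        type filter hook forward priority 0; policy accept;

        # Other hosts are left to the gateway's existing rules; only the
        # Weblate host is confined by this table.
        ip saddr $weblate_host jump weblate_out
    }
}
```

The fragment can be syntax-checked without loading it using `nft -c -f <file>`. A connection the rules do not cover then appears in the gateway log with the `weblate-egress-drop:` prefix, alongside the "Connection timed out" error the application reports.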