tickets #89887
closed
nuka (l10n.opensuse.org) lost network connection
Added by sbrabec over 3 years ago.
Updated over 3 years ago.
Category:
Core services and virtual infrastructure
Description
openSUSE Weblate[1] unconditionally needs network access to the outside internet, or at least to GitHub. Now it fails and the repositories are diverging into conflicts.
It is critical for its functionality.
References:
[1] https://l10n.opensuse.org/
--
Best Regards / S pozdravem,
Stanislav Brabec
- Priority changed from Normal to Urgent
- Category set to Core services and virtual infrastructure
- Private changed from Yes to No
We switched the firewall on scar.i.o.o (which handles outgoing traffic) from SuSEfirewall to nftables yesterday evening.
I just found (and hopefully fixed) a bug in the nftables config and gave nuka very broad permissions - does it work now?
That said: I'd prefer to make the firewall as tight as possible. Can you please give me some details how / on which ports weblate needs to connect to the outside? Guessed example "It needs https to access github."
cboltz wrote:
> We switched the firewall on scar.i.o.o (which handles outgoing traffic) from SuSEfirewall to nftables yesterday evening.
> I just found (and hopefully fixed) a bug in the nftables config and gave nuka very broad permissions - does it work now?
> That said: I'd prefer to make the firewall as tight as possible. Can you please give me some details how / on which ports weblate needs to connect to the outside? Guessed example "It needs https to access github."
It currently needs git access over ssh. I think that all repositories are now configured to ssh, and that we don't need http/https to github. (We do not support hub tool nowadays.)
It also needs to send mails.
I guess nothing more is needed.
sbrabec wrote:
> cboltz wrote:
> > We switched the firewall on scar.i.o.o (which handles outgoing traffic) from SuSEfirewall to nftables yesterday evening.
> > I just found (and hopefully fixed) a bug in the nftables config and gave nuka very broad permissions - does it work now?
> > That said: I'd prefer to make the firewall as tight as possible. Can you please give me some details how / on which ports weblate needs to connect to the outside? Guessed example "It needs https to access github."
> It currently needs git access over ssh. I think that all repositories are now configured to ssh, and that we don't need http/https to github. (We do not support hub tool nowadays.)
> It also needs to send mails.
> I guess nothing more is needed.
It is still failing :-(
ssh: connect to host github.com port 22: Connection timed out
fatal: Could not read from remote repository.
Please make sure you have the correct access rights
and the repository exists. (128)
https://l10n.opensuse.org/projects/uyuni/backend/#repository
OK, second round - and this time ssh should work.
The error you quoted has a note "19 hours ago", and is hopefully obsolete. (Not sure if just waiting is enough, or if someone needs to tell weblate that it should try again.)
Since I'm still new to nftables and learned a few things by pain tonight ;-) please check if everything works, and report back.
Mails get sent via relay.i.o.o, therefore nuka doesn't need to talk SMTP to the outside world itself.
- % Done changed from 0 to 100
Re-checking. ssh to GitHub works again. I think that Weblate could live without any other connection to outside (except mail relay).
I think it was fixed.
- Status changed from New to Resolved
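A check that could be run on a host like nuka after a firewall change such as the one in this ticket, as an added example that is not part of the ticket or of openSUSE's tooling: it probes each outbound TCP flow and reports every flow whose state differs from the intended egress policy, treating a timeout (as in the quoted ssh error) as a silent drop. The `POLICY` entries, port 25 for the relay and the expectation that port 443 to GitHub is blocked are assumptions made for illustration.

```python
import errno
import socket

# Constructed policy (assumption): (host, port, expected state).
# Host names are written as they appear in the ticket.
POLICY = [
    ("github.com", 22, "open"),       # git over ssh, needed by Weblate
    ("relay.i.o.o", 25, "open"),      # mail relay; port 25 is assumed
    ("github.com", 443, "filtered"),  # reported as not needed, so a tight policy drops it
]


def probe(host, port, timeout=5.0, connect=socket.create_connection):
    """Classify one outbound TCP flow as open, rejected, filtered or unresolved."""
    try:
        connect((host, port), timeout=timeout).close()
        return "open"
    except socket.gaierror:
        return "unresolved"   # DNS failed; says nothing about the packet filter
    except (socket.timeout, TimeoutError):
        return "filtered"     # no answer at all: typical of a drop rule
    except ConnectionRefusedError:
        return "rejected"     # a TCP RST came back
    except OSError as exc:
        # ICMP unreachable, e.g. from a reject rule, surfaces as these errnos
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "rejected"
        raise


def audit(policy, **probe_args):
    """Return (host, port, expected, observed) for every flow that deviates."""
    findings = []
    for host, port, expected in policy:
        observed = probe(host, port, **probe_args)
        if observed != expected:
            findings.append((host, port, expected, observed))
    return findings


if __name__ == "__main__":
    for host, port, expected, observed in audit(POLICY):
        print(f"{host}:{port} expected {expected}, observed {observed}")
```

An empty result means the required flows work and the flows that should be blocked are blocked; a required flow reported as `filtered` points at the packet filter rather than at the remote service.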