action #116629: Preparation planning for migration of SUSE openQA+QA systems to new security zones size:M - QA - openSUSE Project Management Tool

action #116629

## Motivation 
 See parent #116623 

 ## Acceptance criteria 
 * **AC1:** A complete list of affected machines and required services is provided usable by Cybersecurity team 


 ## Suggestions 
 * Read existing materials and proposals, e.g. above mentioned confluence pages 
 * okurz suggests to make sure [racktables Nuremberg&QA](https://racktables.nue.suse.com/index.php?andor=and&cft%5B%5D=11&cfe=%7BNuremberg%7D+and+%28%7BQA%7D%29+and+not+%7BOld-Decommissioned%7D+and+not+%7BDecommissioned%7D+and+not+%7BTo+be+decommissioned%7D&page=depot&tab=default&submit.x=20&submit.y=15) Nuremberg&QA](https://racktables.nue.suse.com/index.php?andor=and&cft%5B%5D=32&cft%5B%5D=22&cfe=&page=depot&tab=default) is the complete list for all the machines we need to care about, [racktables Nuremberg&QAM](https://racktables.nue.suse.com/index.php?andor=and&cft%5B%5D=11&cfe=%7BNuremberg%7D+and+%28%7BQA%7D%29+and+not+%7BOld-Decommissioned%7D+and+not+%7BDecommissioned%7D+and+not+%7BTo+be+decommissioned%7D&page=depot&tab=default&submit.x=20&submit.y=15) Nuremberg&QAM](https://racktables.nue.suse.com/index.php?andor=and&cft%5B%5D=32&cft%5B%5D=94&cfe=&page=depot&tab=default) respectively. https://gitlab.suse.de/qa-sle/qanet-configs/ has all the DHCP+DNS entries for the QA subnet. 
 * Come up with a proposal for what network security zones we need and what security rules should apply for those 
 * Provide a list of all machines with FQDN, MAC, VLAN, IPv4, IPv6 for machines as well as BMCs as required by Lazaros Haleplidis, at best readable directly from Racktables 

 ## Out of scope 
 Currently the dedicated openqa.opensuse.org network is not covered by this change. According to Lazaros Haleplidis no public facing machines which is including https://openqa.opensuse.org are touched by this. 

 ## Further details 
 1. What are *your* requirements that need to be fulfilled? 
     All inbound traffic needs to be well defined. 
    
 2. Do we have any benefits from this change? 
     Better separation within SUSE networks 

 3. How can the security rules be controlled? 
     Creating a ticket. Automation, e.g. using terraform, etc., is evaluated 

 4. Do we need *two* networks, one for openQA and QA? 
     Right now we use machines within the Eng-Infra network. We can specify requirements  

 5. We need HTTP communication to various hosts within the .suse.de domain. download.suse.de, gitlab.suse.de, etc. 
     All of these need to be specifically specified 

 BMCs are planned to be accessible over jump hosts. It is planned to migrate IP access to machines first and keep IPMI till the end. Jump hosts is planned to be a Linux VM accessible over SSH from where we can access BMCs of the systems. 

 It is possible to have dedicated "test networks" so equivalent to our QA network where we have machines+BMCs within the same network. It might not be the suggested setup but is possible. 

 We meet again on 2022-09-22, 1500 CEST. Lazaros Haleplidis will invite us for 2022-09-22.

Back

Project

General

Profile

QA

action #116629