## Motivation 
 In we are asked to handle "compromised root passwords in QA segments" including s390zl11…16 

 ## Acceptance criteria 
 * **AC1:** firewall on OSD svirt hosts prevents direct ssh+vnc access from outside, i.e. normal office networks 
 * **AC2:** openQA svirt jobs are still able to access ssh+vnc as necessary, e.g. from openQA workers in the same network OR openQA workers on the hypervisor hosts themselves 

 ## Suggestions 
 * Take openQA svirt worker instances related to one hypervisor host, e.g. s390zl12, out of production for testing 
 * Configure a/the firewall on that host to block ssh+vnc to VMs running on that host, e.g.… host 
 * Allow traffic from other hosts in 
 * Ensure that openQA tests still work, e.g. the login to the target SUT VM in "boot_to_desktop". Use for verification 
   * work 
 * Ensure that the corresponding firewall config is made boot-persistent and in salt 
 * Crosscheck with at least one reboot 
 * Ensure that the solution at least applies to… 
 * Apply the same solution to all other OSD svirt hosts, at least unreal6+openqaw5-xen 
   * Use at least for verification hosts