action #158242
Updated by okurz about 1 month ago
## Motivation

In https://sd.suse.com/servicedesk/customer/portal/1/SD-150437 we are asked to handle "compromised root passwords in QA segments" including s390zl11…16

## Acceptance criteria

* **AC1:** firewall on OSD svirt hosts prevents direct ssh+vnc access from outside, i.e. normal office networks
* **AC2:** openQA svirt jobs are still able to access ssh+vnc as necessary, e.g. from openQA workers in the same network OR openQA workers on the hypervisor hosts themselves

## Suggestions

* Take openQA svirt worker instances related to one hypervisor host, e.g. s390zl12, out of production for testing
* Configure a/the firewall on that host to block ssh+vnc to VMs running on that host, e.g. s390kvm080.oqa.prg2.suse.org…s390kvm099.oqa.prg2.suse.org
* Allow traffic from other hosts in oqa.prg2.suse.org
* Ensure that openQA tests still work, e.g. the login to the target SUT VM in "boot_to_desktop". Use for verification
  * https://openqa.suse.de/tests/latest?machine=s390x-kvm&test=extra_tests_bootloader
  * https://openqa.suse.de/tests/latest?machine=s390x-kvm&test=default
* Ensure that the according firewall config is made boot-persistent and in salt
* Crosscheck with at least one reboot
* Ensure that the solution at least applies to s390kvm080.oqa.prg2.suse.org…s390kvm099.oqa.prg2.suse.org
* Apply the same solution to all other OSD svirt hosts, at least unreal6+openqaw5-xen
* Use at least https://openqa.suse.de/tests/latest?machine=svirt-xen-pv&test=default for verification
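One way to check AC1 and AC2 after each firewall change and after the reboot crosscheck, as an added example that is not part of the ticket or of any openQA tooling. The function names and the port numbers (22 for ssh, 5901 for VNC) are assumptions; the guest names are the ones listed above.

```python
"""Verify AC1/AC2 by probing ssh and VNC from the current vantage point."""
import socket
import sys

# Assumption: ssh on 22, VNC display :1 on 5901; the ticket names no port numbers.
DEFAULT_PORTS = {"ssh": 22, "vnc": 5901}


def guest_hosts(first=80, last=99, domain="oqa.prg2.suse.org"):
    """Guest names from the ticket: s390kvm080 ... s390kvm099."""
    return [f"s390kvm{n:03d}.{domain}" for n in range(first, last + 1)]


def probe(host, port, timeout=3.0):
    """Classify one TCP port as open, closed, filtered or unresolved."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except socket.gaierror:
        return "unresolved"      # no DNS answer: nothing can be concluded
    except ConnectionRefusedError:
        return "closed"          # RST: nothing listening, or a firewall reject
    except OSError:
        return "filtered"        # timeout or ICMP unreachable: firewall drop


def check(hosts, vantage, ports=None, timeout=3.0):
    """Return (host, service, state, ok) rows.

    vantage "outside" (office network, AC1): ok when the port is not reachable.
    vantage "inside" (openQA worker, AC2): ok only when the port is open.
    """
    if vantage not in ("outside", "inside"):
        raise ValueError("vantage must be 'outside' or 'inside'")
    rows = []
    for host in hosts:
        for service, port in (ports or DEFAULT_PORTS).items():
            state = probe(host, port, timeout)
            ok = state == "open" if vantage == "inside" else state in ("closed", "filtered")
            rows.append((host, service, state, ok))
    return rows


if __name__ == "__main__":
    results = check(guest_hosts(), sys.argv[1] if len(sys.argv) > 1 else "outside")
    for host, service, state, ok in results:
        print(f"{'PASS' if ok else 'FAIL'} {host} {service}: {state}")
    sys.exit(0 if all(row[3] for row in results) else 1)
```

A guest that is powered off also shows as closed or filtered, so an "outside" pass only counts for guests that report open in an "inside" run from an openQA worker at the same time.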