action #157750

Updated by okurz about 1 month ago

## Motivation
In https://sd.suse.com/servicedesk/customer/portal/1/SD-150437 we are asked to handle "compromised root passwords in QA segments" including s390zl11…16. We should secure our network in regard to that.

## Acceptance criteria
* AC1: s390x OSD test machines are not directly accessible by SUSE users via ssh

## Suggestions
* Better secure the networks to have s390kvm… (and others) less accessible -> We have stated the requirement in https://confluence.suse.com/pages/viewpage.action?pageId=1006108843 that ssh 22/tcp needs to be reachable. We could try to replicate the setup we know from o3 to give OSD a second network interface which allows ssh 22/tcp, and block ssh 22/tcp on .oqa.prg2.suse.org, as we usually don't need ssh to workers, just from within the oqa network as well as for administrative purposes, for which we could go over OSD, which we already normally do for salt.
* Probably we need another network with its own definition, domain, IP ranges, DHCP, e.g. qe-test.prg2.suse.org
* Create a corresponding SD ticket with the above request, reference https://sd.suse.com/servicedesk/customer/portal/1/SD-150437 as motivation
