
remove ssh access from cruncher to all masters (releng.scl3)

Status: RESOLVED FIXED
Product: Infrastructure & Operations
Component: NetOps: DC ACL Request
Severity: minor
Reported: 3 years ago; last modified: 2 years ago

People: Reporter: dustin, Assigned: dcurado

Description

3 years ago
I know we just added this in bug 1093171, but the parent bug prompted a discussion about *why* we need this access.  Cruncher is a general-use, low-security host, which has active connections to users' SSH agents and probably a few ssh private keys.  It shouldn't have access via SSH to all of the masters.

This amounts to a revert of bug 1093171, since the other changes take place in AWS.

We have this policy:

dustin@fw1.releng.scl3.mozilla.net> show configuration security policies from-zone srv to-zone srv policy any--ssh
match {
    source-address cruncher;
    destination-address any;
    application junos-ssh;
}
then {
    permit;
}

but since srv is a single-VLAN zone, the policy is never applied.  Deleting it might be a good cleanup, but I'll leave that to you.

It's fine to defer this to a TCW, or at least after the work week.
(Reporter)

Updated

3 years ago
Blocks: 1092871
(Assignee)

Comment 1

3 years ago
will do this in the 12/20 TCW
Assignee: network-operations → dcurado
Status: NEW → ASSIGNED
(Assignee)

Comment 2

3 years ago
setting CAB review:

Impact: should be none.  It's a significant change to the releng firewall, and releng asked us to be hands off during December, so I saved this for the 12/20 TCW.

Duration: n/a
Flags: cab-review?
fwiw, releng is signed off on this change. It need not be during a TCW, just announced in #releng prior to doing it. (An email to release@m.c a day ahead would be the whipped cream topping to it all.)
(Assignee)

Comment 4

3 years ago
I will try making this change on Thursday, 12/11, unless I get waved off from someone.
Will send mail to release@m.c now, suggesting I do it 24 hours from now.
(Assignee)

Comment 5

3 years ago
done!
Status: ASSIGNED → RESOLVED
Last Resolved: 3 years ago
Resolution: --- → FIXED
Blocks: 1111702
Flags: cab-review? → cab-review+
(Reporter)

Comment 6

3 years ago
Dave, I'm not sure what you changed here, but it looks like the permit is still in place:

dustin@fw1.releng.scl3.mozilla.net> show configuration security policies from-zone srv to-zone bb 
apply-groups global-policies;
/* Including 1027111 and 1093171 */
policy srv-bb--ssh {
    match {
        source-address [ buildbot-master-set cruncher ];
        destination-address any;
        application junos-ssh;
    }
    then {
        permit;
    }
}
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
(Assignee)

Comment 7

3 years ago
The policy you're referencing (in comment 6) is a different policy than the one you referenced
in the description.  The latter has been removed.
I'll remove the former as well.
Thanks for catching that.
(Assignee)

Comment 8

3 years ago
Dustin -- for the policy you referenced in comment 6 -- I'm assuming I should just only remove
"cruncher" as a source-address, but leave "buildbot-master-set"

sorry for the double check on this, just want to avoid any problems

Thanks
(Assignee)

Comment 9

3 years ago
blah
Flags: needinfo?(dustin)
(Reporter)

Comment 10

3 years ago
Yes, that's correct.  This bug is requesting a revert of bug 1093171, which *did* add the policy I'm referencing in comment 6.  The policy I pasted in the description was just a nice ride-along cleanup :)
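Because this revert turned out to involve two policies that both permitted cruncher (any--ssh in the description and srv-bb--ssh in comment 6), a scripted check over the firewall's policy output is a useful way to confirm the access is really gone. This is an added example, not part of the bug or of Mozilla's tooling; the policy text is a constructed sample assembled from the two fragments quoted in this bug (zones are ignored), and the function names are the example's own.

```python
import re

# Constructed sample: the two Junos policies quoted in this bug, as they
# stood before the second fix (any--ssh from the description, srv-bb--ssh
# from comment 6).
JUNOS_POLICIES = """\
policy any--ssh {
    match {
        source-address cruncher;
        destination-address any;
        application junos-ssh;
    }
    then {
        permit;
    }
}
policy srv-bb--ssh {
    match {
        source-address [ buildbot-master-set cruncher ];
        destination-address any;
        application junos-ssh;
    }
    then {
        permit;
    }
}
"""

def parse_policies(text):
    """Return {policy_name: {"sources": set, "apps": set, "permit": bool}}."""
    policies = {}
    # A policy block ends at the first '}' in column 0; nested braces are indented.
    for m in re.finditer(r"policy\s+(\S+)\s*\{(.*?)\n\}", text, re.S):
        name, body = m.group(1), m.group(2)
        sources = set()
        # source-address is either a single name or a bracketed list of names.
        for s in re.findall(r"source-address\s+(\[[^\]]*\]|\S+);", body):
            sources.update(s.strip("[] ").split())
        apps = set(re.findall(r"application\s+(\S+);", body))
        permit = re.search(r"then\s*\{\s*permit;", body) is not None
        policies[name] = {"sources": sources, "apps": apps, "permit": permit}
    return policies

def permits_for(policies, host, app="junos-ssh"):
    """Names of policies that still permit `host` to use `app`."""
    return sorted(n for n, p in policies.items()
                  if p["permit"] and host in p["sources"] and app in p["apps"])

def remove_source(policies, host):
    """Drop `host` from every policy's sources (other members stay, as in
    comment 8); policies left with no source are returned as delete candidates."""
    delete = []
    for name, p in policies.items():
        p["sources"].discard(host)
        if not p["sources"]:
            delete.append(name)
    return sorted(delete)
```

Running `permits_for` against the live `show configuration security policies` output after a change is the check that would have caught the leftover srv-bb--ssh permit before the bug was closed.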
(Assignee)

Comment 11

3 years ago
OK, I see.  My original read of the bug was too quick/shallow.
(a nice summary of my bug reading abilities right there!)
Sorry about that.

I can make this change today if you're confident I won't break anything?
Thanks!
(Reporter)

Comment 12

3 years ago
I'm full of exuberant confidence.
(Assignee)

Comment 13

3 years ago
OK, I deleted cruncher from the policy.
Hopefully resolved now.
Status: REOPENED → RESOLVED
Last Resolved: 3 years ago
Flags: needinfo?(dustin)
Resolution: --- → FIXED

Updated

2 years ago
Cab Review: --- → approved
Flags: cab-review+