Closed
Bug 1173786
Opened 10 years ago
Closed 10 years ago
Modify security groups for windows
Categories
(Release Engineering :: General, defect)
Tracking
(Not tracked)
RESOLVED
FIXED
People
(Reporter: arich, Assigned: arich)
Attachments
(1 file)
2.92 KB,
text/plain
We have security groups sg-18a07677 for windows hosts in use1 and sg-84beade6 in usw2 (nothing in usw1) that look like they were added by hand. These need to be added to securitygroups.yaml and modified so that they have the necessary ports (like RDP) specific to windows machines.
I'm going to need some assistance from the windows folks in determining exactly what those permissions need to be.
Assignee
Updated•10 years ago
Flags: needinfo?(q)
Flags: needinfo?(mcornmesser)
Assignee
Comment 1•10 years ago
rail: there seem to be some additions to securitygroups.yaml made by you to do some sort of application to instances and interfaces with specific tags. I.e. for try:
try:
    description: security group for try build slaves
    regions:
        us-west-1: vpc-7a7dd613
        us-west-2: vpc-cd63f2a4
        us-east-1: vpc-b42100df
    apply-to:
        instances:
            tags:
                - [moz-type, try-linux64]
                - [Name, try-linux64-ec2-*]
        interfaces:
            tags:
                - [moz-type, try-linux64]
    inbound:
        include: slave-vlan-inbound
    outbound:
        include: slave-vlan-outbound
What's the recommended method of extending this to include additional tags and names for try-2008?
Flags: needinfo?(rail)
Comment 2•10 years ago
Probably being explicit would be better here. I'd create a new rule for windows machines and add rdp/vnc rules.
Flags: needinfo?(rail)
Assignee
Comment 3•10 years ago
rail: The default and windows security groups will be applied as part of the configs/try-2008 and configs/b-2008 files. This seems to be something specific to buildslaves/tryslaves and should probably be the same as what we have for linux. I doubt we want to replicate the logic to yet another place to keep track of.
Comment 4•10 years ago
I am adding this to the agenda for the Windows chat tomorrow.
Flags: needinfo?(mcornmesser)
Assignee
Comment 5•10 years ago
5900 for VNC
3309 for RDP
445 for SMB (we shouldn't open that unless we need to)
Assignee
Comment 7•10 years ago
I think we don't actually need this group for the build/try/test slaves since they include the admin-access group (which allows all from admin hosts like the vpn). See https://github.com/mozilla/build-cloud-tools/pull/86
Could someone instantiate an instance and test this out?
rthijssen: If this works, this means we won't need the secondary windows group in the b-2008 and try-2008 config files.
Flags: needinfo?(mcornmesser)
Comment 8•10 years ago
Confirmed, I was able to RDP using the build or try security groups.
Flags: needinfo?(mcornmesser)
Assignee
Comment 9•10 years ago
rob: this means that sg-18a07677 and sg-84beade6 can be removed from the b-2008 and try-2008 config files.
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
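The reasoning in comments 7 to 9 (an extra group is unnecessary when another attached group already admits the same traffic) can be checked rule by rule before a group is dropped from a config. This is an added example, not code from the bug or from build-cloud-tools; the rule layout, CIDR ranges and port entries are constructed assumptions.

```python
import ipaddress

# Constructed sample: group names follow the thread; the rule layout, CIDRs
# and ports are assumptions, not the contents of securitygroups.yaml.
GROUPS = {
    "admin-access": [  # "allows all from admin hosts" (hypothetical VPN range)
        {"proto": "all", "ports": None, "cidr": "10.22.0.0/16"},
    ],
    "windows": [
        {"proto": "tcp", "ports": (5900, 5900), "cidr": "10.22.0.0/16"},   # VNC
        {"proto": "tcp", "ports": (3389, 3389), "cidr": "10.22.75.0/24"},  # RDP (default port)
        {"proto": "tcp", "ports": (445, 445), "cidr": "10.0.0.0/8"},       # SMB, wider source
    ],
}


def covers(broad, narrow):
    """True if inbound rule `broad` admits everything `narrow` admits."""
    if broad["proto"] not in ("all", narrow["proto"]):
        return False
    if broad["ports"] is not None:  # None means every port
        if narrow["ports"] is None:
            return False
        if not (broad["ports"][0] <= narrow["ports"][0]
                and narrow["ports"][1] <= broad["ports"][1]):
            return False
    b = ipaddress.ip_network(broad["cidr"])
    n = ipaddress.ip_network(narrow["cidr"])
    return b.version == n.version and n.subnet_of(b)


def uncovered_rules(candidate, attached, groups=GROUPS):
    """Rules of `candidate` not covered by one rule in the other attached groups.

    Conservative: a rule covered only by the union of several rules is still
    reported, so an empty result means removal drops no inbound path.
    """
    others = [r for g in attached if g != candidate for r in groups[g]]
    return [r for r in groups[candidate]
            if not any(covers(o, r) for o in others)]


if __name__ == "__main__":
    for rule in uncovered_rules("windows", ["admin-access", "windows"]):
        print("only granted by 'windows':", rule)
```

In the constructed data the SMB rule is the only access the extra group grants on its own, so removing the group would also close that wider SMB source range.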
Comment 10•10 years ago
Updated•8 years ago
Component: Tools → General