Closed Bug 585619 Opened 14 years ago Closed 14 years ago

requesting an http:// accessible pushlog to the build machines for shadow-central

Categories

(mozilla.org Graveyard :: Server Operations, task)

Product:
mozilla.org Graveyard
Component:
Server Operations
Platform:
x86
All
Type:
task
Priority:
Not set
Severity:
normal

Tracking

(Not tracked)

Status:
RESOLVED INVALID

People

(Reporter: lsblakk, Assigned: aravind)

References

Details

(Whiteboard: [sg:nse]) 

Our current hgpoller.py isn't designed to handle doing https://user:pass polling of repos. Being able to accept the ssl cert is an issue that would require a fair amount of effort so if it's possible, can we get an http:// accessible pushlog just for machines on the build network?
Assignee: server-ops → aravind
I'd vote modify hgpoller.. opening it up to the network opens up more holes in this than I'd like.  I will let Dan comment on this.
Whiteboard: [sg:nse]
Dan, comments?
(In reply to comment #1)
> I'd vote modify hgpoller.. opening it up to the network opens up more holes in
> this than I'd like.  I will let Dan comment on this.

This is non trivial and would take a lot of time, testing, and resources.  If it's possible to get an http: accessible pushlog can we mitigate security risks in other ways.  Reworking all our automation for this experiment seems like a step in the wrong direction to me.
shadow-central is not an experiment, and there are likely to be future shadow-x branch and project repos in the future.

Where does hgpoller live? I can't find hgpoller.py anywhere, but we have a lot of repos and I have only searched a few that seemed likely. I don't understand why an https://user:pass@hgpvt.mozilla.org URI would behave any differently than a http://hg.mozilla.org one, but maybe it's a python thing.

What would be involved in creating an http-accessible pushlog and restricting it to "the build network"? Are the repos in the same datacenter/network as the build machines? What technology would be used to restrict http access to just the "build network", and how many irrelevant machines would that be creating access points to?

I would imagine if the build machines are compromised we are screwed well beyond a minor leak of advance information about security patches.
http://hg.mozilla.org/build/buildbotcustom/file/03f4752982a3/changes/hgpoller.py

getPage can handle https://user:pass@hgpvt.mozilla.org but we need something to handle validating the ssl cert - that's not built in.

in setting up the build network my understanding is that we are specifically trying to limit the amount of 'irrelevant machines' that could access our releng infrastructure, and we poke holes in the network for several build machine communication needs so is there a reason why doing it for an http pushlog would be more insecure than what we already do?
Aravind can you give feedback to the questions in comment 4?
(In reply to comment #4)
> What would be involved in creating an http-accessible pushlog and restricting
> it to "the build network"? 

I'd have to open up apache/nginx  ACLs to allow that network range to access the url without a password.

> Are the repos in the same datacenter/network as the build machines? 

Nope, the build machines are spread out all over (physically), but on a network level, I think they all are still in the same network.

> What technology would be used to restrict http access to just
> the "build network", and how many irrelevant machines would that be creating
> access points to?

Apache/Nginx acls.  I don't know enough about the machines currently in the build network, to answer that.  But presumably, this includes try servers etc.. which are currently treated as "not trusted" machines.

> I would imagine if the build machines are compromised we are screwed well
> beyond a minor leak of advance information about security patches.

I am worried not just about the build machines being compromised, but also about un-authorized access to the build network.  And since we'd be giving carte blanche access to the entire network, it makes it more risky.
(In reply to comment #0)
> Our current hgpoller.py isn't designed to handle doing https://user:pass
> polling of repos. Being able to accept the ssl cert is an issue that would
> require a fair amount of effort so if it's possible, can we get an http://
> accessible pushlog just for machines on the build network?

going back to this comment, why can't we do https? Shouldn't this be the model going forward? Don't know why we would be sending auth over http?
>  Don't know why we would be sending auth over http?

The current automation does not use auth to get the pushlog for our hg repos.  So this is not about sending auth over http, but rather about having a pushlog for this repo available via http without requiring auth, but also without exposing the repo.
Or change the current automation. Why is that off the table?

Back to my question in comment 4, where can I find these tools/scripts?
(In reply to comment #9)
> >  Don't know why we would be sending auth over http?
> 
> The current automation does not use auth to get the pushlog for our hg repos. 
> So this is not about sending auth over http, but rather about having a pushlog
> for this repo available via http without requiring auth, but also without
> exposing the repo.

Given the environment, we shouldn't consider acl's for access, we should require auth. It is easier to change auth vs client acl's if we feel there was an issue.
So, after all this discussion it was brought up in discussion that there are other ways to trigger builds for this repo - currently forcing a build works and we could also work on doing an hg hook that does a sendchange to the buildbot master on commit to the repo.  Closing this as WONTFIX so we can move forward and explore other options.
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → WONTFIX
Sorry, making it invalid instead.
Resolution: WONTFIX → INVALID
Group: core-security
Product: mozilla.org → mozilla.org Graveyard
You need to log in before you can comment on or make changes to this bug.