Closed Bug 601150 Opened 14 years ago Closed 14 years ago

bounceradmin.mozilla.com should be accessible to build machines and through build-vpn

Categories

(Infrastructure & Operations Graveyard :: NetOps, task)


Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: bhearsum, Assigned: arzhel)

Details

We use this webapp to add and manage bouncer entries, both through automation as well as manually. Therefore, it should be accessible through build-vpn and to the build machines.
Would like comments from infra-sec in case there's something we're overlooking.
Assignee: network-operations → server-ops
Component: Server Operations: Netops → Server Operations: Security
QA Contact: mrz → clyon
What is the current process? Is this something that we are adding because of the build-vpn?

A little more background would be good.
Current process requires you to be on vlan72 (mpt-vpn).

The build network is supposed to be isolated from other systems.  This request is to allow users on the build-vpn host to talk to bounceradmin (vlan72).
(In reply to comment #3)
> Current process requires you to be on vlan72 (mpt-vpn).
> 
> The build network is supposed to be isolated from other systems.  This request
> is to allow users on the build-vpn host to talk to bounceradmin (vlan72).

Why does which hosts the build network is allowed to reach have anything to do with the routes allowed for build-vpn users?
You will have -a- host in the build network allowed to talk to a host outside that other hosts in the build network do not.  I'm merely passing information over to clyon.
(In reply to comment #5)
> You will have -a- host in the build network allowed to talk to a host outside
> that other hosts in the build network do not.  I'm merely passing information
> over to clyon.

That really doesn't work well with our pool-of-slaves model...
(In reply to comment #6)
> (In reply to comment #5)
> > You will have -a- host in the build network allowed to talk to a host outside
> > that other hosts in the build network do not.  I'm merely passing information
> > over to clyon.
> 
> That really doesn't work well with our pool-of-slaves model...

We already have our pool-o-slaves talking to hosts outside build.m.o (f.e. for uploading/downloading builds.) In order to be able to automate adding bouncer entries as part of release automation, these same pool-o-slaves need to be able to access bounceradmin, so adding this now while setting up build-vpn seems a good idea.

mrz/clyon: please let us know if you need more info.
(In reply to comment #7)
> mrz/clyon: please let us know if you need more info.

clyon: let me know if you need more info after the quick whiteboard diagram yesterday
Assignee: server-ops → infrasec
Component: Server Operations: Security → Infrastructure Security
A few more emails between John O and myself; we have a good understanding of what is happening.

For access to bounceradmin on vlan 75 from the build vpn, there isn't much risk, and it is probably better than the current setup.

So we are good with the changes.
Assignee: infrasec → network-operations
Component: Infrastructure Security → Server Operations: Netops
QA Contact: clyon → mrz
Assignee: network-operations → ravi
Status: NEW → ASSIGNED
Assignee: ravi → ayounsi
Only build vpn or the whole build network?
The whole build network.
Access granted
Status: ASSIGNED → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Product: mozilla.org → Infrastructure & Operations
Product: Infrastructure & Operations → Infrastructure & Operations Graveyard