bounceradmin.mozilla.com should be accessible to build machines and through build-vpn

RESOLVED FIXED

Status

Infrastructure & Operations
NetOps
8 years ago
5 years ago

People

(Reporter: bhearsum, Assigned: XioNoX)

(Reporter)

Description

8 years ago
We use this webapp to add and manage bouncer entries, both through automation as well as manually. Therefore, it should be accessible through build-vpn and to the build machines.

Comment 1

8 years ago
Would like comments from infra-sec in case there's something we're overlooking.
Assignee: network-operations → server-ops
Component: Server Operations: Netops → Server Operations: Security
QA Contact: mrz → clyon

Comment 2

8 years ago
What is the current process? Is this something that we are adding because of the build-vpn?

Little more background would be good.

Comment 3

8 years ago
Current process requires you to be on vlan72 (mpt-vpn).

The build network is supposed to be isolated from other systems.  This request is to allow users on the build-vpn host to talk to bounceradmin (vlan72).

Comment 4

(In reply to comment #3)
> Current process requires you to be on vlan72 (mpt-vpn).
> 
> The build network is supposed to be isolated from other systems.  This request
> is to allow users on the build-vpn host to talk to bounceradmin (vlan72).

Why does what hosts the build network is allowed to reach have anything to do with the routes allowed for build-vpn users?

Comment 5

8 years ago
You will have -a- host in the build network allowed to talk to a host outside that other hosts in the build network do not.  I'm merely passing information over to clyon.
(Reporter)

Comment 6

8 years ago
(In reply to comment #5)
> You will have -a- host in the build network allowed to talk to a host outside
> that other hosts in the build network do not.  I'm merely passing information
> over to clyon.

That really doesn't work well with our pool-of-slaves model...

Comment 7

(In reply to comment #6)
> (In reply to comment #5)
> > You will have -a- host in the build network allowed to talk to a host outside
> > that other hosts in the build network do not.  I'm merely passing information
> > over to clyon.
> 
> That really doesn't work well with our pool-of-slaves model...

We already have our pool-o-slaves talking to hosts outside build.m.o (f.e. for uploading/downloading builds.) In order to be able to automate adding bouncer entries as part of release automation, these same pool-o-slaves need to be able to access bounceradmin, so adding this now while setting up build-vpn seems a good idea.

mrz/clyon: please let us know if you need more info.

Comment 8

(In reply to comment #7)
> mrz/clyon: please let us know if you need more info.

clyon: let me know if you need more info after the quick whiteboard diagram yesterday

Updated

8 years ago
Assignee: server-ops → infrasec
Component: Server Operations: Security → Infrastructure Security

Comment 9

8 years ago
Few more emails between John O and myself, we have a good understanding of what is happening. 

Access to bounceradmin on vlan 75 from the build vpn, there isn't much risk and probably better over the current setup. 

So we are good with the changes.
Assignee: infrasec → network-operations
Component: Infrastructure Security → Server Operations: Netops
QA Contact: clyon → mrz

Updated

7 years ago
Assignee: network-operations → ravi
Status: NEW → ASSIGNED

Updated

7 years ago
Assignee: ravi → ayounsi
(Assignee)

Comment 10

7 years ago
Only build vpn or the whole build network?

Comment 11

The whole build network.
(Assignee)

Comment 12

7 years ago
Access granted
Status: ASSIGNED → RESOLVED
Last Resolved: 7 years ago
Resolution: --- → FIXED
Product: mozilla.org → Infrastructure & Operations