So, in puppet320, we have getcert.cgi which is used by the puppetizing process to allow us to automatically generate and have puppet-signed certs for hosts. https://wiki.mozilla.org/ReleaseEngineering/PuppetAgain/Puppetization_Process The getcert.cgi script has builtin security checks, for the following: * Host is within the 10.*.*.* range. * Host is in DNS (per what the machine sees) * Hosts DNS reverse maps to mozilla.com * Hosts IP falls within an array of regex's we provide in secrets The first 3 of the above blocks SeaMonkey from using this script for the following reasons: * SeaMonkey hosts are allocated public IP ranges (63.245.223.*) [though no public netflows] * SeaMonkey hosts must use Google DNS servers, and we don't expose DNS, for these IPs * due to no DNS, no mozilla.com DNS The IP regex is still doable/useable. ----- I don't even know if this is possible to do without DNS, but if it is would make setting up SeaMonkey machines easier... if its not I would love to figure out what I need to document to make it happen. First needinfo to dustin if this is even something we can both do technically and something he would be `willing` to support in puppetAgain even if we config in order to keep all moco sec walls here. If :dustin agrees with it, we'd then need to get opsec signoff before we can make it happen. ----- I won't be offended if this is a horrible idea, even for seamonkey and someone feels strong enough to wontfix
The 10.0/8 check is redundant to the IP regexes, so that could be removed without issue. DNS is required for functionality, not just security. One option may be adding things to /etc/hosts on the puppetmaster. But your hosts are in global DNS, so I don't see why that's an issue. dustin@cerf ~ $ host sea-puppet.community.scl3.mozilla.com sea-puppet.community.scl3.mozilla.com has address 220.127.116.11 dustin@cerf ~ $ host 18.104.22.168 22.214.171.124.in-addr.arpa domain name pointer sea-puppet.community.scl3.mozilla.com. dustin@cerf ~ $ So yes, feel free to remove the 10.*.*.* check. The rest should stay. Please do that in a non-sec bug.
Component: Server Operations: RelEng → RelOps: Puppet
Product: mozilla.org → Infrastructure & Operations
QA Contact: arich → dustin
Rail, while you're changing getcert.cgi, can you remove the hard-coded 10.* check? Easiest will be to just dupe this bug to wherever you make that change.
Assignee: bugspam.Callek → rail
(In reply to Dustin J. Mitchell [:dustin] (I read my bugmail; don't needinfo me) from comment #2) > Rail, while you're changing getcert.cgi, can you remove the hard-coded 10.* > check? Easiest will be to just dupe this bug to wherever you make that > change. Done!
Status: NEW → RESOLVED
Last Resolved: 4 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 939543
You need to log in before you can comment on or make changes to this bug.