One of the things that QA is focusing on ATM is getting better automation support for Fedora. We're currently doing this in two ways (that will eventually combine): - taskotron (replacing autoqa) - beaker (different type of system - used by Red Hat QE, who is interested in running some of their tests upstream in Fedora) Before we start granting access to the systems to Fedora contributors, we want to a) make the process relatively easy and b) isolate the client machines so that if something goes wrong or a bad actor gains access to them, any potential problems can be limited. To do this, I'd like to propose one change and ask for input on another. The first change is with FAS groups and shell access. To the best of my knowledge, in order to ssh into the bastion hosts, a user needs to be a member of the sysadmin group. While this works well for sysadmin people, I'm not sure I see a benefit of sending all sysadmin email to folks who are just looking to debug beaker or taskotron clients. I'd like to propose the creation of a new FAS shell group for qa automation and separate groups for beaker users, beaker admins, taskotron users and taskotron admins (qa-automation, beaker, beaker-admin, taskotron, taskotron-admin). The qa-automation group wouldn't need access to bastion01, just whichever bastion host has access to the automation clients (bastion-comm01 for now). The other groups would be kind of like the relationship between the various sysadmin FAS groups and the base sysadmin group (ie, sysadmin access for all members, sysadmin-dns, sysadmin-qa etc. for farther access). Does this seem reasonable and do-able? If so, I'd like to get the FAS group stuff done in the relatively near future - not "drop everything and do it now" but ideally in the next couple of weeks if possible. For network isolation, I don't pretend to be an expert on networking so I'll describe the functionality that we're looking for and what I think might work for a solution, but I'll defer to the expertise here on whether it's a good idea or not :) The beaker and taskotron clients will need network access to several Fedora systems in order to work. Taskotron Clients: - Taskotron buildmaster - bodhi, koji, repos, dist-git, task-git (part of taskotron, not yet created), resultsdb (also part of taskotron) Beaker Clients: - Beaker server and lab controller (same system for now) - repos, maybe grabbing packages from koji/bodhi I put together a quick diagram with the various network connections: http://tflink.fedorapeople.org/taskotron/client-network-connections.png From a few previous conversations, I think that a private network for the clients could provide the isolation that we're looking for. As far as getting network access to the systems needed to function, I figured that the beaker server and taskotron master would have network interfaces on this private network and a gateway could be used to restrict outgoing traffic to only the resources required. All of the clients would be hosted on the qa virthosts, which are currently in the same rack. I was thinking that it would be possible to use one of the network interfaces in these virthosts to create this private network (assuming that the network switch capacity is available) but I'm definitely open to other ideas. Does this idea for network access and isolation seem reasonable and do-able? I figure that the network isolation/access part will require more discussion and time for implementation after a decision is reached. Our systems will work fine with the current network configuration but I wanted to get this part of the conversation started so that the implementation could happen before we get too far with automation development. Thanks, Tim
Attachment:
signature.asc
Description: PGP signature
_______________________________________________ infrastructure mailing list infrastructure@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/infrastructure
