On Fri, 10 Jan 2014 11:09:16 -0700 Tim Flink <tflink@xxxxxxxxxx> wrote: > For network isolation, I don't pretend to be an expert on networking > so I'll describe the functionality that we're looking for and what I > think might work for a solution, but I'll defer to the expertise here > on whether it's a good idea or not :) > > The beaker and taskotron clients will need network access to several > Fedora systems in order to work. > > Taskotron Clients: > - Taskotron buildmaster > - bodhi, koji, repos, dist-git, task-git (part of taskotron, not yet > created), resultsdb (also part of taskotron) > > Beaker Clients: > - Beaker server and lab controller (same system for now) > - repos, maybe grabbing packages from koji/bodhi ok, and to be clear the koji/bodhi/dist-git is all public stuff right? (ie, it could get it via public ip ok?) > I put together a quick diagram with the various network connections: > http://tflink.fedorapeople.org/taskotron/client-network-connections.png Cool. All those arrows are bidirectional? Are all the ones outside the box http/https? > From a few previous conversations, I think that a private network for > the clients could provide the isolation that we're looking for. As far > as getting network access to the systems needed to function, I figured > that the beaker server and taskotron master would have network > interfaces on this private network and a gateway could be used to > restrict outgoing traffic to only the resources required. So, in some senses the 'qa' network is this. It's restricted from talking to other internal stuff with some exceptions. Sadly over time, we have grown the number of things in that network and of course all the stuff in that network can talk to each other (barring local firewalls). > All of the clients would be hosted on the qa virthosts, which are > currently in the same rack. I was thinking that it would be possible > to use one of the network interfaces in these virthosts to create this > private network (assuming that the network switch capacity is > available) but I'm definitely open to other ideas. Could we just do it with a private libvirt network on the qa virthosts? ie, pick 172.31.17.0 and put them all in that and setup a bastion host as their gateway that does NAT for them out to the stuff they need. Or would NAT not work for this? They would still physically be on the qa network tho, so I guess we could try and request a real seperate one from RHIT. > Does this idea for network access and isolation seem reasonable and > do-able? I figure that the network isolation/access part will require > more discussion and time for implementation after a decision is > reached. Our systems will work fine with the current network > configuration but I wanted to get this part of the conversation > started so that the implementation could happen before we get too far > with automation development. Yeah, I think we can make something work here. There was also talk about redoing a lot of our network setup a while back, but not sure where that went. The thought was to completely seperate Fedora from anything else (which would be great), but would require rework on a bunch of things. Once it's done however, we could not have to care as much about adding new private nets, etc. kevin
Attachment:
signature.asc
Description: PGP signature
_______________________________________________ infrastructure mailing list infrastructure@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/infrastructure
