On Fri, 10 Jan 2014 11:09:16 -0700
Tim Flink <tflink(a)redhat.com> wrote:
> For network isolation, I don't pretend to be an expert on networking
> so I'll describe the functionality that we're looking for and what I
> think might work for a solution, but I'll defer to the expertise here
> on whether it's a good idea or not :)
>
> The beaker and taskotron clients will need network access to several
> Fedora systems in order to work.
>
> Taskotron Clients:
> - Taskotron buildmaster
> - bodhi, koji, repos, dist-git, task-git (part of taskotron, not yet
>   created), resultsdb (also part of taskotron)
>
> Beaker Clients:
> - Beaker server and lab controller (same system for now)
> - repos, maybe grabbing packages from koji/bodhi

ok, and to be clear the koji/bodhi/dist-git is all public stuff right?
(ie, it could get it via public ip ok?)

Cool. All those arrows are bidirectional?
Are all the ones outside the box http/https?

> From a few previous conversations, I think that a private network for
> the clients could provide the isolation that we're looking for. As far
> as getting network access to the systems needed to function, I figured
> that the beaker server and taskotron master would have network
> interfaces on this private network and a gateway could be used to
> restrict outgoing traffic to only the resources required.

So, in some senses the 'qa' network is this. It's restricted from
talking to other internal stuff with some exceptions.
Sadly over time, we have grown the number of things in that network and
of course all the stuff in that network can talk to each other (barring
local firewalls).

> All of the clients would be hosted on the qa virthosts, which are
> currently in the same rack. I was thinking that it would be possible
> to use one of the network interfaces in these virthosts to create this
> private network (assuming that the network switch capacity is
> available) but I'm definitely open to other ideas.

Could we just do it with a private libvirt network on the qa virthosts?
ie, pick 172.31.17.0 and put them all in that and set up a bastion host
as their gateway that does NAT for them out to the stuff they need.
Or would NAT not work for this? They would still physically be on the
qa network tho, so I guess we could try and request a real separate one
from RHIT.

> Does this idea for network access and isolation seem reasonable and
> do-able? I figure that the network isolation/access part will require
> more discussion and time for implementation after a decision is
> reached. Our systems will work fine with the current network
> configuration but I wanted to get this part of the conversation
> started so that the implementation could happen before we get too far
> with automation development.

Yeah, I think we can make something work here.

There was also talk about redoing a lot of our network setup a while
back, but not sure where that went. The thought was to completely
separate Fedora from anything else (which would be great), but would
require rework on a bunch of things. Once it's done however, we could
not have to care as much about adding new private nets, etc.
kevin
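As an added illustration of the private libvirt network plus NAT gateway idea discussed above (not code from the thread or from Fedora infrastructure), the script below emits a libvirt network definition for 172.31.17.0/24 and a default-deny egress allowlist for the virthost. The network name, bridge name, chain name and the allowlisted hosts are placeholders I chose; only the 172.31.17 prefix comes from the message.

```shell
#!/bin/sh
# Hypothetical helper (not from the thread): emit a libvirt NAT network
# for the isolated client net plus a default-deny egress allowlist that
# the virthost/bastion enforces. Names and hosts are placeholders.
NET_NAME="qa-clients"       # assumed network name
NET="172.31.17"             # /24 from the thread
BRIDGE="virbr-qa"           # assumed bridge name
CHAIN="QA_EGRESS"           # assumed iptables chain name

# Constructed allowlist: "host port" per line, https only as discussed.
ALLOWED="koji.example.invalid 443
bodhi.example.invalid 443
taskotron-master.example.invalid 443"

# libvirt network definition: forward mode nat keeps guests behind the
# host, so the host's FORWARD chain is the single egress choke point.
gen_network_xml() {
  cat <<EOF
<network>
  <name>${NET_NAME}</name>
  <forward mode='nat'/>
  <bridge name='${BRIDGE}' stp='on' delay='0'/>
  <ip address='${NET}.1' netmask='255.255.255.0'>
    <dhcp>
      <range start='${NET}.100' end='${NET}.200'/>
    </dhcp>
  </ip>
</network>
EOF
}

# iptables rules: a dedicated chain jumped to from the top of FORWARD,
# because libvirt inserts its own permissive FORWARD rules for NAT nets.
# Allowed flows are accepted; everything else is logged, then dropped.
gen_egress_rules() {
  printf 'iptables -N %s\n' "$CHAIN"
  printf 'iptables -I FORWARD 1 -i %s -j %s\n' "$BRIDGE" "$CHAIN"
  printf '%s\n' "$ALLOWED" | while read -r host port; do
    printf 'iptables -A %s -p tcp -d %s --dport %s -j ACCEPT\n' \
      "$CHAIN" "$host" "$port"
  done
  printf 'iptables -A %s -j LOG --log-prefix "qa-egress-denied: "\n' "$CHAIN"
  printf 'iptables -A %s -j DROP\n' "$CHAIN"
}

# Usage: gen_network_xml > qa-clients.xml && virsh net-define qa-clients.xml
#        gen_egress_rules | sh   (on the virthost, as root)
```

The LOG rule ahead of the DROP is what makes unexpected egress from a client visible in the virthost's kernel log, which is the signal you want when something in the isolated net tries to reach a host that is not on the list.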