QA Client Network Isolation and FAS Groups

Kevin Fenzi kevin at scrye.com
Tue Jan 14 23:09:05 UTC 2014


On Fri, 10 Jan 2014 11:09:16 -0700
Tim Flink <tflink at redhat.com> wrote:

> For network isolation, I don't pretend to be an expert on networking
> so I'll describe the functionality that we're looking for and what I
> think might work for a solution, but I'll defer to the expertise here
> on whether it's a good idea or not :)
> 
> The beaker and taskotron clients will need network access to several
> Fedora systems in order to work.
> 
> Taskotron Clients:
>  - Taskotron buildmaster
>  - bodhi, koji, repos, dist-git, task-git (part of taskotron, not yet
>    created), resultsdb (also part of taskotron)
> 
> Beaker Clients:
>  - Beaker server and lab controller (same system for now)
>  - repos, maybe grabbing packages from koji/bodhi

ok, and to be clear the koji/bodhi/dist-git is all public stuff right? 
(ie, it could get it via public ip ok?)

> I put together a quick diagram with the various network connections:
> http://tflink.fedorapeople.org/taskotron/client-network-connections.png

Cool. All those arrows are bidirectional?
Are all the ones outside the box http/https?

> From a few previous conversations, I think that a private network for
> the clients could provide the isolation that we're looking for. As far
> as getting network access to the systems needed to function, I figured
> that the beaker server and taskotron master would have network
> interfaces on this private network and a gateway could be used to
> restrict outgoing traffic to only the resources required.

So, in some senses the 'qa' network is this. It's restricted from
talking to other internal stuff with some exceptions. 

Sadly over time, we have grown the number of things in that network and
of course all the stuff in that network can talk to each other (barring
local firewalls). 

> All of the clients would be hosted on the qa virthosts, which are
> currently in the same rack. I was thinking that it would be possible
> to use one of the network interfaces in these virthosts to create this
> private network (assuming that the network switch capacity is
> available) but I'm definitely open to other ideas.

Could we just do it with a private libvirt network on the qa virthosts?
ie, pick 172.31.17.0 and put them all in that and set up a bastion host
as their gateway that does NAT for them out to the stuff they need. 
Or would NAT not work for this? They would still physically be on the
qa network tho, so I guess we could try and request a real separate one
from RHIT. 

> Does this idea for network access and isolation seem reasonable and
> do-able? I figure that the network isolation/access part will require
> more discussion and time for implementation after a decision is
> reached. Our systems will work fine with the current network
> configuration but I wanted to get this part of the conversation
> started so that the implementation could happen before we get too far
> with automation development.

Yeah, I think we can make something work here. 

There was also talk about redoing a lot of our network setup a while
back, but not sure where that went. The thought was to completely
separate Fedora from anything else (which would be great), but would
require rework on a bunch of things. Once it's done however, we could
not have to care as much about adding new private nets, etc. 

kevin
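The private-libvirt-network-plus-bastion layout sketched above, as an added example that is not code from the thread or from Fedora Infrastructure: the virthost side is an isolated libvirt network, the bastion side is an nftables egress allow-list with NAT. The 172.31.17.0/24 subnet comes from the message; the interface names, the resolver and the service addresses (RFC 5737 placeholders) are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: an isolated libvirt network for the
# QA clients and an nftables ruleset for a bastion VM that is their only gateway
# and NATs them out to an explicit allow-list. 172.31.17.0/24 is the subnet
# Kevin floats; interface names and the RFC 5737 addresses are assumptions.
QA_NET=172.31.17.0/24
LAN_IF=eth1                          # bastion leg on the private network
WAN_IF=eth0                          # bastion leg toward the qa network
RESOLVER=192.0.2.53                  # placeholder: internal DNS resolver
ALLOWED_HTTP="192.0.2.10 192.0.2.11" # placeholders: koji, bodhi, buildmaster...
ALLOWED_SET=$(printf '%s' "$ALLOWED_HTTP" | sed 's/ /, /g')

# No <forward> and no <ip> element: the virthost gives the bridge no address
# and does no NAT itself, so every off-net packet must traverse the bastion.
libvirt_net_xml() {
  cat <<EOF
<network>
  <name>qa-clients</name>
  <bridge name="virbr-qa" stp="on" delay="0"/>
</network>
EOF
}
# Forward policy is drop: only replies, DNS and HTTP(S) to listed hosts leave.
bastion_nft_rules() {
  cat <<EOF
table inet qa_egress {
  chain forward {
    type filter hook forward priority 0; policy drop;
    ct state established,related accept
    iifname "$LAN_IF" oifname "$WAN_IF" ip saddr $QA_NET ip daddr $RESOLVER udp dport 53 accept
    iifname "$LAN_IF" oifname "$WAN_IF" ip saddr $QA_NET ip daddr { $ALLOWED_SET } tcp dport { 80, 443 } accept
    iifname "$LAN_IF" log prefix "qa-egress-denied " drop
  }
}
table ip qa_nat {
  chain postrouting {
    type nat hook postrouting priority 100;
    oifname "$WAN_IF" ip saddr $QA_NET masquerade
  }
}
EOF
}

case "${1:-show}" in
  --define-net)   # on each qa virthost (root, virsh)
    libvirt_net_xml > /tmp/qa-clients.xml && virsh net-define /tmp/qa-clients.xml ;;
  --apply-rules)  # on the bastion (root, nft)
    sysctl -w net.ipv4.ip_forward=1 && bastion_nft_rules | nft -f - ;;
  *) libvirt_net_xml; bastion_nft_rules ;;
esac
```

Run without arguments it only prints both configs for review; the logged "qa-egress-denied" hits are what you watch to find a client trying to reach something outside the allow-list.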