MP+ firewall rules #490

Closed
2 tasks done
Tracked by #470
mfocko opened this issue May 17, 2023 · 8 comments
Labels
area/general Related to whole service, not a specific part/integration. complexity/single-task Regular task, should be done within days. gain/high This brings a lot of value to (not strictly a lot of) users. impact/low This issue impacts only a few users. kind/internal Doesn't affect users directly, may be e.g. infrastructure, DB related.

Comments

@mfocko
Member

mfocko commented May 17, 2023

When deploying to the MP+, based on the ESS requirement for monitoring the network traffic, all of the egress (outgoing network connections) is implicitly denied and must be requested to be allowed.

Links to relevant parts of the “documentation”:

TODO:

  • Based on the documentation above, (presumably) create a ticket to sort out the firewall rules
    Preliminary list of the required domains (it may be required to translate to IP subnets :/):
    • pkgs.fedoraproject.org / src.fedoraproject.org
    • github.com
    • gitlab.com
    • gitlab.freedesktop.org
    • gitlab.gnome.org
    • salsa.debian.org
    • Copr
    • Image Builder
    • Koji
  • Investigate if there are any further actions to be taken, e.g. src.fedoraproject.org is reachable via curl, but not via ssh (similarly for github.com) (could've been a user error on my end though)
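Added example, not part of the original issue or the project's code: a small offline check that compares the endpoints a service needs against default-deny egress allow rules expressed as IP subnets. It shows how per-port rules and multiple DNS answers can leave gaps. The rule format, ports, and all addresses (documentation ranges) are assumptions constructed for illustration.

```python
import ipaddress

# Constructed allow rules (hypothetical format): (destination subnet, TCP port).
ALLOW_RULES = [
    ("192.0.2.0/24", 443),
    ("198.51.100.0/24", 443),
    ("198.51.100.0/24", 22),
]

# Constructed DNS answers standing in for live lookups so the check runs offline.
RESOLVED = {
    "src.fedoraproject.org": ["192.0.2.10", "203.0.113.7"],
    "github.com": ["198.51.100.20"],
}

# Endpoints the service is assumed to need: HTTPS plus git over SSH.
REQUIRED = [
    ("src.fedoraproject.org", 443),
    ("src.fedoraproject.org", 22),
    ("github.com", 443),
    ("github.com", 22),
]


def is_allowed(ip, port, rules):
    """True if some rule covers both the destination address and the port."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net) and port == p for net, p in rules)


def find_gaps(required, resolved, rules):
    """Return (host, port, ip) tuples that default-deny would drop.

    ip is None when the host has no known address to translate into a rule.
    """
    gaps = []
    for host, port in required:
        ips = resolved.get(host)
        if not ips:
            gaps.append((host, port, None))
            continue
        # Every address the name can resolve to must be covered, not just one.
        gaps.extend((host, port, ip) for ip in ips if not is_allowed(ip, port, rules))
    return gaps


if __name__ == "__main__":
    for host, port, ip in find_gaps(REQUIRED, RESOLVED, ALLOW_RULES):
        print(f"blocked: {host}:{port} via {ip or 'unresolved'}")
```

Because subnet rules are a snapshot of DNS at request time, rerunning the comparison against fresh lookups catches hosts whose addresses have moved outside the allowed ranges.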
@mfocko mfocko mentioned this issue May 17, 2023
5 tasks
@mfocko mfocko changed the title firewall allows connection to the git forges and hosts with archives MP+ firewall rules May 17, 2023
@mfocko mfocko added area/general Related to whole service, not a specific part/integration. complexity/single-task Regular task, should be done within days. gain/high This brings a lot of value to (not strictly a lot of) users. impact/low This issue impacts only a few users. kind/internal Doesn't affect users directly, may be e.g. infrastructure, DB related. labels May 17, 2023
@jpopelka jpopelka self-assigned this Jun 21, 2023
@jpopelka jpopelka added the blocked We are blocked! label Jun 26, 2023
@jpopelka
Member

The firewall rules change has been planned for 19th July.

@nforro nforro removed the blocked We are blocked! label Jul 20, 2023
@mfocko
Member Author

mfocko commented Jul 24, 2023

Seems to be OK, GitHub and GitLab appear to be working, also reporting back is fine.

Unless there is an issue with some of the self-hosted GitLab instances or dist-git, I'd expect issues to appear during the sync-release jobs.

@mfocko
Member Author

mfocko commented Jul 24, 2023

Missed:

  • Testing Farm (api.dev.testing-farm.io)

@sentry-io

sentry-io bot commented Jul 24, 2023

Sentry issue: PCKT-002-PACKIT-SERVICE-64C

@lbarcziova lbarcziova assigned mfocko and unassigned jpopelka Aug 21, 2023
@mfocko
Member Author

mfocko commented Aug 21, 2023

Latest update:

@mfocko
Member Author

mfocko commented Aug 25, 2023

Pinged on the ticket, moving to blocked till we get a response

@mfocko mfocko added the blocked We are blocked! label Aug 25, 2023
@mfocko
Member Author

mfocko commented Oct 12, 2023

Scraped from the specfiles:

  • go.dev
  • pigeonhole.dovecot.org
  • dovecot.org

@mfocko to create a ticket

@mfocko mfocko closed this as completed Oct 23, 2023
@lachmanfrantisek
Member

🎉

@nforro nforro removed the blocked We are blocked! label Nov 6, 2023
4 participants