#2242 Limit access to test systems qa01.c.fp.org through qa06.c.fp.org
Closed: Fixed None Opened 8 years ago by jlaska.

= phenomenon =

  • There are several bare metal test systems configured for QA that are currently open for SSH from outside fedora proper.
  • These test systems are intended for the private use by AutoQA

= background analysis =

  • AutoQA test systems qa01.c.fedoraproject.org thru qa06.c.fedoraproject.org are currently accessible via ssh from outside fedora infrastructure (FAS credentials required iirc)

= implementation recommendation =

  • Update access controls such that access to qa01 - qa06 is only allowed from bastion and autoqa01.phx2.redhat.com.
  • No access from outside Fedora infrastructure is needed for qa01.c -> qa06.c

Hey Smooge, are you waiting on any information from me on this request? Also, it seems I'm no longer able to login to the qa01.c systems. However, I can track that as a different issue if desired.

These machines resolve to a 172.16 private network here now, so I don't think they are reachable from the net anymore. Closing this.

Feel free to re-open if there's further action to take here.

Replying to [comment:4 kevin]:

These machines resolve to a 172.16 private network here now, so I don't think they are reachable from the net anymore. Closing this.

Feel free to re-open if there's further action to take here.

When we deploy the new AutoQA instance (prod+stg), perhaps it makes sense for the test clients to not even be routable/visible externally? If I understand correctly, qa01-qa06.c.fp.org (172.16.0.[11-16]) are all blocked, but visible externally?

Thanks,
James

Login to comment on this ticket.

Metadata