#5319 Need iptables rules for docker bridge port on OSBS builders to limit access only to whitelisted hosts.
Closed: Fixed None Opened 7 years ago by maxamillion.

= phenomenon =
For the OSBS builder system, the docker buildroots use the docker0 bridge interface on the OpenShift nodes to access the outside world, so we need to lock those down, similar to the koji builders, to prevent builds from accessing the outside world.

= reason =
We want to make sure that the buildroots only pull content from Fedora.

= recommendation =

Set up iptables rules to lock down the bridge interface on osbs-master01.stg (templated so this could be applied to more OpenShift nodes at a later date).

[ASCII diagram of the intended stage OSBS traffic flows; its layout did not survive extraction. Nodes: fedpkg containerbuild, koji.stg, osbs-master01.stg, kojipkgs (not stage, it doesn't mirror /pub/), distgit, docker-registry01.stg. Connections as labelled: fedpkg containerbuild -> koji.stg on 443; fedpkg containerbuild -> osbs-master01.stg on 80/443; osbs-master01.stg -> koji.stg on 443; osbs-master01.stg -> kojipkgs on 80/443; osbs-master01.stg -> distgit on 443; osbs-master01.stg <-> docker-registry01.stg on 443 in both directions.]

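An added example, not part of the ticket or of Fedora infrastructure's own templates: a POSIX shell function that renders the kind of docker0 egress whitelist the recommendation asks for, only letting bridge traffic reach the hosts and ports in the diagram and logging then dropping everything else. The host names, the chain name OSBS_EGRESS and the `--print` flag are placeholders/assumptions; the function prints the rules rather than applying them so they can be reviewed or dropped into a template.

```shell
#!/bin/sh
# Added example, not from the ticket: render iptables rules that let containers on the
# docker0 bridge reach only a whitelist of host:port pairs and log+drop the rest.
# Rules are printed, not applied, so they can be reviewed or fed into a template.

BRIDGE_IF="docker0"
CHAIN="OSBS_EGRESS"   # assumed chain name

# Whitelist, one "host ports" pair per line. Host names are constructed placeholders;
# prefer literal IPs in production, since iptables resolves a name only once, at load time.
WHITELIST='
koji.stg.example 443
kojipkgs.example 80,443
distgit.example 443
docker-registry01.stg.example 443
'

gen_docker0_egress_rules() {
    # Own chain so the policy can be flushed and reloaded without touching other FORWARD rules.
    printf 'iptables -N %s\n' "$CHAIN"
    printf 'iptables -F %s\n' "$CHAIN"
    # Return traffic for already-accepted connections must still reach the bridge.
    printf 'iptables -A %s -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n' "$CHAIN"
    # One ACCEPT per whitelisted destination, restricted to the listed TCP ports.
    echo "$WHITELIST" | while read -r host ports; do
        [ -n "$host" ] || continue
        printf 'iptables -A %s -d %s -p tcp -m multiport --dports %s -m conntrack --ctstate NEW -j ACCEPT\n' \
            "$CHAIN" "$host" "$ports"
    done
    # Everything else leaving the bridge is rate-limited into the log, then dropped,
    # so a build that tries to fetch from elsewhere is visible rather than silently blocked.
    printf 'iptables -A %s -m limit --limit 5/min -j LOG --log-prefix "OSBS_EGRESS_DENY: "\n' "$CHAIN"
    printf 'iptables -A %s -j DROP\n' "$CHAIN"
    # Hook the chain in for traffic entering from docker0 and leaving via any other interface;
    # container-to-container traffic on the bridge itself is not policed here.
    printf 'iptables -I FORWARD 1 -i %s ! -o %s -j %s\n' "$BRIDGE_IF" "$BRIDGE_IF" "$CHAIN"
}

# Stand-alone use: print the rules; pipe the output into sh on the node to apply them.
if [ "${1:-}" = "--print" ]; then
    gen_docker0_egress_rules
fi
```

If the buildroots need name resolution, the resolver's port 53 must be whitelisted as well. On Docker releases that provide the DOCKER-USER chain, hook the chain there instead of directly in FORWARD so Docker's own rule reloads do not reorder it.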

This is complete as far as I understand.

Please reopen if you need anything further from us.
