On 11/14/23 15:39, Michael Matz wrote:
> Hello Georg,
> On Sat, 11 Nov 2023, Georg Pfuetzenreuter wrote:
>> 5. Proxying
>> We try to keep the amount of machines with direct exposure to the internet to a minimum in the new infrastructure. Hence all traffic for most public services will need to pass the atlas{1,2}.infra.opensuse.org reverse proxy servers. This was already implemented for all existing services, but should be noted when designing new ones.
> So, I gather from this and remarks in Slack that gate.opensuse.org deliberately switched off ssh port forwarding. Ergo our method to push data from inside the SUSE network to gcc-stats (via ssh -p 2271 gcc@gate.opensuse.org) doesn't work anymore.
> What's the alternative to that? openVPN doesn't seem viable as we need to rsync-push data from different machines (again, all inside the SUSE engineering networks) to gcc-stats. openVPN only normally supports one source machine, and additionally the credentials should probably not just lie around on random devel machines. In effect I don't really _want_ any of these devel machines to be part of the heroes VPN network. Maybe our own sshd on gcc-stats open to the SUSE network? But that requires routing from SUSE networks directly to gcc-stats. The port forwarding was basically the most efficient and secure mechanism for this.
> So, yeah, what's the alternative? Thanks for any insight.
Hi Michael,

thanks for reaching out. A colleague of yours (?) had the same request regarding gcc-stats.i.o.o and opened a ticket regarding it, in which I already proposed an alternative two days ago:

https://progress.opensuse.org/issues/139244

Please follow up in the ticket and coordinate with other users of gcc-stats.i.o.o in order for all of you to have a common solution.

Best,
Georg
> Ciao, Micha.
Heyho,

On Tue, 14 Nov 2023, Georg Pfuetzenreuter wrote:
>> So, yeah, what's the alternative? Thanks for any insight.
> Hi Michael,
> thanks for reaching out. A colleague of yours (?) had the same request regarding gcc-stats.i.o.o and opened a ticket regarding it,
That would be Martin, my manager :-)
> in which I already proposed an alternative two days ago: https://progress.opensuse.org/issues/139244
Ah, yes, ssh jump host would work as well. I'll add some ssh keys I'd need to the ticket. Many thanks!

Ciao,
Michael.