Bug 621236 - Remove firewalling of fixed.gnome.org:9070
Status: RESOLVED FIXED
Product: sysadmin
Classification: Infrastructure
Component: Other
Assigned To: GNOME Sysadmins
Reported: 2010-06-10 19:48 UTC by Frederic Peters
Modified: 2010-12-02 18:36 UTC



Description Frederic Peters 2010-06-10 19:48:23 UTC
The buildbot master is running on fixed.gnome.org, port 9070; at the moment the port is firewalled so it's necessary for build slaves to have a fixed IP address, and to register those.

As it would be really useful to have more build slaves, it would be really nice if that rule could be removed.

Thanks.
Comment 1 Matthias Clasen 2010-07-06 12:03:34 UTC
I'd still be interested in this.
Comment 2 Christer Edwards 2010-10-18 17:33:07 UTC
What are the implications of globally opening this port on the host firewall? Are there any application-level restrictions that can be put in place (i.e., you can limit the build slaves at the application, and don't need to rely on us to update iptables)?

What other security concerns might we face by globally allowing this port? Can anyone attach a build server to this port? What consequences would this have?

If you could give me a better idea of how the build master/slave process works I (we) can better determine the possibility of this request.
Comment 3 Alejandro Piñeiro Iglesias (IRC: infapi00) 2010-12-02 11:41:09 UTC
(In reply to comment #2)
> What are the implications of globally opening this port on the host firewall?
> Are there any application-level restrictions that can be put in place (i.e., you
> can limit the build slaves at the application, and don't need to rely on us to
> update iptables)?
> 
> What other security concerns might we face by globally allowing this port? Can
> anyone attach a build server to this port? What consequences would this have?

No, not anyone can attach a build slave. In order to attach a new build slave you need a login and a password. The list of allowed build slaves is saved as part of the configuration of the master installed at RHEL5. The idea is that the build brigade maintainers (AFAIK: Olav, Frederic, Iago and me) would give a login and password to any allowed slave. But as the description says, due to this firewall rule, it is also required to ask sysadmin to include the new IP.

> If you could give me a better idea of how the build master/slave process works
> I (we) can better determine the possibility of this request.

CCing myself in order to try to answer any other question.

More information here: http://live.gnome.org/BuildBrigade/DocsAndGuides
Comment 4 Christer Edwards 2010-12-02 18:36:00 UTC
Based on this further information I'm comfortable opening the port globally. I'll update the firewall now (I'll include a backup of the original at /etc/sysconfig/iptables-2010-12-02).

Closing ticket.