On 10/12, Eyal Edri wrote:
>
> ----- Original Message -----
> > From: "Sandro Bonazzola" <sbonazzo(a)redhat.com>
> > To: secalert(a)redhat.com
> > Cc: security(a)ovirt.org, infra(a)ovirt.org
> > Sent: Thursday, October 9, 2014 9:09:20 AM
> > Subject: Re: [engineering.redhat.com #319333] Re: [Security] System job to deploy rpms
> >
> > Il 08/10/2014 18:18, Red Hat Product Security ha scritto:
> > > On Wed Oct 08 08:35:15 2014, sbonazzo(a)redhat.com wrote:
> > >> Il 08/10/2014 12:02, Ohad Basan ha scritto:
> > >>> Hello everyone.
> > >>>
> > >>> I've created a small job (not yet enabled)
> > >>> that gets an rpm and then deploys it to the static repo at resources.ovirt.org
> > >>> for this I've sent this patch http://gerrit.ovirt.org/#/c/33863/
> > >>> that will add the "resources" user. it will have permissions only
> > >>> for the static rpms directory and will scp the files to there.
> > >>> is it acceptable by everybody security-wise?
> > >>>
> > >>
> > >> Adding security list to the loop.
> > >
> > > Hi, thanks for this. I'm a bit confused though. Is this pertaining to the
> > > infrastructure for the oVirt project, or is this code going into the oVirt
> > > code itself that is then consumed by downstream users? I only ask because
> > > of the reference to resources.ovirt.org so I'm unsure whether this is a
> > > code question or an infrastructure question.
> > >
> > > Can you please advise?
> >
> > It's an infrastructure question
>
> let me try to clarify.
> today our continuous delivery process is partially async:
> - jenkins.ovirt.org builds and publishes the rpms into resources.ovirt.org under
> jenkins home (unprivileged user).
> - a cron job scans the target dir and checks if new rpms are there (via a
> flag used by the script) and updates the repos accordingly.
>
> the idea behind this is not to allow direct access from jenkins to resources.ovirt.org via ssh.
>
> now what ohad is suggesting is to change the process and ALLOW direct access to
> certain repositories under resources.ovirt.org, with the following changes:
> - new user will be used - resources
> - the user will have limited sudo access only to read/write to the relevant
> repository (static repos)
> - no cron job will run async to update it.
>
> so the question is are we comfortable with this change? is it safe or has the
> same security level as the current async one?
> if it's safe we might consider changing the original flow as well to be
> synced and not use a cron job.
>
> your input is appreciated,

As far as I know, the only reason we had to use the cron (kiril might
know better, but he does not work with us anymore) was to avoid
exposing the signing key for the packages to the jenkins ssh user, but
that part was never automated anyhow and the nightly-static packages
are not signed.
So I think that creating a new user without privileges to mess
anything up (only access to the nightly repos) is as secure as the
cron approach, but more convenient.
In the future I'm thinking of using a simple web service to deploy the
rpms, that way the clients do not need ssh access to the machine at
all. But that's not ready yet.

> Eyal.
>
> >
> > --
> > Sandro Bonazzola
> > Better technology. Faster innovation. Powered by community collaboration.
> > See how it works at redhat.com
> > _______________________________________________
> > Infra mailing list
> > Infra(a)ovirt.org
> > http://lists.ovirt.org/mailman/listinfo/infra
> >
-- 
David Caro
Red Hat S.L.
Continuous Integration Engineer - EMEA ENG Virtualization R&D
Tel.: +420 532 294 605
Email: dcaro(a)redhat.com
Web: www.redhat.com
RHT Global #: 82-62605
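As an added illustration (not the oVirt infra team's code) of the restriction Ohad and Eyal describe, a "resources" user that can only scp into the static repo directory, the following POSIX sh forced-command wrapper confines that user's ssh key to uploads under one path, with no sudo involved; the repository path, the script path and the authorized_keys options are assumptions.

```shell
#!/bin/sh
# static-repo-gate: forced-command wrapper for the "resources" deploy user.
# Added example, not the oVirt infra team's own script. Install it on
# resources.ovirt.org in that user's ~/.ssh/authorized_keys (the script path
# and key options are assumptions):
#   command="/usr/local/bin/static-repo-gate",no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-rsa AAAA...
# sshd then runs this script instead of the requested command and exposes the
# request in SSH_ORIGINAL_COMMAND; only "scp -t <path under ALLOWED_ROOT>"
# passes, so the Jenkins key can upload rpms and nothing else.

ALLOWED_ROOT="${ALLOWED_ROOT:-/var/www/html/pub/static}"   # assumed static repo path

# check_deploy_cmd CMD
# Returns 0 when CMD is an scp upload ("-t", sink mode) whose target is the
# static repo or a path beneath it, 1 otherwise. Downloads (-f), recursive
# copies (-r), other options, traversal and shell metacharacters are rejected.
check_deploy_cmd() {
    case "$1" in
        "scp -t "*) ;;                          # exactly "scp -t <target>"
        *) return 1 ;;
    esac
    target=${1#"scp -t "}
    case "$target" in
        "$ALLOWED_ROOT"|"$ALLOWED_ROOT"/*) ;;   # must stay inside the static repo
        *) return 1 ;;
    esac
    rel=${target#"$ALLOWED_ROOT"/}
    case "$rel" in
        *[!A-Za-z0-9._/-]*) return 1 ;;         # whitelist: no spaces, quotes, ;|&$` or globs
        *..*) return 1 ;;                       # no ".." back out of the repo
    esac
    return 0
}

# Entry point when invoked by sshd; does nothing when sourced for testing.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    if check_deploy_cmd "$SSH_ORIGINAL_COMMAND"; then
        # Unquoted expansion is safe here: the target was whitelisted above,
        # so it splits into exactly "scp", "-t" and the path.
        exec $SSH_ORIGINAL_COMMAND
    fi
    logger -t static-repo-gate "rejected: $SSH_ORIGINAL_COMMAND" 2>/dev/null
    exit 1
fi
```

Regenerating the repo metadata after an upload remains a separate step, as it is in the cron flow; the gate only narrows what the key can do on the host.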