On 11/12/19 5:36 PM, Andrew Bogott wrote:
We've been butting our heads against the inability of VMs in the -dev cloud to talk to outside networks. When Jason and Arturo looked at ways to open that up, they ran into several code comments from you expressing unspecific worries about security concerns with allowing that traffic. Do you remember what those concerns were? If it was just a matter of 'we don't need this anyway' then we might go ahead and allow that traffic, but I want to make sure we aren't overlooking some grave danger.
I think we can move forward with this change and re-consider things in case we see any issue later on.
I believe it's really important eqiad1 and codfw1dev are very similar in architecture, features and behavior so we can use the staging/dev/test environment effectively.
I'm not 100% sure how LDAP works for the codfw1dev deployment, but I would double check that we don't leak anything to the outside. Special consideration for cases like internet --> VM in codfw1dev (some proxy, redirection or floating IP can enable this).
regards.