On 11/12/19 5:36 PM, Andrew Bogott wrote:
We've been butting our heads against the inability of VMs in the -dev cloud to talk to outside networks. When Jason and Arturo looked at ways to open that up, they ran into several code comments from you expressing unspecific worries about security concerns with allowing that traffic. Do you remember what those concerns were? If it was just a matter of 'we don't need this anyway' then we might go ahead and allow that traffic, but I want to make sure we aren't overlooking some grave danger.
I think we can move forward with this change and reconsider things in case we see any issue later on.

I believe it's really important that eqiad1 and codfw1dev are very similar in architecture, features and behavior, so we can use the staging/dev/test environment effectively.

I'm not 100% sure how LDAP works for the codfw1dev deployment, but I would double-check that we don't leak anything to the outside. Special consideration for cases like internet --> VM in codfw1dev (some proxy, redirection or floating IP can enable this).

Regards,
--
Arturo Borrero Gonzalez
SRE / Wikimedia Cloud Services
Wikimedia Foundation