[JIRA] (OVIRT-1170) add option to disable networking (or have it off by default)

2017-09-28 Thread eyal edri (oVirt JIRA)

 [ 
https://ovirt-jira.atlassian.net/browse/OVIRT-1170?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

eyal edri updated OVIRT-1170:
-
Resolution: Done
Status: Done  (was: Blocked)

No reply on this ticket. If it is needed in the future, please reopen it 
with relevant info.

> add option to disable networking (or have it off by default)
> 
>
> Key: OVIRT-1170
> URL: https://ovirt-jira.atlassian.net/browse/OVIRT-1170
> Project: oVirt - virtualization made easy
> Issue Type: New Feature
> Reporter: Greg Sheremeta
> Assignee: infra
>
> Add option to disable networking (or have it off by default). Basically, we 
> want to prevent a job from accessing the internet if we want repeatable 
> builds and/or are doing a downstream build somewhere else. Other/downstream 
> build environments often have networking off. Copr has an option: (See: 
> https://lists.fedorahosted.org/archives/list/copr-de...@lists.fedorahosted.org/thread/LZZPJ534ZDRD7YYFDC3BXDUVVPF5B735/
>  )
> In particular, the ovirt-engine-nodejs-modules build-artifacts job *tries* to 
> stay offline, but an evil node module called 'phantomjs' connects to the 
> internet in a post-offline-install hook. I'd like the option to disallow that 
> and have the build fail.



--
This message was sent by Atlassian Jira
(v1001.0.0-SNAPSHOT#100063)
___
Infra mailing list
Infra@ovirt.org
http://lists.ovirt.org/mailman/listinfo/infra


[JIRA] (OVIRT-1170) add option to disable networking (or have it off by default)

2017-08-08 Thread eyal edri (oVirt JIRA)

[ 
https://ovirt-jira.atlassian.net/browse/OVIRT-1170?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=34620#comment-34620
 ] 

eyal edri commented on OVIRT-1170:
--

ping



[JIRA] (OVIRT-1170) add option to disable networking (or have it off by default)

2017-07-03 Thread eedri (oVirt JIRA)

 [ 
https://ovirt-jira.atlassian.net/browse/OVIRT-1170?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

eedri updated OVIRT-1170:
-
Blocked By: waiting for user feedback
Status: Blocked  (was: To Do)



[JIRA] (OVIRT-1170) add option to disable networking (or have it off by default)

2017-03-20 Thread Greg Sheremeta (oVirt JIRA)

[ 
https://ovirt-jira.atlassian.net/browse/OVIRT-1170?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=28928#comment-28928
 ] 

Greg Sheremeta commented on OVIRT-1170:
---

Yes, still need this. I just haven't gotten back to it yet. I'll test soon.



[JIRA] (OVIRT-1170) add option to disable networking (or have it off by default)

2017-03-20 Thread eyal edri [Administrator] (oVirt JIRA)

[ 
https://ovirt-jira.atlassian.net/browse/OVIRT-1170?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=28924#comment-28924
 ] 

eyal edri [Administrator] commented on OVIRT-1170:
--

Do we still need it? 
If it didn't work out in check-patch, another option is to add an OST test for 
it.



[JIRA] (OVIRT-1170) add option to disable networking (or have it off by default)

2017-02-26 Thread eyal edri [Administrator] (oVirt JIRA)

 [ 
https://ovirt-jira.atlassian.net/browse/OVIRT-1170?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

eyal edri [Administrator] updated OVIRT-1170:
-
Epic Link: OVIRT-400



[JIRA] (OVIRT-1170) add option to disable networking (or have it off by default)

2017-02-21 Thread Greg Sheremeta (oVirt JIRA)

[ 
https://ovirt-jira.atlassian.net/browse/OVIRT-1170?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=27537#comment-27537
 ] 

Greg Sheremeta commented on OVIRT-1170:
---

Nod, I'll test it.



[JIRA] (OVIRT-1170) add option to disable networking (or have it off by default)

2017-02-21 Thread Barak Korren (oVirt JIRA)

[ 
https://ovirt-jira.atlassian.net/browse/OVIRT-1170?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=27532#comment-27532
 ] 

Barak Korren commented on OVIRT-1170:
-

Oh sorry that should have been:
{code}
rm /etc/resolv.conf
{code}
Or perhaps more safely:
{code}
truncate -s 0 /etc/resolv.conf
{code}

This should be safe enough, and will block anything that does not use direct IP 
addresses to access outside resources.



[JIRA] (OVIRT-1170) add option to disable networking (or have it off by default)

2017-02-21 Thread Greg Sheremeta (oVirt JIRA)

[ 
https://ovirt-jira.atlassian.net/browse/OVIRT-1170?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=27531#comment-27531
 ] 

Greg Sheremeta commented on OVIRT-1170:
---

I'm not familiar with what removing /etc/hosts would do (I would have guessed 
nothing helpful).

Shutting off access to known problematic domains is helpful, but won't catch 
when we pull in new dependencies that access domains we don't know about. So 
I'm afraid this won't really help anything.




[JIRA] (OVIRT-1170) add option to disable networking (or have it off by default)

2017-02-21 Thread Barak Korren (oVirt JIRA)

[ 
https://ovirt-jira.atlassian.net/browse/OVIRT-1170?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=27500#comment-27500
 ] 

Barak Korren commented on OVIRT-1170:
-

[~gsher...@redhat.com] Could this be resolved at the automation script level 
with something like:

{code}
echo 127.0.0.1 host_evil_module_is.connecting.to > /etc/hosts
{code}

Or

{code}
rm /etc/hosts
{code}

?

Hermetically shutting off the connection is not easily achievable at this point 
because we need the connection to talk back to Jenkins, and the automation 
scripts are not running in their own network namespace (until we get around to 
implementing OVIRT-873).

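An added example, not part of the original thread or of oVirt's CI code: one way to make a build fail on any outbound connection, including direct-IP ones that DNS blocking misses, is to audit an `strace -f -e trace=connect` log of the build step. The trace lines are constructed, and the allowlisted address `10.0.0.5` (standing in for the Jenkins master the job must still reach) is an assumption.

```python
import ipaddress
import re

# Constructed sample of `strace -f -e trace=connect` output from a build step.
SAMPLE_TRACE = '''\
[pid 4101] connect(5, {sa_family=AF_UNIX, sun_path="/var/run/nscd/socket"}, 110) = -1 ENOENT (No such file or directory)
[pid 4101] connect(5, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("127.0.0.1")}, 16) = 0
[pid 4102] connect(7, {sa_family=AF_INET, sin_port=htons(8080), sin_addr=inet_addr("10.0.0.5")}, 16) = 0
[pid 4117] connect(9, {sa_family=AF_INET, sin_port=htons(443), sin_addr=inet_addr("203.0.113.10")}, 16) = -1 EINPROGRESS (Operation now in progress)
[pid 4117] connect(10, {sa_family=AF_INET6, sin6_port=htons(443), sin6_flowinfo=htonl(0), inet_pton(AF_INET6, "2001:db8::10", &sin6_addr), sin6_scope_id=0}, 28) = -1 ENETUNREACH (Network is unreachable)
'''

# Assumption: the CI master the job must still talk to (placeholder address).
ALLOWED = {ipaddress.ip_address("10.0.0.5")}

_PID = re.compile(r"^\[pid\s+(\d+)\]")
_PORT = re.compile(r"sin6?_port=htons\((\d+)\)")
_ADDR = re.compile(r'(?:inet_addr\(|inet_pton\(AF_INET6, )"([^"]+)"')


def outbound_connects(trace, allowed=ALLOWED):
    """Return (pid, ip, port) for each connect() to a non-loopback, non-allowed IP.

    Attempts count even when the syscall failed: the attempt is the violation.
    """
    hits = []
    for line in trace.splitlines():
        if "connect(" not in line:
            continue
        addr, port = _ADDR.search(line), _PORT.search(line)
        if not (addr and port):  # AF_UNIX and other non-IP sockets
            continue
        ip = ipaddress.ip_address(addr.group(1))
        if ip.is_loopback or ip in allowed:
            continue
        pid = _PID.match(line)
        hits.append((int(pid.group(1)) if pid else None, str(ip), int(port.group(1))))
    return hits


def build_verdict(trace, allowed=ALLOWED):
    """Exit status for the job: 1 if anything left the allowed set, else 0."""
    return 1 if outbound_connects(trace, allowed) else 0


if __name__ == "__main__":
    for pid, ip, port in outbound_connects(SAMPLE_TRACE):
        print(f"pid {pid} attempted {ip}:{port}")
    raise SystemExit(build_verdict(SAMPLE_TRACE))
```

Because the check works on the addresses passed to `connect()`, it does not depend on whether the destination was resolved through DNS or hard-coded.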


[JIRA] (OVIRT-1170) add option to disable networking (or have it off by default)

2017-02-20 Thread Greg Sheremeta (oVirt JIRA)

Greg Sheremeta created OVIRT-1170:
-

 Summary: add option to disable networking (or have it off by default)
 Key: OVIRT-1170
 URL: https://ovirt-jira.atlassian.net/browse/OVIRT-1170
 Project: oVirt - virtualization made easy
 Issue Type: New Feature
 Reporter: Greg Sheremeta
 Assignee: infra


Add option to disable networking (or have it off by default). Basically, we 
want to prevent a job from accessing the internet if we want repeatable builds 
and/or are doing a downstream build somewhere else. Other/downstream build 
environments often have networking off. Copr has an option: (See: 
https://lists.fedorahosted.org/archives/list/copr-de...@lists.fedorahosted.org/thread/LZZPJ534ZDRD7YYFDC3BXDUVVPF5B735/
 )

In particular, the ovirt-engine-nodejs-modules build-artifacts job *tries* to 
stay offline, but an evil node module called 'phantomjs' connects to the 
internet in a post-offline-install hook. I'd like the option to disallow that 
and have the build fail.


