Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Make sure nothing is pulled from the outside when installing #713

Closed
nootal opened this issue Mar 7, 2019 · 3 comments · Fixed by #1377
Closed

Make sure nothing is pulled from the outside when installing #713

nootal opened this issue Mar 7, 2019 · 3 comments · Fixed by #1377
Labels
complexity:easy Something that requires less than a day to fix topic:ci Continuous integration and build orchestration topic:deployment Bugs in or enhancements to deployment stages
Milestone
MetalK8s 2.0.0-al...

Comments

@nootal
Copy link
Contributor

nootal commented Mar 7, 2019
edited by gdemonet
Loading

The ISO should be self-sufficient and contains everything necessary for an offline installation.
Any connection to the outside (internet, proxy cache, etc.) should be forbidden in the CI environments.

However, Vagrant being essentially a development tool, we will not enforce offline mode there (we may add an option to enable it in the future).
@nootal nootal added topic:deployment Bugs in or enhancements to deployment stages moonshot topic:ci Continuous integration and build orchestration labels Mar 7, 2019
@nootal nootal added this to the MetalK8s 2.0.0-alpha2 milestone Mar 7, 2019
@nootal nootal removed this from the MetalK8s 2.0.0-alpha2 milestone Mar 26, 2019
@gdemonet gdemonet added this to the MetalK8s 2.0.0-beta1 milestone Apr 2, 2019
@thomasdanan thomasdanan added the complexity:easy Something that requires less than a day to fix label May 3, 2019
@gdemonet
Copy link
Contributor

This will need changes to some tests, which rely on having access to Docker Hub for retrieving a busybox image. We should replace it with another utility image available offline, as described in #1093

sayf-eddine-scality added a commit that referenced this issue Jun 17, 2019
@sayf-eddine-scality
Limit build env access to NA/EUROPE networks
562e600 
relates: #713
sayf-eddine-scality added a commit that referenced this issue Jun 17, 2019
@sayf-eddine-scality
Limit build env access to NA/EUROPE networks
6169300 
relates: #713
sayf-eddine-scality added a commit that referenced this issue Jun 18, 2019
@sayf-eddine-scality
Limit build env access to NA/EUROPE networks
872d694 
relates: #713
@sayf-eddine-scality sayf-eddine-scality self-assigned this Jun 18, 2019
sayf-eddine-scality added a commit that referenced this issue Jun 18, 2019
@sayf-eddine-scality
Limit build env access to NA/EUROPE networks
5d9f409 
relates: #713
sayf-eddine-scality added a commit that referenced this issue Jun 18, 2019
@sayf-eddine-scality
Limit build env access to NA/EUROPE networks
d0373b6 
relates: #713
@gdemonet gdemonet removed the complexity:easy Something that requires less than a day to fix label Jun 25, 2019
@sayf-eddine-scality sayf-eddine-scality added the complexity:easy Something that requires less than a day to fix label Jul 2, 2019
@gdemonet gdemonet self-assigned this Jul 3, 2019
gdemonet added a commit that referenced this issue Jul 3, 2019
@gdemonet
WIP - constrain egress rules in CI MetalK8s nodes
85e6e1e 
Fixes: #713
gdemonet added a commit that referenced this issue Jul 5, 2019
@gdemonet
Constrain egress rules in CI for MetalK8s nodes
d8b2b3f 
We remove the default egress rules created for a security group. We then
add special egress rules to allow:
- connections to the "metadata service", used by cloud-init to retrieve
SSH keys at spawn time
- connections to the DNS servers in the tenant network

We also add an extra security group, with default egress rules, for the
Bastion, which needs Internet access.

Fixes: #713
gdemonet added a commit that referenced this issue Jul 5, 2019
@gdemonet
Constrain egress rules in CI for MetalK8s nodes
47cfc42 
We remove the default egress rules created for a security group. We then
add special egress rules to allow:
- connections to the "metadata service", used by cloud-init to retrieve
SSH keys at spawn time
- connections to the DNS servers in the tenant network

We also add an extra security group, with default egress rules, for the
Bastion, which needs Internet access.

Fixes: #713
gdemonet added a commit that referenced this issue Jul 5, 2019
@gdemonet
Constrain egress rules in CI for MetalK8s nodes
888c617 
We remove the default egress rules created for a security group. We then
add special egress rules to allow:
- connections to the "metadata service", used by cloud-init to retrieve
SSH keys at spawn time
- connections to the DNS servers in the tenant network

We also add an extra security group, with default egress rules, for the
Bastion, which needs Internet access.

Fixes: #713
@gdemonet gdemonet mentioned this issue Jul 8, 2019
Merged
@gdemonet
Copy link
Contributor

Since the introduction of #1928, which removed the base, extras and updates repos from our ISO (see dfabb91), we disabled the egress constraints in CI (see c1fbf76).

Reopening this issue to make sure we re-enable the "offline mode" in CI.

@gdemonet gdemonet reopened this Feb 16, 2021
@gdemonet gdemonet removed their assignment Feb 17, 2021
@gdemonet
Copy link
Contributor

Closed by #3151 - note that RHEL tests are still running online, due to a limitation in our infrastructure.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
complexity:easy Something that requires less than a day to fix topic:ci Continuous integration and build orchestration topic:deployment Bugs in or enhancements to deployment stages
Projects
None yet
Milestone
MetalK8s 2.0.0-alpha4
Development

Successfully merging a pull request may close this issue.

Run multi-nodes CI stage offline scality/metalk8s
4 participants
@nootal @thomasdanan @sayf-eddine-scality @gdemonet