Re: [Pgbuildfarm-members] VPN option?

Lists: buildfarm-members
From: Andrew Dunstan <andrew(at)dunslane(dot)net>
To: PGBuildFarm <pgbuildfarm-members(at)pgfoundry(dot)org>
Subject: [Pgbuildfarm-members] VPN option?
Date: 2006-06-20 17:56:36
Message-ID: 449836D4.9080100@dunslane.net


I had an idea today that could be useful. How would members feel about
providing a VPN using OpenVPN, connecting back to a server with very
tightly controlled privileges - maybe Tom Lane and I would be the only
people allowed to connect back to the client machines, or maybe
committers - at any rate some very small group. This would of course be
optional, but it might help to short-circuit problem fixes.

Note: OpenVPN supports almost all the platforms we support, which is one
reason I picked it, but I am open to other suggestions.

Does this seem like a good idea to anyone?

Another question would be how we manage it? Nail up connections or make
them on demand? If on demand then the clients would need to poll the
server to see if a connection is needed.

cheers

andrew


From: David Fetter <david(at)fetter(dot)org>
To: Andrew Dunstan <andrew(at)dunslane(dot)net>
Cc: PGBuildFarm <pgbuildfarm-members(at)pgfoundry(dot)org>
Subject: Re: [Pgbuildfarm-members] VPN option?
Date: 2006-06-20 18:24:32
Message-ID: 20060620182432.GC29372@fetter.org
Lists: buildfarm-members

On Tue, Jun 20, 2006 at 01:56:36PM -0400, Andrew Dunstan wrote:

> I had an idea today that could be useful. How would members feel
> about providing a VPN using OpenVPN, connecting back to a server
> with very tightly controlled privileges - maybe Tom Lane and I would
> be the only people allowed to connect back to the client machines,
> or maybe committers - at any rate some very small group. This would
> of course be optional, but it might help to short-circuit problem
> fixes.

I'm in, and I trust you guys not to mess up my machine. :)

> Note: OpenVPN supports almost all the platforms we support, which is
> one reason I picked it, but I am open to other suggestions.
>
> Does this seem like a good idea to anyone?
>
> Another question would be how we manage it? Nail up connections or
> make them on demand? If on demand then the clients would need to
> poll the server to see if a connection is needed.

How is communication with the server handled right now?

Cheers,
D
--
David Fetter <david(at)fetter(dot)org> http://fetter.org/
phone: +1 415 235 3778 AIM: dfetter666
Skype: davidfetter

Remember to vote!


From: Darcy Buskermolen <darcy(at)wavefire(dot)com>
To: pgbuildfarm-members(at)pgfoundry(dot)org
Subject: Re: [Pgbuildfarm-members] VPN option?
Date: 2006-06-20 18:35:44
Message-ID: 200606201135.46182.darcy@wavefire.com
Lists: buildfarm-members

On Tuesday 20 June 2006 10:56, Andrew Dunstan wrote:
> I had an idea today that could be useful. How would members feel about
> providing a VPN using OpenVPN, connecting back to a server with very
> tightly controlled privileges - maybe Tom Lane and I would be the only
> people allowed to connect back to the client machines, or maybe
> committers - at any rate some very small group. This would of course be
> optional, but it might help to short-circuit problem fixes.
>
> Note: OpenVPN supports almost all the platforms we support, which is one
> reason I picked it, but I am open to other suggestions.
>
> Does this seem like a good idea to anyone?

Personally I like this idea, provided that the VPN can work over a nat'd
connection.

>
> Another question would be how we manage it? Nail up connections or make
> them on demand? If on demand then the clients would need to poll the
> server to see if a connection is needed.
>
> cheers
>
> andrew
> _______________________________________________
> Pgbuildfarm-members mailing list
> Pgbuildfarm-members(at)pgfoundry(dot)org
> http://pgfoundry.org/mailman/listinfo/pgbuildfarm-members

--
Darcy Buskermolen
Wavefire Technologies Corp.

http://www.wavefire.com
ph: 250.717.0200
fx: 250.763.1759


From: Dave Cramer <davec(at)postgresintl(dot)com>
To: David Fetter <david(at)fetter(dot)org>
Cc: PGBuildFarm <pgbuildfarm-members(at)pgfoundry(dot)org>
Subject: Re: [Pgbuildfarm-members] VPN option?
Date: 2006-06-20 18:48:07
Message-ID: 42D4071D-899B-4358-A229-E5D3157FBDCA@postgresintl.com
Lists: buildfarm-members

Does OpenVPN support multiple VPNs?

I already use OpenVPN for my day job.

Dave
On 20-Jun-06, at 2:24 PM, David Fetter wrote:

> On Tue, Jun 20, 2006 at 01:56:36PM -0400, Andrew Dunstan wrote:
>
>> I had an idea today that could be useful. How would members feel
>> about providing a VPN using OpenVPN, connecting back to a server
>> with very tightly controlled privileges - maybe Tom Lane and I would
>> be the only people allowed to connect back to the client machines,
>> or maybe committers - at any rate some very small group. This would
>> of course be optional, but it might help to short-circuit problem
>> fixes.
>
> I'm in, and I trust you guys not to mess up my machine. :)
>
>> Note: OpenVPN supports almost all the platforms we support, which is
>> one reason I picked it, but I am open to other suggestions.
>>
>> Does this seem like a good idea to anyone?
>>
>> Another question would be how we manage it? Nail up connections or
>> make them on demand? If on demand then the clients would need to
>> poll the server to see if a connection is needed.
>
> How is communication with the server handled right now?
>
> Cheers,
> D
> --
> David Fetter <david(at)fetter(dot)org> http://fetter.org/
> phone: +1 415 235 3778 AIM: dfetter666
> Skype: davidfetter
>
> Remember to vote!
> _______________________________________________
> Pgbuildfarm-members mailing list
> Pgbuildfarm-members(at)pgfoundry(dot)org
> http://pgfoundry.org/mailman/listinfo/pgbuildfarm-members
>


From: Stefan Kaltenbrunner <stefan(at)kaltenbrunner(dot)cc>
To: Andrew Dunstan <andrew(at)dunslane(dot)net>
Cc: PGBuildFarm <pgbuildfarm-members(at)pgfoundry(dot)org>
Subject: Re: [Pgbuildfarm-members] VPN option?
Date: 2006-06-20 18:54:39
Message-ID: 4498446F.2020905@kaltenbrunner.cc
Lists: buildfarm-members

Andrew Dunstan wrote:
> I had an idea today that could be useful. How would members feel about
> providing a VPN using OpenVPN, connecting back to a server with very
> tightly controlled privileges - maybe Tom Lane and I would be the only
> people allowed to connect back to the client machines, or maybe
> committers - at any rate some very small group. This would of course be
> optional, but it might help to short-circuit problem fixes.
>
> Note: OpenVPN supports almost all the platforms we support, which is one
> reason I picked it, but I am open to other suggestions.
>
> Does this seem like a good idea to anyone?

I can see that this might be of help sometimes but I can see some issues
with that too:

*) not completely sure on that (somebody might correct me) - but I would
assume that openvpn would require root or similar privileges since it
might fiddle with routing or such - until now one was able to run the
buildfarm script completely as a non-superuser

*) iirc openvpn had a number of security issues over the last years -
that might add some additional maintenance burden (especially if
openvpn is not packaged for a certain OS or if the OS is not supported
any more upstream)

*) it would require to open at least one additional port on a firewall
(if the box is behind one) outbound which might be an issue in some
environments

*) some of us might already operate openVPN on their network or even
the buildfarm boxes - might cause some issues ...

*) I suspect that maintaining that VPN (from your POV) might be quite
some work especially wrt debugging since that might require help from
your (the server) side.

For me out of the 5 or so Boxes I have on the buildfarm I could only
give (24x7) local shell access away on two of them and on those Tom
already has a shell ...

Stefan


From: Stefan Kaltenbrunner <stefan(at)kaltenbrunner(dot)cc>
To: PGBuildFarm <pgbuildfarm-members(at)pgfoundry(dot)org>
Subject: Re: [Pgbuildfarm-members] VPN option?
Date: 2006-06-20 19:01:13
Message-ID: 449845F9.7020306@kaltenbrunner.cc
Lists: buildfarm-members

Stefan Kaltenbrunner wrote:
> Andrew Dunstan wrote:
>> I had an idea today that could be useful. How would members feel about
>> providing a VPN using OpenVPN, connecting back to a server with very
>> tightly controlled privileges - maybe Tom Lane and I would be the only
>> people allowed to connect back to the client machines, or maybe
>> committers - at any rate some very small group. This would of course be
>> optional, but it might help to short-circuit problem fixes.
>>
>> Note: OpenVPN supports almost all the platforms we support, which is one
>> reason I picked it, but I am open to other suggestions.
>>
>> Does this seem like a good idea to anyone?
>
> I can see that this might be of help sometimes but I can see some issues
> with that too:
>
> *) not completely sure on that (somebody might correct me) - but I would
> assume that openvpn would require root or similar privileges since it
> might fiddle with routing or such - until now one was able to run the
> buildfarm script completely as a non-superuser
>
> *) iirc openvpn had a number of security issues over the last years -
> that might add some additional maintenance burden (especially if
> openvpn is not packaged for a certain OS or if the OS is not supported
> any more upstream)
>
> *) it would require to open at least one additional port on a firewall
> (if the box is behind one) outbound which might be an issue in some
> environments
>
> *) some of us might already operate openVPN on their network or even
> the buildfarm boxes - might cause some issues ...
>
> *) I suspect that maintaining that VPN (from your POV) might be quite
> some work especially wrt debugging since that might require help from
> your (the server) side.

*) it would still require handing out individual user-accounts to all
"trusted" people or a per host/buildfarm member unique password stored
somewhere on the "server" for the user the script itself runs under ...

Stefan


From: "Andrew Dunstan" <andrew(at)dunslane(dot)net>
To: <stefan(at)kaltenbrunner(dot)cc>
Cc: pgbuildfarm-members(at)pgfoundry(dot)org
Subject: Re: [Pgbuildfarm-members] VPN option?
Date: 2006-06-20 22:13:09
Message-ID: 1645.24.211.165.134.1150841589.squirrel@www.dunslane.net
Lists: buildfarm-members


Tom has told me he prefers to do things on an ad hoc basis anyway, so we'll
just let it drop.

cheers

andrew

Stefan Kaltenbrunner said:
> Stefan Kaltenbrunner wrote:
>> Andrew Dunstan wrote:
>>> I had an idea today that could be useful. How would members feel
>>> about providing a VPN using OpenVPN, connecting back to a server
>>> with very tightly controlled privileges - maybe Tom Lane and I would
>>> be the only people allowed to connect back to the client machines,
>>> or maybe committers - at any rate some very small group. This would
>>> of course be optional, but it might help to short-circuit problem
>>> fixes.
>>>
>>> Note: OpenVPN supports almost all the platforms we support, which is
>>> one reason I picked it, but I am open to other suggestions.
>>>
>>> Does this seem like a good idea to anyone?
>>
>> I can see that this might be of help sometimes but I can see some
>> issues with that too:
>>
>> *) not completely sure on that (somebody might correct me) - but I
>> would assume that openvpn would require root or similar privileges
>> since it might fiddle with routing or such - until now one was able to
>> run the buildfarm script completely as a non-superuser
>>
>> *) iirc openvpn had a number of security issues over the last years -
>> that might add some additional maintenance burden (especially if
>> openvpn is not packaged for a certain OS or if the OS is not supported
>> any more upstream)
>>
>> *) it would require to open at least one additional port on a firewall
>> (if the box is behind one) outbound which might be an issue in some
>> environments
>>
>> *) some of us might already operate openVPN on their network or even
>> the buildfarm boxes - might cause some issues ...
>>
>> *) I suspect that maintaining that VPN (from your POV) might be quite
>> some work especially wrt debugging since that might require help from
>> your (the server) side.
>
> *) it would still require handing out individual user-accounts to all
> "trusted" people or a per host/buildfarm member unique password stored
> somewhere on the "server" for the user the script itself runs under ...
>
>
> Stefan
> _______________________________________________
> Pgbuildfarm-members mailing list
> Pgbuildfarm-members(at)pgfoundry(dot)org
> http://pgfoundry.org/mailman/listinfo/pgbuildfarm-members


From: Dave Cramer <davec(at)postgresintl(dot)com>
To: Andrew Dunstan <andrew(at)dunslane(dot)net>
Cc: PGBuildFarm <pgbuildfarm-members(at)pgfoundry(dot)org>
Subject: Re: [Pgbuildfarm-members] VPN option?
Date: 2006-06-21 11:04:44
Message-ID: 7E0216B0-2A73-4043-9202-8ED9AAB8EBF2@postgresintl.com
Lists: buildfarm-members

Andrew,

It would actually be useful to set this up and leave the clients
disconnected. That way if Tom or others did need access they could
get it easily.

I've got an OpenVPN server running, the protocol can tunnel through
anything.

So setting it up and issuing keys to whomever wanted them would allow
connections to be made easily.

Dave
On 20-Jun-06, at 6:13 PM, Andrew Dunstan wrote:

>
> Tom has told me he prefers to do things on an ad hoc basis anyway,
> so we'll just let it drop.
>
> cheers
>
> andrew
>
> Stefan Kaltenbrunner said:
>> Stefan Kaltenbrunner wrote:
>>> Andrew Dunstan wrote:
>>>> I had an idea today that could be useful. How would members feel
>>>> about providing a VPN using OpenVPN, connecting back to a server
>>>> with very tightly controlled privileges - maybe Tom Lane and I would
>>>> be the only people allowed to connect back to the client machines,
>>>> or maybe committers - at any rate some very small group. This would
>>>> of course be optional, but it might help to short-circuit problem
>>>> fixes.
>>>>
>>>> Note: OpenVPN supports almost all the platforms we support, which is
>>>> one reason I picked it, but I am open to other suggestions.
>>>>
>>>> Does this seem like a good idea to anyone?
>>>
>>> I can see that this might be of help sometimes but I can see some
>>> issues with that too:
>>>
>>> *) not completely sure on that (somebody might correct me) - but I
>>> would assume that openvpn would require root or similar privileges
>>> since it might fiddle with routing or such - until now one was able to
>>> run the buildfarm script completely as a non-superuser
>>>
>>> *) iirc openvpn had a number of security issues over the last years -
>>> that might add some additional maintenance burden (especially if
>>> openvpn is not packaged for a certain OS or if the OS is not supported
>>> any more upstream)
>>>
>>> *) it would require to open at least one additional port on a firewall
>>> (if the box is behind one) outbound which might be an issue in some
>>> environments
>>>
>>> *) some of us might already operate openVPN on their network or even
>>> the buildfarm boxes - might cause some issues ...
>>>
>>> *) I suspect that maintaining that VPN (from your POV) might be quite
>>> some work especially wrt debugging since that might require help from
>>> your (the server) side.
>>
>> *) it would still require handing out individual user-accounts to all
>> "trusted" people or a per host/buildfarm member unique password stored
>> somewhere on the "server" for the user the script itself runs under ...
>>
>>
>> Stefan
>> _______________________________________________
>> Pgbuildfarm-members mailing list
>> Pgbuildfarm-members(at)pgfoundry(dot)org
>> http://pgfoundry.org/mailman/listinfo/pgbuildfarm-members
>
>
>
> _______________________________________________
> Pgbuildfarm-members mailing list
> Pgbuildfarm-members(at)pgfoundry(dot)org
> http://pgfoundry.org/mailman/listinfo/pgbuildfarm-members
>