From: | "Andrew Dunstan" <andrew(at)dunslane(dot)net> |
---|---|
To: | <stefan(at)kaltenbrunner(dot)cc> |
Cc: | pgbuildfarm-members(at)pgfoundry(dot)org |
Subject: | Re: [Pgbuildfarm-members] VPN option? |
Date: | 2006-06-20 22:13:09 |
Message-ID: | 1645.24.211.165.134.1150841589.squirrel@www.dunslane.net |
Lists: | buildfarm-members |
Tom has told me he prefers to do things on an ad hoc basis anyway, so we'll
just let it drop.
cheers
andrew
Stefan Kaltenbrunner said:
> Stefan Kaltenbrunner wrote:
>> Andrew Dunstan wrote:
>>> I had an idea today that could be useful. How would members feel
>>> about providing a VPN using OpenVPN, connecting back to a server
>>> with very tightly controlled privileges - maybe Tom Lane and I would
>>> be the only people allowed to connect back to the client machines,
>>> or maybe committers - at any rate some very small group. This would
>>> of course be optional, but it might help to short-circuit problem
>>> fixes.
>>>
>>> Note: OpenVPN supports almost all the platforms we support, which is
>>> one reason I picked it, but I am open to other suggestions.
>>>
>>> Does this seem like a good idea to anyone?
>>
>> I can see that this might be of help sometimes but I can see some
>> issues with that too:
>>
>> *) not completely sure on that (somebody might correct me) - but I
>> would assume that openvpn would require root or similar privileges
>> since it might fiddle with routing or such - until now one was able to
>> run the buildfarm script completely as a non-superuser
>>
>> *) iirc openvpn had a number of security issues over the last years -
>> that might add some additional maintenance burden (especially if
>> openvpn is not packaged for a certain OS or if the OS is not supported
>> any more upstream)
>>
>> *) it would require to open at least one additional port on a firewall
>> (if the box is behind one) outbound which might be an issue in some
>> environments
>>
>> *) some of us might already operate openVPN on their network or even
>> the buildfarm boxes - might cause some issues ...
>>
>> *) I suspect that maintaining that VPN (from your POV) might be quite
>> some work especially wrt debugging since that might require help from
>> your (the server) side.
>
> *) it would still require handing out individual user-accounts to all
> "trusted" people or a per host/buildfarm member unique password stored
> somewhere on the "server" for the user the script itself runs under ...
>
>
> Stefan