Re: [Pgbuildfarm-members] VPN option?

Andrew Dunstan wrote:
> I had an idea today that could be useful. How would members feel about
> providing a VPN using OpenVPN, connecting back to a server with very
> tightly controlled privileges - maybe Tom Lane and I would be the only
> people allowed to connect back to the client machines, or maybe
> committers - at any rate some very small group. This would of course be
> optional, but it might help to short-circuit problem fixes.
>
> Note: OpenVPN supports almost all the platforms we support, which is one
> reason I picked it, but I am open to other suggestions.
>
> Does this seem like a good idea to anyone?

I can see that this might be of help sometimes but i can see some issues
with that too:

*) not completely sure on that(somebody might correct me) - but I would
assume that openvpn would require root or similiar privileges since it
might fiddle with routing or such - until now one was able to run the
buildfarm script completely as a non-superuser

*) iirc openvpn had a number of security issues over the last years -
that might add some additional maintainance burden (especially if
openvpn is not packaged for a certain OS or if the OS is not supported
any more upstream)

*) it would require to open at least on additional port on a firewall
(if the box is behind one) outbound whihc might be an issue in some
environments

*) some of use might already operate openVPN on their network or even
the buildfarm boxes - might cause some issues ...

*) i suspect that maintaining that VPN (from your POV) might be quite
some work especially wrt debugging since that might require help from
your (the server) side.

for me out of the 5 or so Boxes I have on the buildfarm i could only
give (24x7) local shell access away on two of them and on those tom
already has a shell ...

Stefan