From: | Stefan Kaltenbrunner <stefan(at)kaltenbrunner(dot)cc> |
---|---|
To: | PGBuildFarm <pgbuildfarm-members(at)pgfoundry(dot)org> |
Subject: | Re: [Pgbuildfarm-members] VPN option? |
Date: | 2006-06-20 19:01:13 |
Message-ID: | 449845F9.7020306@kaltenbrunner.cc |
Lists: | buildfarm-members |
Stefan Kaltenbrunner wrote:
> Andrew Dunstan wrote:
>> I had an idea today that could be useful. How would members feel about
>> providing a VPN using OpenVPN, connecting back to a server with very
>> tightly controlled privileges - maybe Tom Lane and I would be the only
>> people allowed to connect back to the client machines, or maybe
>> committers - at any rate some very small group. This would of course be
>> optional, but it might help to short-circuit problem fixes.
>>
>> Note: OpenVPN supports almost all the platforms we support, which is one
>> reason I picked it, but I am open to other suggestions.
>>
>> Does this seem like a good idea to anyone?
>
> I can see that this might be of help sometimes but I can see some issues
> with that too:
>
> *) not completely sure on that (somebody might correct me) - but I would
> assume that openvpn would require root or similar privileges since it
> might fiddle with routing or such - until now one was able to run the
> buildfarm script completely as a non-superuser
>
> *) iirc openvpn had a number of security issues over the last years -
> that might add some additional maintenance burden (especially if
> openvpn is not packaged for a certain OS or if the OS is not supported
> any more upstream)
>
> *) it would require opening at least one additional port on a firewall
> (if the box is behind one) outbound which might be an issue in some
> environments
>
> *) some of us might already operate openVPN on their network or even
> the buildfarm boxes - might cause some issues ...
>
> *) I suspect that maintaining that VPN (from your POV) might be quite
> some work especially wrt debugging since that might require help from
> your (the server) side.

*) it would still require handing out individual user-accounts to all
"trusted" people or a per host/buildfarm member unique password stored
somewhere on the "server" for the user the script itself runs under ...

Stefan