Re: [Pgbuildfarm-members] VPN option?

From: Stefan Kaltenbrunner <stefan(at)kaltenbrunner(dot)cc>
To: PGBuildFarm <pgbuildfarm-members(at)pgfoundry(dot)org>
Subject: Re: [Pgbuildfarm-members] VPN option?
Date: 2006-06-20 19:01:13
Message-ID: 449845F9.7020306@kaltenbrunner.cc
Lists: buildfarm-members

Stefan Kaltenbrunner wrote:
> Andrew Dunstan wrote:
>> I had an idea today that could be useful. How would members feel about
>> providing a VPN using OpenVPN, connecting back to a server with very
>> tightly controlled privileges - maybe Tom Lane and I would be the only
>> people allowed to connect back to the client machines, or maybe
>> committers - at any rate some very small group. This would of course be
>> optional, but it might help to short-circuit problem fixes.
>>
>> Note: OpenVPN supports almost all the platforms we support, which is one
>> reason I picked it, but I am open to other suggestions.
>>
>> Does this seem like a good idea to anyone?
>
> I can see that this might be of help sometimes but I can see some issues
> with that too:
>
> *) not completely sure on that (somebody might correct me) - but I would
> assume that openvpn would require root or similar privileges since it
> might fiddle with routing or such - until now one was able to run the
> buildfarm script completely as a non-superuser
>
> *) iirc openvpn had a number of security issues over the last years -
> that might add some additional maintenance burden (especially if
> openvpn is not packaged for a certain OS or if the OS is not supported
> any more upstream)
>
> *) it would require to open at least one additional port on a firewall
> (if the box is behind one) outbound which might be an issue in some
> environments
>
> *) some of us might already operate openVPN on their network or even
> the buildfarm boxes - might cause some issues ...
>
> *) I suspect that maintaining that VPN (from your POV) might be quite
> some work especially wrt debugging since that might require help from
> your (the server) side.

*) it would still require handing out individual user-accounts to all
"trusted" people or a per host/buildfarm member unique password stored
somewhere on the "server" for the user the script itself runs under ...

Stefan
