Re: [Pgbuildfarm-members] VPN option?

From: Dave Cramer <davec(at)postgresintl(dot)com>
To: Andrew Dunstan <andrew(at)dunslane(dot)net>
Cc: PGBuildFarm <pgbuildfarm-members(at)pgfoundry(dot)org>
Subject: Re: [Pgbuildfarm-members] VPN option?
Date: 2006-06-21 11:04:44
Message-ID: 7E0216B0-2A73-4043-9202-8ED9AAB8EBF2@postgresintl.com
Lists: buildfarm-members

Andrew,

It would actually be useful to set this up and leave the clients
disconnected. That way if Tom or others did need access they could
get it easily.

I've got an OpenVPN server running; the protocol can tunnel through
anything.

So setting it up and issuing keys to whoever wanted them would allow
connections to be made easily.

Dave

On 20-Jun-06, at 6:13 PM, Andrew Dunstan wrote:

>
> Tom has told me he prefers to do things on an ad hoc basis anyway.
> So we'll just let it drop.
>
> cheers
>
> andrew
>
> Stefan Kaltenbrunner said:
>> Stefan Kaltenbrunner wrote:
>>> Andrew Dunstan wrote:
>>>> I had an idea today that could be useful. How would members feel
>>>> about providing a VPN using OpenVPN, connecting back to a server
>>>> with very tightly controlled privileges - maybe Tom Lane and I would
>>>> be the only people allowed to connect back to the client machines,
>>>> or maybe committers - at any rate some very small group. This would
>>>> of course be optional, but it might help to short-circuit problem
>>>> fixes.
>>>>
>>>> Note: OpenVPN supports almost all the platforms we support, which is
>>>> one reason I picked it, but I am open to other suggestions.
>>>>
>>>> Does this seem like a good idea to anyone?
>>>
>>> I can see that this might be of help sometimes but I can see some
>>> issues with that too:
>>>
>>> *) not completely sure on that (somebody might correct me) - but I
>>> would assume that openvpn would require root or similar privileges
>>> since it might fiddle with routing or such - until now one was able to
>>> run the buildfarm script completely as a non-superuser
>>>
>>> *) iirc openvpn had a number of security issues over the last years -
>>> that might add some additional maintenance burden (especially if
>>> openvpn is not packaged for a certain OS or if the OS is not supported
>>> any more upstream)
>>>
>>> *) it would require opening at least one additional port on a firewall
>>> (if the box is behind one) outbound, which might be an issue in some
>>> environments
>>>
>>> *) some of us might already operate openVPN on their network or even
>>> the buildfarm boxes - might cause some issues ...
>>>
>>> *) I suspect that maintaining that VPN (from your POV) might be quite
>>> some work especially wrt debugging since that might require help from
>>> your (the server) side.
>>
>> *) it would still require handing out individual user-accounts to all
>> "trusted" people or a per host/buildfarm member unique password stored
>> somewhere on the "server" for the user the script itself runs under ...
>>
>>
>> Stefan
>> _______________________________________________
>> Pgbuildfarm-members mailing list
>> Pgbuildfarm-members(at)pgfoundry(dot)org
>> http://pgfoundry.org/mailman/listinfo/pgbuildfarm-members
>
