add option to disable networking (or have it off by default)

Description

Add option to disable networking (or have it off by default). Basically, we want to prevent a job from accessing the internet if we want repeatable builds and/or are doing a downstream build somewhere else. Other/downstream build environments often have networking off. Copr has an option (see: https://lists.fedorahosted.org/archives/list/copr-devel@lists.fedorahosted.org/thread/LZZPJ534ZDRD7YYFDC3BXDUVVPF5B735/).

In particular, the ovirt-engine-nodejs-modules build-artifacts job tries to stay offline, but an evil node module called 'phantomjs' connects to the internet in a post-offline-install hook. I'd like the option to disallow that and have the build fail.

Activity

Eyal Edri September 28, 2017 at 7:58 AM

No reply on this ticket. If it is needed in the future, please reopen it with relevant info.

Eyal Edri August 8, 2017 at 2:20 PM

ping

Greg Sheremeta March 20, 2017 at 3:05 PM

Yes, still need this. I just haven't gotten back to it yet. I'll test soon.

Eyal Edri March 20, 2017 at 2:43 PM

Do we still need it?
If it didn't work out in check-patch, another option is to add an OST test for it.

Greg Sheremeta February 21, 2017 at 6:26 PM

Nod, I'll test it.

Barak Korren February 21, 2017 at 5:57 PM

Oh sorry that should have been:

Or perhaps more safely:

This should be safe enough, and will block anything that does not use direct IP addresses to access outside resources.

Greg Sheremeta February 21, 2017 at 5:47 PM

I'm not familiar with what removing /etc/hosts would do (I would have guessed nothing helpful).

Shutting off access to known problematic domains is helpful, but won't catch when we pull in new dependencies that access domains we don't know about. So I'm afraid this won't really help anything.

Barak Korren February 21, 2017 at 8:41 AM

Could this be resolved at the automation script level with something like:

Or

?

Hermetically shutting off the connection is not easily achievable at this point because we need the connection to talk back to Jenkins, and the automation scripts are not running in their own network namespace (Until we get around to implementing )

Done

Details

Created February 20, 2017 at 10:49 PM
Updated October 1, 2017 at 10:57 AM
Resolved September 28, 2017 at 7:58 AM