Operations grimoire/DevCentral

From Nasqueron Agora

DevCentral is the name of our Phabricator instance.

Security

CI access

Jenkins can deploy code. Only trusted users should get access to Jenkins.

A Jenkinsfile can request whatever node label it wants, so separating secure and non-secure nodes by label is no longer sufficient since the Jenkins 2.0 migration.

To open our CI more widely, we probably need two Jenkins masters: one with access only to its own group of non-trusted nodes, isolated from the Jenkins that deploys.

To secure the access to CI:

  • we maintain a group Trusted users, containing users trusted not to send malicious code to CI
  • Herald rules triggering a job should check that the author's projects include all of Trusted users
  • when creating a new build plan, it should only be visible to trusted users (it exposes the Jenkins token used to trigger a new job)

Troubleshoot

devcentral.nasqueron.org port 5022: Connection refused

$ git push
ssh: connect to host devcentral.nasqueron.org port 5022: Connection refused
fatal: Could not read from remote repository.

That requires two things:

  • an SSH server launched on port 22 of the devcentral Docker container, to serve repositories (not a staging area): http://pad.wolfplex.be/p/DevCentral
  • an iptables rule to forward the port: iptables -t nat -I PREROUTING -i ens192 -p TCP -d 212.129.32.223/32 --dport 5022 -j DNAT --to-destination 172.17.0.5:22
  • if the container IP changed, check with iptables -t nat -L PREROUTING for a stale entry pointing at the old IP (port 5022 is displayed as "mice", its /etc/services name):
    • To remove the old: iptables -t nat -D PREROUTING -i ens192 -p TCP -d 212.129.32.223/32 --dport 5022 -j DNAT --to-destination 172.17.0.139:22
    • To add the new: iptables -t nat -I PREROUTING -i ens192 -p TCP -d 212.129.32.223/32 --dport 5022 -j DNAT --to-destination 172.17.0.5:22
    • To check the rules: iptables -t nat -L PREROUTING | grep mice
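The manual check-remove-add sequence above is easy to get wrong when the container IP has changed more than once, because every stale DNAT entry keeps matching the port. The following POSIX sh helper is an added example, not part of the Nasqueron grimoire: it parses the output of iptables -t nat -S PREROUTING (the -S format is script-friendly, whereas -L shows the port as "mice"), lists every DNAT target for port 5022 that no longer matches the container's current IP, and prints the delete/insert commands to review before running them as root. The interface, public IP and port are the values from this page; the container name "devcentral" and the docker inspect lookup are assumptions.

```shell
#!/bin/sh
# Added example, not from the Nasqueron operations grimoire.
# Assumptions: interface ens192, public IP 212.129.32.223 and port 5022 as on
# this page; a Docker container named "devcentral" (assumed name) whose SSH
# server listens on port 22 on the default bridge network.

IFACE=ens192
PUBLIC_IP=212.129.32.223
PORT=5022
CONTAINER=devcentral

# Current IP of the container on the default bridge (live mode only).
current_container_ip() {
  docker inspect -f '{{.NetworkSettings.IPAddress}}' "$CONTAINER"
}

# dnat_targets LISTING
# Print the --to-destination IP of every PREROUTING DNAT rule for $PORT.
# LISTING is the text of `iptables -t nat -S PREROUTING`.
# The trailing space after $PORT keeps 5022 from matching e.g. 50220.
dnat_targets() {
  printf '%s\n' "$1" |
    grep -- "-j DNAT" |
    grep -- "--dport $PORT " |
    sed -n 's/.*--to-destination \([0-9.]*\):[0-9]*.*/\1/p'
}

# stale_targets LISTING CURRENT_IP
# Targets that differ from the container's current IP (empty when none).
stale_targets() {
  dnat_targets "$1" | grep -v "^$2\$" || true
}

# has_current_rule LISTING CURRENT_IP
# Exit 0 when a DNAT rule for $PORT already points at CURRENT_IP.
has_current_rule() {
  dnat_targets "$1" | grep -q "^$2\$"
}

# plan_dnat_fix LISTING CURRENT_IP
# Print, without running, the iptables commands that delete each stale rule
# and insert the missing one. Prints nothing when the table is already right.
plan_dnat_fix() {
  listing=$1
  ip=$2
  for old in $(stale_targets "$listing" "$ip"); do
    echo "iptables -t nat -D PREROUTING -i $IFACE -p tcp -d $PUBLIC_IP/32 --dport $PORT -j DNAT --to-destination $old:22"
  done
  if ! has_current_rule "$listing" "$ip"; then
    echo "iptables -t nat -I PREROUTING -i $IFACE -p tcp -d $PUBLIC_IP/32 --dport $PORT -j DNAT --to-destination $ip:22"
  fi
}

# Live use, as root, after reviewing the printed commands:
#   plan_dnat_fix "$(iptables -t nat -S PREROUTING)" "$(current_container_ip)"
```

The helper only prints commands; piping its output to sh is a deliberate second step so the operator sees exactly which stale targets are about to be removed. Because it deletes every target that is not the current IP, it also cleans up leftovers from several successive container restarts, which the one-at-a-time manual procedure does not.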