Remove sensitive files from build slaves

Bug #914432 reported by James E. Blair
Affects: OpenStack Core Infrastructure
Status: Fix Released
Importance: High
Assigned to: Jeremy Stanley

Bug Description

  make sure gerrit trigger plugin runs from master
  gpg key only on master, make ppa upload jobs only run on master
  ssh key only on master, make scp jobs only run on master
  launch new build slaves from master, with secret files (like for glance) in place
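One way to check the invariant the description sets out (SSH private keys, GnuPG secret keys and upload credentials live only on the master, never on a build slave) is a small filesystem audit run against a slave's home directory. The script below is an added example, not tooling from OpenStack CI; the forbidden paths, file-name patterns and the constructed sample layout it builds in a temporary directory are assumptions about where such material commonly ends up, not locations taken from this bug.

```python
"""Audit a build slave's home directory for credential material that the
policy above says belongs only on the master.

Added example, not OpenStack infra tooling. Paths and patterns are assumed
common locations, not values from the bug report.
"""
import os
import re
import shutil
import tempfile

# Relative paths that should never exist on a slave (assumed locations).
FORBIDDEN_PATHS = [
    ".gnupg/secring.gpg",         # GnuPG 1.x secret keyring
    ".gnupg/private-keys-v1.d",   # GnuPG 2.1+ private key store
    ".pypirc",                    # PyPI upload credentials
    ".dput.cf",                   # PPA upload configuration
]

# Private-key file names under ~/.ssh (the public halves end in .pub).
SSH_PRIVATE_KEY = re.compile(r"^id_(rsa|dsa|ecdsa|ed25519)$")

# Marker present in any PEM-encoded private key, wherever it was dropped.
PEM_PRIVATE = b"PRIVATE KEY-----"


def audit_slave(home):
    """Return a sorted list of (relative path, reason) for secrets found under home."""
    findings = set()
    for rel in FORBIDDEN_PATHS:
        if os.path.lexists(os.path.join(home, rel)):
            findings.add((rel, "forbidden path"))
    for dirpath, _dirnames, filenames in os.walk(home):
        rel_dir = os.path.relpath(dirpath, home)
        for name in filenames:
            rel = os.path.normpath(os.path.join(rel_dir, name))
            if rel_dir == ".ssh" and SSH_PRIVATE_KEY.match(name):
                findings.add((rel, "ssh private key"))
                continue
            try:
                with open(os.path.join(dirpath, name), "rb") as f:
                    head = f.read(4096)  # the PEM header is always near the top
            except OSError:
                continue
            if PEM_PRIVATE in head:
                findings.add((rel, "PEM private key content"))
    return sorted(findings)


def build_sample_slave(home, clean=False):
    """Populate home with a constructed slave layout; clean=True writes no secrets."""
    os.makedirs(os.path.join(home, "workspace"))
    with open(os.path.join(home, "workspace", "build.log"), "w") as f:
        f.write("Finished: SUCCESS\n")  # benign job output
    if clean:
        return
    os.makedirs(os.path.join(home, ".ssh"))
    os.makedirs(os.path.join(home, ".gnupg"))
    with open(os.path.join(home, ".ssh", "id_rsa"), "wb") as f:
        f.write(b"-----BEGIN RSA PRIVATE KEY-----\nconstructed\n-----END RSA PRIVATE KEY-----\n")
    with open(os.path.join(home, ".ssh", "id_rsa.pub"), "w") as f:
        f.write("ssh-rsa AAAAconstructed jenkins@master\n")  # public half: allowed
    with open(os.path.join(home, ".gnupg", "secring.gpg"), "wb") as f:
        f.write(b"\x95\x01\xd2\x04")  # arbitrary bytes standing in for a keyring
    with open(os.path.join(home, ".pypirc"), "w") as f:
        f.write("[pypi]\nusername = constructed\npassword = constructed\n")
    with open(os.path.join(home, "workspace", "deploy.pem"), "wb") as f:
        f.write(b"-----BEGIN PRIVATE KEY-----\nconstructed\n-----END PRIVATE KEY-----\n")


def demo(clean=False):
    """Build a throwaway sample home, audit it, clean up, return the findings."""
    home = tempfile.mkdtemp(prefix="slave-home-")
    try:
        build_sample_slave(home, clean=clean)
        return audit_slave(home)
    finally:
        shutil.rmtree(home)


if __name__ == "__main__":
    for path, reason in demo():
        print("%-28s %s" % (path, reason))
```

Run against a real slave, `audit_slave` would be pointed at the Jenkins user's home; any non-empty result means a job or launch step placed master-only material on a disposable node, which is exactly the condition the description says should be impossible.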

James E. Blair (corvus)
Changed in openstack-ci:
importance: Undecided → High
status: New → Triaged
Jeremy Stanley (fungi) wrote :

I think most of this is done? I'll see what I can do to confirm and then resolve this and switch to public security.

Jeremy Stanley (fungi)
Changed in openstack-ci:
status: Triaged → In Progress
assignee: nobody → Jeremy Stanley (fungi)
milestone: none → icehouse
Jeremy Stanley (fungi) wrote :

The gerrit trigger plugin has been replaced by zuul. At this point we no longer have any OpenPGP keys or GnuPG usage in CI tooling and automation (this will change soon, but when it does we'll do it correctly and safely). We no longer perform automated PPA uploads. The Jenkins SSH keys are only on the puppet master, Jenkins masters (we have several now) and nodepool (which is now responsible for launching new disposable Jenkins slaves). Credentials to third-party systems are currently relegated to single-use slaves (pypi, proposal), or removed (Glance remote service keys).

information type: Private Security → Public Security
Changed in openstack-ci:
status: In Progress → Fix Committed
status: Fix Committed → Fix Released
This report contains Public Security information  
Everyone can see this security related information.
