[openstack-dev] Removing internet access from unit test gates

Jeremy Stanley fungi at yuggoth.org
Tue Nov 21 18:49:42 UTC 2017

On 2017-11-21 13:34:57 -0500 (-0500), Paul Belanger wrote:
> I don't think we'd need to use security groups, we could just
> setup a local firewall ruleset to do this on the node if we
> wanted.

I considered suggesting that in my original reply, but then realized
that we still have steps in the job which are going to need to do
egress (though perhaps only to our mirror servers?) and in
particular between phases of tox itself where we can't easily pause
execution to perform root tasks like injecting iptables rules. I
suppose if someone wants to write up a generic role which restricts
egress access to only allow reaching the mirror server for the
provider where that job is running, we could try adding it to some
copies of unit test jobs in a few projects to see what happens.
Jeremy Stanley
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 949 bytes
Desc: Digital signature
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20171121/2332a867/attachment.sig>

More information about the OpenStack-dev mailing list