openSUSE:Build Service private instance enabling external partners

Jump to: navigation, search

Security consideration

OBS Appliances have not been designed for direct connection to the open Internet. You must protect your appliances if you want to let external partners use them.

The only ports which need to be accessible from the external world are 80, 81 and 82. Internally you will need more ports to communicate with your obs-workers and your backup system.

My solution is to run the obs-appliance in a DMZ with a external firewall. The flexibility of the IP table allows you to limit the open ports as well as restrict the source IP addresses that can be accepted.

If your Firewall runs on a Linux server, you can also add a dedicated OpenVPN to restrict the access to your DMZ.

From version 2.3 OBS will allow to hide projects and make them not readable anymore for other users.

If you need full isolation, you might have to run an independent server for each partner. OBS appliances are also available as WmWare and XEN images which should ease this type of implementation.

Managing Changes

When you work with partners you may not want to give them direct write access to the core project which you provide to build, but you need to offer a method of collecting their changes in order to realign your upstream projects as closely as possible to their needs.

OBS provides a simple solution to being able to request changes to packages from the owner without requiring write access to the target project.

The model is described here and slides describing the process can be found at that link.


Other links