On Wed, Nov 17, 2021 at 01:05:01PM +0100, Bastian Blank wrote: > Hi > > On Wed, Nov 17, 2021 at 08:01:55AM -0300, Antonio Terceiro wrote: > > For ci, we are working with the security team on testing embargoed > > security updates, and for that we need a unique IP address, because it > > will be added to an ACL on the security repository side. > > You mean via https://security-master.debian.org/debian-security-buildd? > > > I would like the central server to have its unique public IPv4 address > > for this. > > None of the IP addresses you can assign are actually stable. The best > approximation comes in form of a complete IPv6 subnet, aka a /64 where > only your stuff with security access runs. What's different in this account from the old one? I don't remember the IP address of ci.debian.net ever needing to change, why is it that we can't get an stable IP address in this account? > > > - IPv4 incoming will _not_ work with a public IP assigned to an > > > instance, and > > > - IPv4-only or (better) dual-stack network load balancers can be used > > > for stuff like HTTP access for users. > > This means that all incoming HTTP access has to go through the admins > > first. Is there a way to do this without creating a bottleneck or a > > SPoF? > > I have not decided how that should work. Actually I added the > permissions required to manage load balancers. We can however also > pre-create it and only let you decide where to route the traffic. I would prefer that we are able to manage any load balancers by ourselves. On the other hand, a problem with this is that we will suddenly be depending on a proprietary piece of infrastructure. i.e. both certificate management and actual http routing are now provided by a opaque box that we have no visibility into. Also I would need to change the ci.debian.net configuration management to handle the fact that it would now be behind a load balancer, and if we ever need to move elsewhere, I need to make changes again.
Attachment:
signature.asc
Description: PGP signature