x/build: restrict outbound network access from builds by default #30612
I agree. Package
And the commit message of CL 153460 that resolved it by @bcmills said:
Edit: Another related open issue is #28856.
Change https://golang.org/cl/165637 mentions this issue:
Updates golang/go#30612 Change-Id: Ib13a286d0944a7f4a13b9e93a01533693052858b Reviewed-on: https://go-review.googlesource.com/c/build/+/165637 Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org>
Change https://golang.org/cl/165618 mentions this issue:
Change https://golang.org/cl/165638 mentions this issue:
Updates golang/go#30612 Change-Id: Id472e753043976b8671c15491b82bb57e3804d95 Reviewed-on: https://go-review.googlesource.com/c/build/+/165638 Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org>
Change https://golang.org/cl/165777 mentions this issue:
Updates golang/go#30612 Change-Id: I752c57f8631025f1784951e701340d2c21ee277c Reviewed-on: https://go-review.googlesource.com/c/build/+/165777 Reviewed-by: Bryan C. Mills <bcmills@google.com>
Change https://golang.org/cl/167039 mentions this issue:
Updates golang/go#30612 Updates golang/go#30760 Change-Id: I296f4f7a163c1bdd59e839229c0961b21f26da89 Reviewed-on: https://go-review.googlesource.com/c/build/+/167039 Reviewed-by: Bryan C. Mills <bcmills@google.com>
This is sufficiently done. We do it on enough builders now that we catch network usage.
Change https://golang.org/cl/192317 mentions this issue:
Issue golang.org/issue/30612 implemented a restriction on outbound network access to help catch unintended uses of the internet in tests.
We're currently relying on GOPROXY=https://proxy.golang.org for running tests in module mode in Go 1.13+, but proxy.golang.org can serve some module zip files by 302 redirecting to other URLs. Those URLs may not be accessible due to this builder network restriction.
Disable the outbound network restriction as the first step to return builders to a working state. The next step will be to implement a long-term solution, then we can re-enable the network restriction again.
Updates golang/go#33928 Updates golang/go#30612 Change-Id: I1a87b8d107df8806753117fc60a3e795e1e1b182 Reviewed-on: https://go-review.googlesource.com/c/build/+/192317 Reviewed-by: Alexander Rakoczy <alex@golang.org>
This is temporarily undone by CL 192317, re-opening so we don't lose track of it.
We should make sure our tests never do outbound network requests by default, or that we only hit endpoints that we control.
For instance, the longtest builder is often failing now on:
... because we're hitting some Gerrit quota issue it seems.
I'm going to firewall outbound port 443 and port 22 connections for now and set the GOPROXY to our existing private Athens service on GKE to fix the longtest issue above.
/cc @dmitshur @bcmills
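The failure mode described in the CL 192317 commit message, as an added example (not code from golang.org/x/build or from anyone in this thread): an egress allowlist admits the proxy host, but a module zip served through a 302 to a host outside the list is refused. The hosts proxy.example and storage.example, the URL paths and all type and function names are constructed assumptions, and the backend is faked in-process so nothing touches the network.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"net/http"
	"strings"
)

var errEgressDenied = errors.New("egress denied")

// allowlistTransport models the builder firewall: every hop must be allowlisted.
type allowlistTransport struct {
	allowed map[string]bool
	next    http.RoundTripper
}
func (t allowlistTransport) RoundTrip(r *http.Request) (*http.Response, error) {
	if !t.allowed[r.URL.Host] {
		return nil, fmt.Errorf("%w: %s", errEgressDenied, r.URL.Host)
	}
	return t.next.RoundTrip(r)
}

// fakeBackend (constructed, no sockets): /redirected/ paths 302 to storage.example.
type fakeBackend struct{}
func (fakeBackend) RoundTrip(r *http.Request) (*http.Response, error) {
	resp := &http.Response{StatusCode: http.StatusOK, Header: http.Header{},
		Body: io.NopCloser(strings.NewReader("zip")), Request: r}
	if r.URL.Host == "proxy.example" && strings.HasPrefix(r.URL.Path, "/redirected/") {
		resp.StatusCode = http.StatusFound
		resp.Header.Set("Location", "https://storage.example"+r.URL.Path)
	}
	return resp, nil
}

// fetch returns nil only if rawURL and every redirect hop stay on allowed hosts.
func fetch(allowed map[string]bool, rawURL string) error {
	c := &http.Client{Transport: allowlistTransport{allowed: allowed, next: fakeBackend{}}}
	resp, err := c.Get(rawURL)
	if err != nil {
		return err
	}
	return resp.Body.Close()
}

func main() {
	ok := map[string]bool{"proxy.example": true} // only the host we control
	fmt.Println(fetch(ok, "https://proxy.example/redirected/m/@v/v1.0.0.zip"))
}
```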