UCSF-CBI / c4

The C4 Website
https://ucsf-cbi.github.io/c4/

SPECS: GIT+SSH access from devel nodes? #35

Closed HenrikBengtsson closed 3 years ago

HenrikBengtsson commented 3 years ago

Inherited from Wynton, https://ucsf-cbi.github.io/c4/about/specs.html says:

(*) GIT+SSH access on development nodes is restricted to git.bioconductor.org, bitbucket.org, gitea.com, github.com / gist.github.com, gitlab.com, and git.ucsf.edu.

HenrikBengtsson commented 3 years ago

Closely related:

| Feature | Login Nodes | Transfer Nodes | Development Nodes | Compute Nodes |
| -- | -- | -- | -- | -- |
| Outbound access | Within UCSF only: SSH and SFTP | HTTP/HTTPS, FTP/FTPS, SSH, SFTP, GIT+SSH | Via proxy: HTTP/HTTPS, GIT+SSH(*) | no |
| Network speed | 1 Gbps | 10 Gbps | 1 Gbps | 1,10 Gbps |
hgputnam commented 3 years ago

Dev nodes have public interfaces on the campus WAN. The CentOS firewall on all 3 is blocking incoming ssh from all networks except 10.10.10/24 (aka the internal C4 network). The dev nodes are using the proxy server for http/s but this is only because we all have the proxy environmental variables. A savvy user could unset those and bypass the proxy. That would not work on compute nodes because they have no physical links to external networks.

If you want to restrict ssh to just certain sites or networks, that would probably also need to be done with the CentOS firewalls. We would need to be certain of our book-keeping. For example, the above Wynton example doesn't include docker or singularity hubs...
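What the firewall-side restriction suggested above could look like on a dev node, as an added example that is not part of the C4 project's configuration. It generates (and optionally applies) an iptables egress policy that allows outbound SSH only to the git hosts listed in the spec plus the internal 10.10.10.0/24 network, and allows outbound HTTP/HTTPS only to the proxy, so that unsetting the proxy environment variables no longer bypasses it. Everything beyond what the thread states is an assumption: the external interface name `eth0`, the chain names `C4_SSH_OUT` and `C4_WEB_OUT`, the proxy address `10.10.10.1`, and the host-to-IP mapping, which uses constructed RFC 5737 placeholder addresses rather than the real ones.

```shell
#!/bin/sh
# Added example, not C4 configuration. Builds an iptables egress policy for a
# CentOS node with a public interface:
#   * tcp/22 leaving the external interface is allowed only to the internal
#     cluster network and to the git hosts in the spec; the rest is logged and
#     rejected;
#   * tcp/80 and tcp/443 leaving the external interface are allowed only to the
#     proxy, so "unset http_proxy https_proxy" no longer gets around it.
# Assumptions (not from the C4 docs): interface eth0, chain names below, proxy at
# 10.10.10.1, and the CONSTRUCTED RFC 5737 addresses in allowed_git_hosts(). Real
# deployments must resolve the hosts (dig +short) and refresh the list, since
# github.com and gitlab.com answer from many addresses that change over time.

EXT_IF="${EXT_IF:-eth0}"             # assumed name of the public interface
INTERNAL_NET="10.10.10.0/24"         # internal C4 network, as stated in the thread
PROXY_IP="${PROXY_IP:-10.10.10.1}"   # assumed proxy address

# "host ip" pairs, one per line. CONSTRUCTED sample addresses, not real ones.
allowed_git_hosts() {
  cat <<'EOF'
git.bioconductor.org 192.0.2.10
bitbucket.org 192.0.2.20
gitea.com 192.0.2.30
github.com 192.0.2.40
gist.github.com 192.0.2.41
gitlab.com 192.0.2.50
git.ucsf.edu 192.0.2.60
EOF
}

# Print the SSH egress rules, one iptables command per line, without applying.
build_ssh_egress_rules() {
  echo "iptables -N C4_SSH_OUT 2>/dev/null || iptables -F C4_SSH_OUT"
  # Cluster-internal SSH is never restricted.
  echo "iptables -A C4_SSH_OUT -d $INTERNAL_NET -j RETURN"
  allowed_git_hosts | while read -r host ip; do
    echo "iptables -A C4_SSH_OUT -d $ip -m comment --comment \"$host\" -j ACCEPT"
  done
  # Anything else on tcp/22 is logged (rate-limited) and rejected with a RST.
  echo "iptables -A C4_SSH_OUT -m limit --limit 5/min -j LOG --log-prefix \"C4_SSH_OUT_DENY: \""
  echo "iptables -A C4_SSH_OUT -j REJECT --reject-with tcp-reset"
  # Hook the chain into OUTPUT for tcp/22 on the public interface (idempotent).
  echo "iptables -D OUTPUT -o $EXT_IF -p tcp --dport 22 -j C4_SSH_OUT 2>/dev/null || true"
  echo "iptables -A OUTPUT -o $EXT_IF -p tcp --dport 22 -j C4_SSH_OUT"
}

# Print the HTTP/HTTPS egress rules: only the proxy may be reached directly.
build_web_egress_rules() {
  echo "iptables -N C4_WEB_OUT 2>/dev/null || iptables -F C4_WEB_OUT"
  echo "iptables -A C4_WEB_OUT -d $PROXY_IP -j ACCEPT"
  echo "iptables -A C4_WEB_OUT -d $INTERNAL_NET -j RETURN"
  echo "iptables -A C4_WEB_OUT -j REJECT --reject-with tcp-reset"
  echo "iptables -D OUTPUT -o $EXT_IF -p tcp -m multiport --dports 80,443 -j C4_WEB_OUT 2>/dev/null || true"
  echo "iptables -A OUTPUT -o $EXT_IF -p tcp -m multiport --dports 80,443 -j C4_WEB_OUT"
}

# Check a policy dump (text of `iptables -S`) for the two properties that matter
# for SSH: OUTPUT hands tcp/22 to the chain, and the chain ends in a REJECT.
policy_is_restrictive() {
  printf '%s\n' "$1" | grep -q -e '-A OUTPUT .*--dport 22 .*-j C4_SSH_OUT' &&
  printf '%s\n' "$1" | grep -q -e '-A C4_SSH_OUT -j REJECT'
}

case "${1:-}" in
  print) build_ssh_egress_rules; build_web_egress_rules ;;
  apply) { build_ssh_egress_rules; build_web_egress_rules; } | sh -e ;;
esac
```

Run it as `sh egress.sh print` to review the rules and `sudo sh egress.sh apply` to load them; `policy_is_restrictive "$(iptables -S)"` is the post-change check. Two caveats follow from the thread itself: the allowlist is by IP, so the book-keeping problem is real (an `ipset` refreshed from DNS on a timer is the usual way to keep it honest), and anything not in the list, such as the docker or singularity hubs, is blocked until it is added.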

hgputnam commented 3 years ago

Login nodes have outbound access with no restrictions. Again, they have public interfaces so the only thing enforcing the use of the proxy server are environmental variables. The same is true for the dt node.

hgputnam commented 3 years ago

Updated those docs.