Move SOS to the portal only
future consideration
Benjamin Jenkins
Change the nature of SOS completely and only allow access from the portal using an Openstack style console. Users should be able to click "console" in the GUI to get a popup SOL console protected inside the portal. That would allow RBAC and other controls to trickle down to this feature. This is becoming a common request from the enterprise space.
Matt Ward
+1 on this, it would offer feature parity with Network Edge devices.
Sal Carrasco
future consideration
Sal Carrasco
Merged in a post:
Support Option for disabling SOS Console
Michail Angelos Simos
A public endpoint granting access to the console is a concern from a security standpoint.
Issues in the SOS console may introduce severe security concerns.
In this context, an option for disabling this feature would be particularly useful.
Marques Johansson
I'd love to see the implementation preserve the existing SOS behaviors and defaults with the new options being discussed here:
* disable SOS (per org, project, node?)
* restrict SOS by remote address (user restriction is already possible)
* a console.equinix.com terminal interface that could similarly be disabled or restricted. (I've worked on similar interfaces taking advantage of websockets and xtermjs.org and it worked really well)
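The controls listed above (disable per org/project/node, restrict by remote address, restrict by user) can all be expressed as one ordered policy check in front of the console. The following is an added illustration, not Equinix code and not part of this thread; the `ConsolePolicy` fields, the scope names and the sample addresses (RFC 5737/3849 documentation ranges) are assumptions chosen for the example. It also emits an audit record per decision, since monitoring of console access is part of what is being asked for.

```python
import ipaddress
import json
from dataclasses import dataclass, field
from typing import List, Set, Tuple

# Hypothetical policy object: the scopes and field names are assumptions
# for this example, not a real portal or API schema.
@dataclass
class ConsolePolicy:
    org_enabled: bool = True        # disable SOS for a whole organisation
    project_enabled: bool = True    # ... or for one project
    node_enabled: bool = True       # ... or for a single node
    allowed_sources: List[str] = field(default_factory=list)  # CIDRs; empty = any
    allowed_users: Set[str] = field(default_factory=set)      # empty = any user


def console_access_allowed(policy: ConsolePolicy, user: str,
                           remote_addr: str) -> Tuple[bool, str]:
    """Evaluate the policy in a fixed order and return (allowed, reason).

    Order matters for a denial-by-default control: the cheapest, broadest
    checks (is the feature on at all?) run before per-request matching.
    """
    # 1. Scope kill switches: any disabled scope wins, most general first.
    for scope, enabled in (("org", policy.org_enabled),
                           ("project", policy.project_enabled),
                           ("node", policy.node_enabled)):
        if not enabled:
            return False, f"disabled at {scope} scope"

    # 2. User restriction (the thread notes this exists already).
    if policy.allowed_users and user not in policy.allowed_users:
        return False, f"user {user!r} not permitted"

    # 3. Remote-address restriction. An unparsable address is a deny,
    #    never a pass-through.
    if policy.allowed_sources:
        try:
            addr = ipaddress.ip_address(remote_addr)
        except ValueError:
            return False, f"unparsable remote address {remote_addr!r}"
        # ip_address in ip_network is False across IPv4/IPv6 versions,
        # so an IPv6 client does not silently match an IPv4 allow list.
        if not any(addr in ipaddress.ip_network(cidr, strict=False)
                   for cidr in policy.allowed_sources):
            return False, f"remote address {remote_addr} not in allow list"

    return True, "allowed"


def audit_record(user: str, remote_addr: str, decision: Tuple[bool, str]) -> str:
    """One JSON line per decision, suitable for shipping to a SIEM."""
    allowed, reason = decision
    return json.dumps({
        "event": "sos_console_access",
        "user": user,
        "remote_addr": remote_addr,
        "allowed": allowed,
        "reason": reason,
    }, sort_keys=True)


if __name__ == "__main__":
    # Constructed sample policy: one project allows a single office range.
    policy = ConsolePolicy(allowed_sources=["203.0.113.0/24"],
                           allowed_users={"alice"})
    for user, addr in [("alice", "203.0.113.7"),   # allowed
                       ("alice", "198.51.100.7"),  # wrong source range
                       ("bob", "203.0.113.7"),     # user not in list
                       ("alice", "2001:db8::1")]:  # IPv6 vs IPv4 allow list
        print(audit_record(user, addr, console_access_allowed(policy, user, addr)))
```

The deny reasons are deliberately specific so the audit log answers "why was this console session refused" without exposing the full policy to the requester; a production implementation would log the reason but return only a generic failure to the client.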
Zain Mujtaba
If we can even limit the connection to specific source IPs, this would be helpful until a long-term approach is figured out.
Jason Powers
under review
Hi folks, we're actively looking into this one and evaluating the lift and approach to solving.
Derek Radtke
RBAC could trickle down to allowed SSH keys. You're running the SSH server. An actual SSH client works much better than something in the browser.
Benjamin Jenkins
Derek Radtke: The request is to take SOS off the internet completely as an attack vector. This is a very common ask from the enterprise space. Having an always open SSH connection with no ACL, customer monitoring or easy way to manage keys is hard for some enterprises to accept. Open to other ideas here and this is just a suggestion for a way to mitigate a problem that is brought up often in the sales process.
Andrew Hodges
Benjamin Jenkins: It's not "an always open SSH connection", since it only connects to IPMI once you SSH in. As far as access control, it can be as good as you keep control of SSH keys in the portal. You can implement monitoring in SOS just as well as some new browser-based thing. And browsers are still on the internet, as is the portal.
Zain Mujtaba
Yes, please implement this ASAP. If this is a big lift, please allow limiting it based on IP addresses, which adds some protection.