action #124119
closed QA - coordination #121720: [saga][epic] Migration to QE setup in PRG2+NUE3 while ensuring availability
QA - coordination #116623: [epic] Migration of SUSE Nbg based openQA+QA+QAM systems to new security zones
Conduct the migration of remaining SUSE openQA systems IPMI to new security zones
0%
Description
Motivation
This is a follow-up of #20270 for the remaining systems (as #20270 only covered machines in SRV1), also see parent #116623
The remaining hosts (as of the creation of this ticket) are:
- Hosts used for bare-metal testing: sp.openqaw5-xen.qa.suse.de
- Prague located: openqaworker14-ipmi.qa.suse.cz, openqaworker15-ipmi.qa.suse.cz, openqaworker16-ipmi.qa.suse.cz, openqaworker17-ipmi.qa.suse.cz, openqaworker18-ipmi.qa.suse.cz
- PowerPC machines: qa-power8-4.qa.suse.de, qa-power8-5.qa.suse.de, fsp1-powerqaworker-qam.qa.suse.de, malbec.arch.suse.de
- ARM machines: openqaworker-arm-1-ipmi.suse.de, openqaworker-arm-2-ipmi.suse.de, openqaworker-arm-4-ipmi.suse.de, openqaworker-arm-4-ipmi.suse.de, openqaworker-arm-5-ipmi.suse.de
Technically, also the following hosts are remaining. However, they are not used anymore anyways or are broken: openqaworker1, imagetester, power8
So those hosts should supposedly be excluded.
Acceptance criteria
- AC1: All IPMI interfaces of openQA machines listed in workerconf.sls are in new security zones
- AC2: All IPMI interfaces of openQA machines listed in workerconf.sls are fully usable in production
- AC3: All documentation referencing O3+OSD ipmi interfaces is up-to-date
- AC4: Our automated tools using O3+OSD ipmi interfaces are up-to-date e.g. GitLab pipelines and salt states
Suggestions
- Create an SD ticket similar to https://sd.suse.com/servicedesk/customer/portal/1/SD-109299 (which has been created for #20270)
- Monitor Slack #discuss-qe-new-security-zones
- Ensure access over the new way is possible
- Document changes in our infrastructure documentation, e.g. progress.opensuse.org/projects/openqav3/wiki/, https://wiki.suse.net/index.php/OpenQA, https://gitlab.suse.de/openqa/salt-pillars-openqa/-/blob/master/openqa/workerconf.sls
- Ensure https://gitlab.suse.de/openqa/salt-pillars-openqa#get-ipmi-definition-aliases works the new way
- Update https://gitlab.suse.de/openqa/grafana-webhook-actions
Open points
- Where is the documentation by SUSE-IT?
- Where is the git repo handling ssh keys?
- Fix the multi-second login time over ssh (workaround: use ssh -4)
Updated by mkittler over 1 year ago
- Copied from action #120270: Conduct the migration of SUSE openQA systems IPMI from Nbg SRV1 to new security zones size:M added
Updated by okurz over 1 year ago
- Tags set to infra
- Subject changed from Conduct the migration of remaining SUSE openQA systems IPMI to new security zones size:M to Conduct the migration of remaining SUSE openQA systems IPMI to new security zones
- Assignee deleted (mkittler)
- Priority changed from High to Normal
- Target version changed from Ready to future
Thank you for creating that ticket. It wasn't estimated so I will remove the size:M. I also assume you are not insisting on staying assigned or the priority. Also I think we can keep this outside the backlog for now.
Updated by livdywan about 1 year ago
I assume malbec host up alerts are related to this ticket as per the description?
http://stats.openqa-monitor.qa.suse.de/alerting/grafana/host_up_alert_malbec/view?orgId=1
Updated by okurz about 1 year ago
livdywan wrote in #note-3:
I assume malbec host up alerts are related to this ticket as per the description?
http://stats.openqa-monitor.qa.suse.de/alerting/grafana/host_up_alert_malbec/view?orgId=1
No. But #135515
Updated by okurz 11 months ago
- Status changed from New to Resolved
- Assignee set to okurz
- Target version changed from future to Ready
With NUE1 decommissioned all active systems are in new security zones and I guess machines that are brought (back) into production will also end up in new security zones. No specific work for improving error reporting here was done and I don't think we need to improve that further. We need to rely on SUSE-IT to monitor their firewall accordingly.