Project

General

Profile

action #108974

Loan Fujitsu server for OpenQA FIPS testing needs

Added by viktors.trubovics 3 months ago. Updated about 1 month ago.

Status:
New
Priority:
Low
Assignee:
Target version:
Start date:
2022-03-25
Due date:
% Done:

0%

Estimated time:

Description

We decided to loan Fujitsu server Fujitsu-x86-1
https://racktables.suse.de/index.php?page=object&object_id=13539
https://confluence.suse.com/display/SecurityCertifications/Certifications+test+environment#Certificationstestenvironment-Fujitsu-x86-1
https://sd.suse.com/servicedesk/customer/portal/1/SD-81362
from Certification test environment for OpenQA FIPS testing needs.
CPU: 4x Intel(R) Xeon(R) Platinum 8268 CPU @ 2.90GHz - 24 Core https://ark.intel.com/content/www/us/en/ark/products/192481/intel-xeon-platinum-8268-processor-35-75m-cache-2-90-ghz.html
RAM: 128GB
Storage: 2x 300 GB SCSI 15K rpm
This should be bare metal testing machine.
IPMI user: openqa
IPMI password: Will be provided separately
Remote console on: https://qemu-kvm-switch.suse.de port 01
User: openqa
PW: same as for IPMI
KVM access to Fujitsu servers: https://confluence.suse.com/display/SecurityCertifications/KVM+access+to+Fujitsu+servers

History

#1 Updated by viktors.trubovics 3 months ago

Point of contact in QE team is Ben Chou.

#2 Updated by okurz 3 months ago

  • Assignee changed from nicksinger to bchou
  • Target version set to future

bchou over to you

#3 Updated by viktors.trubovics 3 months ago

My answers are inline:
I can reach https://qemu-kvm-switch.suse.de/ and pass the invalid certificate and then the web interface times out
Should be question to IT - I can access it using VPN, https://qemu-kvm-switch.suse.de/ need to be added to exception, it has self signed certificate
https://confluence.suse.com/pages/viewpage.action?spaceKey=SecurityCertifications&title=Certifications+test+environment mentions two times "fips-new", one is s390x, so here it's about the other one. Still, can be confusing
There are only one entry for Fujitsu-x86-1.
I can't ping the IPv4 address of the machine nor IPMI, "packet filtered" from ping
Currently server is connected to Cert isolated network 192.168.69.0/24 and has IP 192.168.69.103, IPMI IP 192.168.69.104. Can be accessed only using qemu-devel.opensuse.org
(authentication using ssh keys). Server must be connected to the needed network and IPMI IP reconfigured.

I don't have the IPMI password so can't test with ipmitool myself
Sent IPMI PW to you by e-mail.
racktable entries in https://racktables.suse.de/index.php?page=object&tab=ports&object_id=13539 are incomplete
I also do not have rights to update racktables
I don't have permissions to view https://sd.suse.com/servicedesk/customer/portal/1/SD-81362
Shared ticket with you.

#4 Updated by bchou 3 months ago

  • Assignee changed from bchou to viktors.trubovics
  1. Purpose:

    • The certification team(Viktor) requests the intel Bare-metal testing(FIPS related) on Fujitsu-x86-1 and QE-security team plan to run the automation test in openQA via IPMI backend.
  2. Visit https://racktables.suse.de/index.php?page=object&object_id=13539

    • I can access this link with my Bugzilla account with VPN connected.
  3. Visit https://qemu-kvm-switch.suse.de

    • I don't have the password to login to this Remote console.
    • Probably Viktor could provide it to us for testing purposes.
  4. Visit https://sd.suse.com/servicedesk/customer/portal/1/SD-81362

    • I think this ticket(sd.suse.com) is opened as an issue to SUSE IT ticket, they are not responsible for openQA infra.
  5. I don't have the IPMI password either.

  6. For the Fujitsu-x86-1, we also need to provide pubkey to Viktor for authentication using ssh keys, right?

  7. Based on Nick's feedback from mail(Loan Fujitsu server for OpenQA FIPS testing needs), I think this ticket could be helped by qa-tools-team (osd-admins@suse.de)

Thanks.

#5 Updated by okurz 3 months ago

bchou wrote:

  1. I don't have the IPMI password either.

shared privately

  1. For the Fujitsu-x86-1, we also need to provide pubkey to Viktor for authentication using ssh keys, right?

You mean for qemu-devel.opensuse.org ? Yes, I guess so

  1. Based on Nick's feedback from mail(Loan Fujitsu server for OpenQA FIPS testing needs), I think this ticket could be helped by qa-tools-team (osd-admins@suse.de)

I am reading your updates on behalf of SUSE QE Tools and can provide help where needed. As the machine is intended to be used as a bare metal testing target according entries in https://gitlab.suse.de/openqa/salt-pillars-openqa would be necessary, e.g. IPMI credentials and IPMI hostname. However as was stated above the machine can only be reached over a ssh bridge which is not possible out of the box with openQA workers so you could run a custom setup somewhere and connect that as worker or connect the machine directly to another openQA instance. As alternative you can try out the possibility to run custom worker engines within openQA workers. For that please see https://github.com/os-autoinst/openQA/pull/4584

#6 Updated by viktors.trubovics 3 months ago

Here I see simpler solution - need to move server from out isolated network (192.168.69.0/24) to any engineering network convenient for QE team.
For this purpose I created ticket:
https://sd.suse.com/servicedesk/customer/portal/1/SD-81362

#7 Updated by okurz 3 months ago

viktors.trubovics wrote:

Here I see simpler solution - need to move server from out isolated network (192.168.69.0/24) to any engineering network convenient for QE team.
For this purpose I created ticket:
https://sd.suse.com/servicedesk/customer/portal/1/SD-81362

Yes, that's one of the options and likely the most simple one.

EDIT: commented on https://sd.suse.com/servicedesk/customer/portal/1/SD-81362

#9 Updated by rfan1 3 months ago

viktors.trubovics,
Could you please share the ticket to me?

#10 Updated by viktors.trubovics 3 months ago

rfan1 wrote:

viktors.trubovics,
Could you please share the ticket to me?

Done.

#11 Updated by viktors.trubovics 3 months ago

Server moved to needed VLAN.
New IP for SLES12 installed is: 10.162.31.226
IPMI IP address is 10.162.31.209.
Tested - can connect IPMI and login to it.

#12 Updated by okurz 3 months ago

bchou can you confirm the login works for you? With that information I recommend to add the necessary information to salt pillars as mentioned in https://progress.opensuse.org/issues/108974#note-5

#13 Updated by nicksinger 3 months ago

for the record: the machine now has a static entry inside qanet: https://gitlab.suse.de/qa-sle/qanet-configs/-/commit/56a9bca6be19c1f7262caff80444e7598cdadb1d

#14 Updated by viktors.trubovics 3 months ago

Hello,
thanks for Nick now server has dynamically static IP addresses:
host fujitsu-fips-testhost-sp { hardware ethernet 00:22:4d:d7:3b:ef; fixed-address 10.162.2.134; option host-name "fujitsu-fips-testhost-sp"; filename "pxelinux.0"; }
host fujitsu-fips-testhost { hardware ethernet 00:22:4d:d7:3b:f1; fixed-address 10.162.2.135; option host-name "fujitsu-fips-testhost"; filename "pxelinux.0"; }

Please add fujitsu-fips-testhost host to the PXE installation process.

#15 Updated by okurz 3 months ago

  • Assignee changed from viktors.trubovics to bchou

bchou I think this should go to you then to continue.

#16 Updated by bchou 2 months ago

  • Status changed from New to In Progress

Thanks a lot.
We are working in progress now.

#17 Updated by rfan1 2 months ago

@ viktors.trubovics,

I noticed that in dhcp/install server configuration, the NBP file is set to "pxelinux.0", However, current fujitsu server is UEFI boot. can you please double check with this?

I will send a mail to talk about this.

BR//Richard.

#18 Updated by rfan1 2 months ago

viktors.trubovics,

I checked the Fujitsu server, and I found that the server can only support UEFI mode. I am not able to find a way to switch to Legacy bios mode.

At the same time, currently openQA didn't support UEFI pxe installation for x86_64 BM servers yet [pls let me know if I am wrong].

A pending PR was there to support it - > https://github.com/os-autoinst/os-autoinst-distri-opensuse/pull/14684

So, can you please help check with Nick to change the setting on DHCP/Install server? we should set EFI NBP file there.

#19 Updated by nicksinger about 2 months ago

  • Assignee changed from bchou to nicksinger

I will try to come up with a PXE setup which works with UEFI. https://confluence.suse.com/pages/viewpage.action?pageId=762348151 has some details

#20 Updated by okurz about 2 months ago

  • Priority changed from Normal to Low
  • Target version changed from future to Ready

Adding to backlog as decided with nicksinger as he is already looking into this as a side-task. Regarding other work currently in the backlog please be aware that we still regard this as Low priority as there are multiple other issues affecting more users that we should prioritize.

#21 Updated by okurz about 1 month ago

  • Tags set to reactive work

#22 Updated by mkittler about 1 month ago

  • Status changed from In Progress to New

Also available in: Atom PDF