Project

General

Profile

Actions

action #108974

open

Loan Fujitsu server for OpenQA FIPS testing needs

Added by viktors.trubovics almost 2 years ago. Updated about 1 year ago.

Status:
New
Priority:
Normal
Assignee:
-
Category:
-
Target version:
Start date:
2022-07-07
Due date:
% Done:

0%

Estimated time:
(Total: 0.00 h)

Description

Observation

We decided to loan Fujitsu server Fujitsu-x86-1
https://racktables.suse.de/index.php?page=object&object_id=13539
https://confluence.suse.com/display/SecurityCertifications/Certifications+test+environment#Certificationstestenvironment-Fujitsu-x86-1
https://sd.suse.com/servicedesk/customer/portal/1/SD-81362
from Certification test environment for OpenQA FIPS testing needs.
CPU: 4x Intel(R) Xeon(R) Platinum 8268 CPU @ 2.90GHz - 24 Core https://ark.intel.com/content/www/us/en/ark/products/192481/intel-xeon-platinum-8268-processor-35-75m-cache-2-90-ghz.html
RAM: 128GB
Storage: 2x 300 GB SCSI 15K rpm
This should be bare metal testing machine.
IPMI user: openqa
IPMI password: Will be provided separately
Remote console on: https://qemu-kvm-switch.suse.de port 01
User: openqa
PW: same as for IPMI
KVM access to Fujitsu servers: https://confluence.suse.com/display/SecurityCertifications/KVM+access+to+Fujitsu+servers

The machine needs UEFI PXE which is currently not in place within the SUSE Nbg QA subnet, meaning no UEFI PXE support on qanet.qa.suse.de

Acceptance criteria

  • AC1: New fujitsu server is usable Security squad

Subtasks 1 (1 open0 closed)

action #113357: UEFI PXE or "network boot" support within .qa.suse.de size:MWorkable2022-07-07

Actions
Actions #1

Updated by viktors.trubovics almost 2 years ago

Point of contact in QE team is Ben Chou.

Actions #2

Updated by okurz almost 2 years ago

  • Assignee changed from nicksinger to bchou
  • Target version set to future

@bchou over to you

Actions #3

Updated by viktors.trubovics almost 2 years ago

My answers are inline:
I can reach https://qemu-kvm-switch.suse.de/ and pass the invalid certificate and then the web interface times out
Should be question to IT - I can access it using VPN, https://qemu-kvm-switch.suse.de/ need to be added to exception, it has self signed certificate
https://confluence.suse.com/pages/viewpage.action?spaceKey=SecurityCertifications&title=Certifications+test+environment mentions two times "fips-new", one is s390x, so here it's about the other one. Still, can be confusing
There are only one entry for Fujitsu-x86-1.
I can't ping the IPv4 address of the machine nor IPMI, "packet filtered" from ping
Currently server is connected to Cert isolated network 192.168.69.0/24 and has IP 192.168.69.103, IPMI IP 192.168.69.104. Can be accessed only using qemu-devel.opensuse.org
(authentication using ssh keys). Server must be connected to the needed network and IPMI IP reconfigured.

I don't have the IPMI password so can't test with ipmitool myself
Sent IPMI PW to you by e-mail.
racktable entries in https://racktables.suse.de/index.php?page=object&tab=ports&object_id=13539 are incomplete
I also do not have rights to update racktables
I don't have permissions to view https://sd.suse.com/servicedesk/customer/portal/1/SD-81362
Shared ticket with you.

Actions #4

Updated by bchou almost 2 years ago

  • Assignee changed from bchou to viktors.trubovics
  1. Purpose:

    • The certification team(Viktor) requests the intel Bare-metal testing(FIPS related) on Fujitsu-x86-1 and QE-security team plan to run the automation test in openQA via IPMI backend.
  2. Visit https://racktables.suse.de/index.php?page=object&object_id=13539

    • I can access this link with my Bugzilla account with VPN connected.
  3. Visit https://qemu-kvm-switch.suse.de

    • I don't have the password to login to this Remote console.
    • Probably Viktor could provide it to us for testing purposes.
  4. Visit https://sd.suse.com/servicedesk/customer/portal/1/SD-81362

    • I think this ticket(sd.suse.com) is opened as an issue to SUSE IT ticket, they are not responsible for openQA infra.
  5. I don't have the IPMI password either.

  6. For the Fujitsu-x86-1, we also need to provide pubkey to Viktor for authentication using ssh keys, right?

  7. Based on Nick's feedback from mail(Loan Fujitsu server for OpenQA FIPS testing needs), I think this ticket could be helped by qa-tools-team (osd-admins@suse.de)

Thanks.

Actions #5

Updated by okurz almost 2 years ago

bchou wrote:

  1. I don't have the IPMI password either.

shared privately

  1. For the Fujitsu-x86-1, we also need to provide pubkey to Viktor for authentication using ssh keys, right?

You mean for qemu-devel.opensuse.org ? Yes, I guess so

  1. Based on Nick's feedback from mail(Loan Fujitsu server for OpenQA FIPS testing needs), I think this ticket could be helped by qa-tools-team (osd-admins@suse.de)

I am reading your updates on behalf of SUSE QE Tools and can provide help where needed. As the machine is intended to be used as a bare metal testing target according entries in https://gitlab.suse.de/openqa/salt-pillars-openqa would be necessary, e.g. IPMI credentials and IPMI hostname. However as was stated above the machine can only be reached over a ssh bridge which is not possible out of the box with openQA workers so you could run a custom setup somewhere and connect that as worker or connect the machine directly to another openQA instance. As alternative you can try out the possibility to run custom worker engines within openQA workers. For that please see https://github.com/os-autoinst/openQA/pull/4584

Actions #6

Updated by viktors.trubovics almost 2 years ago

Here I see simpler solution - need to move server from out isolated network (192.168.69.0/24) to any engineering network convenient for QE team.
For this purpose I created ticket:
https://sd.suse.com/servicedesk/customer/portal/1/SD-81362

Actions #7

Updated by okurz almost 2 years ago

viktors.trubovics wrote:

Here I see simpler solution - need to move server from out isolated network (192.168.69.0/24) to any engineering network convenient for QE team.
For this purpose I created ticket:
https://sd.suse.com/servicedesk/customer/portal/1/SD-81362

Yes, that's one of the options and likely the most simple one.

EDIT: commented on https://sd.suse.com/servicedesk/customer/portal/1/SD-81362

Actions #9

Updated by rfan1 almost 2 years ago

@viktors.trubovics,
Could you please share the ticket to me?

Actions #10

Updated by viktors.trubovics almost 2 years ago

rfan1 wrote:

@viktors.trubovics,
Could you please share the ticket to me?

Done.

Actions #11

Updated by viktors.trubovics almost 2 years ago

Server moved to needed VLAN.
New IP for SLES12 installed is: 10.162.31.226
IPMI IP address is 10.162.31.209.
Tested - can connect IPMI and login to it.

Actions #12

Updated by okurz almost 2 years ago

@bchou can you confirm the login works for you? With that information I recommend to add the necessary information to salt pillars as mentioned in https://progress.opensuse.org/issues/108974#note-5

Actions #13

Updated by nicksinger almost 2 years ago

for the record: the machine now has a static entry inside qanet: https://gitlab.suse.de/qa-sle/qanet-configs/-/commit/56a9bca6be19c1f7262caff80444e7598cdadb1d

Actions #14

Updated by viktors.trubovics almost 2 years ago

Hello,
thanks for Nick now server has dynamically static IP addresses:
host fujitsu-fips-testhost-sp { hardware ethernet 00:22:4d:d7:3b:ef; fixed-address 10.162.2.134; option host-name "fujitsu-fips-testhost-sp"; filename "pxelinux.0"; }
host fujitsu-fips-testhost { hardware ethernet 00:22:4d:d7:3b:f1; fixed-address 10.162.2.135; option host-name "fujitsu-fips-testhost"; filename "pxelinux.0"; }

Please add fujitsu-fips-testhost host to the PXE installation process.

Actions #15

Updated by okurz almost 2 years ago

  • Assignee changed from viktors.trubovics to bchou

@bchou I think this should go to you then to continue.

Actions #16

Updated by bchou almost 2 years ago

  • Status changed from New to In Progress

Thanks a lot.
We are working in progress now.

Actions #17

Updated by rfan1 almost 2 years ago

@ viktors.trubovics,

I noticed that in dhcp/install server configuration, the NBP file is set to "pxelinux.0", However, current fujitsu server is UEFI boot. can you please double check with this?

I will send a mail to talk about this.

BR//Richard.

Actions #18

Updated by rfan1 almost 2 years ago

@viktors.trubovics,

I checked the Fujitsu server, and I found that the server can only support UEFI mode. I am not able to find a way to switch to Legacy bios mode.

At the same time, currently openQA didn't support UEFI pxe installation for x86_64 BM servers yet [pls let me know if I am wrong].

A pending PR was there to support it - > https://github.com/os-autoinst/os-autoinst-distri-opensuse/pull/14684

So, can you please help check with Nick to change the setting on DHCP/Install server? we should set EFI NBP file there.

Actions #19

Updated by nicksinger almost 2 years ago

  • Assignee changed from bchou to nicksinger

I will try to come up with a PXE setup which works with UEFI. https://confluence.suse.com/pages/viewpage.action?pageId=762348151 has some details

Actions #20

Updated by okurz almost 2 years ago

  • Priority changed from Normal to Low
  • Target version changed from future to Ready

Adding to backlog as decided with nicksinger as he is already looking into this as a side-task. Regarding other work currently in the backlog please be aware that we still regard this as Low priority as there are multiple other issues affecting more users that we should prioritize.

Actions #21

Updated by okurz almost 2 years ago

  • Tags set to reactive work
Actions #22

Updated by mkittler almost 2 years ago

  • Status changed from In Progress to New
Actions #23

Updated by okurz over 1 year ago

  • Description updated (diff)
  • Status changed from New to Blocked
Actions #24

Updated by okurz over 1 year ago

blocked by #108974

Actions #25

Updated by okurz over 1 year ago

  • Status changed from Blocked to New
  • Assignee deleted (nicksinger)
  • Target version changed from Ready to future

I meant #113357

Actions #26

Updated by okurz about 1 year ago

  • Tags changed from reactive work to reactive work, infra
Actions

Also available in: Atom PDF