Project

General

Profile

Actions

action #108974

open

Loan Fujitsu server for OpenQA FIPS testing needs size:S

Added by viktors.trubovics over 2 years ago. Updated 4 days ago.

Status:
Feedback
Priority:
Normal
Assignee:
Category:
Feature requests
Start date:
2022-07-07
Due date:
% Done:

0%

Estimated time:
(Total: 0.00 h)

Description

Observation

We decided to loan Fujitsu server Fujitsu-x86-1
https://racktables.suse.de/index.php?page=object&object_id=13539
https://confluence.suse.com/display/SecurityCertifications/Certifications+test+environment#Certificationstestenvironment-Fujitsu-x86-1
https://sd.suse.com/servicedesk/customer/portal/1/SD-81362
from Certification test environment for OpenQA FIPS testing needs.
CPU: 4x Intel(R) Xeon(R) Platinum 8268 CPU @ 2.90GHz - 24 Core https://ark.intel.com/content/www/us/en/ark/products/192481/intel-xeon-platinum-8268-processor-35-75m-cache-2-90-ghz.html
RAM: 128GB
Storage: 2x 300 GB SCSI 15K rpm
This should be bare metal testing machine.
IPMI user: openqa
IPMI password: Will be provided separately
Remote console on: https://qemu-kvm-switch.suse.de port 01
User: openqa
PW: same as for IPMI
KVM access to Fujitsu servers: https://confluence.suse.com/display/SecurityCertifications/KVM+access+to+Fujitsu+servers

The machine needs UEFI PXE which is currently not in place within the SUSE Nbg QA subnet, meaning no UEFI PXE support on qanet.qa.suse.de

Acceptance criteria

  • AC1: New fujitsu server is usable for its intended purpose
  • AC2: The information in racktables is ensured to be up-to-date

Suggestions


Subtasks 1 (1 open0 closed)

action #113357: UEFI PXE or "network boot" support within .qa.suse.de size:MWorkable2022-07-07

Actions
Actions #1

Updated by viktors.trubovics over 2 years ago

Point of contact in QE team is Ben Chou.

Actions #2

Updated by okurz over 2 years ago

  • Assignee changed from nicksinger to bchou
  • Target version set to future

@bchou over to you

Actions #3

Updated by viktors.trubovics over 2 years ago

My answers are inline:
I can reach https://qemu-kvm-switch.suse.de/ and pass the invalid certificate and then the web interface times out
Should be question to IT - I can access it using VPN, https://qemu-kvm-switch.suse.de/ need to be added to exception, it has self signed certificate
https://confluence.suse.com/pages/viewpage.action?spaceKey=SecurityCertifications&title=Certifications+test+environment mentions two times "fips-new", one is s390x, so here it's about the other one. Still, can be confusing
There are only one entry for Fujitsu-x86-1.
I can't ping the IPv4 address of the machine nor IPMI, "packet filtered" from ping
Currently server is connected to Cert isolated network 192.168.69.0/24 and has IP 192.168.69.103, IPMI IP 192.168.69.104. Can be accessed only using qemu-devel.opensuse.org
(authentication using ssh keys). Server must be connected to the needed network and IPMI IP reconfigured.

I don't have the IPMI password so can't test with ipmitool myself
Sent IPMI PW to you by e-mail.
racktable entries in https://racktables.suse.de/index.php?page=object&tab=ports&object_id=13539 are incomplete
I also do not have rights to update racktables
I don't have permissions to view https://sd.suse.com/servicedesk/customer/portal/1/SD-81362
Shared ticket with you.

Actions #4

Updated by bchou over 2 years ago

  • Assignee changed from bchou to viktors.trubovics
  1. Purpose:

    • The certification team(Viktor) requests the intel Bare-metal testing(FIPS related) on Fujitsu-x86-1 and QE-security team plan to run the automation test in openQA via IPMI backend.
  2. Visit https://racktables.suse.de/index.php?page=object&object_id=13539

    • I can access this link with my Bugzilla account with VPN connected.
  3. Visit https://qemu-kvm-switch.suse.de

    • I don't have the password to login to this Remote console.
    • Probably Viktor could provide it to us for testing purposes.
  4. Visit https://sd.suse.com/servicedesk/customer/portal/1/SD-81362

    • I think this ticket(sd.suse.com) is opened as an issue to SUSE IT ticket, they are not responsible for openQA infra.
  5. I don't have the IPMI password either.

  6. For the Fujitsu-x86-1, we also need to provide pubkey to Viktor for authentication using ssh keys, right?

  7. Based on Nick's feedback from mail(Loan Fujitsu server for OpenQA FIPS testing needs), I think this ticket could be helped by qa-tools-team (osd-admins@suse.de)

Thanks.

Actions #5

Updated by okurz over 2 years ago

bchou wrote:

  1. I don't have the IPMI password either.

shared privately

  1. For the Fujitsu-x86-1, we also need to provide pubkey to Viktor for authentication using ssh keys, right?

You mean for qemu-devel.opensuse.org ? Yes, I guess so

  1. Based on Nick's feedback from mail(Loan Fujitsu server for OpenQA FIPS testing needs), I think this ticket could be helped by qa-tools-team (osd-admins@suse.de)

I am reading your updates on behalf of SUSE QE Tools and can provide help where needed. As the machine is intended to be used as a bare metal testing target according entries in https://gitlab.suse.de/openqa/salt-pillars-openqa would be necessary, e.g. IPMI credentials and IPMI hostname. However as was stated above the machine can only be reached over a ssh bridge which is not possible out of the box with openQA workers so you could run a custom setup somewhere and connect that as worker or connect the machine directly to another openQA instance. As alternative you can try out the possibility to run custom worker engines within openQA workers. For that please see https://github.com/os-autoinst/openQA/pull/4584

Actions #6

Updated by viktors.trubovics over 2 years ago

Here I see simpler solution - need to move server from out isolated network (192.168.69.0/24) to any engineering network convenient for QE team.
For this purpose I created ticket:
https://sd.suse.com/servicedesk/customer/portal/1/SD-81362

Actions #7

Updated by okurz over 2 years ago

viktors.trubovics wrote:

Here I see simpler solution - need to move server from out isolated network (192.168.69.0/24) to any engineering network convenient for QE team.
For this purpose I created ticket:
https://sd.suse.com/servicedesk/customer/portal/1/SD-81362

Yes, that's one of the options and likely the most simple one.

EDIT: commented on https://sd.suse.com/servicedesk/customer/portal/1/SD-81362

Actions #9

Updated by rfan1 over 2 years ago

@viktors.trubovics,
Could you please share the ticket to me?

Actions #10

Updated by viktors.trubovics over 2 years ago

rfan1 wrote:

@viktors.trubovics,
Could you please share the ticket to me?

Done.

Actions #11

Updated by viktors.trubovics over 2 years ago

Server moved to needed VLAN.
New IP for SLES12 installed is: 10.162.31.226
IPMI IP address is 10.162.31.209.
Tested - can connect IPMI and login to it.

Actions #12

Updated by okurz over 2 years ago

@bchou can you confirm the login works for you? With that information I recommend to add the necessary information to salt pillars as mentioned in https://progress.opensuse.org/issues/108974#note-5

Actions #13

Updated by nicksinger over 2 years ago

for the record: the machine now has a static entry inside qanet: https://gitlab.suse.de/qa-sle/qanet-configs/-/commit/56a9bca6be19c1f7262caff80444e7598cdadb1d

Actions #14

Updated by viktors.trubovics over 2 years ago

Hello,
thanks for Nick now server has dynamically static IP addresses:
host fujitsu-fips-testhost-sp { hardware ethernet 00:22:4d:d7:3b:ef; fixed-address 10.162.2.134; option host-name "fujitsu-fips-testhost-sp"; filename "pxelinux.0"; }
host fujitsu-fips-testhost { hardware ethernet 00:22:4d:d7:3b:f1; fixed-address 10.162.2.135; option host-name "fujitsu-fips-testhost"; filename "pxelinux.0"; }

Please add fujitsu-fips-testhost host to the PXE installation process.

Actions #15

Updated by okurz over 2 years ago

  • Assignee changed from viktors.trubovics to bchou

@bchou I think this should go to you then to continue.

Actions #16

Updated by bchou over 2 years ago

  • Status changed from New to In Progress

Thanks a lot.
We are working in progress now.

Actions #17

Updated by rfan1 over 2 years ago

@ viktors.trubovics,

I noticed that in dhcp/install server configuration, the NBP file is set to "pxelinux.0", However, current fujitsu server is UEFI boot. can you please double check with this?

I will send a mail to talk about this.

BR//Richard.

Actions #18

Updated by rfan1 over 2 years ago

@viktors.trubovics,

I checked the Fujitsu server, and I found that the server can only support UEFI mode. I am not able to find a way to switch to Legacy bios mode.

At the same time, currently openQA didn't support UEFI pxe installation for x86_64 BM servers yet [pls let me know if I am wrong].

A pending PR was there to support it - > https://github.com/os-autoinst/os-autoinst-distri-opensuse/pull/14684

So, can you please help check with Nick to change the setting on DHCP/Install server? we should set EFI NBP file there.

Actions #19

Updated by nicksinger over 2 years ago

  • Assignee changed from bchou to nicksinger

I will try to come up with a PXE setup which works with UEFI. https://confluence.suse.com/pages/viewpage.action?pageId=762348151 has some details

Actions #20

Updated by okurz over 2 years ago

  • Priority changed from Normal to Low
  • Target version changed from future to Ready

Adding to backlog as decided with nicksinger as he is already looking into this as a side-task. Regarding other work currently in the backlog please be aware that we still regard this as Low priority as there are multiple other issues affecting more users that we should prioritize.

Actions #21

Updated by okurz over 2 years ago

  • Tags set to reactive work
Actions #22

Updated by mkittler over 2 years ago

  • Status changed from In Progress to New
Actions #23

Updated by okurz over 2 years ago

  • Description updated (diff)
  • Status changed from New to Blocked
Actions #24

Updated by okurz over 2 years ago

blocked by #108974

Actions #25

Updated by okurz over 2 years ago

  • Status changed from Blocked to New
  • Assignee deleted (nicksinger)
  • Target version changed from Ready to future

I meant #113357

Actions #26

Updated by okurz almost 2 years ago

  • Tags changed from reactive work to reactive work, infra
Actions #27

Updated by livdywan 2 months ago

  • Subject changed from Loan Fujitsu server for OpenQA FIPS testing needs to Loan Fujitsu server for OpenQA FIPS testing needs size:S
  • Description updated (diff)
  • Status changed from New to Workable
Actions #28

Updated by okurz about 2 months ago

  • Category set to Feature requests
  • Status changed from Workable to Feedback
  • Assignee set to okurz
  • Target version changed from future to Tools - Next

From Viktor Trubovich in DM https://suse.slack.com/archives/D038Q71BCUT/p1729757522692269

Hello! Regarding https://progress.opensuse.org/issues/108974#change-607925
Do you plan to use this server ? If yes - we need to free space in our rack for the new HW and move it to the openqa rack.
(Oliver Kurz) if you don't have any further use for the menitoned machine then I suggest to move it into https://racktables.nue.suse.com/index.php?page=rack&rack_id=21282 J12 . We can make use of the machine for openSUSE openQA bare-metal tests. Will you handle that with IT and involve me please?

Actions #29

Updated by okurz about 2 months ago

  • Status changed from Feedback to Blocked
Actions #31

Updated by okurz about 1 month ago

  • Status changed from Blocked to Workable
  • Target version changed from Tools - Next to Ready

Asked in https://suse.slack.com/archives/C02AJ1E568M/p1730836148605019

hi, there is a free server which is now in the o3 rack "J12". For context see https://progress.opensuse.org/issues/108974 . Do you have proposals for how to name that server which we could for example use for bare metal testing?

Actions #32

Updated by okurz about 1 month ago

  • Status changed from Workable to Blocked

I wrote in https://sd.suse.com/servicedesk/customer/portal/1/SD-171323

please call the machine “maiden” with according label and FQDN. The current password for the IPMI user “openqa” is “[…]”. I would change that password after we have network access. We are discussing how we want to use the machine and will suggest a name and label later

Actions #33

Updated by okurz 13 days ago

  • Target version changed from Ready to Tools - Next
Actions #34

Updated by okurz 4 days ago · Edited

  • Status changed from Blocked to Feedback
  • Target version changed from Tools - Next to Ready

https://sd.suse.com/servicedesk/customer/portal/1/SD-171323

I can confirm that both interfaces are reachable and that I can control the machine over IPMI. Thank you guys, please resolve the ticket

I used ipmitool -I lanplus -H maiden-sp -U openqa -P … chassis policy always-off

I have not yet added the machine to any o3 worker config. We can consider to add the machine to w23:/opt/ipmi_opensuse/workers.ini

https://gitlab.suse.de/openqa/salt-pillars-openqa/-/merge_requests/951

Actions

Also available in: Atom PDF