action #108974 (open)
Loan Fujitsu server for OpenQA FIPS testing needs size:S
Description
Observation
We decided to loan Fujitsu server Fujitsu-x86-1
https://racktables.suse.de/index.php?page=object&object_id=13539
https://confluence.suse.com/display/SecurityCertifications/Certifications+test+environment#Certificationstestenvironment-Fujitsu-x86-1
https://sd.suse.com/servicedesk/customer/portal/1/SD-81362
from Certification test environment for OpenQA FIPS testing needs.
CPU: 4x Intel(R) Xeon(R) Platinum 8268 CPU @ 2.90GHz - 24 Core https://ark.intel.com/content/www/us/en/ark/products/192481/intel-xeon-platinum-8268-processor-35-75m-cache-2-90-ghz.html
RAM: 128GB
Storage: 2x 300 GB SCSI 15K rpm
This should be a bare metal testing machine.
IPMI user: openqa
IPMI password: Will be provided separately
Remote console on: https://qemu-kvm-switch.suse.de port 01
User: openqa
PW: same as for IPMI
KVM access to Fujitsu servers: https://confluence.suse.com/display/SecurityCertifications/KVM+access+to+Fujitsu+servers
The machine needs UEFI PXE which is currently not in place within the SUSE Nbg QA subnet, meaning no UEFI PXE support on qanet.qa.suse.de
Acceptance criteria
- AC1: New fujitsu server is usable for its intended purpose
- AC2: The information in racktables is ensured to be up-to-date
Suggestions
- Just check if https://racktables.suse.de/index.php?page=object&tab=default&object_id=13539 is still up to date
- Ask loaners about the current status and clarify
Updated by viktors.trubovics over 2 years ago
Point of contact in QE team is Ben Chou.
Updated by okurz over 2 years ago
- Assignee changed from nicksinger to bchou
- Target version set to future
- I can reach https://qemu-kvm-switch.suse.de/ and pass the invalid certificate and then the web interface times out
- https://confluence.suse.com/pages/viewpage.action?spaceKey=SecurityCertifications&title=Certifications+test+environment mentions two times "fips-new", one is s390x, so here it's about the other one. Still, can be confusing
- I can't ping the IPv4 address of the machine nor IPMI, "packet filtered" from ping
- I don't have the IPMI password so can't test with ipmitool myself
- racktable entries in https://racktables.suse.de/index.php?page=object&tab=ports&object_id=13539 are incomplete
- I don't have permissions to view https://sd.suse.com/servicedesk/customer/portal/1/SD-81362
@bchou over to you
Updated by viktors.trubovics over 2 years ago
My answers are inline:
> I can reach https://qemu-kvm-switch.suse.de/ and pass the invalid certificate and then the web interface times out
Should be a question to IT - I can access it using VPN. https://qemu-kvm-switch.suse.de/ needs to be added to exceptions, it has a self-signed certificate.
> https://confluence.suse.com/pages/viewpage.action?spaceKey=SecurityCertifications&title=Certifications+test+environment mentions two times "fips-new", one is s390x, so here it's about the other one. Still, can be confusing
There is only one entry for Fujitsu-x86-1.
> I can't ping the IPv4 address of the machine nor IPMI, "packet filtered" from ping
Currently the server is connected to the Cert isolated network 192.168.69.0/24 and has IP 192.168.69.103, IPMI IP 192.168.69.104. It can be accessed only using qemu-devel.opensuse.org (authentication using ssh keys). The server must be connected to the needed network and the IPMI IP reconfigured.
> I don't have the IPMI password so can't test with ipmitool myself
Sent IPMI PW to you by e-mail.
> racktable entries in https://racktables.suse.de/index.php?page=object&tab=ports&object_id=13539 are incomplete
I also do not have rights to update racktables
> I don't have permissions to view https://sd.suse.com/servicedesk/customer/portal/1/SD-81362
Shared ticket with you.
Updated by bchou over 2 years ago
- Assignee changed from bchou to viktors.trubovics
Purpose:
- The certification team (Viktor) requests Intel bare-metal testing (FIPS related) on Fujitsu-x86-1, and the QE-security team plans to run the automation tests in openQA via the IPMI backend.
Visit https://racktables.suse.de/index.php?page=object&object_id=13539
- I can access this link with my Bugzilla account with VPN connected.
Visit https://qemu-kvm-switch.suse.de
- I don't have the password to login to this Remote console.
- Probably Viktor could provide it to us for testing purposes.
Visit https://sd.suse.com/servicedesk/customer/portal/1/SD-81362
- I think this ticket (sd.suse.com) is opened as a SUSE IT ticket; they are not responsible for openQA infra.
I don't have the IPMI password either.
For the Fujitsu-x86-1, we also need to provide pubkey to Viktor for authentication using ssh keys, right?
Based on Nick's feedback from mail (Loan Fujitsu server for OpenQA FIPS testing needs), I think this ticket could be helped by qa-tools-team (osd-admins@suse.de)
Thanks.
Updated by okurz over 2 years ago
bchou wrote:
> I don't have the IPMI password either.
shared privately
> For the Fujitsu-x86-1, we also need to provide pubkey to Viktor for authentication using ssh keys, right?
You mean for qemu-devel.opensuse.org? Yes, I guess so
> Based on Nick's feedback from mail (Loan Fujitsu server for OpenQA FIPS testing needs), I think this ticket could be helped by qa-tools-team (osd-admins@suse.de)
I am reading your updates on behalf of SUSE QE Tools and can provide help where needed. As the machine is intended to be used as a bare metal testing target, corresponding entries in https://gitlab.suse.de/openqa/salt-pillars-openqa would be necessary, e.g. IPMI credentials and IPMI hostname. However, as was stated above, the machine can only be reached over an ssh bridge, which is not possible out of the box with openQA workers, so you could run a custom setup somewhere and connect that as worker or connect the machine directly to another openQA instance. As an alternative you can try out the possibility to run custom worker engines within openQA workers. For that please see https://github.com/os-autoinst/openQA/pull/4584
Updated by viktors.trubovics over 2 years ago
Here I see a simpler solution - need to move the server from our isolated network (192.168.69.0/24) to any engineering network convenient for the QE team.
For this purpose I created ticket:
https://sd.suse.com/servicedesk/customer/portal/1/SD-81362
Updated by okurz over 2 years ago
viktors.trubovics wrote:
> Here I see a simpler solution - need to move the server from our isolated network (192.168.69.0/24) to any engineering network convenient for the QE team.
> For this purpose I created ticket:
> https://sd.suse.com/servicedesk/customer/portal/1/SD-81362
Yes, that's one of the options and likely the most simple one.
EDIT: commented on https://sd.suse.com/servicedesk/customer/portal/1/SD-81362
Updated by viktors.trubovics over 2 years ago
Created one more ticket https://sd.suse.com/servicedesk/customer/portal/1/SD-82030
Updated by rfan1 over 2 years ago
@viktors.trubovics,
Could you please share the ticket to me?
Updated by viktors.trubovics over 2 years ago
Server moved to needed VLAN.
New IP for SLES12 installed is: 10.162.31.226
IPMI IP address is 10.162.31.209.
Tested - can connect IPMI and login to it.
Updated by okurz over 2 years ago
@bchou can you confirm the login works for you? With that information I recommend to add the necessary information to salt pillars as mentioned in https://progress.opensuse.org/issues/108974#note-5
Updated by nicksinger over 2 years ago
for the record: the machine now has a static entry inside qanet: https://gitlab.suse.de/qa-sle/qanet-configs/-/commit/56a9bca6be19c1f7262caff80444e7598cdadb1d
Updated by viktors.trubovics over 2 years ago
Hello,
thanks to Nick the server now has dynamically static IP addresses:
host fujitsu-fips-testhost-sp { hardware ethernet 00:22:4d:d7:3b:ef; fixed-address 10.162.2.134; option host-name "fujitsu-fips-testhost-sp"; filename "pxelinux.0"; }
host fujitsu-fips-testhost { hardware ethernet 00:22:4d:d7:3b:f1; fixed-address 10.162.2.135; option host-name "fujitsu-fips-testhost"; filename "pxelinux.0"; }
Please add fujitsu-fips-testhost host to the PXE installation process.
Updated by okurz over 2 years ago
- Assignee changed from viktors.trubovics to bchou
@bchou I think this should go to you then to continue.
Updated by bchou over 2 years ago
- Status changed from New to In Progress
Thanks a lot.
We are working on it now.
Updated by rfan1 over 2 years ago
@viktors.trubovics,
I noticed that in the dhcp/install server configuration, the NBP file is set to "pxelinux.0". However, the current Fujitsu server is UEFI boot. Can you please double check this?
I will send a mail to talk about this.
BR//Richard.
Updated by rfan1 over 2 years ago
I checked the Fujitsu server, and I found that the server can only support UEFI mode. I am not able to find a way to switch to legacy BIOS mode.
At the same time, openQA currently doesn't support UEFI PXE installation for x86_64 BM servers yet [pls let me know if I am wrong].
A pending PR is there to support it -> https://github.com/os-autoinst/os-autoinst-distri-opensuse/pull/14684
So, can you please help check with Nick to change the setting on the DHCP/install server? We should set the EFI NBP file there.
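What the request above amounts to on the DHCP side, as an added example that is not part of the ticket and not the real qanet configuration: an ISC dhcpd host entry that selects the NBP from the client architecture the firmware announces (DHCP option 93). The option name `arch` and the EFI file name are assumptions; the MAC address, IP address and host name are the ones posted earlier in this ticket.

```conf
# Added example, not the actual qanet configuration.
# Option 93 (RFC 4578) carries the client system architecture that the
# firmware sends in its PXE DHCP request. The name "arch" is chosen here.
option arch code 93 = unsigned integer 16;

# Before (as posted in the ticket): the host is always handed the BIOS
# loader, which UEFI firmware cannot execute.
#   host fujitsu-fips-testhost { ...; filename "pxelinux.0"; }

# After: choose the NBP from the announced architecture.
host fujitsu-fips-testhost {
  hardware ethernet 00:22:4d:d7:3b:f1;
  fixed-address 10.162.2.135;
  option host-name "fujitsu-fips-testhost";

  if option arch = 00:07 or option arch = 00:09 {
    # x86_64 UEFI client (architecture types 7 and 9).
    # Placeholder file name: replace with the EFI loader that the
    # install server actually publishes over TFTP.
    filename "EFI-NBP-PLACEHOLDER.efi";
  } else {
    # Legacy BIOS client (architecture type 0).
    filename "pxelinux.0";
  }
}
```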
Updated by nicksinger over 2 years ago
- Assignee changed from bchou to nicksinger
I will try to come up with a PXE setup which works with UEFI. https://confluence.suse.com/pages/viewpage.action?pageId=762348151 has some details
Updated by okurz over 2 years ago
- Priority changed from Normal to Low
- Target version changed from future to Ready
Adding to backlog as decided with nicksinger as he is already looking into this as a side-task. Regarding other work currently in the backlog please be aware that we still regard this as Low priority as there are multiple other issues affecting more users that we should prioritize.
Updated by okurz over 2 years ago
- Description updated (diff)
- Status changed from New to Blocked
Updated by okurz over 2 years ago
- Status changed from Blocked to New
- Assignee deleted (nicksinger)
- Target version changed from Ready to future
I meant #113357
Updated by okurz almost 2 years ago
- Tags changed from reactive work to reactive work, infra
Updated by okurz about 2 months ago
- Category set to Feature requests
- Status changed from Workable to Feedback
- Assignee set to okurz
- Target version changed from future to Tools - Next
From Viktor Trubovich in DM https://suse.slack.com/archives/D038Q71BCUT/p1729757522692269
Hello! Regarding https://progress.opensuse.org/issues/108974#change-607925
Do you plan to use this server ? If yes - we need to free space in our rack for the new HW and move it to the openqa rack.
(Oliver Kurz) if you don't have any further use for the mentioned machine then I suggest to move it into https://racktables.nue.suse.com/index.php?page=rack&rack_id=21282 J12. We can make use of the machine for openSUSE openQA bare-metal tests. Will you handle that with IT and involve me please?
Updated by okurz about 2 months ago
- Status changed from Feedback to Blocked
Updated by viktors.trubovics about 2 months ago
Created ticket https://sd.suse.com/servicedesk/customer/portal/1/SD-171323 to move server
Updated by okurz about 1 month ago
- Status changed from Blocked to Workable
- Target version changed from Tools - Next to Ready
Asked in https://suse.slack.com/archives/C02AJ1E568M/p1730836148605019
hi, there is a free server which is now in the o3 rack "J12". For context see https://progress.opensuse.org/issues/108974 . Do you have proposals for how to name that server which we could for example use for bare metal testing?
Updated by okurz about 1 month ago
- Status changed from Workable to Blocked
I wrote in https://sd.suse.com/servicedesk/customer/portal/1/SD-171323
please call the machine “maiden” with according label and FQDN. The current password for the IPMI user “openqa” is “[…]”. I would change that password after we have network access. We are discussing how we want to use the machine and will suggest a name and label later
Updated by okurz 4 days ago · Edited
- Status changed from Blocked to Feedback
- Target version changed from Tools - Next to Ready
https://sd.suse.com/servicedesk/customer/portal/1/SD-171323
I can confirm that both interfaces are reachable and that I can control the machine over IPMI. Thank you guys, please resolve the ticket
I used ipmitool -I lanplus -H maiden-sp -U openqa -P … chassis policy always-off
I have not yet added the machine to any o3 worker config. We can consider to add the machine to w23:/opt/ipmi_opensuse/workers.ini
https://gitlab.suse.de/openqa/salt-pillars-openqa/-/merge_requests/951