action #116629

closed

coordination #121720: [saga][epic] Migration to QE setup in PRG2+NUE3 while ensuring availability

coordination #116623: [epic] Migration of SUSE Nbg based openQA+QA+QAM systems to new security zones

Preparation planning for migration of SUSE openQA+QA systems to new security zones size:M

Added by okurz about 2 years ago. Updated about 1 year ago.

Status: Resolved
Priority: Normal
Assignee:
Target version:
Start date: 2022-09-15
Due date:
% Done: 0%
Estimated time:

Description

Motivation

See parent #116623

Acceptance criteria

  • AC1: A complete list of affected machines and required services is provided, usable by the Cybersecurity team

Suggestions

  • Read existing materials and proposals, e.g. above mentioned confluence pages
  • okurz suggests to make sure racktables Nuremberg&QA is the complete list for all the machines we need to care about, racktables Nuremberg&QAM respectively. https://gitlab.suse.de/qa-sle/qanet-configs/ has all the DHCP+DNS entries for the QA subnet.
  • Come up with a proposal for what network security zones we need and what security rules should apply for those
  • Provide a list of all machines with FQDN, MAC, VLAN, IPv4, IPv6 for machines as well as BMCs as required by Lazaros Haleplidis, at best readable directly from Racktables

Out of scope

Currently the dedicated openqa.opensuse.org network is not covered by this change. According to Lazaros Haleplidis no public-facing machines, which includes https://openqa.opensuse.org, are touched by this.

Further details

  1. What are your requirements that need to be fulfilled?
    All inbound traffic needs to be well defined.

  2. Do we have any benefits from this change?
    Better separation within SUSE networks

  3. How can the security rules be controlled?
    Creating a ticket. Automation, e.g. using terraform, etc., is evaluated

  4. Do we need two networks, one for openQA and QA?
    Right now we use machines within the Eng-Infra network. We can specify requirements

  5. We need HTTP communication to various hosts within the .suse.de domain. download.suse.de, gitlab.suse.de, etc.
    All of these need to be specifically specified

BMCs are planned to be accessible over jump hosts. It is planned to migrate IP access to machines first and keep IPMI till the end. The jump host is planned to be a Linux VM accessible over SSH from where we can access the BMCs of the systems.

It is possible to have dedicated "test networks", i.e. equivalent to our QA network, where we have machines+BMCs within the same network. It might not be the suggested setup but is possible.

We meet again on 2022-09-22, 1500 CEST. Lazaros Haleplidis will invite us for 2022-09-22.


Related issues 2 (0 open, 2 closed)

Copied to QA - action #117043: Request DHCP+DNS services for new QE network zones, same as already provided for .qam.suse.de and .qa.suse.cz (Resolved, okurz)

Copied to QA - action #119443: Conduct the migration of SUSE openQA systems from Nbg SRV1 to new security zones size:M (Resolved, okurz, 2022-11-17)

Actions #1

Updated by openqa_review about 2 years ago

  • Due date set to 2022-09-30

Setting due date based on mean cycle time of SUSE QE Tools

Actions #2

Updated by okurz about 2 years ago

  • Description updated (diff)
Actions #3

Updated by okurz about 2 years ago

  • Subject changed from Preparation planning for migration of SUSE openQA+QA systems to new security zones to Preparation planning for migration of SUSE openQA+QA systems to new security zones size:M
Actions #4

Updated by okurz about 2 years ago

  • Description updated (diff)
Actions #5

Updated by okurz about 2 years ago

  • Copied to action #117043: Request DHCP+DNS services for new QE network zones, same as already provided for .qam.suse.de and .qa.suse.cz added
Actions #6

Updated by okurz about 2 years ago

  • Due date deleted (2022-09-30)
  • Status changed from In Progress to Blocked

We conducted a second meeting with Lazaros. I updated the racktable lists, cleaned out a lot more decommissioned and obsolete entries and set the "In Stock" status for systems that are currently in "cold storage". Now waiting for a response regarding #117043 from Eng-Infra and the corresponding reaction from Lazaros Haleplidis about the path to continue.

Actions #7

Updated by okurz almost 2 years ago

  • Status changed from Blocked to Resolved

Meeting with Lazaros 2022-10-26. He wants to focus on Nbg SRV1 and start as soon as possible. I suggested using openqaworker11 https://racktables.nue.suse.com/index.php?page=object&tab=default&object_id=9584 as a test machine. Starting 2022-10-31 08:30Z we will migrate that machine with eth0+eth1+ipmi and after confirmation of everything fully working continue with other machines. DHCP/DNS still to be provided by SUSE-IT Eng-Infra. Lazaros will clarify serving DHCP/DNS with mcaj. As stated by Lazaros the goal is that VLAN 2 in Nuremberg is fully replaced by more team-specific zones.

Actions #8

Updated by okurz almost 2 years ago

  • Copied to action #119443: Conduct the migration of SUSE openQA systems from Nbg SRV1 to new security zones size:M added