action #116629
closedcoordination #121720: [saga][epic] Migration to QE setup in PRG2+NUE3 while ensuring availability
coordination #116623: [epic] Migration of SUSE Nbg based openQA+QA+QAM systems to new security zones
Preparation planning for migration of SUSE openQA+QA systems to new security zones size:M
0%
Description
Motivation¶
See parent #116623
Acceptance criteria¶
- AC1: A complete list of affected machines and required services is provided usable by Cybersecurity team
Suggestions¶
- Read existing materials and proposals, e.g. above mentioned confluence pages
- okurz suggests to make sure racktables Nuremberg&QA is the complete list for all the machines we need to care about, racktables Nuremberg&QAM respectively. https://gitlab.suse.de/qa-sle/qanet-configs/ has all the DHCP+DNS entries for the QA subnet.
- Come up with a proposal for what network security zones we need and what security rules should apply for those
- Provide a list of all machines with FQDN, MAC, VLAN, IPv4, IPv6 for machines as well as BMCs as required by Lazaros Haleplidis, at best readable directly from Racktables
Out of scope¶
Currently the dedicated openqa.opensuse.org network is not covered by this change. According to Lazaros Haleplidis no public facing machines which is including https://openqa.opensuse.org are touched by this.
Further details¶
What are your requirements that need to be fulfilled?
All inbound traffic needs to be well defined.Do we have any benefits from this change?
Better separation within SUSE networksHow can the security rules be controlled?
Creating a ticket. Automation, e.g. using terraform, etc., is evaluatedDo we need two networks, one for openQA and QA?
Right now we use machines within the Eng-Infra network. We can specify requirementsWe need HTTP communication to various hosts within the .suse.de domain. download.suse.de, gitlab.suse.de, etc.
All of these need to be specifically specified
BMCs are planned to be accessible over jump hosts. It is planned to migrate IP access to machines first and keep IPMI till the end. Jump hosts is planned to be a Linux VM accessible over SSH from where we can access BMCs of the systems.
It is possible to have dedicated "test networks" so equivalent to our QA network where we have machines+BMCs within the same network. It might not be the suggested setup but is possible.
We meet again on 2022-09-22, 1500 CEST. Lazaros Haleplidis will invite us for 2022-09-22.
Updated by openqa_review about 2 years ago
- Due date set to 2022-09-30
Setting due date based on mean cycle time of SUSE QE Tools
Updated by okurz about 2 years ago
- Subject changed from Preparation planning for migration of SUSE openQA+QA systems to new security zones to Preparation planning for migration of SUSE openQA+QA systems to new security zones size:M
Updated by okurz about 2 years ago
- Copied to action #117043: Request DHCP+DNS services for new QE network zones, same as already provided for .qam.suse.de and .qa.suse.cz added
Updated by okurz about 2 years ago
- Due date deleted (
2022-09-30) - Status changed from In Progress to Blocked
We conducted a second meeting with Lazaros. I updated the racktable lists, cleaned out a lot more of decommissioned and obsolete entries and set the "In Stock" status for systems that are currently in "cold storage". Now waiting for response regarding #117043 from Eng-Infra and according reaction from Lazaros Haleplidis about the path to continue.
Updated by okurz almost 2 years ago
- Status changed from Blocked to Resolved
Meeting with Lazaros 2022-10-26. He wants to focus on Nbg SRV1 and start as soon as possible. I suggested to use openqaworker11 https://racktables.nue.suse.com/index.php?page=object&tab=default&object_id=9584 as a test machine. Starting 2022-10-31 08:30Z we will migrate that machine with eth0+eth1+ipmi and after confirmation of everything fully working continue with other machines. DHCP/DNS still to be provided by SUSE-IT Eng-Infra. Lazaros will clarify serving DHCP/DNS with mcaj. As stated by Lazaros the goal is that VLAN 2 in Nuremberg is fully replaced by more team specific zones.
Updated by okurz almost 2 years ago
- Copied to action #119443: Conduct the migration of SUSE openQA systems from Nbg SRV1 to new security zones size:M added