Project

General

Profile

Actions

action #120264

closed

coordination #121720: [saga][epic] Migration to QE setup in PRG2+NUE3 while ensuring availability

coordination #116623: [epic] Migration of SUSE Nbg based openQA+QA+QAM systems to new security zones

Conduct the migration of SUSE QA systems (non-tools-team maintained) from Nbg SRV1 to new security zones size:M

Added by okurz over 1 year ago. Updated 11 months ago.

Status:
Resolved
Priority:
Normal
Assignee:
Target version:
Start date:
2022-09-15
Due date:
% Done:

0%

Estimated time:
Tags:

Description

Motivation

See parent #116623

Acceptance criteria

  • AC1: All QA machines not maintained by tools team in Nbg SRV1 are in new security zones
  • AC2: All QA machines not maintained by tools team in Nbg SRV1 are fully usable in production

Suggestions

Open points


Related issues 2 (0 open2 closed)

Related to openQA Infrastructure - action #114697: What are orion and andromeda.o.oResolvedokurz2022-07-26

Actions
Copied from QA - action #119443: Conduct the migration of SUSE openQA systems from Nbg SRV1 to new security zones size:MResolvedokurz2022-11-17

Actions
Actions #1

Updated by okurz over 1 year ago

  • Copied from action #119443: Conduct the migration of SUSE openQA systems from Nbg SRV1 to new security zones size:M added
Actions #2

Updated by okurz over 1 year ago

  • Copied to action #120267: Conduct the migration of openqa-ses aka. "storage.qa.suse.de" size:M added
Actions #3

Updated by okurz over 1 year ago

  • Description updated (diff)

Based on https://racktables.nue.suse.com/index.php?andor=and&cft%5B%5D=11&cfe=%7BNuremberg%7D+and+%28%7BQA%7D+or+%7BQAM%7D%29+and+not+%7BOld-Decommissioned%7D+and+not+%7BDecommissioned%7D+and+not+%7BTo+be+decommissioned%7D&page=depot&tab=default for all machines in SRV1 I added a list of machines in the description

Actions #4

Updated by okurz over 1 year ago

Actions #5

Updated by okurz over 1 year ago

  • Assignee deleted (okurz)
  • Target version deleted (Ready)

regarding orion+andromedia

(Martin Loviska) Those machines are dedicated for o3. So as long as they are in that network and also we can reach outside world, I do not see any issues. As of now I have tried to deploy OS there, but according to Yast2 all 4 NICs are disconnected. Generally, those VLAN numbers are chinese for me. they should be o3 xen and (hyperv|vmware) workers
(Oliver Kurz) VLAN 2 is Eng-Infra maintained, VLAN 12 is QA so dhcp/dns would come from qanet.qa.suse.de https://gitlab.suse.de/qa-sle/qanet-configs/ and VLAN 662 is for o3 with dhcp/dns on ariel aka. o3, dnsmasq.

Actions #6

Updated by okurz over 1 year ago

  • Assignee set to okurz
  • Target version set to Ready
Actions #7

Updated by openqa_review over 1 year ago

Setting due date based on mean cycle time of SUSE QE Tools

Actions #8

Updated by okurz over 1 year ago

  • Status changed from In Progress to Feedback

According owners have been informed and triggered, awaiting results

Actions #9

Updated by okurz over 1 year ago

In https://suse.slack.com/archives/C0488BZNA5S/p1669018678496969?thread_ts=1668720128.410659&cid=C0488BZNA5S I reminded Lazaros Haleplidis from SUSE-IT about the current problems which look related:

(Oliver Kurz) @Lazaros Haleplidis could you follow up with adding all traffic between .oqa.suse.de and .qa.suse.de to the passlist? We are still getting issue reports that look related to this
(Lazaros Haleplidis) between systems that have already been migrating? can you please elaborate?
(Oliver Kurz) No, that's between migrated and not yet migrated machines. Machines within one zone shouldn't be filtered. Please see the context of the thread. you asked about the specific traffic that you found blocked, I just generalized from there mentioning the still open old request that the traffic between the new zone to the QA domain is crucial and must not be blocked
(Lazaros Haleplidis) question, all of the machines not yet migrated, do they belong to a specific network that I can summarize? or general in vlan 2 together with everything else?
(Oliver Kurz) This is not about VLAN 2 but .oqa.suse.de, the new zone, don't know the VLAN, and .qa.suse.de aka. VLAN 12. I don't understand how I can be more specific without repeating again what I have written multiple times in this thread
(Lazaros Haleplidis) can you test again please, I have temporary allowed from the whole NUE1 to qa

Actions #10

Updated by livdywan over 1 year ago

  • Subject changed from Conduct the migration of SUSE QA systems (non-tools-team maintained) from Nbg SRV1 to new security zones to Conduct the migration of SUSE QA systems (non-tools-team maintained) from Nbg SRV1 to new security zones size:M
Actions #11

Updated by okurz over 1 year ago

  • Status changed from Feedback to Blocked

According to racktables the machines
openqaw7-hyperv.qa.suse.de
openqaw8-vmware.qa.suse.de
andromeda.openqa.opensuse.org
orion.openqa.opensuse.org
are still within VLAN 2 or other not new zones. Waiting …
Also blocked by #120267

Actions #12

Updated by okurz over 1 year ago

  • Status changed from Blocked to In Progress

Lazaros Haleplidis informed me in https://suse.slack.com/archives/C0488BZNA5S/p1669635761846859

after sync with Nan Zhang, we have successfully migrated, openqaw7-hyperv.qa.suse.de and worker8-vmware.oqa.suse.de and their ipmi interfaces

As I received no timely response I created now myself
https://gitlab.suse.de/openqa/salt-pillars-openqa/-/merge_requests/468

According to racktables andromeda IPMI was migrated but orion not yet.

Actions #13

Updated by okurz over 1 year ago

  • Status changed from In Progress to Feedback

Brought the topic up in chat, waiting for update

Actions #14

Updated by okurz over 1 year ago

  • Status changed from Feedback to Blocked
Actions #15

Updated by okurz over 1 year ago

  • Description updated (diff)
  • Category set to Infrastructure
  • Status changed from Blocked to Workable
  • Assignee deleted (okurz)

#120267 is not a subtask anymore as we mixed up "openqa-ses" aka. storage.qa.suse.de, now handled elsewhere. Leaves

Actions #16

Updated by okurz over 1 year ago

  • Status changed from Workable to Resolved
  • Assignee set to okurz

All mentioned for machines are in the new security zone including IPMI.

Actions

Also available in: Atom PDF