action #120264
closed coordination #121720: [saga][epic] Migration to QE setup in PRG2+NUE3 while ensuring availability
coordination #116623: [epic] Migration of SUSE Nbg based openQA+QA+QAM systems to new security zones
Conduct the migration of SUSE QA systems (non-tools-team maintained) from Nbg SRV1 to new security zones size:M
Description
Motivation
See parent #116623
Acceptance criteria
- AC1: All QA machines not maintained by tools team in Nbg SRV1 are in new security zones
- AC2: All QA machines not maintained by tools team in Nbg SRV1 are fully usable in production
Suggestions
- Coordinate the move among SUSE-IT and machine owners in Slack #discuss-qe-new-security-zones
- As necessary document changes in our infrastructure documentation, e.g. https://gitlab.suse.de/openqa/salt-pillars-openqa/-/blob/master/openqa/workerconf.sls
- Ensure racktables is up-to-date
- Rinse and repeat for the other machines
- Ensure machines are usable
Open points
Updated by okurz about 2 years ago
- Copied from action #119443: Conduct the migration of SUSE openQA systems from Nbg SRV1 to new security zones size:M added
Updated by okurz about 2 years ago
- Copied to action #120267: Conduct the migration of openqa-ses aka. "storage.qa.suse.de" size:M added
Updated by okurz about 2 years ago
- Description updated
Based on https://racktables.nue.suse.com/index.php?andor=and&cft%5B%5D=11&cfe=%7BNuremberg%7D+and+%28%7BQA%7D+or+%7BQAM%7D%29+and+not+%7BOld-Decommissioned%7D+and+not+%7BDecommissioned%7D+and+not+%7BTo+be+decommissioned%7D&page=depot&tab=default for all machines in SRV1 I added a list of machines in the description
openqaw7-hyperv and openqaw8-vmware to be handled in https://suse.slack.com/archives/C0488BZNA5S/p1667994615162659
andromeda+orion according to racktables only has an IPMI connection in VLAN 2, to be handled in https://suse.slack.com/archives/C0488BZNA5S/p1668081848377359
(Oliver Kurz) @Felix Niederwanger @Jose Lausuch andromeda.openqa.opensuse.org and orion.openqa.opensuse.org should have a team mailing list as owner. Can you fix that? And I assume for those two machines we just need to migrate the IPMI interface from VLAN 2, the other ethernet interface could be in o3 VLAN 662 I assume?
Updated by okurz about 2 years ago
- Related to action #114697: What are orion and andromeda.o.o added
Updated by okurz about 2 years ago
- Assignee deleted (okurz)
- Target version deleted (Ready)
Regarding orion+andromeda:
(Martin Loviska) Those machines are dedicated for o3. So as long as they are in that network and also we can reach outside world, I do not see any issues. As of now I have tried to deploy OS there, but according to Yast2 all 4 NICs are disconnected. Generally, those VLAN numbers are Chinese for me. They should be o3 xen and (hyperv|vmware) workers
(Oliver Kurz) VLAN 2 is Eng-Infra maintained, VLAN 12 is QA so dhcp/dns would come from qanet.qa.suse.de https://gitlab.suse.de/qa-sle/qanet-configs/ and VLAN 662 is for o3 with dhcp/dns on ariel aka. o3, dnsmasq.
Updated by okurz about 2 years ago
- Assignee set to okurz
- Target version set to Ready
Updated by openqa_review about 2 years ago
Setting due date based on mean cycle time of SUSE QE Tools
Updated by okurz about 2 years ago
- Status changed from In Progress to Feedback
The respective owners have been informed and triggered, awaiting results
Updated by okurz about 2 years ago
In https://suse.slack.com/archives/C0488BZNA5S/p1669018678496969?thread_ts=1668720128.410659&cid=C0488BZNA5S I reminded Lazaros Haleplidis from SUSE-IT about the current problems which look related:
(Oliver Kurz) @Lazaros Haleplidis could you follow up with adding all traffic between .oqa.suse.de and .qa.suse.de to the passlist? We are still getting issue reports that look related to this
(Lazaros Haleplidis) Between systems that have already been migrating? Can you please elaborate?
(Oliver Kurz) No, that's between migrated and not yet migrated machines. Machines within one zone shouldn't be filtered. Please see the context of the thread. You asked about the specific traffic that you found blocked, I just generalized from there mentioning the still open old request that the traffic between the new zone to the QA domain is crucial and must not be blocked
(Lazaros Haleplidis) Question, all of the machines not yet migrated, do they belong to a specific network that I can summarize? Or general in VLAN 2 together with everything else?
(Oliver Kurz) This is not about VLAN 2 but .oqa.suse.de, the new zone, don't know the VLAN, and .qa.suse.de aka. VLAN 12. I don't understand how I can be more specific without repeating again what I have written multiple times in this thread
(Lazaros Haleplidis) Can you test again please, I have temporarily allowed from the whole NUE1 to qa
Updated by livdywan about 2 years ago
- Subject changed from Conduct the migration of SUSE QA systems (non-tools-team maintained) from Nbg SRV1 to new security zones to Conduct the migration of SUSE QA systems (non-tools-team maintained) from Nbg SRV1 to new security zones size:M
Updated by okurz about 2 years ago
- Status changed from Feedback to Blocked
According to racktables the machines
openqaw7-hyperv.qa.suse.de
openqaw8-vmware.qa.suse.de
andromeda.openqa.opensuse.org
orion.openqa.opensuse.org
are still within VLAN 2 or other not new zones. Waiting …
Also blocked by #120267
Updated by okurz about 2 years ago
- Status changed from Blocked to In Progress
Lazaros Haleplidis informed me in https://suse.slack.com/archives/C0488BZNA5S/p1669635761846859
after sync with Nan Zhang, we have successfully migrated, openqaw7-hyperv.qa.suse.de and worker8-vmware.oqa.suse.de and their ipmi interfaces
As I received no timely response I created now myself
https://gitlab.suse.de/openqa/salt-pillars-openqa/-/merge_requests/468
According to racktables andromeda IPMI was migrated but orion not yet.
Updated by okurz about 2 years ago
- Status changed from In Progress to Feedback
Brought the topic up in chat, waiting for update
Updated by okurz almost 2 years ago
- Description updated
- Category set to Infrastructure
- Status changed from Blocked to Workable
- Assignee deleted (okurz)
#120267 is not a subtask anymore as we mixed up "openqa-ses" aka. storage.qa.suse.de, now handled elsewhere. Leaves
Updated by okurz almost 2 years ago
- Status changed from Workable to Resolved
- Assignee set to okurz
All mentioned four machines are in the new security zone including IPMI.