action #120264: Conduct the migration of SUSE QA systems (non-tools-team maintained) from Nbg SRV1 to new security zones size:M - QA - openSUSE Project Management Tool

Custom queries

may-sprint
new immediate tickets
openQA Infrastructure Project
openqa-review - Closed tickets last updated by openqa-review, last 30 days
QA roadmap long-term
QA SLE functional
QA SLE Functional - closed in last 14 days
QA SLE Functional - High, need to be refined
QA SLE Functional - over cycle time median
QA SLE u
QA SLE y
QA tools (tag not necessary in openQA and subprojects)
QA tools tag (tag not necessary in openQA and subprojects; excluding tickets in "Ready" version as they are already on the backlog)
QAC - Backlog
QE tools team - backlog (dev)
QE tools team - backlog (ready issues)
QE tools team - backlog SLA high
QE tools team - backlog SLA immediate
QE tools team - backlog SLA no immediate/urgent in feedback/blocked
QE tools team - backlog SLA normal
QE tools team - backlog SLA urgent
QE tools team - backlog SLO high
QE tools team - backlog SLO normal
QE tools team - backlog SLO urgent
QE tools team - backlog, high-level view (epics and higher)
QE tools team - backlog, non-reactive work, needs parent
QE tools team - backlog, top-level view (all sagas)
QE tools team - closed within last 14 days
QE tools team - closed within last 60 days
QE tools team - closed yesterday
QE Tools Team - Collaborative Session
QE tools team - due date forecast
QE tools team - exceeding due-date
QE tools team - infrastructure backlog
QE tools team - next - sorted by update time
QE tools team - next issues
QE tools team - non-estimated (unblocked) issues (dev)
QE tools team - non-estimated (unblocked) issues (infra)
QE tools team - ready issues - Workable
QE tools team - ready, not assigned/blocked/low
QE tools team - SLO high forecast
QE tools team - triage: untriaged issues
QE tools team - update forecast
QE tools team - updated by priority
QE tools team - what members of the team are working on - Feedback (not-low)
QE Tools Team Backlog By Assignee
Tools Team Retrospective
Tools Team Retrospective (not estimated or assigned)

Actions

Copy link

action #120264

closed

coordination #121720: [saga][epic] Migration to QE setup in PRG2+NUE3 while ensuring availability

coordination #116623: [epic] Migration of SUSE Nbg based openQA+QA+QAM systems to new security zones

Conduct the migration of SUSE QA systems (non-tools-team maintained) from Nbg SRV1 to new security zones size:M

Added by okurz over 1 year ago. Updated about 1 year ago.

Status:

Resolved

Priority:

Normal

Assignee:

okurz

Target version:

openQA Project - Ready

Start date:

2022-09-15

Due date:

% Done:

Estimated time:

Tags:

infra

Description

Motivation¶

See parent #116623

Acceptance criteria¶

AC1: All QA machines not maintained by tools team in Nbg SRV1 are in new security zones
AC2: All QA machines not maintained by tools team in Nbg SRV1 are fully usable in production

Suggestions¶

Coordinate the move among SUSE-IT and machine owners in Slack #discuss-qe-new-security-zones
As necessary document changes in our infrastructure documentation, e.g. https://gitlab.suse.de/openqa/salt-pillars-openqa/-/blob/master/openqa/workerconf.sls
Ensure racktables is up-to-date
Rinse and repeat for the other machines
Ensure machines are usable

Open points¶

openqaw7-hyperv.qa.suse.de
openqaw8-vmware.qa.suse.de
andromeda.openqa.opensuse.org
orion.openqa.opensuse.org

Related issues 2 (0 open — 2 closed)

Related to openQA Infrastructure - action #114697: What are orion and andromeda.o.o

Resolved

okurz

2022-07-26

Actions

Copied from QA - action #119443: Conduct the migration of SUSE openQA systems from Nbg SRV1 to new security zones size:M

Resolved

okurz

2022-11-17

Actions

Issue # Delay: days Cancel

History
Notes
Property changes

Actions

Copy link

Updated by okurz over 1 year ago

Copied from action #119443: Conduct the migration of SUSE openQA systems from Nbg SRV1 to new security zones size:M added

Actions

Copy link

Updated by okurz over 1 year ago

Copied to action #120267: Conduct the migration of openqa-ses aka. "storage.qa.suse.de" size:M added

Actions

Copy link

Updated by okurz over 1 year ago

Description updated (diff)

Based on https://racktables.nue.suse.com/index.php?andor=and&cft%5B%5D=11&cfe=%7BNuremberg%7D+and+%28%7BQA%7D+or+%7BQAM%7D%29+and+not+%7BOld-Decommissioned%7D+and+not+%7BDecommissioned%7D+and+not+%7BTo+be+decommissioned%7D&page=depot&tab=default for all machines in SRV1 I added a list of machines in the description

openqaw7-hyperv and openqaw8-vmware to be handled in https://suse.slack.com/archives/C0488BZNA5S/p1667994615162659
andromeda+orion according to racktables only has an IPMI connection in VLAN 2, to be handled in https://suse.slack.com/archives/C0488BZNA5S/p1668081848377359

(Oliver Kurz) @Felix Niederwanger @Jose Lausuch andromeda.openqa.opensuse.org and orion.openqa.opensuse.org should have a team mailing list as owner. Can you fix that? And I assume for those two machines we just need to migrate the IPMI interface from VLAN 2, the other ethernet interface could be in o3 VLAN 662 I assume?

Actions

Copy link

Updated by okurz over 1 year ago

Related to action #114697: What are orion and andromeda.o.o added

Actions

Copy link

Updated by okurz over 1 year ago

Assignee deleted (~~okurz~~)
Target version deleted (~~Ready~~)

regarding orion+andromedia

(Martin Loviska) Those machines are dedicated for o3. So as long as they are in that network and also we can reach outside world, I do not see any issues. As of now I have tried to deploy OS there, but according to Yast2 all 4 NICs are disconnected. Generally, those VLAN numbers are chinese for me. they should be o3 xen and (hyperv|vmware) workers
(Oliver Kurz) VLAN 2 is Eng-Infra maintained, VLAN 12 is QA so dhcp/dns would come from qanet.qa.suse.de https://gitlab.suse.de/qa-sle/qanet-configs/ and VLAN 662 is for o3 with dhcp/dns on ariel aka. o3, dnsmasq.

Actions

Copy link

Updated by okurz over 1 year ago

Assignee set to okurz
Target version set to Ready

Actions

Copy link

Updated by openqa_review over 1 year ago

Setting due date based on mean cycle time of SUSE QE Tools

Actions

Copy link

Updated by okurz over 1 year ago

Status changed from In Progress to Feedback

According owners have been informed and triggered, awaiting results

Actions

Copy link

Updated by okurz over 1 year ago

In https://suse.slack.com/archives/C0488BZNA5S/p1669018678496969?thread_ts=1668720128.410659&cid=C0488BZNA5S I reminded Lazaros Haleplidis from SUSE-IT about the current problems which look related:

(Oliver Kurz) @Lazaros Haleplidis could you follow up with adding all traffic between .oqa.suse.de and .qa.suse.de to the passlist? We are still getting issue reports that look related to this
(Lazaros Haleplidis) between systems that have already been migrating? can you please elaborate?
(Oliver Kurz) No, that's between migrated and not yet migrated machines. Machines within one zone shouldn't be filtered. Please see the context of the thread. you asked about the specific traffic that you found blocked, I just generalized from there mentioning the still open old request that the traffic between the new zone to the QA domain is crucial and must not be blocked
(Lazaros Haleplidis) question, all of the machines not yet migrated, do they belong to a specific network that I can summarize? or general in vlan 2 together with everything else?
(Oliver Kurz) This is not about VLAN 2 but .oqa.suse.de, the new zone, don't know the VLAN, and .qa.suse.de aka. VLAN 12. I don't understand how I can be more specific without repeating again what I have written multiple times in this thread
(Lazaros Haleplidis) can you test again please, I have temporary allowed from the whole NUE1 to qa

Actions

Copy link

#10

Updated by livdywan over 1 year ago

Subject changed from Conduct the migration of SUSE QA systems (non-tools-team maintained) from Nbg SRV1 to new security zones to Conduct the migration of SUSE QA systems (non-tools-team maintained) from Nbg SRV1 to new security zones size:M

Actions

Copy link

#11

Updated by okurz over 1 year ago

Status changed from Feedback to Blocked

According to racktables the machines
openqaw7-hyperv.qa.suse.de
openqaw8-vmware.qa.suse.de
andromeda.openqa.opensuse.org
orion.openqa.opensuse.org
are still within VLAN 2 or other not new zones. Waiting …
Also blocked by #120267

Actions

Copy link

#12