action #139097

closed

coordination #139094: [epic] Improve collaboration with Eng-Infra - take 2

Improve collaboration with Eng-Infra - Firewall management access, potentially also DHCP+DNS - take 2

Added by okurz 6 months ago. Updated 3 months ago.

Status: Resolved
Priority: Low
Assignee:
Target version:
Start date:
Due date:
% Done: 0%
Estimated time:

Description

Motivation

SUSE-IT relies heavily on a new firewall configuration separating multiple zones, e.g. "QE" zones from other zones in R&D. In #125450 some limited access to firewall logs was already provided; however, in many cases that does not help us, as in the recent migration of qam.suse.de to PRG2.

After the instance was moved to PRG2, GitLab runners could not reach qam.suse.de, as visible repeatedly in https://gitlab.suse.de/qa-maintenance/bot-ng/-/jobs/1956085:

urllib3.exceptions.MaxRetryError: HTTPConnectionPool(host='dashboard.qam.suse.de', port=80): Max retries exceeded with url: /api/incidents (Caused by NewConnectionError('<urllib3.connection.HTTPConnection object at 0x7f2730240780>: Failed to establish a new connection: [Errno 110] Connection timed out',))

While this GitLab CI job was running, I looked into the firewall logs that I have access to using qe-debug.suse.de, as documented on https://wiki.suse.net/index.php/OpenQA#Firewall_between_different_SUSE_network_zones

tail -f /var/log/remote/gw-infra-log.suse.de.log | grep '\(10.145.0.26\|2a07:de40:b203:8:10:145:0:26\)'

using the IPv4+IPv6 addresses of qam.suse.de, which yields no results, so this firewall command is either not correctly constructed or does not have access to the corresponding relevant data. As we are critically relying on whatever firewall is impacting all of our services, we should ensure that there is enough redundancy in access.

Acceptance criteria

  • AC1: We can ensure that 2+ persons within EMEA timezones have access to firewalls covering multiple Nbg+Prg locations which actually affect us

Suggestions


Related issues 1 (0 open, 1 closed)

Copied from QA - action #125450: Improve collaboration with Eng-Infra - Firewall management access, potentially also DHCP+DNS size:M (Resolved, okurz, 2023-03-06)
