action #168177
opencoordination #167054: [epic] Run more workloads in CC-compliant PRG2 to be less affected by CC related network changes
Migrate critical VM based services needing access to CC-services to CC areas
0%
Description
Motivation¶
non-compliant NUE2 based production VMs might become problematic due to #165282 so we should evaluate which VMs we can migrate and where and execute accordingly.
Acceptance criteria¶
- AC1: Critical VM based services needing access to CC-services are running from CC areas where reasonable
- AC2: Users can access the services using location independant CNAME records where applicable as in before
Suggestions¶
- DONE Wait for #168174
- DONE Try out with non-critical changes, e.g. tumblesle
- Decide which VMs and/or services should be migrated considering the alternative #168133. At time of writing we have 10 VMs on osiris+qamaster
- Prepare DHCP+DNS changes in https://gitlab.suse.de/OPS-Service/salt/
See suggestions from #168174-3 about how to migrateMigrate VMs from qamaster to a (temporary) service hypervisor running on a free OSD openQA worker, e.g. w38+w39- Move VMs to openplatform
Updated by okurz 5 months ago
- Copied from action #167057: Run more standard, qemu OSD openQA jobs in CC-compliant PRG2 and none in NUE2 size:S added
Updated by okurz 4 months ago
Just from today https://suse.slack.com/archives/C04S88VCHS7/p1729859212598989
This time it’s about Common Criteria on OpenPlatform
:tldr: : You can now run CC-related workloads on OpenPlatform, if you fulfill the prerequisites :catjam:¶
Please read https://itpe.io.suse.de/open-platform/docs/news/this-sprint-in-openplatform-27 (VPN needed), or https://docs.google.com/document/d/14i2OXdJuFphLpw9CslH3xFDfiZgskSPMsIiWNDMEzPc/edit?usp=sharing (VPN not needed)
Updated by okurz 4 months ago
As today the network access rules have been put in place to prevent access to sensitive data we can see the problems that are linked to that.
Today actually regarding monitoring it seems it's weird that there was a short data outage but by now at least data from OSD itself shows up just fine on https://monitor.qa.suse.de/d/nRDab3Jiz/openqa-jobs-test?orgId=1&from=now-7d&to=now so it's really traffic from OSD (CC) to non-CC monitor is coming through ok it seems. With that it's less critical to move ressources like monitor.qa.suse.de
Updated by okurz 3 months ago
- Subject changed from Migrate critical VM based services needing access to CC-services to CC areas size:M to Migrate critical VM based services needing access to CC-services to CC areas
Based on discussion with szarate we should refine and re-estimate the ticket. Better split into multiple S-sized-tasks, e.g. split into "support migration of other people's VMs" and "our own critical service workloads" excluding any "personal toy VMs" :)
Updated by livdywan about 2 months ago
okurz wrote in #note-17:
https://sd.suse.com/servicedesk/customer/portal/1/SD-171367 still open
Asked in the ticket. Not sure who this is waiting on now.
Updated by livdywan 19 days ago · Edited
livdywan wrote in #note-18:
okurz wrote in #note-17:
https://sd.suse.com/servicedesk/customer/portal/1/SD-171367 still open
Asked in the ticket. Not sure who this is waiting on now.
I distilled specific open questions from the ticket that were not answered as far as I can see, and would suggest to discuss it on the Unblock as well.
Updated by okurz 4 days ago
- Blocked by action #173674: qamaster-independent backup size:S added