action #68095 (closed)
Migrate osd workers from SuSEfirewall2 to firewalld
0%
Description
Motivation
SuSEfirewall2 is not going to be supported anymore in current versions of openSUSE or SLE distributions. Our o3 workers already run firewalld just fine, including multi-machine tests. We cannot easily check the firewall status compared to firewalld, where the systemd service is more helpful (#68092).
Acceptance criteria
- AC1: https://gitlab.suse.de/openqa/salt-states-openqa has rules for setup of firewalld instead of SuSEfirewall2
- AC2: All osd workers managed by salt use firewalld
Suggestions
- Read http://open.qa/docs/#_multi_machine_tests_setup
- Ensure good cases exist for multi-machine jobs, e.g. https://openqa.suse.de/tests/latest?arch=aarch64&distri=sle&flavor=Online&machine=aarch64&test=hpc_DELTA_slurm_slave01&version=15-SP2 and related jobs; run clones of these tests to ensure they pass in the current state before migration
- See existing o3 worker configuration for reference
- See pointers in #66236, #64700, #62162, #54785, #45848, #43148, #52499
- On a selected worker without salt overriding, configure firewalld, remove SuSEfirewall2 and test with the above-mentioned openQA test scenarios
- Add corresponding configuration to salt
- Ensure salt removes SuSEfirewall2 and/or remove all references to SuSEfirewall2 in salt recipes
- Test again after all salt recipes have been applied
Updated by okurz about 4 years ago
- Tags changed from caching, openQA, sporadic, arm, ipmi, worker to worker
Updated by ggardet_arm about 4 years ago
This task is blocking all upgrades to Leap 15.2 in CI and in o3. And Leap 15.1 EOL is getting close (November 2020).
Could we move forward?
Updated by okurz about 4 years ago
- Priority changed from Normal to High
Yes, this is becoming more important now. Bumping prio to "High".
Updated by okurz almost 4 years ago
#64700#note-4 has examples for clone-job calls which send jobs to another job group and such so that they do not show up intermixed with normal validation hosts.
Updated by mkittler almost 4 years ago
- Status changed from Workable to In Progress
- Assignee set to mkittler
I'm going to use our staging setup to test this. Hence I'm currently checking whether MM tests work generally in our staging setup.
Updated by mkittler almost 4 years ago
I've created SR https://gitlab.suse.de/openqa/salt-states-openqa/-/merge_requests/378 which has been tested on openqaworker11 (staging worker) and openqaworker3 (production worker).
TODOs:
- Merge the SR as the pipeline passes now.
- Enable salt-minion again on openqaworker3 after the SR has been merged. (I left it disabled so its setup isn't reverted again.)
- Uninstall SuSEfirewall2 from all workers.
Updated by mkittler almost 4 years ago
The SR has been merged and applied on all workers. I've also uninstalled SuSEfirewall2. It looks good so far. I couldn't enable salt-minion on openqaworker3 because it is currently offline.
Updated by mkittler almost 4 years ago
- Status changed from In Progress to Feedback
openqaworker3 is online again and I enabled salt-minion. Looks like it runs MM jobs (e.g. https://openqa.suse.de/tests/4849371#dependencies).
Updated by mkittler almost 4 years ago
- Status changed from Feedback to Resolved
Updated by mkittler almost 4 years ago
No TODOs left. I've seen successful MM tests in production and our monitoring should be sufficient to catch further problems so I'm marking the ticket as resolved.
Updated by okurz almost 4 years ago
- Related to action #73633: OSD partially unresponsive, triggering 500 responses, spotty response visible in monitoring panels but no alert triggered (yet) added