action #68095
Migrate osd workers from SuSEfirewall2 to firewalld
0%
Description
Motivation
SuSEfirewall2 is not going to be supported anymore in current versions of openSUSE or SLE distributions. Our o3 workers already run firewalld just fine including multi-machine tests. We cannot easily check the firewall status compared to firewalld where the systemd service is more helpful (#68092).
Acceptance criteria
- AC1: https://gitlab.suse.de/openqa/salt-states-openqa has rules for setup of firewalld instead of SuSEfirewall2
- AC2: All osd workers managed by salt use firewalld
Suggestions
- Read http://open.qa/docs/#_multi_machine_tests_setup
- Ensure good cases exist for multi-machine jobs, e.g. https://openqa.suse.de/tests/latest?arch=aarch64&distri=sle&flavor=Online&machine=aarch64&test=hpc_DELTA_slurm_slave01&version=15-SP2 and related jobs; run clones of these tests to ensure they pass in the current state before migration
- See existing o3 worker configuration for reference
- See pointers in #66236, #64700, #62162, #54785, #45848, #43148, #52499
- On a selected worker, without salt overriding, configure firewalld, remove SuSEfirewall2 and test with the above-mentioned openQA test scenarios
- Add corresponding configuration to salt
- Ensure salt removes SuSEfirewall2 and/or remove all references to SuSEfirewall2 in salt recipes
- Test again after all salt recipes have been applied
Related issues
History
#3
Updated by ggardet_arm 4 months ago
This task is blocking all upgrades to Leap 15.2 in CI and in o3. And Leap 15.1 EOL is getting close (November 2020).
Could we move forward?
#5
Updated by okurz 3 months ago
#64700#note-4 has examples for clone-job calls which send jobs to another job group and such so that they do not show up intermixed with normal validation hosts.
#7
Updated by mkittler 3 months ago
I've created SR https://gitlab.suse.de/openqa/salt-states-openqa/-/merge_requests/378 which has been tested on openqaworker11 (staging worker) and openqaworker3 (production worker).
TODOs:
- Merge the SR as the pipeline passes now.
- Enable salt-minion again on openqaworker3 after the SR has been merged. (I left it disabled so its setup isn't reverted again.)
- Uninstall SuSEfirewall2 from all workers.
#9
Updated by mkittler 3 months ago
- Status changed from In Progress to Feedback
openqaworker3 is online again and I enabled salt-minion. Looks like it runs MM jobs (e.g. https://openqa.suse.de/tests/4849371#dependencies).
#12
Updated by okurz 2 months ago
- Related to action #73633: OSD partially unresponsive, triggering 500 responses, spotty response visible in monitoring panels but no alert triggered (yet) added