action #68095
Migrate osd workers from SuSEfirewall2 to firewalld
0%
Description
Motivation¶
SuSEfirewall2 is not going to be supported anymore in current versions of openSUSE or SLE distributions. Our o3 workers already run firewalld just fine including multi-machine tests. We can not easily check the firewall status compared to firewalld where the systemd service is more helpful (#68092)
Acceptance criteria¶
- AC1: https://gitlab.suse.de/openqa/salt-states-openqa has rules for setup of firewalld instead of SuSEfirewall2
- AC2: All osd workers managed by salt use firewalld
Suggestions¶
- Read http://open.qa/docs/#_multi_machine_tests_setup
- Ensure good cases exists for multi-machine jobs, e.g. https://openqa.suse.de/tests/latest?arch=aarch64&distri=sle&flavor=Online&machine=aarch64&test=hpc_DELTA_slurm_slave01&version=15-SP2 and related jobs , run clones of these tests to ensure they pass in the current state before migration
- See existing o3 worker configuration for reference
- See pointers in #66236 , #64700 , #62162 , #54785 , #45848 , #43148 , #52499
- On a selected worker without salt overriding configure firewalld, remove SuSEfirewall2 and test with above mentioned openQA test scenarios
- Add corresponding configuration to salt
- Ensure salt removes SuSEfirewall2 and/or remove all references to SuSEfirewall2 in salt recipes
- Test again after all salt recipes have been applied
Related issues
History
#1
Updated by okurz over 1 year ago
Updated by - Description updated (diff)
#2
Updated by okurz about 1 year ago
- Tags changed from caching, openQA, sporadic, arm, ipmi, worker to worker
#3
Updated by ggardet_arm about 1 year ago
Updated by This task is blocking all upgrades to Leap 15.2 in CI and in o3. And Leap 15.1 EOL is getting close (November 2020).
Could we move forward?
#4
Updated by okurz about 1 year ago
- Priority changed from Normal to High
yes, this is becoming more important now. Bumping prio to "High".
#5
Updated by okurz about 1 year ago
#64700#note-4 has examples for clone-job calls which sends jobs to another job group and such so that they do not show up intermixed with normal validation hosts.
#6
Updated by mkittler about 1 year ago
Updated by - Status changed from Workable to In Progress
- Assignee set to mkittler
I'm going to use our staging setup to test this. Hence I'm currently checking whether MM tests work generally in our staging setup.
#7
Updated by mkittler about 1 year ago
I've created SR https://gitlab.suse.de/openqa/salt-states-openqa/-/merge_requests/378 which has been tested on openqaworker11 (staging worker) and openqaworker3 (production worker).
TODOs:
- Merge the SR as the pipeline passes now.
- Enable
salt-minionagain on openqaworker3 after the SR has been merged. (I left it disabled so its setup isn't reverted again.) - Uninstall
SuSEfirewall2from all workers.
#9
Updated by mkittler 12 months ago
- Status changed from In Progress to Feedback
openqaworker3 is online again and I enabled salt-minion. Looks like it runs MM jobs (e.g. https://openqa.suse.de/tests/4849371#dependencies).
#12
Updated by okurz 11 months ago
- Related to action #73633: OSD partially unresponsive, triggering 500 responses, spotty response visible in monitoring panels but no alert triggered (yet) added