
action #119443

Updated by okurz about 2 years ago

## Motivation
See parent #116623

## Acceptance criteria
* **AC1:** All QA machines in Nbg SRV1 are in new security zones
* **AC2:** All QA machines in Nbg SRV1 are fully usable in production

## Suggestions
* Monitor [Slack #discuss-qe-new-security-zones](https://suse.slack.com/archives/C0488BZNA5S)
* Starting 2022-10-31 react to Lazaros Haleplidis conducting the migration
* Ensure openqaworker11 https://racktables.nue.suse.com/index.php?page=object&object_id=9584 as the primary test machine is reachable over SSH and IPMI
* Document changes in our infrastructure documentation, e.g. progress.opensuse.org/projects/openqav3/wiki/, https://wiki.suse.net/index.php/OpenQA, https://gitlab.suse.de/openqa/salt-pillars-openqa/-/blob/master/openqa/workerconf.sls
* Rinse and repeat for the other machines
* Ensure machines are usable

## Open points
* *DONE* ~~Failed to connect to gitlab.suse.de port 443 from both worker11.oqa.suse.de and worker12.oqa.suse.de~~
* *DONE* *TODO* https://openqa.suse.de/tests/9870589#step/suseconnect_scc/23 failed trying to access scc.suse.com. I thought there would be no restrictions contacting services outside the network zones. What are the actual rules applied? --> Specific rules are managed within the firewall by lhaleplidis and will be documented later on wiki but unfortunately can not currently be dynamically visible to users
* *DONE* https://openqa.suse.de/tests/9870976#step/sys_param_check/19 fails to `curl -f -v "qa-css-hq.qa.suse.de/robot.tar.gz"` --> see https://progress.opensuse.org/issues/119443?issue_count=97&issue_position=19&next_issue_id=118660&prev_issue_id=81192#note-17
* hosts within the new domain .oqa.suse.de. should search for matches within that domain so that `nslookup $(hostname)` works, e.g. `nslookup worker13` should work. I assume that salt is relying on that to return a proper match for grains.fqdn
* worker13 back in production
* worker10 back in production
* worker2 back in production
* worker3 back in production
* worker5 back in production
* worker6 back in production
* worker8 back in production
* worker9 back in production
* Unpause "Packet loss between worker hosts and other hosts alert"
* I try to access VNC services on the hosts. That seems to be blocked as well.
* Where can we see which services are blocked ourselves? --> Specific rules are managed within the firewall by lhaleplidis and will be documented later on wiki but unfortunately can not currently be dynamically visible to users

## Out-of-scope
* This is not including o3 (openqa.opensuse.org) machines as they are in a dedicated network already
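A resolver check for the search-domain open point above, added here as an example and not part of the ticket or of the openQA/salt tooling; it assumes a resolv.conf-style file, the domain oqa.suse.de and a worker short name as inputs:

```shell
#!/bin/sh
# Added example, not from the ticket: verify that a host's resolver config
# will expand a short name such as "worker13" under oqa.suse.de, which is
# what `nslookup $(hostname)` (and salt's grains.fqdn) depends on.
#
# glibc resolv.conf semantics applied here:
#  - "domain" and "search" are mutually exclusive; the last one present wins
#  - "domain X" behaves like "search X"
#  - names with fewer than ndots (default 1) dots are tried with the search
#    list first, so "worker13" only resolves if the list covers its domain

# Print the effective search list from a resolv.conf-style file ($1).
effective_search_list() {
    awk '
        $1 == "domain" || $1 == "search" { $1 = ""; sub(/^[ \t]+/, ""); list = $0 }
        END { print list }
    ' "$1"
}

# Return 0 if short names would be expanded under domain $2 given file $1.
# A trailing dot ("oqa.suse.de.") is accepted and treated as equivalent.
search_covers_domain() {
    want=${2%.}
    for d in $(effective_search_list "$1"); do
        [ "${d%.}" = "$want" ] && return 0
    done
    return 1
}

# Live check (needs DNS): the short name and the FQDN must resolve to the
# same address; returns 1 otherwise.
short_name_matches_fqdn() {
    short=$(getent hosts "$1" | awk '{ print $1; exit }')
    full=$(getent hosts "$1.$2" | awk '{ print $1; exit }')
    [ -n "$short" ] && [ "$short" = "$full" ]
}

# Usage: sh check_search_domain.sh /etc/resolv.conf oqa.suse.de worker13
if [ $# -eq 3 ]; then
    if search_covers_domain "$1" "$2"; then
        echo "search list covers $2: $(effective_search_list "$1")"
    else
        echo "search list does NOT cover $2: '$(effective_search_list "$1")'" >&2
        exit 1
    fi
    short_name_matches_fqdn "$3" "$2" && echo "$3 resolves like $3.$2" \
        || { echo "$3 and $3.$2 do not resolve to the same address" >&2; exit 1; }
fi
```

Run it on a migrated worker before putting it back into production; the live check is what a working `nslookup worker13` implies.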
