action #119443

Updated by okurz over 1 year ago

## Motivation
See parent #116623

## Acceptance criteria
* **AC1:** All openQA machines in Nbg SRV1 are in new security zones
* **AC2:** All openQA machines in Nbg SRV1 are fully usable in production

## Suggestions
* Monitor [Slack #discuss-qe-new-security-zones](https://suse.slack.com/archives/C0488BZNA5S)
* Starting 2022-10-31, react to Lazaros Haleplidis conducting the migration
* Ensure openqaworker11 (https://racktables.nue.suse.com/index.php?page=object&object_id=9584), the primary test machine, is reachable over SSH and IPMI
* Document changes in our infrastructure documentation, e.g. progress.opensuse.org/projects/openqav3/wiki/, https://wiki.suse.net/index.php/OpenQA, https://gitlab.suse.de/openqa/salt-pillars-openqa/-/blob/master/openqa/workerconf.sls
* Rinse and repeat for the other machines
* Ensure machines are usable

## Open points
* *DONE* ~~Failed to connect to gitlab.suse.de port 443 from both worker11.oqa.suse.de and worker12.oqa.suse.de~~
* *DONE* https://openqa.suse.de/tests/9870589#step/suseconnect_scc/23 failed trying to access scc.suse.com. I thought there would be no restrictions contacting services outside the network zones. What are the actual rules applied? --> Specific rules are managed within the firewall by lhaleplidis and will be documented later on the wiki, but unfortunately cannot currently be dynamically visible to users
* *DONE* https://openqa.suse.de/tests/9870976#step/sys_param_check/19 fails to `curl -f -v "qa-css-hq.qa.suse.de/robot.tar.gz"` --> see https://progress.opensuse.org/issues/119443?issue_count=97&issue_position=19&next_issue_id=118660&prev_issue_id=81192#note-17
* *DONE* I try to access VNC services on the hosts. That seems to be blocked as well.
* *DONE* Where can we see which services are blocked ourselves? --> Specific rules are managed within the firewall by lhaleplidis and will be documented later on the wiki, but unfortunately cannot currently be dynamically visible to users. Not really done though. Extracted into a new ticket #120145
* *DONE* Hosts within the new domain .oqa.suse.de. should search for matches within that domain so that `nslookup $(hostname)` works, e.g. `nslookup worker13` should work. I assume that salt is relying on that to return a proper match for grains.fqdn
* *DONE* worker13 back in production
* *DONE* worker10 back in production
* *DONE* worker3 back in production
* *DONE* worker5 back in production
* *DONE* worker6 back in production
* *DONE* worker8 back in production
* *DONE* worker9 back in production
* *DONE* Unpause "Packet loss between worker hosts and other hosts alert"
* worker2 back in production
* Unpause "job age (scheduled) (max)" and "job age (scheduled) (median)"
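Several of the open points above boil down to two post-migration checks that can be scripted and re-run for every machine: does the resolver configuration carry the new search domain (so `nslookup worker13` resolves and salt gets a proper `grains.fqdn`), and which of the services the tests depend on are actually reachable through the new zone firewall. The following is an added example, not part of this ticket or of the openQA tooling; the host names come from the open points above, while the port numbers, the `/etc/resolv.conf` content and the local-listener demo are assumptions constructed for illustration.

```python
"""Post-migration checks for an openQA worker in a new security zone.

Added example (not from the ticket). Two checks:
  1. the resolver search list contains the new worker domain, so short
     hostnames such as `worker13` resolve to their FQDN;
  2. the external services the tests depend on accept TCP connections,
     giving a quick, reproducible answer to "which services are blocked?".
"""
import socket
from typing import Dict, List, Tuple

# Domain the workers were moved into (see the open points); an assumption
# as far as the exact search-list entry is concerned.
EXPECTED_SEARCH_DOMAIN = "oqa.suse.de"

# Endpoints mentioned in the open points. Host names are from the ticket,
# port numbers are assumptions (https, http, SSH, IPMI, VNC display :1).
ENDPOINTS: List[Tuple[str, int]] = [
    ("gitlab.suse.de", 443),
    ("scc.suse.com", 443),
    ("qa-css-hq.qa.suse.de", 80),
    ("worker11.oqa.suse.de", 22),
    ("worker11.oqa.suse.de", 623),
    ("worker11.oqa.suse.de", 5901),
]


def search_domains(resolv_conf: str) -> List[str]:
    """Return the domains listed on `search` (and legacy `domain`) lines.

    Comments (`#` or `;`) and blank lines are ignored, as glibc does.
    """
    domains: List[str] = []
    for raw in resolv_conf.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[0] in ("search", "domain"):
            domains.extend(parts[1:])
    return domains


def has_search_domain(resolv_conf: str, domain: str = EXPECTED_SEARCH_DOMAIN) -> bool:
    """True if the resolver will try `domain` when resolving short names."""
    return domain in search_domains(resolv_conf)


def tcp_reachable(host: str, port: int, timeout: float = 3.0) -> bool:
    """True if a TCP connection to host:port completes within `timeout`.

    Refused, filtered (timeout) and unresolvable hosts all report False;
    the caller only needs to know whether the path is usable.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_endpoints(endpoints=ENDPOINTS, timeout: float = 3.0) -> Dict[str, bool]:
    """Map 'host:port' -> reachable for every configured endpoint."""
    return {f"{host}:{port}": tcp_reachable(host, port, timeout)
            for host, port in endpoints}


def local_listener_demo() -> Tuple[bool, bool]:
    """Offline demonstration of tcp_reachable against a constructed listener.

    Opens a listener on an ephemeral loopback port, probes it (expected
    True), closes it and probes again (expected False: connection refused).
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    while_open = tcp_reachable("127.0.0.1", port, timeout=1.0)
    srv.close()
    after_close = tcp_reachable("127.0.0.1", port, timeout=1.0)
    return while_open, after_close


if __name__ == "__main__":
    # Constructed resolv.conf as a migrated worker should carry it.
    sample_resolv = "# generated by wicked\nsearch oqa.suse.de suse.de\nnameserver 10.0.0.53\n"
    print("search domain ok:", has_search_domain(sample_resolv))
    print("loopback demo (open, closed):", local_listener_demo())
    for endpoint, ok in check_endpoints().items():
        print(f"{endpoint:32} {'reachable' if ok else 'BLOCKED/unreachable'}")
```

Run it on the worker itself after the move; a `BLOCKED/unreachable` line for an endpoint that worked before the migration is the firewall rule to ask about, and a `False` from `has_search_domain` on the real `/etc/resolv.conf` explains a failing `nslookup worker13` before salt is blamed.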

## Out-of-scope
* This does not include o3 (openqa.opensuse.org) machines, as they are already in a dedicated network
* Non-openQA systems are not included; see #120264 about those
