Hi

TL;DR:
- Provo machines can reach NUE machines via provo-gate.infra.opensuse.org
- new provo-ns.infra.opensuse.org machine for DNS
- all machines have external IPv6 now
- updated/upgraded all machines to Leap 15.1

Long version:

We have currently the following machines running in Provo:

192.168.67.1 provo-proxy (IP is on mufasa)
192.168.67.2 mufasa
192.168.67.3 provo-proxy2 (IP is on mufasa)
192.168.67.4 provo-ns (planned for external DNS)
192.168.67.5 narwal4 (static.o.o in Provo)
192.168.67.6 nala (mirrordb for download.o.o in Provo)
192.168.67.7 provo-mirror
#192.168.67.8 old keyserver2 (shut down)
#192.168.67.9 water2 (wiki - shut down)
#192.168.67.10 riesling2 (wiki - shut down)
192.168.67.11 login3 (login service in Provo)
192.168.67.20 provo-gate (new machine, acting as gateway to NUE)
130.57.72.11 status2 (external status.o.o fallback)

I set up provo-gate as gateway now (running VPN tunnel to Nuremberg via scar), which allows all Provo machines to reach machines in Nuremberg. Sadly, I did not find the time to establish the route back as well. This needs some adaptions on scar's firewall - and I need to read more about this (or better: find someone who volunteers to help) before this can go live.

While I was on it, I set up an additional machine named "provo-ns", which is currently empty (Leap 15.1 admin image only) and is waiting to get an external DNS server for the opensuse.org domain.

The two status.opensuse.org machines sync the database and Cachet installation files now once each day, which should allow us a smooth failover and/or fallback in case of trouble. This is documented in the Heroes-Wiki.

These points are open:
* roll-out DNS on provo-ns
* establish the route back from Nuremberg to Provo machines
** add all nodes to Salt
** add all nodes into Monitoring
** add all nodes into Backup

With kind regards,
Lars

--
To unsubscribe, e-mail: heroes+unsubscribe@opensuse.org
To contact the owner, e-mail: heroes+owner@opensuse.org

Hello,

thanks for all the status reports, and the work you did in the last weeks!

On Sunday, 5 January 2020, 22:41:32 CET, Lars Vogdt wrote:
> We have currently the following machines running in Provo:
> 192.168.67.5 narwal4 (static.o.o in Provo)

This is probably/AFAIK an "old" narwal, set up manually, and used during the planned NBG power outage ~2 years ago.

If we want to have an instance of static.o.o (as hot standby?) running in Provo, it would be a good idea to replace narwal4 with a fully salted VM. Besides the VM setup, this means maybe two minutes to add it in salt, and then running the highstate. Updating and adjusting narwal4 would need much more time.

Note that you'll also need to run a highstate on narwal5 so that the rsync'ing includes the new narwal in Provo.

> #192.168.67.9 water2 (wiki - shut down)
> #192.168.67.10 riesling2 (wiki - shut down)

IMHO you can delete the water2 (elasticsearch) and riesling2 (Apache + MediaWiki) VMs. They are a leftover from the planned power outage ~2 years ago, and terribly outdated.

> I set up provo-gate as gateway now (running VPN tunnel to Nuremberg via scar), which allows all Provo machines to reach machines in Nuremberg. Sadly, I did not find the time to establish the route back as well. This needs some adaptions on scar's firewall - and I need to read more about this (or better: find someone who volunteers to help) before this can go live.

At the risk of adding more work on top: Is scar still running SuSEfirewall? If so, would it make sense to switch to firewalld before doing more config changes for deprecated software? (I guess/hope that SuSEfirewall will stay in all 15.x releases, which makes this less urgent.)

> While I was on it, I set up an additional machine named "provo-ns", which is currently empty (Leap 15.1 admin image only) and is waiting to get an external DNS server for the opensuse.org domain.

Is your plan for it to
a) base it on the current setup (FreeIPA + chip.i.o.o) as a quick replacement for ns*.novell.com or
b) do it right[tm] with the planned new DNS setup?

Regards,
Christian Boltz
--
there's clearly a balance between "octopus merges are fine" and "Christ, that's not an octopus, that's a Cthulhu merge". [Linus Torvalds in linux-kernel]

On January 6, 2020 5:52:47 PM UTC, Christian Boltz <opensuse@cboltz.de> wrote:
> If we want to have an instance of static.o.o (as hot standby?) running in Provo, it would be a good idea to replace narwal4 with a fully salted VM. Besides the VM setup, this means maybe two minutes to add it in salt, and then running the highstate. Updating and adjusting narwal4 would need much more time. Note that you'll also need to run a highstate on narwal5 so that the rsync'ing includes the new narwal in Provo.

Totally agree. We might wait until we have set up geo-based DNS: in this case, the static host in Provo would be preferred from clients in AMER region...

>> #192.168.67.9 water2 (wiki - shut down)
>> #192.168.67.10 riesling2 (wiki - shut down)
>
> IMHO you can delete the water2 (elasticsearch) and riesling2 (Apache + MediaWiki) VMs. They are a leftover from the planned power outage ~2 years ago, and terribly outdated.

Ok, fine with me. Thanks for confirming.

> At the risk of adding more work on top: Is scar still running SuSEfirewall? If so, would it make sense to switch to firewalld before doing more config changes for deprecated software? (I guess/hope that SuSEfirewall will stay in all 15.x releases, which makes this less urgent.)

Yes and yes. Yes: scar runs SuSEfirewall2 and yes: migrating all machines to firewalld makes sense.

>> While I was on it, I set up an additional machine named "provo-ns", which is currently empty (Leap 15.1 admin image only) and is waiting to get an external DNS server for the opensuse.org domain.
>
> Is your plan for it to
> a) base it on the current setup (FreeIPA + chip.i.o.o) as a quick replacement for ns*.novell.com or
> b) do it right[tm] with the planned new DNS setup

While I would love to say: we have enough time for b), I currently want to go with a). But that should not really be a problem, as we can always replace the main DNS servers once we 'own' them. I mean: we can replace the servers running the main DNS and re-use their IP addresses for the replacements at any time.

I just want to use the time window, where SUSE is happy to hand over the DNS (and Email stuff) to us, as I'm not sure when this window might close.

Therefore: If nobody objects, I would set up simple bind servers and add them to chip as slaves for now. Once someone wants to replace them with powerdns or any other DNS server: fine with me. I just don't want to learn too much new stuff at the moment (I've enough in the list with the migration of the other services mentioned in the work reports :-) and want to use the situation as long as it exists. :-))

Regards,
Lars