Hi,

Before I leave after ~20h of "server migration", here is a short summary of what has been achieved so far:

* we created a new VLAN and deployed it on all hypervisors incl. routing, jalla, jalla
* created 2 new "proxy" machines that run haproxy and some special firewall rules - acting as frontend for the services behind the internal (let's call it: private) network
* created a new "login" machine that acts as LDAP proxy (authentication backend) for the VMs
* created a new openVPN server as central connection point into the private network (not finished yet)
* migrated the running VMs via
  + brctl delif $old_bridge $vm_interface
  + brctl addif $new_bridge $vm_interface
  + s/$old_bridge/$new_bridge/g $vm_config
  => that part went smoothly ;-)
* adapt the haproxy config on the old and new proxy servers to have the frontends pointing to the right backends in the right networks
* adapt the firewall settings on the proxy servers
* adapt the DNS to move together with the machines
* after that, we sometimes had a back and forth with some machines, where the firewall rules were too restrictive (as we introduced two new IPs on the haproxy machines) or other stuff did not work in the first run
* adapting the NATting rules, testing new stuff (ahem: packages) on our beloved openSUSE distribution and deeply debugging keepalived, apache2, ldap, perl scripts, freeipa and other stuff took another minute or two :-)
* ... (anything I forgot)

=> 31 hosts are now in the new network, updated (sometimes a bit reconfigured ;-) and up and running

Please note: those machines are currently NOT reachable from the outside any more (the xinetd redirection of the ssh port is disabled by intention).

So the next important step is to finalize the setup of the openVPN server, so we can distribute the openVPN credentials/certificates. After that, I would say that we are ready to go wherever we want (especially with regard to Salt... ;-)

Thanks a lot to everyone that helped with the migration and firefighting! There are always a lot of people involved, but this time I want to thank especially *darix* and *bugfinder* for their work and debugging skills. I'm sure that the current state would not have been reached without you guys!

with kind regards,
Lars