Page MenuHomePhabricator
Create Task
Maniphest T232137

rack/setup/install frnetmon1001.frack.eqiad.wmnet
Closed, ResolvedPublic
Actions

Description

This task will track the racking, setup, and installation of a new netsec host (replacing bismuth) in eqiad with the hostname of frnetmon1001.

Please note that this is a fundraising host, and doesn't follow all the normal steps of a production host.

  • - receive in system on procurement task T230082
  • - rack system in fundraising rack & update netbox (include all system info plus location, state of planned)
  • - bios/drac/serial setup/testing
  • - mgmt dns entries added for both asset tag (wmf5253) and hostname (10.64.40.207)
  • - network port setup (description, enable, vlan) - 1G port to each fasw (@Cmjohnson is familiar with this setup)
  • end on-site specific steps - may want to hand off to @Jgreen for the remainder.
  • - production dns entries added (10.64.40.67)
  • - OS installation
  • - calling into frack puppet
  • - host state in netbox set to staged (please don't forget this)
  • - pushed into service
  • - service implementer changes from 'staged' status to 'active' status in netbox'

Details

SubjectRepoBranchLines +/-
Add frnetmon1001 as a host to checkoperations/puppetproduction+13 -0
add frban1001 and frnetmon1001operations/dnsmaster+11 -2
Customize query in gerrit

Related Objects
Search...

Event Timeline

RobH triaged this task as Medium priority.Sep 5 2019, 6:21 PM
RobH created this task.
Restricted Application added a project: SRE. · View Herald TranscriptSep 5 2019, 6:21 PM
RobH renamed this task from rack/setup/install new eqiad netsec server to rack/setup/install frnetmon1001.Sep 5 2019, 6:21 PM
RobH added a parent task: Unknown Object (Task).
RobH updated the task description. (Show Details)
Cmjohnson moved this task from Backlog to Racking Tasks on the ops-eqiad board.Sep 18 2019, 11:15 PM
Jgreen added a subtask: Restricted Task.Oct 7 2019, 5:25 PM
gerritbot added a comment.Oct 7 2019, 8:11 PM

Change 541362 had a related patch set uploaded (by Jgreen; owner: Jgreen):
[operations/dns@master] add frban1001 and frnetmon1001

https://gerrit.wikimedia.org/r/541362

gerritbot added a project: Patch-For-Review.Oct 7 2019, 8:12 PM
gerritbot added a comment.Oct 7 2019, 8:27 PM

Change 541362 merged by Jgreen:
[operations/dns@master] add frban1001 and frnetmon1001

https://gerrit.wikimedia.org/r/541362

Maintenance_bot removed a project: Patch-For-Review.Oct 7 2019, 9:12 PM
Jgreen closed subtask Restricted Task as Resolved.Oct 11 2019, 5:14 PM
Cmjohnson updated the task description. (Show Details)Nov 13 2019, 5:23 PM
Jgreen renamed this task from rack/setup/install frnetmon1001 to rack/setup/install frnetmon1001.frack.eqiad.wmnet.Nov 15 2019, 6:54 PM
Cmjohnson claimed this task.Nov 18 2019, 4:40 PM

I will work on network setup

wiki_willy renamed this task from rack/setup/install frnetmon1001.frack.eqiad.wmnet to (No Need By Date Provided) rack/setup/install frnetmon1001.frack.eqiad.wmnet.Nov 22 2019, 9:01 PM
Jgreen renamed this task from (No Need By Date Provided) rack/setup/install frnetmon1001.frack.eqiad.wmnet to (ASAP) rack/setup/install frnetmon1001.frack.eqiad.wmnet.Jan 7 2020, 9:32 PM
Jgreen raised the priority of this task from Medium to High.
Jgreen updated the task description. (Show Details)
Jgreen updated the task description. (Show Details)Jan 7 2020, 9:58 PM
Jgreen updated the task description. (Show Details)
Jgreen added a parent task: T242257: 2019-2020 Q3 fundraising hardware refresh and capex.Jan 8 2020, 7:29 PM
Jgreen added a comment.Feb 13 2020, 3:09 PM

@Cmjohnson this hasn't moved since November, does it just need network port setup?

faidon mentioned this in T245161: Track down and replace very old HW.Feb 13 2020, 3:36 PM
RobH unsubscribed.Feb 13 2020, 5:49 PM
Jgreen removed Cmjohnson as the assignee of this task.Feb 13 2020, 10:09 PM

Moving task back to the untriaged pool

Cmjohnson added a comment.Feb 18 2020, 5:05 PM

eth0 c1a port 6
eth1 c1b port 6

Jgreen moved this task from Triage to Watching on the fundraising-tech-ops board.Feb 19 2020, 10:48 PM
RobH renamed this task from (ASAP) rack/setup/install frnetmon1001.frack.eqiad.wmnet to (Need by: ASAP) rack/setup/install frnetmon1001.frack.eqiad.wmnet.Feb 24 2020, 9:10 PM
Jgreen added a comment.Feb 28 2020, 3:25 PM

@Cmjohnson @Jclark-ctr could someone do the final bits on this task so we can finish the deploy? This host arrived nearly 6 months ago!

Jclark-ctr updated the task description. (Show Details)Feb 28 2020, 4:49 PM

configured bios set password @Jgreen

RobH added a comment.Feb 28 2020, 5:22 PM

So I'm not familiar with the frack vlans and bonding setup for interfaces. However, if someone can point out a server this should duplicate in vlan/network settings, I can attempt to duplicate it for this system.

There are a number of vlans on the fsaw: frack-DMZ1-c-eqiad, frack-administration1-c-eqiad, frack-bastion1-c-eqiad (doubt this one), frack-fundraising1-c-eqiad, frack-listenerdmz1-c-eqiad, frack-management1-c-eqiad, frack-payments1-c-eqiad

I've gone ahead and labeled port 6 for this server, so its clearly defined on the switch. However, I did not remove it from the disabled group, as there is no vlan to put it in until I know which one.

RobH added a comment.Feb 28 2020, 5:33 PM

Ok, updated the switch (Thanks Arzhel) and put things into the admin vlan to match dns that was already setup.

This should be good to from the network side.

RobH updated the task description. (Show Details)Feb 28 2020, 5:33 PM
Jclark-ctr assigned this task to Jgreen.Feb 28 2020, 5:35 PM
Jgreen lowered the priority of this task from High to Medium.Mar 2 2020, 7:40 PM
Jgreen moved this task from Watching to In Progress on the fundraising-tech-ops board.
Jgreen added a comment.Mar 2 2020, 9:36 PM

I'm not able to access the management IP, can you check it out?

jgreen@frbast1001:~$ dig frnetmon1001.mgmt.frack.eqiad.wmnet

; <<>> DiG 9.10.3-P4-Debian <<>> frnetmon1001.mgmt.frack.eqiad.wmnet
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34842
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;frnetmon1001.mgmt.frack.eqiad.wmnet. IN A

;; ANSWER SECTION:
frnetmon1001.mgmt.frack.eqiad.wmnet. 3600 IN A 10.64.40.207

;; Query time: 0 msec
;; SERVER: 10.3.0.1#53(10.3.0.1)
;; WHEN: Mon Mar 02 21:35:16 UTC 2020
;; MSG SIZE rcvd: 80

jgreen@frbast1001:~$ ping 10.64.40.207
PING 10.64.40.207 (10.64.40.207) 56(84) bytes of data.
^C

  • 10.64.40.207 ping statistics ---

2 packets transmitted, 0 received, 100% packet loss, time 1000ms

Jgreen removed Jgreen as the assignee of this task.Mar 2 2020, 9:39 PM

@Cmjohnson @Jclark-ctr can someone take a look at the management interface situation? It's not accessible via network as far as I can tell.

Jgreen renamed this task from (Need by: ASAP) rack/setup/install frnetmon1001.frack.eqiad.wmnet to rack/setup/install frnetmon1001.frack.eqiad.wmnet.Mar 4 2020, 6:59 PM
Jgreen moved this task from In Progress to Up Next on the fundraising-tech-ops board.

Management interface network config had some issues, fixed now.

Cmjohnson assigned this task to Jgreen.Mar 4 2020, 9:18 PM
Cmjohnson removed a project: ops-eqiad.

Removing ops-eqiad tag and assigning to @Jgreen

Jgreen moved this task from Up Next to In Progress on the fundraising-tech-ops board.Mar 11 2020, 7:02 PM
Jgreen added a comment.Mar 11 2020, 7:16 PM
  • enabled console redirection after boot
Jgreen updated the task description. (Show Details)Mar 11 2020, 7:49 PM
Jgreen moved this task from In Progress to Up Next on the fundraising-tech-ops board.Mar 11 2020, 8:54 PM
Jgreen removed Jgreen as the assignee of this task.Mar 12 2020, 1:21 PM
Dwisehaupt claimed this task.Mar 17 2020, 3:57 PM
Dwisehaupt moved this task from Up Next to In Progress on the fundraising-tech-ops board.Mar 17 2020, 4:54 PM
Dwisehaupt added a comment.Mar 17 2020, 6:20 PM

Updates to iptables rulesets completed. frnetmon1001 added to configs where bismuth is present.

Dwisehaupt added a comment.Mar 17 2020, 11:48 PM

Migrated nessus code, config and reports from bismuth to frnetmon1001 using the instructions here: https://community.tenable.com/s/article/Migrating-Nessus-to-new-Server-Linux

Only change is that the setting of the proxy bits couldn't be done 'secure' until the server was registered so I ran them without the --secure flag for now.

Running a test internal PCI scan and credentialed audit scan to verify functionality.

Dwisehaupt added a comment.Mar 18 2020, 12:07 AM

Internal PCI scan and credentialed audit scan run as expected.

Dwisehaupt added a comment.Mar 18 2020, 9:20 PM

Need to add to icinga once T247855 refactor is done.

Dwisehaupt added a comment.Mar 19 2020, 12:21 AM

Nessus package removed from bismuth and /opt/nessus removed. the tar.gz backup that was used during the transfer is still present on the host, just in case.

gerritbot added a comment.Mar 23 2020, 9:12 PM

Change 582912 had a related patch set uploaded (by Dwisehaupt; owner: Dwisehaupt):
[operations/puppet@production] Add frnetmon1001 as a host to check

https://gerrit.wikimedia.org/r/582912

gerritbot added a project: Patch-For-Review.Mar 23 2020, 9:12 PM
gerritbot added a comment.Mar 25 2020, 3:54 PM

Change 582912 merged by Jgreen:
[operations/puppet@production] Add frnetmon1001 as a host to check

https://gerrit.wikimedia.org/r/582912

Maintenance_bot removed a project: Patch-For-Review.Mar 25 2020, 4:10 PM
Dwisehaupt added a comment.Mar 25 2020, 7:32 PM

Monitoring enabled. Just need to update netbox and we can close this out.

Jgreen closed this task as Resolved.Mar 26 2020, 9:29 PM
Jgreen updated the task description. (Show Details)
Jgreen moved this task from In Progress to Done on the fundraising-tech-ops board.
Jgreen closed subtask T252882: set up offhost_backups for fundraising frnetmon role as Resolved.May 15 2020, 1:56 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL