
move/setup/install frauth2001.frack.codfw.wmnet
Closed, Resolved (Public)

Description

This task will track the allocation, relocation of rack, setup, and installation of the new fundraising auth server for codfw, frauth2001.codfw.wmnet. Spare system being used is wmf6652.

Racking Proposal: This needs to be moved from D8 to C8, which is frack-codfw.

  • move system from D8 to C8
  • update racktables with new hostname 'frauth2001' and apply hostname labels.
  • bios/drac/serial setup/testing
  • mgmt dns entries added for hostname, test mgmt in new location
  • Connect both ports to fasw-c-codfw:ge-[0|1]/0/17
    • end on-site specific steps
  • network port setup (description, vlan)
  • production dns entries added
    • remainder of steps will be in frack puppet repo, so assign to fundraising-tech-ops for completion of this task
  • operations/puppet update (install_server at minimum, other files if possible)
  • OS installation
  • puppet accept/initial run
  • handoff for service implementation
  • fight with krb5 and new freeradius 3.x config

Event Timeline

RobH triaged this task as Medium priority. Sep 11 2018, 6:07 PM
RobH created this task.
RobH mentioned this in Unknown Object (Task). Sep 11 2018, 6:08 PM

Change 460042 had a related patch set uploaded (by Papaul; owner: Papaul):
[operations/dns@master] DNS: Add mgmt DNS for frauth2001 and remove old asset tag entries

https://gerrit.wikimedia.org/r/460042

Change 460042 merged by Dzahn:
[operations/dns@master] DNS: Add mgmt DNS for frauth2001 and remove old asset tag entries

https://gerrit.wikimedia.org/r/460042

Change 460127 had a related patch set uploaded (by Papaul; owner: Papaul):
[operations/dns@master] DNS: Add production dns entries for frauth2001

https://gerrit.wikimedia.org/r/460127

papaul@fasw-c-codfw# show | compare 
[edit interfaces interface-range disabled]
-    member ge-0/0/16;
-    member ge-1/0/16;
[edit interfaces interface-range vlan-administration]
     member "ge-[0-1]/0/8" { ... }
+    member "ge-[0-1]/0/16";
[edit interfaces]
+   ge-0/0/16 {
+       description frauth2001:eth0;
+   }
+   ge-1/0/16 {
+       description frauth2001:eth1;
+   }
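Review bot: the frauth2001:eth0 and frauth2001:eth1 descriptions and the vlan-administration membership are applied to ge-0/0/16 and ge-1/0/16, while the task description and a later comment in this thread place frauth2001 on ge-[0|1]/0/17 because frmon2001 is on port 16. The same description and interface-range change is needed for port 17, and the port 16 descriptions should name the host actually cabled there so the switch config does not mislabel which machine sits on the administration vlan.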
papaul@fasw-c-codfw> show interfaces ge-0/0/16 
Physical interface: ge-0/0/16, Enabled, Physical link is Up

papaul@fasw-c-codfw> show interfaces ge-1/0/16    
Physical interface: ge-1/0/16, Enabled, Physical link is Up

@Jgreen @Dzahn has a comment on https://gerrit.wikimedia.org/r/#/c/operations/dns/+/460127/: the network 10.195.0.72/29 can only hold 6 hosts ((2 to the power 3) - 2 = 6). The first usable IP address for that network is 10.195.0.73 and the last usable address is 10.195.0.78, so we cannot use 10.195.0.79.

Yep, with a /29 netmask and 10.195.0.72 as the network address, .79 is the broadcast address. It looks like .73 is not used though and we can use it instead, but after that the subnet will be full. Unless you want to change that it's a /29.

And as Arzhel points out .73 is already the router IP, so afraid this network is already full now and the host can't be added. And changing it to a /28 would overlap with 10.195.0.64/29. It will need changes by network-ops.

10.195.0.73 is the router IP, it's missing from DNS, I'll add it (and the other ones).
And indeed, it can't be extended to a /28.

Short time solution, if this host replaces an existing host in the same subnet, is to re-allocate directly its IP.
Or have it in a different vlan.

The cleanest option is to move all the hosts to a different (and larger) subnet: 10.195.0.128/28 or /27 (eg. frack-administration2-codfw).
To make it a bit easier, we can have both subnets in parallel during the transition (and in the same security zone).

(Edit: or enable IPv6 and only use v6 IPs from now on in that vlan) :)
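The subnet arithmetic from the comments above, as an added example that is not part of the original thread: it checks a candidate address against 10.195.0.72/29, shows why widening to a /28 collides with 10.195.0.64/29, and sizes the proposed 10.195.0.128 alternatives. The function names are hypothetical, and only the router address is marked as reserved because the other hosts' addresses are not given on the page.

```python
import ipaddress

# Values taken from the thread. RESERVED is incomplete on purpose: the page
# names only the router IP, not the addresses of the other hosts in the vlan.
SUBNET = "10.195.0.72/29"
NEIGHBOUR = "10.195.0.64/29"
RESERVED = {"10.195.0.73": "router"}

def usable_hosts(subnet):
    """Number of assignable host addresses (excludes network and broadcast)."""
    return ipaddress.ip_network(subnet).num_addresses - 2

def check_allocation(subnet, candidate, reserved):
    """Return the reason `candidate` cannot be assigned in `subnet`, or None."""
    net = ipaddress.ip_network(subnet)
    addr = ipaddress.ip_address(candidate)
    if addr not in net:
        return "outside subnet"
    if addr == net.network_address:
        return "network address"
    if addr == net.broadcast_address:
        return "broadcast address"
    if candidate in reserved:
        return "already used by " + reserved[candidate]
    return None

def widen_conflicts(subnet, new_prefix, existing):
    """Widen `subnet` to `new_prefix`; return the result and overlapping networks."""
    wider = ipaddress.ip_network(subnet).supernet(new_prefix=new_prefix)
    hits = [n for n in existing
            if n != subnet and ipaddress.ip_network(n).overlaps(wider)]
    return str(wider), hits

if __name__ == "__main__":
    for ip in ("10.195.0.79", "10.195.0.73", "10.195.0.74"):
        print(ip, "->", check_allocation(SUBNET, ip, RESERVED) or "not rejected")
    # Widening the /29 to a /28 swallows the neighbouring /29.
    print(widen_conflicts(SUBNET, 28, [NEIGHBOUR]))
    # Capacity of the replacement subnets suggested in the thread.
    for alt in ("10.195.0.128/28", "10.195.0.128/27"):
        print(alt, "usable hosts:", usable_hosts(alt))
```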

Dzahn renamed this task from move/setup/install frauth2001.codfw.wmnet to move/setup/install frauth2001.frack.codfw.wmnet. Sep 13 2018, 12:53 AM
Dzahn changed Risk Rating from N/A to default.

Short time solution, if this host replaces an existing host in the same subnet, is to re-allocate directly its IP.

This host replaces betelgeuse, so that would work short term.

Regarding moving subnets around, would it be easier to move the single host out of 10.195.0.64/29 to a new subnet, and refactor 10.195.0.72/28 to 10.195.0.64/28? I dunno. Both options are messy.

I talked with @Jgreen on IRC, he said to use the IP address of frmon2001 for frauth2001 for now since frmon2001 is not installed yet.

Change 460127 merged by Jgreen:
[operations/dns@master] DNS: Reuse IP of frmon2001 for frauth2001

https://gerrit.wikimedia.org/r/460127

Papaul added a subscriber: Papaul.

@Jgreen it is all yours. Ping me when you are ready to do the install so you can show me how you do it. I would like to help with installs in the future. Thanks.

frmon2001 is already on fasw-c-codfw:ge-[0|1]/0/16, so I moved frauth2001 to fasw-c-codfw:ge-[0|1]/0/17

Thanks @Papaul and @ayounsi - server is up and accessible.

I tried changing to the bonded ethernet config w/o restarting (only kicked networking service as the puppet module supposedly does) but ended up with the IP on both interfaces (bond0 and en0) which a restart fixed. Maybe manually hacking en0 down would work but it doesn't seem like a bad thing to reboot for.

Next will be the auth dbs and services.

Jgreen updated the task description.