Change Details

--- # cloudgw after-migration checklist! - name: "VM (no floating IP) contacting the internet gets NAT'd using routing_source_ip" tests: - cmd: ssh tools-k8s-control-1.tools.eqiad1.wikimedia.cloud "curl -s ifconfig.me ; echo " # this is routing_source_ip stdout: "185.15.56.1" retcode: 0 stderr: "" - name: "VM (no floating IP) contacting an address covered by dmz_cidr doesn't get NAT'd" tests: - cmd: ssh tools-k8s-control-1.tools.eqiad1.wikimedia.cloud "curl -Is https://es.wikipedia.org | grep x-client-ip" # this is the internal VM address stdout: "x-client-ip: 172.16.0.104" retcode: 0 stderr: "" - name: "VM (using floating IP) isn't affected by either routing_source_ip or dmz_cidr" tests: - cmd: ssh dev.toolforge.org "curl -s ifconfig.me ; echo" # this is the VM floating IP address stdout: "185.15.56.50" retcode: 0 stderr: "" - cmd: ssh dev.toolforge.org "curl -Is https://es.wikipedia.org | grep x-client-ip" # this is the VM private address, after the migration, it should be the floating IP stdout: "x-client-ip: 185.15.56.50" retcode: 0 stderr: "" - name: "VM (no floating IP) can contact auth DNS server" tests: - cmd: ssh tools-k8s-control-1.tools.eqiad1.wikimedia.cloud "dig +short toolforge.org @208.80.154.11" # this the A apex record in the toolforge.org DNS domain zone stdout: "185.15.56.11" retcode: 0 stderr: "" - name: "VM (no floating IP) can contact recursor DNS server" tests: - cmd: ssh tools-k8s-control-1.tools.eqiad1.wikimedia.cloud "dig +short www.basket.com @208.80.154.143 | wc -l" # this a somewhat random IPv4 on the internet, so only check that we get "something" stdout: "1" retcode: 0 stderr: "" - name: "VM (using floating IP) can contact auth DNS server" tests: - cmd: ssh dev.toolforge.org "dig +short toolforge.org @208.80.154.11" # this the A apex record in the toolforge.org DNS domain zone stdout: "185.15.56.11" retcode: 0 stderr: "" - name: "VM (using floating IP) can contact recursor DNS server" tests: - cmd: ssh dev.toolforge.org "dig +short www.basket.com @208.80.154.143 | wc -l" # this a somewhat random IPv4 on the internet, so only check that we get "something" stdout: "1" retcode: 0 stderr: "" - name: "VM (using floating IP) can contact LDAP server" tests: - cmd: ssh dev.toolforge.org 'ldapsearch -x whatever | grep -q ^"# numResponses"' # grep is happy, we are too stdout: "" retcode: 0 stderr: "" - name: "VM (not using floating IP) can contact LDAP server" tests: - cmd: ssh ssh tools-k8s-control-1.tools.eqiad1.wikimedia.cloud 'ldapsearch -x whatever | grep -q ^"# numResponses"' # grep is happy, we are too stdout: "" retcode: 0 stderr: ""

--- # cloudgw after-migration checklist! - name: basic ping to cloudgw addresses (raw addresses) tests: # this is cloudgw1001.eqiad1.wikimediacloud.org - cmd: timeout -k5s 10s ping -c1 cloudgw1001.eqiad1.wikimediacloud.org >/dev/null stdout: "" retcode: 0 stderr: "" # this is cloudgw1002.eqiad1.wikimediacloud.org - cmd: timeout -k5s 10s ping -c1 cloudgw1002.eqiad1.wikimediacloud.org >/dev/null stdout: "" retcode: 0 stderr: "" # this is virt.cloudgw.eqiad1.wikimediacloud.org - cmd: timeout -k5s 10s ping -c1 virt.cloudgw.eqiad1.wikimediacloud.org >/dev/null stdout: "" retcode: 0 stderr: "" # this one wont be available until the migration completes, this is # wan.cloudgw.eqiad1.wikimediacloud.org - cmd: timeout -k5s 10s ping -c1 wan.cloudgw.eqiad1.wikimediacloud.org >/dev/null stdout: "" retcode: 0 stderr: "" - name: VM (no floating IP) contacting the internet gets NAT'd using routing_source_ip tests: - cmd: ssh tools-k8s-control-1.tools.eqiad1.wikimedia.cloud "curl -s ifconfig.me ; echo " # this is routing_source_ip stdout: "185.15.56.1" retcode: 0 stderr: "" - name: VM (no floating IP) contacting an address covered by dmz_cidr doesn't get NAT'd tests: - cmd: ssh tools-k8s-control-1.tools.eqiad1.wikimedia.cloud "curl -Is https://es.wikipedia.org | grep x-client-ip" # this is the internal VM address stdout: "x-client-ip: 172.16.0.104" retcode: 0 stderr: "" - name: VM (using floating IP) isn't affected by either routing_source_ip or dmz_cidr tests: - cmd: ssh dev.toolforge.org "curl -s ifconfig.me ; echo" # this is the VM floating IP address stdout: "185.15.56.50" retcode: 0 stderr: "" - cmd: ssh dev.toolforge.org "curl -Is https://es.wikipedia.org | grep x-client-ip" # this is the VM private address, after the migration, it should be the floating IP stdout: "x-client-ip: 185.15.56.50" retcode: 0 stderr: "" - name: VM (no floating IP) can contact auth DNS server tests: - cmd: ssh tools-k8s-control-1.tools.eqiad1.wikimedia.cloud "dig +short toolforge.org @208.80.154.11" # this the A apex record in the toolforge.org DNS domain zone stdout: "185.15.56.11" retcode: 0 stderr: "" - name: VM (no floating IP) can contact recursor DNS server tests: - cmd: ssh tools-k8s-control-1.tools.eqiad1.wikimedia.cloud "dig +short www.basket.com @208.80.154.143 | wc -l" # this a somewhat random IPv4 on the internet, so only check that we get "something" stdout: "1" retcode: 0 stderr: "" - name: VM (using floating IP) can contact auth DNS server tests: - cmd: ssh dev.toolforge.org "dig +short toolforge.org @208.80.154.11" # this the A apex record in the toolforge.org DNS domain zone stdout: "185.15.56.11" retcode: 0 stderr: "" - name: VM (using floating IP) can contact recursor DNS server tests: - cmd: ssh dev.toolforge.org "dig +short www.basket.com @208.80.154.143 | wc -l" # this a somewhat random IPv4 on the internet, so only check that we get "something" stdout: "1" retcode: 0 stderr: "" - name: VM (using floating IP) can contact LDAP server tests: - cmd: ssh dev.toolforge.org 'ldapsearch -x whatever | grep -q ^"# numResponses"' # grep is happy, we are too stdout: "" retcode: 0 stderr: "" - name: VM (not using floating IP) can contact LDAP server tests: - cmd: ssh tools-k8s-control-1.tools.eqiad1.wikimedia.cloud 'ldapsearch -x whatever | grep -q ^"# numResponses"' # grep is happy, we are too stdout: "" retcode: 0 stderr: "" - name: VM (using floating IP) can connect to wikireplicas tests: - cmd: ssh dev.toolforge.org 'sudo -iu tools.arturo-test-tool sql enwiki "select * from page limit 2;" | grep page_id | wc -l' stdout: "1" retcode: 0 stderr: "" - name: Toolforge webservice can be accessed from the internet tests: - cmd: curl -f --no-progress-meter https://network-tests.toolforge.org/files/1MB.bin --output - | file - stdout: "/dev/stdin: data" retcode: 0 stderr: "" - name: Toolforge bastions see herald file on project NFS tests: - cmd: timeout -k5s 60s ssh dev.toolforge.org "file /mnt/nfs/labstore-secondary-tools-project/herald" stdout: "/mnt/nfs/labstore-secondary-tools-project/herald: ASCII text" retcode: 0 stderr: "" - cmd: timeout -k5s 60s ssh login.toolforge.org "file /mnt/nfs/labstore-secondary-tools-project/herald" stdout: "/mnt/nfs/labstore-secondary-tools-project/herald: ASCII text" retcode: 0 stderr: "" - name: basic ping to cloudgw addresses (DNS names) tests: - cmd: timeout -k5s 10s ping -c1 cloudgw1001.eqiad1.wikimediacloud.org >/dev/null stdout: "" retcode: 0 stderr: "" - cmd: timeout -k5s 10s ping -c1 cloudgw1002.eqiad1.wikimediacloud.org >/dev/null stdout: "" retcode: 0 stderr: "" - cmd: timeout -k5s 10s ping -c1 virt.cloudgw.eqiad1.wikimediacloud.org >/dev/null stdout: "" retcode: 0 stderr: "" # this one wont be available until the migration completes: - cmd: timeout -k5s 10s ping -c1 wan.cloudgw.eqiad1.wikimediacloud.org >/dev/null stdout: "" retcode: 0 stderr: "" - name: basic ping to neutron addresses (DNS names) tests: - cmd: timeout -k5s 10s ping -c1 cloudinstances2b-gw.openstack.eqiad1.wikimediacloud.org >/dev/null stdout: "" retcode: 0 stderr: ""

--- # cloudgw after-migration checklist! - name: "basic ping to cloudgw addresses (raw addresses) tests: # this is cloudgw1001.eqiad1.wikimediacloud.org - cmd: timeout -k5s 10s ping -c1 cloudgw1001.eqiad1.wikimediacloud.org >/dev/null stdout: "" retcode: 0 stderr: "" # this is cloudgw1002.eqiad1.wikimediacloud.org - cmd: timeout -k5s 10s ping -c1 cloudgw1002.eqiad1.wikimediacloud.org >/dev/null stdout: "" retcode: 0 stderr: "" # this is virt.cloudgw.eqiad1.wikimediacloud.org - cmd: timeout -k5s 10s ping -c1 virt.cloudgw.eqiad1.wikimediacloud.org >/dev/null stdout: "" retcode: 0 stderr: "" # this one wont be available until the migration completes, this is # wan.cloudgw.eqiad1.wikimediacloud.org - cmd: timeout -k5s 10s ping -c1 wan.cloudgw.eqiad1.wikimediacloud.org >/dev/null stdout: "" retcode: 0 stderr: "" - name: VM (no floating IP) contacting the internet gets NAT'd using routing_source_ip" tests: - cmd: ssh tools-k8s-control-1.tools.eqiad1.wikimedia.cloud "curl -s ifconfig.me ; echo " # this is routing_source_ip stdout: "185.15.56.1" retcode: 0 stderr: "" - name: "VM (no floating IP) contacting an address covered by dmz_cidr doesn't get NAT'd" tests: - cmd: ssh tools-k8s-control-1.tools.eqiad1.wikimedia.cloud "curl -Is https://es.wikipedia.org | grep x-client-ip" # this is the internal VM address stdout: "x-client-ip: 172.16.0.104" retcode: 0 stderr: "" - name: "VM (using floating IP) isn't affected by either routing_source_ip or dmz_cidr" tests: - cmd: ssh dev.toolforge.org "curl -s ifconfig.me ; echo" # this is the VM floating IP address stdout: "185.15.56.50" retcode: 0 stderr: "" - cmd: ssh dev.toolforge.org "curl -Is https://es.wikipedia.org | grep x-client-ip" # this is the VM private address, after the migration, it should be the floating IP stdout: "x-client-ip: 185.15.56.50" retcode: 0 stderr: "" - name: "VM (no floating IP) can contact auth DNS server" tests: - cmd: ssh tools-k8s-control-1.tools.eqiad1.wikimedia.cloud "dig +short toolforge.org @208.80.154.11" # this the A apex record in the toolforge.org DNS domain zone stdout: "185.15.56.11" retcode: 0 stderr: "" - name: "VM (no floating IP) can contact recursor DNS server" tests: - cmd: ssh tools-k8s-control-1.tools.eqiad1.wikimedia.cloud "dig +short www.basket.com @208.80.154.143 | wc -l" # this a somewhat random IPv4 on the internet, so only check that we get "something" stdout: "1" retcode: 0 stderr: "" - name: "VM (using floating IP) can contact auth DNS server" tests: - cmd: ssh dev.toolforge.org "dig +short toolforge.org @208.80.154.11" # this the A apex record in the toolforge.org DNS domain zone stdout: "185.15.56.11" retcode: 0 stderr: "" - name: "VM (using floating IP) can contact recursor DNS server" tests: - cmd: ssh dev.toolforge.org "dig +short www.basket.com @208.80.154.143 | wc -l" # this a somewhat random IPv4 on the internet, so only check that we get "something" stdout: "1" retcode: 0 stderr: "" - name: "VM (using floating IP) can contact LDAP server" tests: - cmd: ssh dev.toolforge.org 'ldapsearch -x whatever | grep -q ^"# numResponses"' # grep is happy, we are too stdout: "" retcode: 0 stderr: "" - name: "VM (not using floating IP) can contact LDAP server" tests: - cmd: ssh ssh tools-k8s-control-1.tools.eqiad1.wikimedia.cloud 'ldapsearch -x whatever | grep -q ^"# numResponses"' # grep is happy, we are too stdout: "" retcode: 0 stderr: "" - name: VM (using floating IP) can connect to wikireplicas tests: - cmd: ssh dev.toolforge.org 'sudo -iu tools.arturo-test-tool sql enwiki "select * from page limit 2;" | grep page_id | wc -l' stdout: "1" retcode: 0 stderr: "" - name: Toolforge webservice can be accessed from the internet tests: - cmd: curl -f --no-progress-meter https://network-tests.toolforge.org/files/1MB.bin --output - | file - stdout: "/dev/stdin: data" retcode: 0 stderr: "" - name: Toolforge bastions see herald file on project NFS tests: - cmd: timeout -k5s 60s ssh dev.toolforge.org "file /mnt/nfs/labstore-secondary-tools-project/herald" stdout: "/mnt/nfs/labstore-secondary-tools-project/herald: ASCII text" retcode: 0 stderr: "" - cmd: timeout -k5s 60s ssh login.toolforge.org "file /mnt/nfs/labstore-secondary-tools-project/herald" stdout: "/mnt/nfs/labstore-secondary-tools-project/herald: ASCII text" retcode: 0 stderr: "" - name: basic ping to cloudgw addresses (DNS names) tests: - cmd: timeout -k5s 10s ping -c1 cloudgw1001.eqiad1.wikimediacloud.org >/dev/null stdout: "" retcode: 0 stderr: "" - cmd: timeout -k5s 10s ping -c1 cloudgw1002.eqiad1.wikimediacloud.org >/dev/null stdout: "" retcode: 0 stderr: "" - cmd: timeout -k5s 10s ping -c1 virt.cloudgw.eqiad1.wikimediacloud.org >/dev/null stdout: "" retcode: 0 stderr: "" # this one wont be available until the migration completes: - cmd: timeout -k5s 10s ping -c1 wan.cloudgw.eqiad1.wikimediacloud.org >/dev/null stdout: "" retcode: 0 stderr: "" - name: basic ping to neutron addresses (DNS names) tests: - cmd: timeout -k5s 10s ping -c1 cloudinstances2b-gw.openstack.eqiad1.wikimediacloud.org >/dev/null stdout: "" retcode: 0 stderr: ""