... | ... | @@ -2208,13 +2208,17 @@ details. |
|
|
scp chi-node-01.torproject.org:/var/lib/ganeti/cluster-domain-secret dal-node-01.torproject.org:/var/lib/ganeti/cluster-domain-secret
|
|
|
ssh dal-node-01 "gnt-cluster renew-crypto && gnt-cluster redist-conf && gnt-cluster verify"
|
|
|
|
|
|
4. start ganeti on the destination node with the new secret:
|
|
|
|
|
|
ssh dal-node-01 systemctl start ganeti
|
|
|
|
|
|
3. extract the public key from the RAPI certificate on the source cluster:
|
|
|
|
|
|
sed -n '/BEGIN CERT/,$p' /var/lib/ganeti/rapi.pem
|
|
|
ssh chi-node-01 sed -n '/BEGIN CERT/,$p' /var/lib/ganeti/rapi.pem
|
|
|
|
|
|
4. paste that in a certificate file on the target cluster:
|
|
|
|
|
|
cat > gnt-chi.crt
|
|
|
ssh dal-node-01 tee gnt-chi.crt
|
|
|
|
|
|
5. disable Puppet, as we'll be messing with files it manages:
|
|
|
|
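Review bot: the step numbers in this hunk run 4, 3, 4, 5, so the rendered list will not count in order once the `cluster-domain-secret`/`renew-crypto` block is in place; renumber the steps that follow it. On the `sed -n '/BEGIN CERT/,$p' /var/lib/ganeti/rapi.pem` step, the `sed` range is what keeps the private key out of what gets shared, since `rapi.pem` is a combined key-and-certificate file; the heading should say "extract the certificate" rather than "public key", and the text should state plainly that the file must never be copied whole. The `ssh chi-node-01 sed ... | ssh dal-node-01 tee gnt-chi.crt` form also removes the manual paste in the next step. Finally, "disable Puppet" needs a matching re-enable step at the end of the procedure, or the node stays unmanaged after the move.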
... | ... | @@ -2226,7 +2230,9 @@ details. |
|
|
echo 38.229.82.104 chignt.torproject.org >> /etc/hosts
|
|
|
echo 204.8.99.101 dalgnt.torproject.org >> /etc/hosts
|
|
|
|
|
|
7. open firewalls and make RAPI listen public (TODO: document, expand)
|
|
|
7. make RAPI listen on the public network, on both master nodes:
|
|
|
|
|
|
echo 'RAPI_ARGS="--require-authentication"' >> /etc/default/ganeti
|
|
|
|
|
|
5. enable an [API user](https://docs.ganeti.org/docs/ganeti/3.0/html/rapi.html#users-and-passwords) on the source *and* on the target cluster:
|
|
|
|
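Review bot: the heading "make RAPI listen on the public network" does not match the only command under it, `echo 'RAPI_ARGS="--require-authentication"' >> /etc/default/ganeti`, which changes the authentication policy, not the bind address; either the bind-address change belongs in this step as well or the heading should describe what the line does. Keeping `--require-authentication` is the right call once RAPI is reachable from the other cluster, because without it read-only (GET) requests are served without credentials. Note also that `>>` appends blindly, so re-running the step leaves duplicate `RAPI_ARGS` lines in a file Puppet normally manages; the step numbers (7, 7, 5) need the same renumbering as the previous hunk.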
... | ... | @@ -2239,8 +2245,11 @@ details. |
|
|
cat > gnt-chi.password
|
|
|
cat > gnt-dal.password
|
|
|
|
|
|
7. wave your hands around to make a tunnel between the two hosts or
|
|
|
*gasp* open the firewall up
|
|
|
7. open up the firewall on all nodes to all nodes, between both
|
|
|
clusters:
|
|
|
|
|
|
ssh chi-node-01 gnt-cluster command "iptables-legacy -I ganeti-cluster -j ACCEPT -s 204.8.99.96/27"
|
|
|
ssh dal-node-01 gnt-cluster command "iptables-legacy -I ganeti-cluster -j ACCEPT -s 38.229.82.104/27"
|
|
|
|
|
|
8. then this mouthful:
|
|
|
|
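Review bot: the two `iptables-legacy -I ganeti-cluster -j ACCEPT -s ...` rules accept every protocol and port from the remote /27, which is broader than a move needs (RAPI on 5080 plus the import/export traffic); consider restricting them with `-p tcp --dport` and stating that they are temporary, since they are inserted by hand with Puppet disabled and will not survive a firewall reload. The `-s 38.229.82.104/27` on the `dal-node-01` line is not an aligned network address (the /27 containing .104 is `38.229.82.96/27`); iptables masks it silently, but writing `38.229.82.96/27` keeps it consistent with the `204.8.99.96/27` used on the other side. The `cat > gnt-chi.password` / `cat > gnt-dal.password` files are created with the default umask, so add a `chmod 600` (and a cleanup step) for the RAPI credentials.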
... | ... | @@ -2258,7 +2267,7 @@ details. |
|
|
--dest-rapi-port=5080 \
|
|
|
--net 0:ip=pool,network=gnt-dal-01,mode=,link= \
|
|
|
--keep-source-instance \
|
|
|
--debug \
|
|
|
--verbose \
|
|
|
|
|
|
Note that the above procedure depends on a patched version of
|
|
|
`move-instance`, which was changed after the 3.0 Ganeti release, see
|
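Review bot: the closing note "depends on a patched version of `move-instance`, which was changed after the 3.0 Ganeti release, see" should point at the exact upstream commit or merge request, so a reader can check whether the installed `move-instance` carries the change before trusting the empty `mode=` and `link=` values in `--net 0:ip=pool,network=gnt-dal-01,mode=,link=`. With `--keep-source-instance` the instance stays defined on the source cluster, so the procedure needs a follow-up step that removes it from chi once the dal copy is verified and that reverts the firewall, RAPI and Puppet changes made earlier. `--dest-rapi-port=5080` is the RAPI default and can be dropped or commented as explicit.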
... | ... | |