@@ -1706,56 +1706,32 @@ Once those patches have been deployed, use the following procedure to
migrate a VM. In this example, we migrate a VM named
`test-01.torproject.org` from the gnt-chi cluster to gnt-dal.
1. create a new secret on the source cluster:
0. ensure a `move-instance` has been deployed to `/var/lib/ganeti/rapi/users`
and that the cluster domain secret is identical across all nodes of both
source and destination clusters. This should be handled by Puppet.
chi-node-01# gnt-cluster renew-crypto --new-cluster-domain-secret
1. extract the public key from the RAPI certificate on the source cluster:
2. stop ganeti on the destination node:
dal-node-01# systemctl stop ganeti
3. copy the secret to the destination node
scp chi-node-01.torproject.org:/var/lib/ganeti/cluster-domain-secret dal-node-01.torproject.org:/var/lib/ganeti/cluster-domain-secret
ssh dal-node-01 "gnt-cluster renew-crypto && gnt-cluster redist-conf && gnt-cluster verify"
4. start ganeti on the destination node with the new secret:
ssh dal-node-01 systemctl start ganeti
3. extract the public key from the RAPI certificate on the source cluster:
ssh chi-node-01 sed -n '/BEGIN CERT/,$p' /var/lib/ganeti/rapi.pem
4. paste that in a certificate file on the target cluster:
2. paste that in a certificate file on the target cluster:
ssh dal-node-01 tee gnt-chi.crt
5. disable Puppet, as we'll be messing with files it manages:
3. enter the RAPI passwords from `/var/lib/ganeti/rapi/users` on both clusters
in two files on the target cluster, for example:
puppet agent --disable "messing with RAPI, see issue tpo/tpa/team#40972"
7. make RAPI listen on the public network, on both master nodes:
echo 'RAPI_ARGS="--require-authentication"' >> /etc/default/ganeti
TODO: add a flag in Puppet to make this configurable, so that we
don't have to stop Puppet.
5. enable an [API user](https://docs.ganeti.org/docs/ganeti/3.0/html/rapi.html#users-and-passwords) on the source *and* on the target cluster:
echo move-instance $(tr -dc '[:alnum:]' < /dev/urandom | head -c 30) write >> /var/lib/ganeti/rapi/users
systemctl restart ganeti
TODO: add to Puppet
6. enter the passwords in two files on the target cluster, for
example:
cat > gnt-chi.password
cat > gnt-dal.password
7. open up the firewall on all nodes to all nodes, between both
4. disable Puppet, as we'll be messing with files it manages:
ssh chi-node-01 gnt-cluster command "puppet agent --disable 'firewall
opened for cross-cluster migration'"
ssh dal-node-01 gnt-cluster command "puppet agent --disable 'firewall
opened for cross-cluster migration'"
5. open up the firewall on all nodes to all nodes, between both
clusters:
ssh chi-node-01 gnt-cluster command "iptables-legacy -I ganeti-cluster -j ACCEPT -s 204.8.99.96/27"
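Review bot: the step that appended `RAPI_ARGS="--require-authentication"` to `/etc/default/ganeti` (with a TODO to make it a Puppet flag) and the step that created the `move-instance` RAPI user (with "TODO: add to Puppet") are dropped from the procedure, but the new step 0 only states that the `move-instance` entry in `/var/lib/ganeti/rapi/users` and the cluster domain secret "should be handled by Puppet" and says nothing about `--require-authentication`. Since step 5 still opens the firewall on all nodes to all nodes between both clusters (`iptables-legacy -I ganeti-cluster -j ACCEPT -s 204.8.99.96/27`), please either link the Puppet change that deploys RAPI with `--require-authentication` or keep that step in the runbook. Two documentation nits in the new text: step 0 reads "ensure a `move-instance` has been deployed", presumably "a `move-instance` user"; and the new step 4 disables Puppet with the reason 'firewall opened for cross-cluster migration' although its own description says it is about files Puppet manages, so the message will mislead whoever reads `puppet agent --disable` state on the nodes.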