... | ... | @@ -2206,8 +2206,7 @@ details. |
|
|
3. copy the secret to the destination node
|
|
|
|
|
|
scp chi-node-01.torproject.org:/var/lib/ganeti/cluster-domain-secret dal-node-01.torproject.org:/var/lib/ganeti/cluster-domain-secret
|
|
|
ssh dal-node-01 "gnt-cluster renew-crypto"
|
|
|
ssh dal-node-01 "gnt-cluster verify"
|
|
|
ssh dal-node-01 "gnt-cluster renew-crypto && gnt-cluster redist-conf && gnt-cluster verify"
|
|
|
|
|
|
3. extract the public key from the RAPI certificate on the source cluster:
|
|
|
|
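Review bot: the step numbering is duplicated in this hunk: "3. copy the secret to the destination node" is followed by "3. extract the public key from the RAPI certificate on the source cluster", so the second one should be renumbered. Because the `scp` line writes `/var/lib/ganeti/cluster-domain-secret` straight onto dal-node-01, consider adding a line that checks the copied file has the same owner and mode as on chi-node-01 before the `gnt-cluster renew-crypto && gnt-cluster redist-conf && gnt-cluster verify` chain distributes the configuration.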
... | ... | @@ -2217,9 +2216,21 @@ details. |
|
|
|
|
|
cat > gnt-chi.crt
|
|
|
|
|
|
5. disable Puppet, as we'll be messing with files it manages:
|
|
|
|
|
|
puppet agent --disable "messing with RAPI and /etc/hosts, see issue tpo/tpa/team#40972"
|
|
|
|
|
|
6. bypass the local DNS records for the "API" names on the
|
|
|
destination node (dal-node-01):
|
|
|
|
|
|
echo 38.229.82.104 chignt.torproject.org >> /etc/hosts
|
|
|
echo 204.8.99.101 dalgnt.torproject.org >> /etc/hosts
|
|
|
|
|
|
7. open firewalls and make RAPI listen public (TODO: document, expand)
|
|
|
|
|
|
5. enable an [API user](https://docs.ganeti.org/docs/ganeti/3.0/html/rapi.html#users-and-passwords) on the source *and* on the target cluster:
|
|
|
|
|
|
echo gnt-dal $(tr -dc '[:alnum:]' < /dev/urandom | head -c 30) write >> /var/lib/ganeti/rapi_users
|
|
|
echo move-instance $(tr -dc '[:alnum:]' < /dev/urandom | head -c 30) write >> /var/lib/ganeti/rapi/users
|
|
|
systemctl restart ganeti
|
|
|
|
|
|
6. enter the passwords in two files on the target cluster, for
|
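Review bot: steps 5 to 7 (disabling Puppet, appending to `/etc/hosts`, opening firewalls and making RAPI listen publicly) have no matching cleanup in the visible lines, so a node can be left with Puppet disabled, stale `/etc/hosts` overrides and RAPI publicly exposed if the move is abandoned partway. Please add a closing step that removes the two `/etc/hosts` entries, reverts the firewall and RAPI listen change, deletes the `move-instance` line from the RAPI users file and runs `puppet agent --enable`. Step 7 is still a TODO, so it should at least say which port is opened and to which source addresses. The numbering also collides: the new steps 5, 6 and 7 are followed by "5. enable an API user" and "6. enter the passwords".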
... | ... | @@ -2241,18 +2252,22 @@ details. |
|
|
--dest-ca-file=/var/lib/ganeti/rapi.pem \
|
|
|
--opportunistic-tries=1 \
|
|
|
--iallocator=hail \
|
|
|
--src-username=gnt-dal \
|
|
|
--src-password-file=gnt-chi.users \
|
|
|
--dest-username=gnt-chi \
|
|
|
--dest-password-file=gnt-dal.users \
|
|
|
--src-rapi-port=5081 \
|
|
|
--src-username=move-instance \
|
|
|
--src-password-file=gnt-chi.password \
|
|
|
--dest-username=move-instance \
|
|
|
--dest-password-file=gnt-dal.password \
|
|
|
--src-rapi-port=5080 \
|
|
|
--dest-rapi-port=5080 \
|
|
|
--net 0:ip=pool,network=gnt-dal-01 \
|
|
|
--keep-source-instance \
|
|
|
--debug \
|
|
|
|
|
|
Note that the `/var/lib/ganeti/rapi/users` files get overwritten
|
|
|
by Puppet, so that might be cleaned up after (or during) your
|
|
|
attempt.
|
|
|
Note that the above procedure depends on a patched version of
|
|
|
`move-instance`, which was changed after the 3.0 Ganeti release, see
|
|
|
[this comment](https://github.com/ganeti/ganeti/issues/1696#issuecomment-1465221351) for details.
|
|
|
|
|
|
Also note, that the `/var/lib/ganeti/rapi/users` files get overwritten
|
|
|
by Puppet, so that might be cleaned up after (or during) your attempt.
|
|
|
|
|
|
Currently fails with:
|
|
|
|
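Review bot: the note that the `/var/lib/ganeti/rapi/users` files "get overwritten by Puppet" does not mention that the procedure now disables Puppet in step 5, so it reads as if the credentials may vanish mid-run; say instead that Puppet resets the file once it is re-enabled, or that the warning applies only on nodes where Puppet was left running. The note about the patched `move-instance` links to an upstream comment but does not say how the patched version is installed on dal-node-01, which the procedure needs before the command can work. Minor style point: drop the comma in "Also note, that".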
... | ... | |