Verified commit 99397e31, authored by lelutin

Change example migration to use fsn as source

The chi cluster does not exist anymore. Having an example showing how to
move an instance from fsn to dal would be more useful to us nowadays.

Also the `ganeti` script was removed in favor of calling the same
tasks from the `ganeti` namespace directly with `fab`.

Finally, got rid of trailing spaces in the sections and a bogus trailing
slash in the example usage of `move-instance`.
parent cdea32e1
+31 −39
@@ -1762,51 +1762,43 @@ Note that the script currently migrates only one VM at a time, because of the
`--net` argument, a limitation which could eventually be waived.

Before you can launch an instance migration, use the following procedure to
prepare the cluster. In this example, we migrate from
the `gnt-chi` cluster to `gnt-dal`.
prepare the cluster. In this example, we migrate from the `gnt-fsn` cluster to
`gnt-dal`.

 0. ensure a `move-instance` has been deployed to `/var/lib/ganeti/rapi/users`
    and that the cluster domain secret is identical across all nodes of both
    source and destination clusters. This should be handled by Puppet.
 0. Run `gnt-cluster verify` on both clusters.

    Run `gnt-cluster verify` on both clusters.
    (this is now handled by puppet) ensure a `move-instance` user has been
    deployed to `/var/lib/ganeti/rapi/users` and that the cluster domain secret
    is identical across all nodes of both source and destination clusters.

 1. extract the public key from the RAPI certificate on the source cluster:

        ssh chi-node-01 sed -n '/BEGIN CERT/,$p' /var/lib/ganeti/rapi.pem 
        ssh fsn-node-01.torproject.org sed -n '/BEGIN CERT/,$p' /var/lib/ganeti/rapi.pem

 2. paste that in a certificate file on the target cluster:

        ssh dal-node-01 tee gnt-chi.crt
        ssh dal-node-01.torproject.org tee gnt-fsn.crt

 3. enter the RAPI passwords from `/var/lib/ganeti/rapi/users` on both clusters
    in two files on the target cluster, for example:

        cat > gnt-chi.password
        cat > gnt-fsn.password
        cat > gnt-dal.password

 4. disable Puppet, as we'll be messing with files it manages:
 4. disable Puppet on all ganeti nodes, as we'll be messing with files it manages:

        ssh chi-node-01 gnt-cluster command "puppet agent --disable 'firewall
        opened for cross-cluster migration'"
        ssh dal-node-01 gnt-cluster command "puppet agent --disable 'firewall
        opened for cross-cluster migration'"
        ssh fsn-node-01.torproject.org gnt-cluster command "puppet agent --disable 'firewall opened for cross-cluster migration'"
        ssh dal-node-01.torproject.org gnt-cluster command "puppet agent --disable 'firewall opened for cross-cluster migration'"

 5. open up the firewall on all nodes to all nodes, between both
    clusters:
    
        ssh chi-node-01 gnt-cluster command "iptables-legacy -I ganeti-cluster -j ACCEPT -s 204.8.99.96/27"
        ssh dal-node-01 gnt-cluster command "iptables-legacy -I ganeti-cluster -j ACCEPT -s 38.229.82.104/27"

    to open up to nodes in the gnt-fsn cluster, the command would be:
 5. open up the firewall on all destination nodes to all nodes from the source:

        for n in fsn-node-0{1..8}; do nodeip=$(dig +short ${n}.torproject.org); gnt-cluster command "iptables-legacy -I ganeti-cluster -j ACCEPT -s ${nodeip}/32"; done

### Actual VM migration

Once the above configuration is completed, the following procedure
will move *one* VM, in this example the `test-01` VM from the
(now defunct) `gnt-chi` to the `gnt-dal` cluster:
Once the above configuration is completed, the following procedure will move
_one_ VM, in this example the fictitious `test-01.torproject.org` VM from the
`gnt-fsn` to the `gnt-dal` cluster:

 1. stop the VM, on the source cluster:

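Review bot: In step 5 the new loop calls `gnt-cluster command` with no `ssh <host>` prefix, unlike steps 1 to 4, so the text no longer says where it is run; since the step says the rule goes on the destination nodes, state that it runs on the `gnt-dal` master or prefix it accordingly. The loop also feeds the `dig +short` output straight into `-s ${nodeip}/32`, so a name that does not resolve, or that returns more than one line, yields a malformed `-s` argument on every node; skip the host when `nodeip` is empty. Separately, step 3 creates the RAPI password files with `cat >` under the default umask; setting `umask 077` first would keep them unreadable to other users on the node.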
@@ -1820,13 +1812,13 @@ will move *one* VM, in this example the `test-01` VM from the
 2. move the VM to the new cluster:

        /usr/lib/ganeti/tools/move-instance  \
            chi-node-01.torproject.org \
            fsn-node-01.torproject.org \
            dal-node-01.torproject.org \
            test-01.torproject.org \
            --src-ca-file=gnt-chi.crt \
            --src-ca-file=gnt-fsn.crt \
            --dest-ca-file=/var/lib/ganeti/rapi.pem \
            --src-username=move-instance \
            --src-password-file=gnt-chi.password \
            --src-password-file=gnt-fsn.password \
            --dest-username=move-instance \
            --dest-password-file=gnt-dal.password \
            --src-rapi-port=5080 \
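Review bot: The renamed `--src-ca-file=gnt-fsn.crt` and `--src-password-file=gnt-fsn.password` arguments are still relative paths, so the command only works from the directory on the target node where steps 2 and 3 of the preparation wrote those files. Say on which host and in which directory `move-instance` is run, or use absolute paths, so that a missing file is not mistaken for a RAPI authentication problem.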
@@ -1834,18 +1826,18 @@ will move *one* VM, in this example the `test-01` VM from the
            --net 0:ip=pool,network=gnt-dal-01,mode=,link= \
            --keep-source-instance \
            --dest-disk-template=drbd \
            --verbose \
            --verbose

 3. change the IP address inside the VM:

        fabric-tasks$ ./ganeti -H test-01.torproject.org renumber-instance dal-node-02.torproject.org
        fabric-tasks$ fab -H test-01.torproject.org ganeti.renumber-instance dal-node-02.torproject.org

    Note how we use the name of the Ganeti node where the VM resides,
    *not* the master.
    _not_ the master.

    Also note that this will give you a bunch of instructions on how
    to complete the renumbering. Do *not* follow those steps yet! Wait
    for confirmation that the new VM works *before* changing DNS so we
    to complete the renumbering. Do _not_ follow those steps yet! Wait
    for confirmation that the new VM works _before_ changing DNS so we
    have a chance to catch problems.

 4. test the new VM
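Review bot: The switch from `*not*` to `_not_` (and `*before*` to `_before_`) in step 3 is not mentioned in the commit message and is not needed for the fsn example; either drop it from this commit or apply it to the whole file so the emphasis style stays consistent. The `--verbose` fix that removes the dangling line continuation is good. In the `fab` line, `dal-node-02.torproject.org` is a fixed example while the note below says to use the node where the VM resides, so mark it as an example value.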
@@ -1862,7 +1854,7 @@ will move *one* VM, in this example the `test-01` VM from the

 7. schedule destruction of the old VM (7 days)

        fabric-tasks$ ./ganeti -H test-01.torproject.org retire --master-host=chi-node-01.torproject.org 
        fabric-tasks$ fab -H test-01.torproject.org ganeti.retire --master-host=fsn-node-01.torproject.org 

 8. If you're all done with instance migrations, remove the password and
    certificate files that were created in the previous section.
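Review bot: The new `fab ... ganeti.retire --master-host=fsn-node-01.torproject.org ` line still ends with a trailing space, although the commit message says trailing spaces were removed; strip it. Step 8 only covers the password and certificate files: if no earlier step does it, this is the place to also remove the `iptables-legacy` ACCEPT rules added during preparation and run `puppet agent --enable` on both clusters, so the cross-cluster firewall opening does not outlive the migration.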