progress on the move-instance procedure (team#40972)

99b2bd3c · anarcat · b55b0193 · 99b2bd3c
Verified Commit 99b2bd3c authored 2 years ago by anarcat
--- a/howto/ganeti.md
+++ b/howto/ganeti.md
@@ -2206,8 +2206,7 @@ details.
 3. copy the secret to the destination node
 
        scp chi-node-01.torproject.org:/var/lib/ganeti/cluster-domain-secret dal-node-01.torproject.org:/var/lib/ganeti/cluster-domain-secret
-        ssh dal-node-01 "gnt-cluster renew-crypto"
-        ssh dal-node-01 "gnt-cluster verify"
+        ssh dal-node-01 "gnt-cluster renew-crypto && gnt-cluster redist-conf && gnt-cluster verify"

 3. extract the public key from the RAPI certificate on the source cluster:

@@ -2217,9 +2216,21 @@ details.
 
        cat > gnt-chi.crt

+ 5. disable Puppet, as we'll be messing with files it manages:
+ 
+        puppet agent --disable "messing with RAPI and /etc/hosts, see issue tpo/tpa/team#40972"
+
+ 6. bypass the local DNS records for the "API" names on the
+    destination node (dal-node-01):
+ 
+        echo 38.229.82.104   chignt.torproject.org >> /etc/hosts
+        echo 204.8.99.101    dalgnt.torproject.org >> /etc/hosts
+
+ 7. open firewalls and make RAPI listen public (TODO: document, expand)
+
 5. enable an [API user](https://docs.ganeti.org/docs/ganeti/3.0/html/rapi.html#users-and-passwords) on the source *and* on the target cluster:

-        echo gnt-dal $(tr -dc '[:alnum:]' < /dev/urandom | head -c 30) write >> /var/lib/ganeti/rapi_users
+        echo move-instance $(tr -dc '[:alnum:]' < /dev/urandom | head -c 30) write >> /var/lib/ganeti/rapi/users
        systemctl restart ganeti

 6. enter the passwords in two files on the target cluster, for
@@ -2241,18 +2252,22 @@ details.
            --dest-ca-file=/var/lib/ganeti/rapi.pem \
            --opportunistic-tries=1 \
            --iallocator=hail \
-            --src-username=gnt-dal \
-            --src-password-file=gnt-chi.users \
-            --dest-username=gnt-chi \
-            --dest-password-file=gnt-dal.users \
-            --src-rapi-port=5081 \
+            --src-username=move-instance \
+            --src-password-file=gnt-chi.password \
+            --dest-username=move-instance \
+            --dest-password-file=gnt-dal.password \
+            --src-rapi-port=5080 \
            --dest-rapi-port=5080 \
            --net 0:ip=pool,network=gnt-dal-01 \
+            --keep-source-instance \
            --debug \

-    Note that the `/var/lib/ganeti/rapi/users` files get overwritten
-    by Puppet, so that might be cleaned up after (or during) your
-    attempt. 
+Note that the above procedure depends on a patched version of
+`move-instance`, which was changed after the 3.0 Ganeti release, see
+[this comment](https://github.com/ganeti/ganeti/issues/1696#issuecomment-1465221351) for details.
+
+Also note, that the `/var/lib/ganeti/rapi/users` files get overwritten
+by Puppet, so that might be cleaned up after (or during) your attempt.

 Currently fails with: