From 99b2bd3ce5760023e5827f2674a40ddf5dff94d0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Antoine=20Beaupr=C3=A9?= <anarcat@debian.org>
Date: Mon, 13 Mar 2023 17:13:35 -0400
Subject: [PATCH] progress on the move-instance procedure (tpo/tpa/team#40972)

---
 howto/ganeti.md | 37 ++++++++++++++++++++++++++-----------
 1 file changed, 26 insertions(+), 11 deletions(-)

diff --git a/howto/ganeti.md b/howto/ganeti.md
index 2ccc5f02..75b2eb28 100644
--- a/howto/ganeti.md
+++ b/howto/ganeti.md
@@ -2206,8 +2206,7 @@ details.
  3. copy the secret to the destination node
  
         scp chi-node-01.torproject.org:/var/lib/ganeti/cluster-domain-secret dal-node-01.torproject.org:/var/lib/ganeti/cluster-domain-secret
-        ssh dal-node-01 "gnt-cluster renew-crypto"
-        ssh dal-node-01 "gnt-cluster verify"
+        ssh dal-node-01 "gnt-cluster renew-crypto && gnt-cluster redist-conf && gnt-cluster verify"
 
  3. extract the public key from the RAPI certificate on the source cluster:
 
@@ -2217,9 +2216,21 @@ details.
  
         cat > gnt-chi.crt
 
+ 5. disable Puppet, as we'll be messing with files it manages:
+ 
+        puppet agent --disable "messing with RAPI and /etc/hosts, see issue tpo/tpa/team#40972"
+
+ 6. bypass the local DNS records for the "API" names on the
+    destination node (dal-node-01):
+ 
+        echo 38.229.82.104   chignt.torproject.org >> /etc/hosts
+        echo 204.8.99.101    dalgnt.torproject.org >> /etc/hosts
+
+ 7. open firewalls and make RAPI listen public (TODO: document, expand)
+
  5. enable an [API user](https://docs.ganeti.org/docs/ganeti/3.0/html/rapi.html#users-and-passwords) on the source *and* on the target cluster:
 
-        echo gnt-dal $(tr -dc '[:alnum:]' < /dev/urandom | head -c 30) write >> /var/lib/ganeti/rapi_users
+        echo move-instance $(tr -dc '[:alnum:]' < /dev/urandom | head -c 30) write >> /var/lib/ganeti/rapi/users
         systemctl restart ganeti
 
  6. enter the passwords in two files on the target cluster, for
@@ -2241,18 +2252,22 @@ details.
             --dest-ca-file=/var/lib/ganeti/rapi.pem \
             --opportunistic-tries=1 \
             --iallocator=hail \
-            --src-username=gnt-dal \
-            --src-password-file=gnt-chi.users \
-            --dest-username=gnt-chi \
-            --dest-password-file=gnt-dal.users \
-            --src-rapi-port=5081 \
+            --src-username=move-instance \
+            --src-password-file=gnt-chi.password \
+            --dest-username=move-instance \
+            --dest-password-file=gnt-dal.password \
+            --src-rapi-port=5080 \
             --dest-rapi-port=5080 \
             --net 0:ip=pool,network=gnt-dal-01 \
+            --keep-source-instance \
             --debug \
 
-    Note that the `/var/lib/ganeti/rapi/users` files get overwritten
-    by Puppet, so that might be cleaned up after (or during) your
-    attempt. 
+Note that the above procedure depends on a patched version of
+`move-instance`, which was changed after the 3.0 Ganeti release, see
+[this comment](https://github.com/ganeti/ganeti/issues/1696#issuecomment-1465221351) for details.
+
+Also note, that the `/var/lib/ganeti/rapi/users` files get overwritten
+by Puppet, so that might be cleaned up after (or during) your attempt.
 
 Currently fails with:
 
-- 
GitLab