External #768
closed
Loss of the Oxymium/Nerim xco at PA3 on 14/04
Added by Pierre-Louis Bonicoli over 2 years ago.
Updated over 2 years ago.
Category:
System :: Network
Branch:
toushirou_hivane_via_l2tp
Description
On Toushirou, the current link provided by Acontios will end in one week (2022-04-14).
According to the checks made by Acontios about the used bandwidth, the Nerim link can be used instead of the current one.
An L2TP tunnel will be required in order to keep/use our current IP.
The requirements:
- ✅ If any issue occurs during the migration, physical access will be required
- Pilou asked Chojin about it (Pilou will be available 2022-04-11 or 2022-04-13).
- ✅ Duck: contact Acontios to provide the L2TP setup
The required tasks in order to update the configuration:
- ✅ ensure we are able to connect through the Nerim link
- ✅ remove any reference to the hivane network interface
# rgrep -l eth-wan-hivane /etc/
/etc/network/interfaces.d/hivane-link
/etc/network/multihoming
/etc/default/grub
/etc/systemd/network/10_eth-wan-hivane.link
/etc/mp-admin/firewalling
/etc/sysctl.d/90-disable-accept_ra.conf
Note that the following services aren't listening on the Nerim IP:
slapd (TCP ports 389 and 636)
apache2 (TCP ports 80 and 443)
proftpd (TCP port 21)
- ✅ stop the multihoming setup
- ✅ run the L2TP service
- ✅ start the multihoming setup
✅ poulet: I have checked that SSH is listening on the IP provided by Nerim (213.215.11.165)
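A check for the note above about services not listening on the Nerim IP, as an added example that is not part of the original ticket: it parses `ss -H -tln` output and lists, per service, the expected ports that are not bound on a given IPv4 address. The sample output and both addresses are constructed (documentation ranges), and port 22 for sshd is an assumption.

```python
"""Report which expected services are not listening on a given IPv4 address."""

# Ports listed in the ticket; sshd on 22 is an assumption (default SSH port).
EXPECTED = {
    "slapd": (389, 636),
    "apache2": (80, 443),
    "proftpd": (21,),
    "sshd": (22,),
}
# Assumption: ss prints "*" for a dual-stack wildcard socket and "[::]" for
# an IPv6-only one, so only these two wildcards cover an IPv4 address.
IPV4_WILDCARDS = {"0.0.0.0", "*"}

# Constructed sample of `ss -H -tln` output (documentation addresses).
SAMPLE = """\
LISTEN 0 128  0.0.0.0:22       0.0.0.0:*
LISTEN 0 2048 192.0.2.10:389   0.0.0.0:*
LISTEN 0 2048 192.0.2.10:636   0.0.0.0:*
LISTEN 0 511  192.0.2.10:80    0.0.0.0:*
LISTEN 0 511  192.0.2.10:443   0.0.0.0:*
LISTEN 0 511  [::]:443         [::]:*
LISTEN 0 128  192.0.2.10:21    0.0.0.0:*
LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:*
"""


def parse_listeners(ss_output):
    """Return a set of (address, port) pairs for every LISTEN line."""
    listeners = set()
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")
        if port.isdigit():
            # Drop the "%iface" scope suffix ss adds for bound-to-device sockets.
            listeners.add((addr.split("%")[0], int(port)))
    return listeners


def missing_on(ip, listeners):
    """Map each service to its expected ports that are not bound on `ip`."""
    bound = {p for addr, p in listeners if addr == ip or addr in IPV4_WILDCARDS}
    gaps = {svc: [p for p in ports if p not in bound]
            for svc, ports in EXPECTED.items()}
    return {svc: ports for svc, ports in gaps.items() if ports}


if __name__ == "__main__":
    found = parse_listeners(SAMPLE)
    for ip in ("192.0.2.10", "198.51.100.20"):
        print(ip, missing_on(ip, found) or "all expected ports bound")
```

On a live host, pass the real output of `ss -H -tln` to `parse_listeners` instead of `SAMPLE`.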
- Description updated (diff)
- Status changed from New to Feedback
- % Done changed from 0 to 30
- Branch set to toushirou_hivane_via_l2tp
I prepared a branch with the changes needed to switch to L2TP:
- add L2TP setup
- switch Nerim link to default link
- remove reference to eth-wan-hivane iface: remove iface and adapt firewalling and multihoming config
- switch decrypt iface to Nerim
Things to consider:
- waiting for L2TP/PPP credentials from Hivane NOC
- the decrypt iface setup assumed the link was the default iface to compute the extra kernel parameters, patched
- the decrypt iface on Toushirou is defined in the multihoming and the gateway is not defined in the default routing table: patched
- we probably need to tweak the systemd config to ensure certain services won't start before the L2TP link is up, and restart them if the link goes down and up
We should be able to reapply the common playbook, reboot, decrypt and regain SSH on the Nerim interface at least. Then we can work on stabilizing the L2TP+services part.
Review needed of course.
I fixed a few unrelated problems around check mode, missing facts etc. I was able to run the common playbook for all hosts and check it still works and the changes for Toushirou look ok. I rebased the branch on top of these fixes.
The output of `rm facts_cache/Toushirou && ansible Toushirou -msetup && ansible Toushirou -mdebug -amsg="{{ initramfs_ssh_boot_ip_option }}"` looks fine.
- Description updated (diff)
- Status changed from Feedback to Resolved
- % Done changed from 30 to 100
Two trips to PA3 were necessary.
- 2022/04/11: an unsuccessful one: I wasn't able to locate the server /o\
- 2022/04/13: thanks to the pictures taken during the move from PA2 to PA3, I noticed that Toushirou is located within the rack 0602.
Toushirou was stuck at boot and these freezes occurred multiple times during the reboots made on Wednesday.
- Related to Bug #769: Toushirou get stuck randomly at boot added