oVirt in 2 hours. Part 3. Additional settings

In this article we will look at a number of optional but useful settings.

This article is a continuation; start with oVirt in 2 hours, Part 1 and Part 2.

Articles

  1. Introduction
  2. Installing the manager (ovirt-engine) and hypervisors (hosts)
  3. Additional settings (this article)

Additional manager settings

For convenience, we will install additional packages:

$ sudo yum install bash-completion vim

bash-completion only takes effect in a new bash session, so log out and back in (or start a new bash shell) before expecting command completion to work.

Adding Additional DNS Names

This is needed when the manager is accessed under an alternative name (a CNAME, an alias, or just the short name without a domain suffix). For security reasons the Engine's SSO accepts requests only for names on its allowed list, so a login attempt under any other name is rejected. Any name added here should also appear among the subject alternative names of the Engine's web certificate (see Setting up SSL below); otherwise browsers will warn about a name mismatch.

Create a configuration file:

$ sudo vim /etc/ovirt-engine/engine.conf.d/99-custom-sso-setup.conf

with the following content:

SSO_ALTERNATE_ENGINE_FQDNS="ovirt.example.com some.alias.example.com ovirt"

and restart the manager:

$ sudo systemctl restart ovirt-engine

Configuring Authentication Through AD

oVirt has a built-in user database, but external LDAP providers, including AD, are supported as well.

For a typical configuration the simplest way is to run the setup wizard and then restart the manager:

$ sudo yum install ovirt-engine-extension-aaa-ldap-setup
$ sudo ovirt-engine-extension-aaa-ldap-setup
$ sudo systemctl restart ovirt-engine

An example wizard session:
$ sudo ovirt-engine-extension-aaa-ldap-setup
Available LDAP implementations:
...
3 - Active Directory
...
Please select: 3
Please enter Active Directory Forest name: example.com

Please select protocol to use (startTLS, ldaps, plain) [startTLS]:
Please select method to obtain PEM encoded CA certificate (File, URL, Inline, System, Insecure): URL
URL: wwwca.example.com/myRootCA.pem
Enter search user DN (for example uid=username,dc=example,dc=com or leave empty for anonymous): CN=oVirt-Engine,CN=Users,DC=example,DC=com
Enter search user password: *password*
[ INFO ] Attempting to bind using 'CN=oVirt-Engine,CN=Users,DC=example,DC=com'
Are you going to use Single Sign-On for Virtual Machines (Yes, No) [Yes]:
Please specify profile name that will be visible to users [example.com]:
Please provide credentials to test login flow:
Enter username: someAnyUser
Enter user password:
...
[INFO] Login sequence executed successfully
...
Select test sequence to execute (Done, Abort, Login, Search) [Done]:
[INFO] Stage: Transaction setup
...
CONFIGURATION SUMMARY
...

The wizard covers most cases; complex configurations are written by hand, see the oVirt documentation, Users and Roles. Once the Engine is connected to AD, an additional profile appears in the login window, and on the Permissions tab of system objects you can grant permissions to AD users and groups. A few points worth checking while running the wizard: choose startTLS or ldaps and never the "Insecure" certificate option, which disables validation of the directory server's certificate; if the CA certificate is fetched over plain HTTP as in the session above, compare its fingerprint with a trusted copy before accepting it; and give the search account (oVirt-Engine here) only read rights, because its password is stored in clear text in the profile's .properties file under /etc/ovirt-engine/aaa/. The external directory does not have to be AD: IPA, eDirectory, OpenLDAP and others are supported too.

Multipathing

In a production environment the storage system must be connected to each host over several independent I/O paths. As a rule, CentOS (and therefore oVirt) has no trouble assembling multiple paths to a device (find_multipaths yes). Additional settings for FCoE were described in Part 2. Pay attention to the storage vendor's recommendation: many recommend the round-robin path selector, while Enterprise Linux 7 uses service-time by default.

Taking HPE 3PAR as an example: according to the HPE 3PAR Red Hat Enterprise Linux, CentOS Linux, Oracle Linux, and OracleVM Server Implementation Guide, an EL host is defined on the array with the Generic-ALUA persona (persona 2), and the following values are entered in /etc/multipath.conf:

defaults {
    polling_interval      10
    user_friendly_names   no
    find_multipaths       yes
}

devices {
    device {
        vendor                   "3PARdata"
        product                  "VV"
        path_grouping_policy     group_by_prio
        path_selector            "round-robin 0"
        path_checker             tur
        features                 "0"
        hardware_handler         "1 alua"
        prio                     alua
        failback                 immediate
        rr_weight                uniform
        no_path_retry            18
        rr_min_io_rq             1
        detect_prio              yes
        fast_io_fail_tmo         10
        dev_loss_tmo             "infinity"
    }
}

Then restart multipathd:

$ sudo systemctl restart multipathd

Keep in mind that on an oVirt host /etc/multipath.conf is managed by vdsm, which overwrites the file during host deployment and on vdsm-tool configure unless the second line of the file is the marker "# VDSM PRIVATE". The cleaner option is to leave vdsm's file alone and put the devices section above into a drop-in file such as /etc/multipath/conf.d/3par.conf, which multipathd reads and vdsm does not touch.

Fig. 1 - the default multipath I/O policy (screenshot).

Fig. 2 - the multipath I/O policy after applying the settings (screenshot).
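To confirm on the hosts themselves that the new selector took effect and that every LUN still has all of its paths, the output of multipath -ll can be checked mechanically rather than by eye. The shell function below is an added example and is not code from the original article or from oVirt or multipath-tools: it parses multipath -ll output and flags maps that have fewer than two paths, any path that is not active/ready, or a selector other than round-robin. The sample output embedded at the bottom is constructed for the demonstration (one healthy 3PAR map and one deliberately degraded map); it was not captured from a real array.

```shell
#!/usr/bin/env bash
# Added example (not part of the original article): audit 'multipath -ll'
# output. Exit status 0 means every map has >= 2 paths, all paths are
# active/ready and all groups use a round-robin selector.
# Real-world use:   multipath -ll | audit_multipath

audit_multipath() {
    awk -v q="'" '
        function flush(    bad) {
            if (wwid == "") return
            bad = ""
            if (total < 2)              bad = bad " NO-REDUNDANCY"
            if (good < total)           bad = bad " " (total - good) "-PATH(S)-DOWN"
            if (sel !~ /^round-robin/)  bad = bad " SELECTOR-NOT-ROUND-ROBIN"
            printf "%-34s selector=%-16s paths=%d/%d%s\n",
                   wwid, sel, good, total, (bad == "" ? " OK" : bad)
            if (bad != "") rc = 1
        }
        # Map header: "<wwid> dm-N <vendor>,<product>" (user_friendly_names no)
        / dm-[0-9]+ / { flush(); wwid = $1; sel = "?"; good = total = 0; next }
        # Path-group line: "`-+- policy=<selector> prio=50 status=active";
        # the selector is quoted and two words long, e.g. round-robin 0
        /policy=/ {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^policy=/) { sel = substr($i, 8) " " $(i + 1); gsub(q, "", sel) }
            next
        }
        # Path line: "|- H:C:T:L sdX major:minor <dm-state> <path-state> <online-state>"
        /[0-9]+:[0-9]+:[0-9]+:[0-9]+ / {
            total++
            if ($(NF - 2) == "active" && $(NF - 1) == "ready") good++
        }
        END { flush(); exit rc }
    '
}

# Constructed sample (not captured from a host): the first map is healthy,
# the second still runs service-time and has lost one of its two paths.
SAMPLE_MULTIPATH_LL=$(cat <<'EOF'
360002ac0000000000000000100001234 dm-3 3PARdata,VV
size=500G features='0' hwhandler='1 alua' wp=rw
|-+- policy='round-robin 0' prio=50 status=active
| |- 1:0:0:1 sdb 8:16 active ready running
| `- 2:0:0:1 sdf 8:80 active ready running
`-+- policy='round-robin 0' prio=10 status=enabled
  |- 1:0:1:1 sdd 8:48 active ready running
  `- 2:0:1:1 sdh 8:112 active ready running
360002ac0000000000000000200001234 dm-4 3PARdata,VV
size=200G features='0' hwhandler='1 alua' wp=rw
`-+- policy='service-time 0' prio=50 status=active
  |- 1:0:0:2 sdc 8:32 active ready running
  `- 2:0:0:2 sdg 8:96 failed faulty running
EOF
)

if printf '%s\n' "$SAMPLE_MULTIPATH_LL" | audit_multipath; then
    echo "all maps healthy"
else
    echo "degraded or misconfigured maps found" >&2
fi
```

Because the function only reads standard input and returns a non-zero status on problems, it can be dropped into a cron job or a monitoring check on every host after the multipath.conf change.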

Power Management Setting

Lets the Engine, for example, hard-reset a host from which it has not received a response for a long time. Implemented via a fence agent.

Compute -> Hosts -> HOST -> Edit -> Power Management, tick "Enable Power Management" and add an agent: "Add Fence Agent" -> +.

Specify the type (for iLO5, for example, choose ilo4), the name or address of the IPMI interface, and the user name and password. It is recommended to create a dedicated user (for example oVirt-PM) and, in the case of iLO, give it the following privileges:

  • Login
  • Remote console
  • Virtual Power and Reset
  • Virtual media
  • Configure iLO Settings
  • Administer User Accounts

Do not ask why exactly these; the set was found empirically. The console fencing agent requires a smaller set of rights. The Test button in the fence agent dialog confirms that the agent can read the host's power state before you rely on it.

When writing access control lists for the management interfaces, bear in mind that the agent does not run on the Engine but on a "neighbouring" host (the so-called power management proxy, by default another host in the same cluster, falling back to the data center), so a host with no other host available to act as proxy cannot be fenced.

Setting up SSL

Full official instructions - in documentation, Appendix D: oVirt and SSL - Replacing the oVirt Engine SSL/TLS Certificate.

The certificate can be from our corporate CA or from an external commercial CA.

Important note: this certificate is used for connections to the manager and does not affect the interaction between the Engine and the hosts, which continue to use certificates issued by the Engine's own internal CA.

Requirements:

  • the certificate of the issuing CA in PEM format, together with the whole chain up to the root CA (the subordinate issuing CA first, the root last);
  • a certificate for Apache issued by that CA (also accompanied by the complete chain of CA certificates);
  • the private key for Apache, without a passphrase.

Suppose our issuing CA runs CentOS, is called subca.example.com, and keeps requests, keys and certificates under /etc/pki/tls/.

Back up the current key and certificate and create a temporary directory:

$ sudo cp /etc/pki/ovirt-engine/keys/apache.key.nopass /etc/pki/ovirt-engine/keys/apache.key.nopass.`date +%F`
$ sudo cp /etc/pki/ovirt-engine/certs/apache.cer /etc/pki/ovirt-engine/certs/apache.cer.`date +%F`
$ sudo mkdir /opt/certs
$ sudo chown mgmt:mgmt /opt/certs

Copy the certificates over, for example from your workstation with scp -3 (substitute your own user and engine host name for mgmt and ovirt.example.com), or transfer them in any other convenient way:

[myuser@mydesktop] $ scp -3 mgmt@subca.example.com:/etc/pki/tls/cachain.pem mgmt@ovirt.example.com:/opt/certs
[myuser@mydesktop] $ scp -3 mgmt@subca.example.com:/etc/pki/tls/private/ovirt.key mgmt@ovirt.example.com:/opt/certs
[myuser@mydesktop] $ scp -3 mgmt@subca.example.com:/etc/pki/tls/certs/ovirt.crt mgmt@ovirt.example.com:/opt/certs

As a result, you should see all 3 files:

$ ls /opt/certs
cachain.pem  ovirt.crt  ovirt.key

Installing certificates

Copy the files into place and update the trust store:

$ sudo cp /opt/certs/cachain.pem /etc/pki/ca-trust/source/anchors
$ sudo update-ca-trust
$ sudo rm /etc/pki/ovirt-engine/apache-ca.pem
$ sudo cp /opt/certs/cachain.pem /etc/pki/ovirt-engine/apache-ca.pem
$ sudo cp /opt/certs/ovirt.key /etc/pki/ovirt-engine/keys/apache.key.nopass
$ sudo cp /opt/certs/ovirt.crt /etc/pki/ovirt-engine/certs/apache.cer
$ sudo systemctl restart httpd.service

Add/update configuration files:

$ sudo vim /etc/ovirt-engine/engine.conf.d/99-custom-truststore.conf
ENGINE_HTTPS_PKI_TRUST_STORE="/etc/pki/java/cacerts"
ENGINE_HTTPS_PKI_TRUST_STORE_PASSWORD=""
$ sudo vim /etc/ovirt-engine/ovirt-websocket-proxy.conf.d/10-setup.conf
SSL_CERTIFICATE=/etc/pki/ovirt-engine/certs/apache.cer
SSL_KEY=/etc/pki/ovirt-engine/keys/apache.key.nopass
$ sudo vim /etc/ovirt-imageio-proxy/ovirt-imageio-proxy.conf
# Key file for SSL connections
ssl_key_file = /etc/pki/ovirt-engine/keys/apache.key.nopass
# Certificate file for SSL connections
ssl_cert_file = /etc/pki/ovirt-engine/certs/apache.cer

Next, restart all affected services:

$ sudo systemctl restart ovirt-provider-ovn.service
$ sudo systemctl restart ovirt-imageio-proxy
$ sudo systemctl restart ovirt-websocket-proxy
$ sudo systemctl restart ovirt-engine.service

Done. Connect to the manager and check that the connection is protected by the new certificate and that the browser shows a chain ending in your CA. Then delete the copies from /opt/certs: the private key should not stay in a directory owned by an ordinary user.
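Before the cp step it is worth checking that the three files actually satisfy the requirements listed above, because a chain in the wrong order, a key that does not belong to the certificate, or a missing name only shows up later as a failed httpd restart or a browser warning. The script below is an added example and is not part of the original article or of oVirt. It takes the certificate, the key, the chain file and the names clients will use as arguments, so the file names in the usage comment are merely the ones from this article; it needs only the openssl command-line tool and works with the OpenSSL 1.0.2 shipped in EL7 as well as newer versions.

```shell
#!/usr/bin/env bash
# Added example (not from the original article): pre-flight check of an
# Apache certificate bundle for the oVirt Engine.
#   check_bundle <cert.pem> <key.pem> <chain.pem> <fqdn> [more names...]
# Verifies: key has no passphrase; key matches certificate; chain verifies
# the certificate and is ordered issuing CA first, root last; every given
# name is a DNS SAN (browsers match SANs, not the CN).

check_bundle() {
    local crt="$1" key="$2" chain="$3"
    shift 3
    local rc=0 kpub cpub first_subj leaf_issuer last_cert last_subj last_issuer sans name

    # 1. httpd starts unattended, so the key must load with an empty passphrase.
    if ! openssl pkey -in "$key" -passin pass: -noout 2>/dev/null; then
        echo "FAIL: $key is passphrase-protected or unreadable"; rc=1
    fi

    # 2. Key and certificate must carry the same public key.
    kpub=$(openssl pkey -in "$key" -passin pass: -pubout 2>/dev/null | openssl sha256)
    cpub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null | openssl sha256)
    if [ "$kpub" != "$cpub" ]; then
        echo "FAIL: $key does not match $crt"; rc=1
    fi

    # 3a. The chain must verify the leaf certificate.
    if ! openssl verify -CAfile "$chain" "$crt" >/dev/null 2>&1; then
        echo "FAIL: $crt does not verify against $chain"; rc=1
    fi
    # 3b. First certificate in the chain must be the leaf's issuer ...
    first_subj=$(awk '/BEGIN CERT/{n++} n==1' "$chain" | openssl x509 -noout -subject 2>/dev/null)
    leaf_issuer=$(openssl x509 -in "$crt" -noout -issuer 2>/dev/null)
    if [ "${first_subj#subject=}" != "${leaf_issuer#issuer=}" ]; then
        echo "FAIL: first certificate in $chain is not the issuer of $crt"; rc=1
    fi
    # 3c. ... and the last one must be the self-signed root.
    last_cert=$(awk '/BEGIN CERT/{n++} n>0{b[n]=b[n] $0 "\n"} END{printf "%s", b[n]}' "$chain")
    last_subj=$(printf '%s\n' "$last_cert" | openssl x509 -noout -subject 2>/dev/null)
    last_issuer=$(printf '%s\n' "$last_cert" | openssl x509 -noout -issuer 2>/dev/null)
    if [ "${last_subj#subject=}" != "${last_issuer#issuer=}" ]; then
        echo "FAIL: last certificate in $chain is not a self-signed root"; rc=1
    fi

    # 4. Every name users will type (including SSO_ALTERNATE_ENGINE_FQDNS) must be a DNS SAN.
    sans=$(openssl x509 -in "$crt" -noout -text 2>/dev/null \
           | grep -A1 'Subject Alternative Name' | tail -n1 | tr ',' '\n' | sed 's/^[[:space:]]*//')
    for name in "$@"; do
        if ! printf '%s\n' "$sans" | grep -qxF "DNS:$name"; then
            echo "FAIL: $name is not a DNS SAN of $crt"; rc=1
        fi
    done

    [ "$rc" -eq 0 ] && echo "OK: $crt, $key and $chain are consistent"
    return "$rc"
}

# Usage with the article's file names, run on the engine before copying:
#   check_bundle /opt/certs/ovirt.crt /opt/certs/ovirt.key /opt/certs/cachain.pem \
#                ovirt.example.com some.alias.example.com
```

After the services have been restarted, the same certificate should be presented not only on port 443 but also by the websocket proxy (6100) and the imageio proxy (54323), since both were pointed at apache.cer above; openssl s_client -connect host:port -servername host -CAfile cachain.pem against each port confirms that.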

Archiving

No deployment is complete without backups. This section covers backing up the manager; backing up VMs is a separate topic. We will take a copy once a day and store it over NFS, for example on the same system that holds the ISO images: mynfs01.example.com:/exports/ovirt-backup. Storing the archives on the machine that runs the Engine is not recommended.

Install and enable autofs:

$ sudo yum install autofs
$ sudo systemctl enable autofs
$ sudo systemctl start autofs

Create a script:

$ sudo vim /etc/cron.daily/make.oVirt.backup.sh

with the following content:

#!/bin/bash
set -euo pipefail
umask 077   # the archive holds the engine database and its secrets

datetime=$(date +"%F.%R")
backupdir="/net/mynfs01.example.com/exports/ovirt-backup"
filename="$backupdir/$(hostname --short).$datetime"

engine-backup --mode=backup --scope=all --file="$filename.data" --log="$filename.log"
# uncomment the next line to delete archives older than 30 days
#find "$backupdir" -type f -mtime +30 -exec rm -f {} \;

We make the file executable:

$ sudo chmod a+x /etc/cron.daily/make.oVirt.backup.sh

Now every night we get an archive of the manager's configuration and database. Two remarks: the archive contains the database dump together with the Engine's secrets, so restrict the NFS export to the Engine host and keep the share's permissions tight; and a script name containing dots is accepted by run-parts on CentOS, but Debian-based systems would silently skip it, so rename the file there.

Host management interface

Cockpit is a modern web-based administration interface for Linux systems; here it plays a role similar to that of the ESXi web interface.

Fig. 3 - the Cockpit dashboard (screenshot).

Installation is simple: the cockpit packages plus the cockpit-ovirt-dashboard plugin:

$ sudo yum install cockpit cockpit-ovirt-dashboard -y

Enable and start Cockpit:

$ sudo systemctl enable --now cockpit.socket

Open the firewall:

$ sudo firewall-cmd --add-service=cockpit
$ sudo firewall-cmd --add-service=cockpit --permanent

Cockpit authenticates against the host's own system accounts, so rather than opening port 9090 to everyone, add the service only to the firewalld zone bound to the management network.

Now you can connect to the host: https://[Host IP or FQDN]:9090

VLANs

More about networking can be found in the documentation. The possibilities are many; here we describe connecting tagged (VLAN) virtual networks.

To attach other subnets, first describe them in the configuration: Network -> Networks -> New. Only the name is required; leave the VM Network checkbox enabled so that machines can use the network, and for a tagged network enable "Enable VLAN tagging", enter the VLAN ID and click OK.

Then go to Compute -> Hosts -> kvmNN -> Network Interfaces -> Setup Host Networks and drag the new network from Unassigned Logical Networks on the right onto the interface under Assigned Logical Networks on the left:

Fig. 4 - before adding the network (screenshot).

Fig. 5 - after adding the network (screenshot).

To attach several networks to a host in one go, assign label(s) to the networks when creating them and add them to the host by label.

After a network is created, the hosts go into the Non Operational state until the network has been added to every node of the cluster. This is caused by the Require All flag on the Cluster tab of the new-network dialog. If the network is not needed on every node, disable this flag; the network will then appear in the Non Required section on the right when configuring a host, and you can decide per host whether to attach it.

Fig. 6 - choosing whether the network is required (screenshot).

HPE specific

Almost every manufacturer ships tools that make its hardware easier to manage. Taking HPE as an example, AMS (Agentless Management Service: amsd for iLO5, hp-ams for iLO4), SSA (Smart Storage Administrator, for the disk controller) and others are useful.

Connecting the HPE repository
Import the signing key and add the repositories with signature checking enabled:

$ sudo rpm --import https://downloads.linux.hpe.com/SDR/hpePublicKey2048_key1.pub
$ sudo vim /etc/yum.repos.d/mcp.repo

with the following content:

[mcp]
name=Management Component Pack
baseurl=https://downloads.linux.hpe.com/repo/mcp/centos/$releasever/$basearch/current/
enabled=1
gpgcheck=1
gpgkey=https://downloads.linux.hpe.com/SDR/hpePublicKey2048_key1.pub

[spp]
name=Service Pack for ProLiant
baseurl=https://downloads.linux.hpe.com/SDR/repo/spp/RHEL/$releasever/$basearch/current/
enabled=1
gpgcheck=1
gpgkey=https://downloads.linux.hpe.com/SDR/hpePublicKey2048_key1.pub

View the contents of the repository and information about the package (for reference):

$ sudo yum --disablerepo="*" --enablerepo="mcp" list available
$ yum info amsd

Installation and start (enable the service so that it also comes up after a reboot):

$ sudo yum install amsd ssacli
$ sudo systemctl enable --now amsd

An example of the disk-controller utility (ssacli) in use is shown in the screenshot.

That's all for now. In the following articles I plan to cover basic operations and use cases, for example how to build VDI on oVirt.

Source: habr.com