For convenience, we will install additional packages:
$ sudo yum install bash-completion vim
To get command completion from bash-completion, open a new bash session (log out and back in, or switch your shell to bash).
Adding Additional DNS Names
This is needed when you connect to the manager by an alternative name (a CNAME, an alias, or just the short host name without the domain suffix). For security reasons the manager only accepts connections to names on its allowed list.
Create a configuration file:
$ sudo vim /etc/ovirt-engine/engine.conf.d/99-custom-sso-setup.conf
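The body of that file, as an added example (not taken from the page): SSO_ALTERNATE_ENGINE_FQDNS is the documented oVirt setting, a space-separated list of extra host names; the names engine.example.com and engine are placeholders. The small script below renders the file and rejects anything that is not a bare host name (a URL or a name with a port is a common mistake that silently breaks SSO), then restarts the engine. Remember that the same names must also appear in the manager certificate's Subject Alternative Name, otherwise browsers will warn.

```shell
#!/bin/sh
# Added example: render /etc/ovirt-engine/engine.conf.d/99-custom-sso-setup.conf
# SSO_ALTERNATE_ENGINE_FQDNS is the documented oVirt setting; the alias names
# passed on the command line are placeholders assumed for this example.
set -e

CONF=${CONF:-/etc/ovirt-engine/engine.conf.d/99-custom-sso-setup.conf}

# Accept only a bare host name: no scheme, path, port or whitespace.
valid_name() {
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)*$'
}

# Print the file body for the given names; fail on the first invalid name.
render_sso_conf() {
    names=""
    for n in "$@"; do
        valid_name "$n" || { echo "invalid name: $n" >&2; return 1; }
        names="${names:+$names }$n"
    done
    printf 'SSO_ALTERNATE_ENGINE_FQDNS="%s"\n' "$names"
}

# Usage (as root on the engine): sh this.sh install engine.example.com engine
if [ "${1:-}" = "install" ]; then
    shift
    render_sso_conf "$@" > "$CONF"
    systemctl restart ovirt-engine
fi
```

After the restart, log in once through the alias to confirm that SSO redirects back to the alias rather than to the primary FQDN.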
An example run of the wizard (connecting to Active Directory):
$ sudo ovirt-engine-extension-aaa-ldap-setup
Available LDAP implementations:
...
3 - Active Directory
...
Please select: 3
Please enter Active Directory Forest name: example.com
Please select protocol to use (startTLS, ldaps, plain) [startTLS]:
Please select method to obtain PEM encoded CA certificate (File, URL, Inline, System, Insecure): URL
URL: wwwca.example.com/myRootCA.pem
Enter search user DN (for example uid=username,dc=example,dc=com or leave empty for anonymous): CN=oVirt-Engine,CN=Users,DC=example,DC=com
Enter search user password: *password*
[ INFO ] Attempting to bind using 'CN=oVirt-Engine,CN=Users,DC=example,DC=com'
Are you going to use Single Sign-On for Virtual Machines (Yes, No) [Yes]:
Please specify profile name that will be visible to users [example.com]:
Please provide credentials to test login flow:
Enter username: someAnyUser
Enter user password:
...
[INFO] Login sequence executed successfully
...
Select test sequence to execute (Done, Abort, Login, Search) [Done]:
[INFO] Stage: Transaction setup
...
CONFIGURATION SUMMARY
...
The wizard is suitable for most cases; complex configurations are set up by hand. More details are in the oVirt documentation, Users and Roles. Do not use the Insecure option for obtaining the CA certificate outside a lab: it skips verification of the directory server's certificate, so the bind credentials could be sent to an impostor. After the Engine is successfully connected to AD, an additional profile appears in the login window, and on the Permissions tab of system objects it becomes possible to grant permissions to AD users and groups. Note that the external directory of users and groups need not be AD; IPA, eDirectory and others are supported too.
Multipathing
In a production environment the storage system must be connected to the host over several independent I/O paths. As a rule, CentOS (and therefore oVirt) has no problems building multiple paths to a device (find_multipaths yes). Additional settings for FCoE are described in [2]. Pay attention to the storage vendor's recommendation: many recommend the round-robin path selection policy, whereas Enterprise Linux 7 uses service-time by default.
Fig. 2 - the multipath I/O policy after applying the settings.
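Changing the policy, as an added example that is not part of the original article: VDSM owns /etc/multipath.conf and rewrites it, so a local override goes into a drop-in under /etc/multipath/conf.d/, where it survives. The vendor and product strings (an HPE MSA here) and the sample `multipath -ll` output are constructed for this example; take the real strings from `multipath -ll` on your host. The second half parses `multipath -ll` output and fails if any path group is still not on round-robin, which is the check you want after `multipath -r`.

```shell
#!/bin/sh
# Added example: a round-robin multipath policy for oVirt hosts, plus a check.
# VDSM rewrites /etc/multipath.conf, so local overrides go into
# /etc/multipath/conf.d/ where they survive. The vendor/product strings and the
# sample 'multipath -ll' output below are constructed for this example.
set -e

CONF_DIR=${CONF_DIR:-/etc/multipath/conf.d}

# Render a device section that selects round-robin for one array model.
render_multipath_conf() {
    cat <<EOF
devices {
    device {
        vendor        "$1"
        product       "$2"
        path_selector "round-robin 0"
    }
}
EOF
}

# Read 'multipath -ll' output on stdin; print "<map> <policy>" per path group.
map_policies() {
    awk -v q="'" '
        { for (i = 2; i <= NF; i++) if ($i ~ /^dm-[0-9]+$/) map = $1 }
        index($0, "policy=" q) {
            s = substr($0, index($0, "policy=" q) + 8)
            print map, substr(s, 1, index(s, q) - 1)
        }'
}

# Succeed only if every path group uses round-robin.
all_round_robin() {
    ! map_policies | grep -qv 'round-robin'
}

# Constructed sample of 'multipath -ll' before the change (default service-time).
sample_ll() {
    cat <<'EOF'
3600c0ff00029a1b2c3d4e5f600000000 dm-2 HP,MSA 2050 SAN
size=1.0T features='1 queue_if_no_path' hwhandler='1 alua' wp=rw
|-+- policy='service-time 0' prio=50 status=active
| |- 1:0:0:1 sdb 8:16 active ready running
| `- 2:0:0:1 sdd 8:48 active ready running
`-+- policy='service-time 0' prio=10 status=enabled
  |- 1:0:1:1 sdc 8:32 active ready running
  `- 2:0:1:1 sde 8:64 active ready running
EOF
}

# Usage (on a host, as root): sh this.sh install HP "MSA 2050 SAN"
if [ "${1:-}" = "install" ]; then
    mkdir -p "$CONF_DIR"
    render_multipath_conf "$2" "$3" > "$CONF_DIR/90-ovirt-custom.conf"
    multipath -r                      # reload the maps with the new policy
    multipath -ll | all_round_robin   # non-zero exit if any group still differs
fi
```

Keep the drop-in specific to the array (vendor/product) rather than changing `defaults`, so that a second storage system with a different recommendation is not affected.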
Power Management Setting
Allows the Engine to, for example, hard-reset a host when it has received no response from it for a long time. Implemented via a fence agent.
Compute -> Hosts -> HOST -> Edit -> Power Management, then tick "Enable Power Management" and add an agent: "Add Fence Agent" -> +.
Specify the type (for example, for iLO 5 you specify ilo4), the address of the iLO/IPMI interface, and the user name/password. It is recommended to create a separate user (for example, oVirt-PM) and, in the case of iLO, grant it these privileges:
Login
Remote console
Virtual Power and Reset
Virtual media
Configure iLO Settings
Administer User Accounts
Don't ask why this particular set; it was found empirically. The fence agent run by hand from the command line gets by with fewer rights.
When configuring access control lists (for example on the iLO management network), keep in mind that the agent does not run on the Engine but on a neighbouring host (the so-called Power Management Proxy); so if the cluster has only one host and no other proxy is available, power management will not work.
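A manual check of the fence agent, as an added example rather than anything from the article: run it from another host in the cluster (the one that will act as proxy), not from the engine, so that the ACLs are tested from the right source address. Options are handed to the agent on stdin as key=value lines (the interface fence-agents 4.x exposes and VDSM uses), so the iLO password does not appear in the process list. The iLO address 10.0.0.10, the user oVirt-PM and the password file are placeholders; the `check` mode reads the password from a root-only file.

```shell
#!/bin/sh
# Added example: test a host's fence agent from a power-management proxy host.
# Options go to the agent on stdin (key=value), keeping the password out of
# argv. Address, user and password file are placeholders for this example.
set -e

FENCE_AGENT=${FENCE_AGENT:-fence_ilo4}   # oVirt type "ilo4" uses this agent

# Run ACTION (status, on, off, reboot) against IP as USER with PASSWORD.
# Prints the agent's output and returns its exit status.
fence_run() {
    ip=$1; user=$2; pass=$3; action=$4
    printf 'ip=%s\nusername=%s\npassword=%s\naction=%s\n' \
        "$ip" "$user" "$pass" "$action" | "$FENCE_AGENT"
}

# True if the agent reported a power state (Status: ON / Status: OFF);
# anything else (auth failure, timeout) means fencing would not work.
fence_status_known() {
    grep -Eq '^Status: (ON|OFF)$'
}

# Usage (on a cluster peer, as root):
#   sh this.sh check 10.0.0.10 oVirt-PM /root/.ilo-pass
if [ "${1:-}" = "check" ]; then
    out=$(fence_run "$2" "$3" "$(cat "$4")" status)
    echo "$out"
    echo "$out" | fence_status_known || { echo "fence check failed" >&2; exit 1; }
fi
```

If this works by hand with the oVirt-PM user but the "Test" button in the Engine fails, the difference is almost always the proxy: check which host the Engine picked and whether that host can reach the iLO network.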
Setting up SSL
The full official instructions are in the documentation, Appendix D: oVirt and SSL - Replacing the oVirt Engine SSL/TLS Certificate.
The certificate can come from our corporate CA or from an external commercial CA.
Important: this certificate is only for connections to the manager; it does not affect communication between the Engine and the hosts, which keep using the certificates issued by the Engine's own internal CA.
Requirements:
the issuing CA's certificate in PEM format, with the entire chain up to the root CA (the subordinate issuing CA first, the root last);
a certificate for Apache issued by that CA (also with the full CA chain);
the private key for Apache, without a passphrase.
Suppose our issuing CA runs on CentOS and is called subca.example.com, and the requests, keys and certificates live in /etc/pki/tls/.
Done! Now connect to the manager and check that the connection is protected by the signed certificate.
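The check itself, as an added example (not the article's steps): it looks at the manager the way a client does, with openssl s_client verifying the chain against the CA bundle and the Subject Alternative Name covering the name users type (browsers ignore the CN). The host name engine.example.com and the CA bundle path are placeholders; the parsing functions are fed constructed openssl output so they can be exercised without a live engine. The optional cert/key modulus comparison catches the classic mistake of copying a key that belongs to another request (RSA keys only).

```shell
#!/bin/sh
# Added example: check the manager's new certificate the way a client sees it.
# ENGINE and CAFILE are placeholders; the probe uses openssl s_client, and the
# parsing functions below are fed constructed openssl output in the samples.
set -e

ENGINE=${ENGINE:-engine.example.com}
CAFILE=${CAFILE:-/etc/pki/ca-trust/source/anchors/example-ca-chain.pem}

# TLS handshake to HOST with SNI, verifying against CAFILE; prints the transcript.
engine_tls_probe() {
    openssl s_client -connect "$1:443" -servername "$1" -CAfile "$2" </dev/null 2>&1
}

# True if openssl reports a fully verified chain.
chain_verified() {
    grep -q '^ *Verify return code: 0 (ok)$'
}

# From 'openssl x509 -text' output on stdin, print the DNS names in subjectAltName.
san_hosts() {
    tr ',' '\n' | sed -n 's/^[[:space:]]*DNS:\([^[:space:]]*\).*/\1/p'
}

# True if HOST appears in the SAN list.
cert_covers_host() {
    san_hosts | grep -qx "$1"
}

# Constructed transcript fragments for the checks above.
sample_probe() {
    cat <<'EOF'
CONNECTED(00000003)
depth=2 DC = com, DC = example, CN = Example Root CA
verify return:1
subject=CN = engine.example.com
issuer=DC = com, DC = example, CN = Example Issuing CA
---
    Verify return code: 0 (ok)
EOF
}
sample_x509_text() {
    cat <<'EOF'
            X509v3 Subject Alternative Name:
                DNS:engine.example.com, DNS:engine, DNS:ovirt.example.com
EOF
}

# Usage: sh this.sh check [apache.cer apache.key]   (the pair check is optional)
if [ "${1:-}" = "check" ]; then
    engine_tls_probe "$ENGINE" "$CAFILE" | chain_verified \
        || { echo "chain not verified" >&2; exit 1; }
    openssl s_client -connect "$ENGINE:443" -servername "$ENGINE" </dev/null 2>/dev/null \
        | openssl x509 -noout -text | cert_covers_host "$ENGINE" \
        || { echo "$ENGINE not in SAN" >&2; exit 1; }
    if [ -n "${2:-}" ]; then   # the certificate and the RSA key must belong together
        c=$(openssl x509 -noout -modulus -in "$2" | openssl md5)
        k=$(openssl rsa -noout -modulus -in "$3" | openssl md5)
        [ "$c" = "$k" ] || { echo "cert/key mismatch" >&2; exit 1; }
    fi
    echo "ok: $ENGINE"
fi
```

Run the check for every name on the manager's allowed list (see the DNS names section above); a name that is accepted by the engine but missing from the SAN still produces a browser warning.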
Archiving
Can't do without it! This section covers backing up the manager; backing up the VMs is a separate topic. We will take a backup once a day and store it over NFS, for example on the same system that holds the ISO images: mynfs1.example.com:/exports/ovirt-backup. It is not recommended to store the backups on the machine where the Engine runs.
Now you can connect to the host (its Cockpit web console): https://[Host IP or FQDN]:9090
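A daily backup job for the manager, as an added example (not from the article): engine-backup is oVirt's own tool; the mount point, the retention period and the ENGINE_BACKUP override are assumptions of this example. The archive contains the database dump and the Engine's PKI private keys, so it is created with mode 0600 and should stay on an export that only the engine host can mount; the pruning step keeps the export from filling up.

```shell
#!/bin/sh
# Added example: daily engine-backup to an NFS export, run from cron on the engine.
# engine-backup is oVirt's own tool; export, mount point and retention are
# assumed. The archive holds the DB dump and the engine's private keys.
set -e

EXPORT=${EXPORT:-mynfs1.example.com:/exports/ovirt-backup}
MNT=${MNT:-/mnt/ovirt-backup}
KEEP_DAYS=${KEEP_DAYS:-14}
ENGINE_BACKUP=${ENGINE_BACKUP:-engine-backup}

# Archive name for a date stamp (YYYYMMDD), so listings sort by date.
backup_name() {
    printf 'engine-%s.tar.gz' "$1"
}

# Take one full backup into DIR (stamp defaults to today); root-only file mode.
run_backup() {
    dir=$1; stamp=${2:-$(date +%Y%m%d)}
    f="$dir/$(backup_name "$stamp")"
    umask 077
    "$ENGINE_BACKUP" --mode=backup --scope=all --file="$f" --log="$dir/engine-$stamp.log"
    chmod 0600 "$f"
}

# Remove archives and logs older than KEEP_DAYS from DIR.
prune_old() {
    find "$1" -maxdepth 1 -name 'engine-*' -mtime +"$KEEP_DAYS" -delete
}

# Usage from cron (as root): sh this.sh run
if [ "${1:-}" = "run" ]; then
    mountpoint -q "$MNT" || mount -t nfs "$EXPORT" "$MNT"
    run_backup "$MNT"
    prune_old "$MNT"
fi
```

Test a restore on a scratch machine at least once (engine-backup --mode=restore); a backup that has never been restored is an assumption, not a backup.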
VLANs
Read more about networks in the documentation. There are many options; here we describe connecting VLAN-tagged virtual networks.
To connect other subnets, they must first be described in the configuration: Network -> Networks -> New. Only the name is mandatory; the VM Network checkbox, which lets virtual machines use the network, is on by default; to attach a VLAN tag, enable "Enable VLAN tagging", enter the VLAN ID and click OK.
Then go to Compute -> Hosts -> kvmNN -> Network Interfaces -> Setup Host Networks. Drag the new network from Unassigned Logical Networks on the right to Assigned Logical Networks on the left:
Fig. 4 - before adding the network.
Fig. 5 - after adding the network.
To attach several networks to a host at once, it is convenient to assign label(s) to them when creating the networks and then add networks by label.
After a network is created, the hosts go into the Non Operational state until the network has been added to every host in the cluster. This is caused by the Require All flag on the Cluster tab of the new-network dialog. If the network is not needed on all hosts of the cluster, untick it; the network then appears under Non Required on the right when setting up a host's networks, and you can decide per host whether to attach it.
Fig. 6 - choosing whether the network is required.
HPE specific
Almost every vendor has tools that make its products easier to manage. Taking HPE as an example: AMS (Agentless Management Service; amsd for iLO 5, hp-ams for iLO 4), SSA (Smart Storage Administrator, for the disk controller) and others are useful.
Connecting the HPE Repository
Import the key and connect the HPE repositories:
$ sudo rpm --import https://downloads.linux.hpe.com/SDR/hpePublicKey2048_key1.pub
$ sudo vim /etc/yum.repos.d/mcp.repo