oVirt in 2 hours. Part 3. Additional settings

In this article we will look at a few optional but useful settings:

This article is a continuation; for the beginning, see oVirt in 2 hours, Part 1 and Part 2.

Articles

  1. Introduction
  2. Installing the manager (ovirt-engine) and the hypervisors (hosts)
  3. Additional settings - we are here

Additional manager settings

For convenience, we install a couple of extra packages:

$ sudo yum install bash-completion vim

To activate command completion, bash-completion requires logging in to bash again.

Adding extra DNS names

This is needed when you have to connect to the manager using an alternative name (a CNAME, an alias, or a short name without the domain suffix). For security reasons, the manager only accepts connections made with a name from its list of permitted names.

Create a configuration file:

$ sudo vim /etc/ovirt-engine/engine.conf.d/99-custom-sso-setup.conf

with the following content:

SSO_ALTERNATE_ENGINE_FQDNS="ovirt.example.com some.alias.example.com ovirt"

and restart the manager:

$ sudo systemctl restart ovirt-engine

Setting up authentication via AD

oVirt has a built-in user base, but external LDAP providers are supported, including AD.

The simplest way, for a typical configuration, is to run the wizard and then restart the manager:

$ sudo yum install ovirt-engine-extension-aaa-ldap-setup
$ sudo ovirt-engine-extension-aaa-ldap-setup
$ sudo systemctl restart ovirt-engine

Example wizard session
$ sudo ovirt-engine-extension-aaa-ldap-setup
Available LDAP implementations:
...
3 - Active Directory
...
Please select: 3
Please enter Active Directory Forest name: example.com

Please select protocol to use (startTLS, ldaps, plain) [startTLS]:
Please select method to obtain PEM encoded CA certificate (File, URL, Inline, System, Insecure): URL
URL: wwwca.example.com/myRootCA.pem
Enter search user DN (for example uid=username,dc=example,dc=com or leave empty for anonymous): CN=oVirt-Engine,CN=Users,DC=example,DC=com
Enter search user password: *Password*
[INFO] Attempting to bind using 'CN=oVirt-Engine,CN=Users,DC=example,DC=com'
Are you going to use Single Sign-On for Virtual Machines (Yes, No) [Yes]:
Please specify profile name that will be visible to users [example.com]:
Please provide credentials to test login flow:
Enter user name: someuser
Enter user password:
...
[INFO] Login sequence executed successfully
...
Select test sequence to execute (Done, Abort, Login, Search) [Done]:
[INFO] Stage: Transaction setup
...
CONFIGURATION SUMMARY
...

Using the wizard is suitable for most cases. For complex configurations, the settings are made manually; more details are in the oVirt documentation, Users and Roles. After the Engine has been successfully connected to AD, an extra profile appears in the login window, and on the Permissions tab of system objects it becomes possible to grant permissions to AD users and groups. Note that the external directory of users and groups does not have to be AD: IPA, eDirectory and others are possible too.

Multipathing

In a production environment, the storage system must be connected to the host over several independent I/O paths. As a rule, CentOS (and therefore oVirt) has no problems connecting several paths to a device (find_multipaths yes). Additional settings for FCoE were described in Part 2. It is worth paying attention to the storage vendor's recommendations: many recommend the round-robin policy, whereas Enterprise Linux 7 uses service-time by default.

Using 3PAR as an example
According to the document HPE 3PAR Red Hat Enterprise Linux, CentOS Linux, Oracle Linux, and OracleVM Server Implementation Guide, the EL host is created as a Host with the Generic-ALUA Persona 2, and the following values are put into /etc/multipath.conf:

defaults {
    polling_interval      10
    user_friendly_names   no
    find_multipaths       yes
}
devices {
    device {
        vendor                   "3PARdata"
        product                  "VV"
        path_grouping_policy     group_by_prio
        path_selector            "round-robin 0"
        path_checker             tur
        features                 "0"
        hardware_handler         "1 alua"
        prio                     alua
        failback                 immediate
        rr_weight                uniform
        no_path_retry            18
        rr_min_io_rq             1
        detect_prio              yes
        fast_io_fail_tmo         10
        dev_loss_tmo             "infinity"
    }
}

After that, a restart is issued:

systemctl restart multipathd

Fig. 1 - the default multipath I/O policy.

Fig. 2 - the multipath I/O policy after applying the settings.
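To confirm on every host that the volumes really switched from the EL7 default service-time to round-robin after the restart, here is an added check over `multipath -ll` output (example code, not from the original article; the sample output embedded in it is constructed, and the function and vendor/policy arguments are my own naming):

```shell
#!/bin/bash
# Added example, not part of the original article: audit `multipath -ll`
# output to confirm that every volume of a given vendor actually picked up
# the path-group policy from /etc/multipath.conf after multipathd was
# restarted (the state Fig. 2 shows for 3PAR: round-robin instead of the
# EL7 default service-time). The sample below is constructed for the demo.

sample_multipath_ll() {   # constructed: two 3PAR volumes, one still on service-time
cat <<'EOF'
360002ac00000000000000001000073a1 dm-3 3PARdata,VV
size=1.0T features='0' hwhandler='1 alua' wp=rw
`-+- policy='round-robin 0' prio=50 status=active
  |- 1:0:0:1 sdb 8:16 active ready running
  `- 2:0:0:1 sdc 8:32 active ready running
360002ac00000000000000001000073a2 dm-4 3PARdata,VV
size=2.0T features='0' hwhandler='1 alua' wp=rw
`-+- policy='service-time 0' prio=50 status=active
  |- 1:0:0:2 sdd 8:48 active ready running
  `- 2:0:0:2 sde 8:64 active ready running
EOF
}

# audit_multipath_policy VENDOR POLICY  < output-of-multipath-ll
# Prints one line per path group of a VENDOR map whose policy differs from
# POLICY and returns the number of such path groups (0 = all compliant).
# On a host, run it as: multipath -ll | audit_multipath_policy 3PARdata 'round-robin 0'
audit_multipath_policy() {
    awk -v vendor="$1" -v want="$2" -v q="'" '
        BEGIN { bad = 0; re = "policy=" q "[^" q "]*" q }
        # Map header: "<wwid> dm-N <vendor>,<product>" (or "<alias> (<wwid>) dm-N ...")
        / dm-[0-9]+ [^ ]+,/ { map = $1; mine = ($NF ~ ("^" vendor ",")); next }
        mine && match($0, re) {
            pol = substr($0, RSTART + 8, RLENGTH - 9)
            if (pol != want) { print map ": " pol " (expected " want ")"; bad++ }
        }
        END { exit bad }'
}
```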

Setting up power management

This allows, for example, a hard reset of a host if the Engine cannot get a response from the Host for a long time. It is implemented through a Fence Agent.

Compute -> Hosts -> HOST -> Edit -> Power Management, then tick "Enable Power Management" and add an agent: "Add Fence Agent" -> +.

Specify the type (for example, for iLO5 you need to specify ilo4), the name/address of the IPMI interface, and the user name/password. It is recommended to create a separate user (e.g. oVirt-PM) and, in the case of iLO, to grant it the privileges:

  • Login
  • Remote Console
  • Virtual Power and Reset
  • Virtual Media
  • Configure iLO Settings
  • Administer User Accounts

Don't ask why it is exactly this set; it was chosen empirically. Most fence agents require fewer rights.

When setting up power management, keep in mind that the agent does not run on the Engine but on a "neighbouring" host (the so-called Power Management Proxy); that is, if there is only one node in the cluster, power management will not work.

Setting up SSL

The full official instructions are in the documentation, Appendix D: oVirt and SSL - Replacing the oVirt Engine SSL/TLS Certificate.

The certificate can come either from a corporate CA or from an external commercial certificate authority.

Important note: this certificate is intended for connections to the manager; it does not affect the interaction between the Engine and the nodes, which keep using the certificates issued by the Engine.

Requirements:

  • the CA certificate in PEM format, with the whole chain up to the root CA (from the issuing CA at the beginning to the root at the end);
  • a certificate for Apache issued by the issuing CA (also concatenated with the whole CA certificate chain);
  • the private key for Apache, without a passphrase.

Let's assume that our issuing CA runs on CentOS, is called subca.example.com, and that the requests, keys and certificates are in the /etc/pki/tls/ directory.

Make a backup and create a temporary directory:

$ sudo cp /etc/pki/ovirt-engine/keys/apache.key.nopass /etc/pki/ovirt-engine/keys/apache.key.nopass.`date +%F`
$ sudo cp /etc/pki/ovirt-engine/certs/apache.cer /etc/pki/ovirt-engine/certs/apache.cer.`date +%F`
$ sudo mkdir /opt/certs
$ sudo chown mgmt.mgmt /opt/certs

Download the certificates; do it from your workstation or transfer them in any other convenient way:

[myuser@mydesktop] $ scp -3 mgmt@subca.example.com:/etc/pki/tls/cachain.pem mgmt@[engine FQDN]:/opt/certs
[myuser@mydesktop] $ scp -3 mgmt@subca.example.com:/etc/pki/tls/private/ovirt.key mgmt@[engine FQDN]:/opt/certs
[myuser@mydesktop] $ scp -3 mgmt@subca.example.com:/etc/pki/tls/certs/ovirt.crt mgmt@[engine FQDN]:/opt/certs

As a result, you should see all 3 files:

$ ls /opt/certs
cachain.pem  ovirt.crt  ovirt.key
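Before copying the files into place, it is worth checking that they satisfy the three requirements above (chain order, matching key, no passphrase). The following check is an added example, not part of the original article; the function name and its messages are my own, and it relies only on the openssl command line:

```shell
#!/bin/bash
# Added example, not from the original article: pre-flight checks for the
# three files the SSL section requires, run before they are copied into
# /etc/pki/ovirt-engine. Usage: check_engine_tls cachain.pem ovirt.crt ovirt.key
# Returns 0 when every check passes, 1 otherwise, naming the failing check.

# Subject or issuer of the N-th certificate in a PEM bundle (1-based),
# with the "subject=" / "issuer=" prefix stripped so both can be compared.
pem_field() {  # pem_field FILE INDEX subject|issuer
    awk -v n="$2" '/BEGIN CERT/{c++} c==n' "$1" \
        | openssl x509 -noout "-$3" 2>/dev/null | sed 's/^[^=]*=//'
}

check_engine_tls() {
    chain=$1; cert=$2; key=$3
    n=$(grep -c 'BEGIN CERT' "$chain")
    [ "$n" -ge 1 ] || { echo "FAIL: $chain contains no certificate"; return 1; }

    # 1. The Apache key must have no passphrase: an encrypted key fails to
    #    load with a deliberately wrong one, an unencrypted key ignores it.
    openssl pkey -in "$key" -passin pass:__wrong__ -noout 2>/dev/null \
        || { echo "FAIL: $key is encrypted or unreadable"; return 1; }

    # 2. The key must belong to the certificate (same public key).
    [ "$(openssl x509 -in "$cert" -noout -pubkey)" = "$(openssl pkey -in "$key" -pubout 2>/dev/null)" ] \
        || { echo "FAIL: $key does not match $cert"; return 1; }

    # 3. Chain order as the requirements list states: the issuing CA first,
    #    a self-signed root last.
    [ "$(openssl x509 -in "$cert" -noout -issuer | sed 's/^[^=]*=//')" = "$(pem_field "$chain" 1 subject)" ] \
        || { echo "FAIL: first certificate in $chain did not issue $cert"; return 1; }
    [ "$(pem_field "$chain" "$n" subject)" = "$(pem_field "$chain" "$n" issuer)" ] \
        || { echo "FAIL: last certificate in $chain is not a self-signed root"; return 1; }

    # 4. The certificate must build a valid path to the root through the chain.
    openssl verify -CAfile "$chain" "$cert" >/dev/null 2>&1 \
        || { echo "FAIL: $cert does not verify against $chain"; return 1; }

    echo "OK: $cert, $key and $chain are consistent"
}
```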

Installing the certificates

Copy the files and update the trust list:

$ sudo cp /opt/certs/cachain.pem /etc/pki/ca-trust/source/anchors
$ sudo update-ca-trust
$ sudo rm /etc/pki/ovirt-engine/apache-ca.pem
$ sudo cp /opt/certs/cachain.pem /etc/pki/ovirt-engine/apache-ca.pem
$ sudo cp /opt/certs/ovirt.key /etc/pki/ovirt-engine/keys/apache.key.nopass
$ sudo cp /opt/certs/ovirt.crt /etc/pki/ovirt-engine/certs/apache.cer
$ sudo systemctl restart httpd.service

Add/update the configuration files:

$ sudo vim /etc/ovirt-engine/engine.conf.d/99-custom-truststore.conf
ENGINE_HTTPS_PKI_TRUST_STORE="/etc/pki/java/cacerts"
ENGINE_HTTPS_PKI_TRUST_STORE_PASSWORD=""

$ sudo vim /etc/ovirt-engine/ovirt-websocket-proxy.conf.d/10-setup.conf
SSL_CERTIFICATE=/etc/pki/ovirt-engine/certs/apache.cer
SSL_KEY=/etc/pki/ovirt-engine/keys/apache.key.nopass

$ sudo vim /etc/ovirt-imageio-proxy/ovirt-imageio-proxy.conf
# Key file for SSL connections
ssl_key_file = /etc/pki/ovirt-engine/keys/apache.key.nopass
# Certificate file for SSL connections
ssl_cert_file = /etc/pki/ovirt-engine/certs/apache.cer

Next, restart all the affected services:

$ sudo systemctl restart ovirt-provider-ovn.service
$ sudo systemctl restart ovirt-imageio-proxy
$ sudo systemctl restart ovirt-websocket-proxy
$ sudo systemctl restart ovirt-engine.service

Done! Time to connect to the manager and check that the connection is protected by the signed SSL certificate.

Backup

Where would we be without it? In this section we talk about backing up the manager; archiving VMs is a separate topic. We will make backups once a day and store them over NFS, for example on the same system where we placed the ISO images: mynfs1.example.com:/exports/ovirt-backup. Storing the archives on the same machine where the Engine runs is not recommended.

Install and enable autofs:

$ sudo yum install autofs
$ sudo systemctl enable autofs
$ sudo systemctl start autofs

Create the script:

$ sudo vim /etc/cron.daily/make.oVirt.backup.sh

with the following content:

#!/bin/bash

# One timestamp for both the data file and the log file of this run
datetime=`date +"%F.%R"`
# The NFS export is reached through autofs under /net/<server>/<export>
backupdir="/net/mynfs1.example.com/exports/ovirt-backup"
filename="$backupdir/`hostname --short`.$datetime"
engine-backup --mode=backup --scope=all --file="$filename.data" --log="$filename.log"
# uncomment the next line to delete archives older than 30 days automatically
#find "$backupdir" -type f -mtime +30 -exec rm -f {} \;

Make the file executable:

$ sudo chmod a+x /etc/cron.daily/make.oVirt.backup.sh

Now every night we get an archive of the manager's settings.

Host management interface

Cockpit is a modern management system for Linux systems. In our case, it plays a role similar to that of the ESXi web console.

Fig. 3 - the appearance of the panel.

Installation is very simple; you need the cockpit package and the cockpit-ovirt-dashboard plugin:

$ sudo yum install cockpit cockpit-ovirt-dashboard -y

Enable Cockpit:

$ sudo systemctl enable --now cockpit.socket

Firewall setup:

$ sudo firewall-cmd --add-service=cockpit
$ sudo firewall-cmd --add-service=cockpit --permanent

Now you can connect to the host: https://[host IP or FQDN]:9090

VLANs

You should read more about networking in the documentation. There are many possibilities; here we describe connecting virtual networks.

To connect some subnets, they must first be declared in the system: Network -> Networks -> New; here the name is the only required field. The VM network checkbox, which lets virtual machines use this network, is enabled; to connect a tagged network, enable VLAN tagging, enter the VLAN number and click OK.

Now go to Compute -> Hosts -> kvmNN -> Network Interfaces -> Setup Host Networks. Drag the added network from the unassigned logical networks on the right to the assigned logical networks on the left:

Fig. 4 - before adding the network.

Fig. 5 - after adding the network.

To connect many networks to hosts in bulk, it is convenient to assign them label(s) when creating the networks and then add the networks by label.

After a network is created, the hosts go into the Non-Operational state until the network has been added to all nodes of the cluster. This behaviour is caused by the Require All flag on the Cluster tab when creating a new network. When the network is not needed on all cluster nodes, this flag can be turned off; then, when adding the network to a host, it appears on the right in the Not Required section and you can choose whether to attach it to a particular host.

Fig. 6 - selecting the network attribute.

HPE specifics

Almost all manufacturers have tools that improve the use of their products. Taking HPE as an example, AMS (Agentless Management Service: amsd for iLO5, hp-ams for iLO4), SSA (Smart Storage Administrator, for working with the disk controller) and others are useful.

Connecting the HPE repository
Import the key and connect the HPE repository:

$ sudo rpm --import https://downloads.linux.hpe.com/SDR/hpePublicKey2048_key1.pub
$ sudo vim /etc/yum.repos.d/mcp.repo

with the following content:

[mcp]
name=Management Component Pack
baseurl=http://downloads.linux.hpe.com/repo/mcp/centos/$releasever/$basearch/current/
enabled=1
gpgkey=file:///etc/pki/rpm-gpg/GPG-KEY-mcp

[spp]
name=Service Pack for ProLiant
baseurl=http://downloads.linux.hpe.com/SDR/repo/spp/RHEL/$releasever/$basearch/current/
enabled=1
gpgkey=file:///etc/pki/rpm-gpg/GPG-KEY-mcp

View the repository contents and the package information (for reference):

$ sudo yum --disablerepo="*" --enablerepo="mcp" list available
$ yum info amsd

Install and start:

$ sudo yum install amsd ssacli
$ sudo systemctl start amsd

Example of the utility for working with the disk controller (screenshot).

That's all for now. In the following articles I plan to cover some important functions and applications, for example how to build VDI on oVirt.

source: www.habr.com