This article covers a number of optional but useful settings:
- using additional names for the manager;
- connecting authentication via Active Directory;
- multipathing;
- power management;
- replacing the SSL certificate;
- archiving;
- host management interface (Cockpit);
- VLAN;
- HPE specific.
This article is a continuation; for the beginning, see "oVirt in 2 Hours".
Articles
- Introduction
- Installing the manager (ovirt-engine) and hypervisors (hosts)
- Additional settings - you are here
Additional manager settings
For convenience, install additional packages:
$ sudo yum install bash-completion vim
To enable command completion with bash-completion, you need to switch to bash.
Adding DNS names
This is needed when you have to connect to the manager by an alternative name (a CNAME, an alias, or just a short name without the domain suffix). For security reasons, the manager only accepts connections that use a name from its list of allowed names.
Create a configuration file:
$ sudo vim /etc/ovirt-engine/engine.conf.d/99-custom-sso-setup.conf
with the following content:
SSO_ALTERNATE_ENGINE_FQDNS="ovirt.example.com some.alias.example.com ovirt"
and restart the manager:
$ sudo systemctl restart ovirt-engine
Configuring authentication via AD
oVirt has a built-in user database, but external LDAP providers, including AD, are also supported.
The simplest way to set up a typical configuration is to run the wizard and restart the manager:
$ sudo yum install ovirt-engine-extension-aaa-ldap-setup
$ sudo ovirt-engine-extension-aaa-ldap-setup
$ sudo systemctl restart ovirt-engine
Example wizard session
$ sudo ovirt-engine-extension-aaa-ldap-setup
Available LDAP implementations:
...
3 - Active Directory
...
Please select: 3
Please enter Active Directory Forest name: example.com
Please select protocol to use (startTLS, ldaps, plain) [startTLS]:
Please select method to obtain PEM encoded CA certificate (File, URL, Inline, System, Insecure): URL
URL:
Enter search user DN (for example uid=username,dc=example,dc=com or leave empty for anonymous): CN=oVirt-Engine,CN=Users,DC=example,DC=com
Enter search user password: *password*
[ INFO ] Attempting to bind using 'CN=oVirt-Engine,CN=Users,DC=example,DC=com'
Are you going to use Single Sign-On for Virtual Machines (Yes, No) [Yes]:
Please specify profile name that will be visible to users [example.com]:
Please provide credentials to test login flow:
Enter user name: someuser
Enter user password:
...
[ INFO ] Login sequence executed successfully
...
Select test sequence to execute (Done, Abort, Login, Search) [Done]:
[ INFO ] Stage: Transaction setup
...
CONFIGURATION SUMMARY
...
Using the wizard is suitable for most cases. For complex configurations, the settings are made manually. For details, see the oVirt documentation.
Multipathing
In a production environment, the storage system must be connected to the host over several independent multiple-I/O paths. As a rule, CentOS (and therefore oVirt) has no problem assembling multiple paths to a device (find_multipaths yes). Additional settings for FCoE are described in the following place.
Using 3PAR as an example
and the document
defaults {
    polling_interval 10
    user_friendly_names no
    find_multipaths yes
}
devices {
    device {
        vendor "3PARdata"
        product "VV"
        path_grouping_policy group_by_prio
        path_selector "round-robin 0"
        path_checker tur
        features "0"
        hardware_handler "1 alua"
        prio alua
        failback immediate
        rr_weight uniform
        no_path_retry 18
        rr_min_io_rq 1
        detect_prio yes
        fast_io_fail_tmo 10
        dev_loss_tmo "infinity"
    }
}
After that, give the restart command:
systemctl restart multipathd
Fig. 1 - the default multipath I/O policy.
Fig. 2 - the multipath I/O policy after applying the settings.
Power management setup
Power management makes it possible, for example, to perform a hardware reset of a machine when the engine cannot get a response from the host for a long time. It is implemented through a Fence Agent.
Go to Compute -> Hosts -> HOST - [Edit] -> [Power Management], turn on [Enable Power Management] and add an agent: [Add Fence Agent] -> +.
Specify the type (for example, for iLO5 you need to specify ilo4), the name/address of the IPMI interface, and the user name/password. It is recommended to create a separate user (for example, oVirt-PM) and, in the case of iLO, to grant that user these privileges:
- Login
- Remote Console
- Virtual Power and Reset
- Virtual Media
- Configure iLO Settings
- Administer User Accounts
Don't ask why exactly these; they were chosen empirically. The console fencing agent needs fewer privileges.
When configuring access control lists, keep in mind that the agent runs not on the engine but on a "neighbouring" host (the so-called Power Management Proxy), i.e. if the cluster has only one node, power management will not work.
SSL setup
The complete official instructions are in
The certificate can be obtained from our corporate CA or from an external commercial certificate authority.
Important note: the certificate is intended for connecting to the manager and does not affect communication between the engine and the nodes; they use the self-signed certificates issued by the engine.
Requirements:
- the certificate of the issuing CA in PEM format, with the whole chain up to the root CA (from the subordinate issuing CA at the start to the root at the end);
- a certificate for Apache issued by the issuing CA (also supplemented with the whole chain of CA certificates);
- the private key for Apache (without a password).
Assume that our issuing CA runs CentOS and is named subca.example.com, and that the requests, keys and certificates are in the /etc/pki/tls/ directory.
Make backups and create a temporary directory:
$ sudo cp /etc/pki/ovirt-engine/keys/apache.key.nopass /etc/pki/ovirt-engine/keys/apache.key.nopass.`date +%F`
$ sudo cp /etc/pki/ovirt-engine/certs/apache.cer /etc/pki/ovirt-engine/certs/apache.cer.`date +%F`
$ sudo mkdir /opt/certs
$ sudo chown mgmt:mgmt /opt/certs
Download the certificates: run this from your workstation, or transfer them in another convenient way:
[myuser@mydesktop] $ scp -3 [email protected]:/etc/pki/tls/cachain.pem [email protected]:/opt/certs
[myuser@mydesktop] $ scp -3 [email protected]:/etc/pki/tls/private/ovirt.key [email protected]:/opt/certs
[myuser@mydesktop] $ scp -3 [email protected]:/etc/pki/tls/certs/ovirt.crt [email protected]:/opt/certs
As a result, you should see all 3 files:
$ ls /opt/certs
cachain.pem ovirt.crt ovirt.key
Installing the certificates
Copy the files and update the trust lists:
$ sudo cp /opt/certs/cachain.pem /etc/pki/ca-trust/source/anchors
$ sudo update-ca-trust
$ sudo rm /etc/pki/ovirt-engine/apache-ca.pem
$ sudo cp /opt/certs/cachain.pem /etc/pki/ovirt-engine/apache-ca.pem
$ sudo cp /opt/certs/ovirt.key /etc/pki/ovirt-engine/keys/apache.key.nopass
$ sudo cp /opt/certs/ovirt.crt /etc/pki/ovirt-engine/certs/apache.cer
$ sudo systemctl restart httpd.service
Add/update the configuration files:
$ sudo vim /etc/ovirt-engine/engine.conf.d/99-custom-truststore.conf
ENGINE_HTTPS_PKI_TRUST_STORE="/etc/pki/java/cacerts"
ENGINE_HTTPS_PKI_TRUST_STORE_PASSWORD=""
$ sudo vim /etc/ovirt-engine/ovirt-websocket-proxy.conf.d/10-setup.conf
SSL_CERTIFICATE=/etc/pki/ovirt-engine/certs/apache.cer
SSL_KEY=/etc/pki/ovirt-engine/keys/apache.key.nopass
$ sudo vim /etc/ovirt-imageio-proxy/ovirt-imageio-proxy.conf
# Key file for SSL connections
ssl_key_file = /etc/pki/ovirt-engine/keys/apache.key.nopass
# Certificate file for SSL connections
ssl_cert_file = /etc/pki/ovirt-engine/certs/apache.cer
Next, restart all affected services:
$ sudo systemctl restart ovirt-provider-ovn.service
$ sudo systemctl restart ovirt-imageio-proxy
$ sudo systemctl restart ovirt-websocket-proxy
$ sudo systemctl restart ovirt-engine.service
Done! Now connect to the manager and check that the connection is protected by the signed SSL certificate.
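An added example, not part of the original article: checks worth running on the three files in /opt/certs before they are copied over the engine's Apache key and certificate. The function names are illustrative, and the CA and certificate generated by make_sample are constructed throwaway samples.

```shell
#!/bin/sh
# Added example (not from the original article): pre-flight checks for the
# files staged in /opt/certs before they replace the Apache key/certificate.

# check_bundle CHAIN CERT KEY -> prints "ok" and returns 0 only if the key is
# unencrypted, matches the certificate, and the certificate verifies to CHAIN.
check_bundle() {
    chain=$1; cert=$2; key=$3
    # 1. apache.key.nopass must be a parseable key with no passphrase.
    if grep -q ENCRYPTED "$key" 2>/dev/null || ! openssl pkey -in "$key" -noout 2>/dev/null; then
        echo "key is unreadable or passphrase-protected"; return 1
    fi
    # 2. The certificate's public key must be the one derived from the key.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null | openssl sha256)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl sha256)
    [ "$cert_pub" = "$key_pub" ] ||
        { echo "private key does not match certificate"; return 1; }
    # 3. The certificate must verify against the CA chain file.
    openssl verify -CAfile "$chain" "$cert" >/dev/null 2>&1 ||
        { echo "certificate does not verify against CA chain"; return 1; }
    echo "ok"
}

# make_sample DIR -> constructed throwaway CA, key and certificate for a demo.
make_sample() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Constructed Test CA" \
        -keyout "$1/ca.key" -out "$1/cachain.pem" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=ovirt.example.com" \
        -keyout "$1/ovirt.key" -out "$1/ovirt.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/ovirt.csr" -CA "$1/cachain.pem" -CAkey "$1/ca.key" \
        -CAcreateserial -days 1 -out "$1/ovirt.crt" 2>/dev/null
}

# Demo run on the constructed sample; on a real host pass the /opt/certs files.
demo=$(mktemp -d)
make_sample "$demo" && check_bundle "$demo/cachain.pem" "$demo/ovirt.crt" "$demo/ovirt.key"
rm -rf "$demo"
```

On the manager the call would be check_bundle /opt/certs/cachain.pem /opt/certs/ovirt.crt /opt/certs/ovirt.key, run before the existing key and certificate are overwritten.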
Archiving
Where would we be without it! This section covers archiving the manager; archiving VMs is a separate matter. We will create an archive copy once a day and store it over NFS, for example on the same system where we placed the ISO images (mynfs01.example.com:/exports/ovirt-backup). Storing the archives on the same machine where the engine runs is not recommended.
Install and enable autofs:
$ sudo yum install autofs
$ sudo systemctl enable autofs
$ sudo systemctl start autofs
Let's create a script:
$ sudo vim /etc/cron.daily/make.oVirt.backup.sh
with the following content:
#!/bin/bash
# Daily backup of the oVirt manager to the NFS share (reached through autofs under /net).
datetime=`date +"%F.%R"`
backupdir="/net/mynfs01.example.com/exports/ovirt-backup"
filename="$backupdir/`hostname --short`.$datetime"
engine-backup --mode=backup --scope=all --file="$filename.data" --log="$filename.log"
#uncomment next line for autodelete files older 30 days
#find "$backupdir" -type f -mtime +30 -exec rm -f {} \;
Make the file executable:
$ sudo chmod a+x /etc/cron.daily/make.oVirt.backup.sh
Now we will get an archive of the manager settings every night.
Host management interface
Fig. 3 - appearance of the panel.
Installation is very simple; you need the cockpit package and the cockpit-ovirt-dashboard plugin:
$ sudo yum install cockpit cockpit-ovirt-dashboard -y
Enable Cockpit:
$ sudo systemctl enable --now cockpit.socket
Firewall configuration:
$ sudo firewall-cmd --add-service=cockpit
$ sudo firewall-cmd --add-service=cockpit --permanent
Now you can connect to the host: https://[Host IP or FQDN]:9090
VLAN
For more about networks, see the following article.
To connect other subnets, they first have to be described in the configuration: [Network] -> [Networks] -> [New]; here only the name is a required field. The [VM Network] checkbox, which allows machines to use this network, is enabled; to attach a tag, enable [Enable VLAN tagging], enter the VLAN number and click OK.
Next, go to [Compute] -> [Hosts] -> [kvmNN] -> [Network Interfaces] -> [Setup Host Networks]. Drag the added network from [Unassigned Logical Networks] on the right to [Assigned Logical Networks] on the left.
Fig. 4 - before adding the network.
Fig. 5 - after adding the network.
To connect several networks to a host in bulk, it is convenient to assign labels to the networks when creating them and to add networks by label.
After a network is created, the hosts go into the Non Operational state until the network has been added to all nodes of the cluster. This behaviour is caused by the [Require All] flag on the [Cluster] tab when a new network is created. If the network is not needed on all nodes of the cluster, this flag can be disabled; then, when the network is added to a host, it appears on the right in the "Non Required" section and you can choose whether to connect it to a particular host.
Fig. 6 - selecting the network requirement attribute.
HPE specific
Almost all manufacturers have tools that make their products easier to use. Taking HPE as an example, AMS (Agentless Management Service; amsd for iLO5, hp-ams for iLO4), SSA (Smart Storage Administrator, which works with the disk controller) and others are useful.
Connecting the HPE repository
Import the key and connect the HPE repositories:
$ sudo rpm --import https://downloads.linux.hpe.com/SDR/hpePublicKey2048_key1.pub
$ sudo vim /etc/yum.repos.d/mcp.repo
with the following content:
[mcp]
name=Management Component Pack
baseurl=http://downloads.linux.hpe.com/repo/mcp/centos/$releasever/$basearch/current/
enabled=1
gpgkey=file:///etc/pki/rpm-gpg/GPG-KEY-mcp
[spp]
name=Service Pack for ProLiant
baseurl=http://downloads.linux.hpe.com/SDR/repo/spp/RHEL/$releasever/$basearch/current/
enabled=1
gpgkey=file:///etc/pki/rpm-gpg/GPG-KEY-mcp
View the repository contents and the package information (for reference):
$ sudo yum --disablerepo="*" --enablerepo="mcp" list available
$ yum info amsd
Installation and startup:
$ sudo yum install amsd ssacli
$ sudo systemctl start amsd
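An added example, not part of the original article: a small audit of a .repo file such as the mcp.repo above, listing enabled sections that fetch over plain http or do not set gpgcheck=1 themselves (a section without its own gpgcheck line inherits the [main] value from /etc/yum.conf). The function names and the [mcp-checked] section with its https URL are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original article): flag enabled yum repo
# sections that do not set gpgcheck=1 themselves or fetch over plain http.

# audit_repo FILE -> one finding per line, nothing if the file is clean.
audit_repo() {
    awk -F= '
        function report() {
            if (name == "" || enabled == "0") return
            if (gpg != "1") print name ": gpgcheck=1 not set in this section"
            if (url ~ /^http:/) print name ": baseurl uses plain http"
        }
        /^\[.*\]$/ { report(); name = substr($0, 2, length($0) - 2)
                     enabled = gpg = url = ""; next }
        { key = $1; val = $2; gsub(/[ \t]/, "", key); gsub(/[ \t]/, "", val) }
        key == "enabled"  { enabled = val }
        key == "gpgcheck" { gpg = val }
        key == "baseurl"  { url = val }
        END { report() }
    ' "$1"
}

# Constructed sample: [mcp] as on this page, [mcp-checked] a hypothetical
# variant (the https URL is an assumption, not taken from the page).
sample_repo() {
    cat <<'EOF'
[mcp]
name=Management Component Pack
baseurl=http://downloads.linux.hpe.com/repo/mcp/centos/$releasever/$basearch/current/
enabled=1
gpgkey=file:///etc/pki/rpm-gpg/GPG-KEY-mcp
[mcp-checked]
name=Management Component Pack
baseurl=https://downloads.linux.hpe.com/repo/mcp/centos/$releasever/$basearch/current/
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/GPG-KEY-mcp
EOF
}

# Demo run on the constructed sample; on a host pass /etc/yum.repos.d/mcp.repo.
f=$(mktemp); sample_repo > "$f"; audit_repo "$f"; rm -f "$f"
```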
Example of the utility for working with the disk controller
That is all for now. In the following articles I plan to cover basic operations and applications. For example, how to build VDI in oVirt.
Source: habr.com