In this article we go through a number of additional settings and useful small things: DNS names; integration with Active Directory; multipathing; power management; replacing the SSL certificate; backup; host management via Cockpit; VLAN; HPE servers.
This article is part of the oVirt in 2 hours series: introduction, installation of the manager and hosts, and additional settings (this part).
Small conveniences
To make working in the console more comfortable, install bash-completion and vim:
$ sudo yum install bash-completion vim
bash-completion only takes effect in a new shell, so log out and back in (or start a new bash).
Setting up DNS names
The engine is usually reachable under more than one name (a CNAME, an alias, or simply the short host name without the domain). SSO checks the name the browser used, so every additional name has to be listed; otherwise logging in through such a name fails.
Create the file:
$ sudo vim /etc/ovirt-engine/engine.conf.d/99-custom-sso-setup.conf
with the following content:
SSO_ALTERNATE_ENGINE_FQDNS="ovirt.example.com some.alias.example.com ovirt"
and restart the engine:
$ sudo systemctl restart ovirt-engine
Integration with AD
oVirt can take users and groups from an external directory over LDAP; several directory servers are supported, including Active Directory.
Install the setup package, run it, and restart the engine afterwards:
$ sudo yum install ovirt-engine-extension-aaa-ldap-setup
$ sudo ovirt-engine-extension-aaa-ldap-setup
$ sudo systemctl restart ovirt-engine
Example setup session:
$ sudo ovirt-engine-extension-aaa-ldap-setup
Available LDAP implementations:
...
 3 - Active Directory
...
Please select: 3
Please enter Active Directory Forest name: example.com
Please select protocol to use (startTLS, ldaps, plain) [startTLS]:
Please select method to obtain PEM encoded CA certificate (File, URL, Inline, System, Insecure): URL
URL:
Enter search user DN (for example uid=username,dc=example,dc=com or leave empty for anonymous): CN=oVirt-Engine,CN=Users,DC=example,DC=com
Enter search user password:
[ INFO  ] Attempting to bind using 'CN=oVirt-Engine,CN=Users,DC=example,DC=com'
Are you going to use Single Sign-On for Virtual Machines (Yes, No) [Yes]:
Please specify profile name that will be visible to users [example.com]:
Please provide credentials to test login flow:
Enter user name:
Enter user password:
[ INFO  ] Executing login sequence...
...
[ INFO  ] Login sequence executed successfully
Please select test sequence to execute (Done, Abort, Login, Search) [Done]:
[ INFO  ] Stage: Transaction setup
...
CONFIGURATION SUMMARY
...
[ INFO  ] Execution of setup completed successfully
After the setup the profile (example.com) appears in the domain list on the login page, and directory users and groups can be added in the administration portal and given roles.
Multipath I/O
Multipath is configured in /etc/multipath.conf. The CentOS (and therefore oVirt) defaults already handle most arrays, including automatic discovery of multipath devices (find_multipaths yes), but the storage used here, a 3PAR attached over FCoE, still needs array-specific settings. Note that on oVirt hosts VDSM manages /etc/multipath.conf and overwrites local edits unless the file is marked "# VDSM PRIVATE"; putting the settings into a file under /etc/multipath/conf.d/ avoids that.
Example configuration for 3PAR storage:
defaults {
polling_interval 10
user_friendly_names no
find_multipaths yes
}
devices {
device {
vendor "3PARdata"
product "VV"
path_grouping_policy group_by_prio
path_selector "round-robin 0"
path_checker tur
features "0"
hardware_handler "1 alua"
prio alua
failback immediate
rr_weight uniform
no_path_retry 18
rr_min_io_rq 1
detect_prio yes
fast_io_fail_tmo 10
dev_loss_tmo "infinity"
}
}
After changing the configuration, restart the service:
systemctl restart multipathd
Figure 1: multipath I/O with the default settings.
Figure 2: multipath I/O after applying the settings above.
Power management
Fencing lets the engine reset a host that has stopped responding through its management controller (IPMI), so that highly available VMs that ran on it can be restarted on another host. It is set up per host: Compute -> Hosts -> HOST -> Edit -> Power Management, tick "Enable Power Management" and add an agent: "Add Fence Agent" -> +.
In the agent dialog (for iLO5 choose the ilo4 type) enter the address, user and password of the BMC account. Rather than using an administrator account, create a separate user in iLO (for example oVirt-PM) and grant it rights. The iLO privilege list is:
- Login
- Remote Console
- Virtual Power and Reset
- Virtual Media
- Configure iLO Settings
- Administer User Accounts
For fencing only Login and Virtual Power and Reset are needed; leave the remaining privileges unchecked.
There is a Test button. Note that the test is not run by the engine itself: the request goes through another host of the same cluster or data center, the so-called Power Management Proxy, so it only succeeds when at least one other host is up.
Replacing the SSL certificate
By default the engine uses a certificate from its own internal CA, which browsers do not trust, so we replace it with a certificate issued by a corporate CA or by a public certification authority.
Note that only the certificate of the web interface (Apache, plus the websocket and imageio proxies) is replaced. The communication between the engine and the hosts keeps using the internal CA and is not touched.
Required:
- the CA certificate chain in PEM format, from the root CA to the issuing (subordinate) CA;
- a certificate for Apache issued by that CA;
- the Apache private key, without a passphrase.
Assume the CA runs on a CentOS machine named subca.example.com and the files are stored under /etc/pki/tls/.
First back up the current key and certificate and create a directory for the new files:
$ sudo cp /etc/pki/ovirt-engine/keys/apache.key.nopass /etc/pki/ovirt-engine/keys/apache.key.nopass.`date +%F`
$ sudo cp /etc/pki/ovirt-engine/certs/apache.cer /etc/pki/ovirt-engine/certs/apache.cer.`date +%F`
$ sudo mkdir /opt/certs
$ sudo chown mgmt.mgmt /opt/certs
Copy the files from the CA to the engine, for example from a workstation with scp -3:
[myuser@mydesktop] $ scp -3 [email protected]:/etc/pki/tls/cachain.pem [email protected]:/opt/certs
[myuser@mydesktop] $ scp -3 [email protected]:/etc/pki/tls/private/ovirt.key [email protected]:/opt/certs
[myuser@mydesktop] $ scp -3 [email protected]:/etc/pki/tls/certs/ovirt.crt [email protected]:/opt/certs
Check that all three files are on the engine:
$ ls /opt/certs
cachain.pem ovirt.crt ovirt.key
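Before copying the files into place it is worth checking that they fit together: the key belongs to the certificate, the chain actually verifies it for the engine's name, and the key has no passphrase. The script below is an added example, not part of the article; it assumes openssl is installed, the file names shown above, and the engine FQDN given as an argument (ovirt.example.com in the usage line).

```bash
#!/bin/bash
# Pre-flight checks for the replacement Apache certificate, run on the
# engine before the files are copied into /etc/pki/ovirt-engine.
# Added example, not from the article; assumes openssl is installed and
# the file names used above (cachain.pem, ovirt.key, ovirt.crt).

# Exit 0 when the private key and the certificate carry the same public key.
key_matches_cert() {
    local key="$1" cert="$2" from_key from_cert
    from_key=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
    from_cert=$(openssl x509 -in "$cert" -pubkey -noout 2>/dev/null) || return 1
    [ -n "$from_key" ] && [ "$from_key" = "$from_cert" ]
}

# Exit 0 when the CA chain validates the certificate and the certificate
# is valid for the given name (SAN or CN); browsers reject either mismatch.
chain_verifies_cert_for() {
    local chain="$1" cert="$2" fqdn="$3"
    openssl verify -CAfile "$chain" -verify_hostname "$fqdn" "$cert" >/dev/null 2>&1
}

# Exit 0 when the key loads with an empty passphrase, which is what
# apache.key.nopass must do for httpd to start unattended.
key_has_no_passphrase() {
    openssl pkey -in "$1" -noout -passin pass: >/dev/null 2>&1
}

# Run all checks on one directory: one line per check, exit 1 on any failure.
check_cert_set() {
    local dir="$1" fqdn="$2" rc=0
    if key_matches_cert "$dir/ovirt.key" "$dir/ovirt.crt"; then echo "ok: key matches certificate"
    else echo "FAIL: key and certificate do not match"; rc=1; fi
    if chain_verifies_cert_for "$dir/cachain.pem" "$dir/ovirt.crt" "$fqdn"; then echo "ok: chain verifies certificate for $fqdn"
    else echo "FAIL: chain does not verify certificate for $fqdn"; rc=1; fi
    if key_has_no_passphrase "$dir/ovirt.key"; then echo "ok: key has no passphrase"
    else echo "FAIL: key is passphrase-protected"; rc=1; fi
    return $rc
}

# SHA-256 fingerprint of the certificate actually served on port 443, to compare
# with 'openssl x509 -in ovirt.crt -noout -fingerprint -sha256' after the restart.
served_cert_fingerprint() {
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256
}

# Usage: ./check-certs.sh /opt/certs ovirt.example.com
if [ $# -eq 2 ]; then check_cert_set "$1" "$2"; fi
```

Run it as root on the engine against /opt/certs; after the restart below, compare served_cert_fingerprint with the fingerprint of the local ovirt.crt to confirm httpd really picked up the new file.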
Installing the certificates
Add the chain to the system trust store, replace the engine's Apache CA file, key and certificate, and restart httpd:
$ sudo cp /opt/certs/cachain.pem /etc/pki/ca-trust/source/anchors
$ sudo update-ca-trust
$ sudo rm /etc/pki/ovirt-engine/apache-ca.pem
$ sudo cp /opt/certs/cachain.pem /etc/pki/ovirt-engine/apache-ca.pem
$ sudo cp /opt/certs/ovirt.key /etc/pki/ovirt-engine/keys/apache.key.nopass
$ sudo cp /opt/certs/ovirt.crt /etc/pki/ovirt-engine/certs/apache.cer
$ sudo systemctl restart httpd.service
Create or edit the engine truststore config and point the websocket and imageio proxies at the new key and certificate:
$ sudo vim /etc/ovirt-engine/engine.conf.d/99-custom-truststore.conf
ENGINE_HTTPS_PKI_TRUST_STORE="/etc/pki/java/cacerts"
ENGINE_HTTPS_PKI_TRUST_STORE_PASSWORD=""
$ sudo vim /etc/ovirt-engine/ovirt-websocket-proxy.conf.d/10-setup.conf
SSL_CERTIFICATE=/etc/pki/ovirt-engine/certs/apache.cer
SSL_KEY=/etc/pki/ovirt-engine/keys/apache.key.nopass
$ sudo vim /etc/ovirt-imageio-proxy/ovirt-imageio-proxy.conf
# Key file for SSL connections
ssl_key_file = /etc/pki/ovirt-engine/keys/apache.key.nopass
# Certificate file for SSL connections
ssl_cert_file = /etc/pki/ovirt-engine/certs/apache.cer
Then restart the engine and its services:
$ sudo systemctl restart ovirt-provider-ovn.service
$ sudo systemctl restart ovirt-imageio-proxy
$ sudo systemctl restart ovirt-websocket-proxy
$ sudo systemctl restart ovirt-engine.service
Done! The web interface now presents the new certificate; open the portal in a browser and check the certificate details.
Backup
What to back up and why? Here we back up the engine itself (its configuration and database); backing up VMs is a separate and much larger topic. The backup is made with engine-backup and written to an NFS share, for example on the same server that holds the ISO storage: mynfs01.example.com:/exports/ovirt-backup. The share is mounted on demand with autofs.
Install and enable autofs:
$ sudo yum install autofs
$ sudo systemctl enable autofs
$ sudo systemctl start autofs
Create a daily cron script:
$ sudo vim /etc/cron.daily/make.oVirt.backup.sh
with the following content:
#!/bin/bash
# Daily engine backup to the NFS share mounted on demand by autofs
datetime=$(date +"%F.%R")
backupdir="/net/mynfs01.example.com/exports/ovirt-backup"
filename="$backupdir/$(hostname --short).$datetime"
engine-backup --mode=backup --scope=all --file="$filename.data" --log="$filename.log"
# uncomment the next line to delete backups older than 30 days
#find "$backupdir" -type f -mtime +30 -exec rm -f {} \;
Make it executable:
$ sudo chmod a+x /etc/cron.daily/make.oVirt.backup.sh
Now a backup of the engine is made every day.
Host management via Cockpit
Figure 3: Cockpit dashboard.
Cockpit is a web console for managing a host; install it together with the oVirt dashboard plugin:
$ sudo yum install cockpit cockpit-ovirt-dashboard -y
Enable the socket:
$ sudo systemctl enable --now cockpit.socket
Open the firewall:
$ sudo firewall-cmd --add-service=cockpit
$ sudo firewall-cmd --add-service=cockpit --permanent
Now the host console is available at https://[Host IP or FQDN]:9090
VLAN
A few words about VLANs. To create a tagged network: Network -> Networks -> New, enter a name, leave VM Network ticked if virtual machines will use this network, tick Enable VLAN tagging, enter the VLAN ID and click OK.
Then go to Compute -> Hosts -> kvmNN -> Network Interfaces -> Setup Host Networks and drag the new network onto the interface (or bond) that carries the tagged VLAN, then click OK.
Figure 4: new logical network.
Figure 5: Setup Host Networks.
The network has to be attached on every host of the cluster: a new logical network is marked Required by default, and a host that lacks a required network goes Non Operational. If the network is needed on only some hosts, untick Required for it in the cluster's Logical Networks -> Manage Networks.
Figure 6: cluster network settings.
HPE servers
A short detour for HPE servers. To let iLO see the state of the hardware and to manage the Smart Array RAID controller from the OS, install the HPE tools: AMS (Agentless Management Service, amsd for iLO5, hp-ams for iLO4) and SSA (Smart Storage Administrator, the command-line utility for the Smart Array controller).
Connecting the HPE repositories
Import the HPE signing key and add the repository file:
$ sudo rpm --import https://downloads.linux.hpe.com/SDR/hpePublicKey2048_key1.pub
$ sudo vim /etc/yum.repos.d/mcp.repo
with the following content:
[mcp]
name=Management Component Pack
baseurl=http://downloads.linux.hpe.com/repo/mcp/centos/$releasever/$basearch/current/
enabled=1
gpgkey=file:///etc/pki/rpm-gpg/GPG-KEY-mcp
[spp]
name=Service Pack for ProLiant
baseurl=http://downloads.linux.hpe.com/SDR/repo/spp/RHEL/$releasever/$basearch/current/
enabled=1
gpgkey=file:///etc/pki/rpm-gpg/GPG-KEY-mcp
Check that the repository is reachable and look at the package (the output should list the available packages):
$ sudo yum --disablerepo="*" --enablerepo="mcp" list available
$ yum info amsd
Install and start:
$ sudo yum install amsd ssacli
$ sudo systemctl start amsd
Example of the ssacli utility working with the RAID controller (screenshot).
That is all for this part; the following articles will cover further topics, such as VDI on oVirt.
Source: www.habr.com