ProHoster > Blog > administratio > oVirt in 2 horis. Pars 3. Additional occasus

oVirt in 2 horis. Pars 3. Additional occasus

In hoc articulo plures obitus libitum sed utiles videbimus:

Hic articulus est continuatio, vide oVirt in 2 horis ad initium Part 1 и pars 2.

Articles

  1. introduction
  2. Institutionem curatoris (ovirt-engine) et hypervisores (exercitus)
  3. Additional occasus - Sumus hic

Additional procurator occasus

Pro commodo, additas sarcinas instituemus:

$ sudo yum install bash-completion vim

Ut imperium peractio efficiat, bash-completio postulat commutatione ad bash.

Addito DNS nomina

Hoc requiretur cum procuratori vel nomine alio utente coniungere debes (CNAME, alias, vel breve nomen sine ditione suffixo). Procurator hospites ad rationes securitatis permittit tantum utens indice nominum permisso.

Configuratione file creare:

$ sudo vim /etc/ovirt-engine/engine.conf.d/99-custom-sso-setup.conf

sequenti contentus:

SSO_ALTERNATE_ENGINE_FQDNS="ovirt.example.com some.alias.example.com ovirt"

et procurator sileo;

$ sudo systemctl restart ovirt-engine

Ad authenticas via usque profecta

oVirt in basi usoris constructum habet, provisores autem externi LDAP adiuvantur, incl. A.D.

Simplicissima via figurae typicae est magum deducere et procuratorem sileo:

$ sudo yum install ovirt-engine-extension-aaa-ldap-setup
$ sudo ovirt-engine-extension-aaa-ldap-setup
$ sudo systemctl restart ovirt-engine

Exemplum operis domini
$ sudo ovirt-engine-extensio-aaa-ldap-setup
Praesto LDAP implementations:
...
III - Active Directory
...
Placere eligere; 3
Please enter Active Directory silvae nomen; example.com

Placere eligere protocollo ad usum (startTLS, ldaps, patet) [startTLS]:
Placere eligere modum obtinendi PEM certificatorium encoded CA (File, URL, Inline, System, Insecure); URL
URL: wwwca.example.com/myRootCA.pem
Intrant inquisitionem usoris DN (exempli gratia uid=usoris, dc=exempli, dc=com vel uacui pro anonymo); CN=oVirt-Engine, CN=Users,DC=exemple,DC=com
Intra quaerere usor password: * Password
[ INFO ] Ligare conanti utens 'CN=oVirt-Engine,CN=Users,DC=exemplum,DC=com'
Tu ad Single Sign-De ad Virtual Machinis (Ita, No) [Sic]:
Quaeso, nomen profile quod visibilis erit users [example.com]:
Quaeso providere documentorum ut login fluxus test:
Intra user nomen tuum: someAnyUser
Intra user password:
...
[INFO] Login series feliciter supplicium
...
Lego test series ad faciendum (Fio, Abort, Login, Quaerere) [Actum]:
[INFO] Scaena: Transactio setup
...
CONFIGURATIO SUMMARIUM
...

Utens magus pluribus aptus est. Nam figurationes complexae, occasus manually peraguntur. Plura in documentis oVirt; Users et muneribus. Postquam Engine cum AD feliciter connectitur, profile additus patebit in nexu fenestra, et in tab permissionibus Ratio obiecti facultatem licentias AD usorum et coetuum concedendi habent. Animadvertendum est directorium externum utentium et coetuum non solum AD, sed etiam IPA, eDirectorium, etc.

Multipathing

In ambitu productionis, systema repositionis cum hospite per plures vias independentes I/O multiplices coniungi debet. Typice, in CentOS (et propterea oVirt'e) nullae difficultates sunt cum multis viis ad instrumentum componendis (find_multipaths, ita). Optiones additionales pro FCoE describuntur in 2nd partOperae pretium est commendationibus fabricatoris systematis repositionis attendere—multi commendant ut politicam "round-robin" adhibeant, dum "Enterprise" utitur ratione implicita. Linux Tempus servitii 7 adhibetur.

Per 3PAR ad exemplum
et documentum HPE 3PAR Red Hat Enterprise Linux, CentOS Linux, Oracle Linuxet Dux Implementationis Servi OracleVM EL creatur Hostia cum Generic-ALUA Persona 2, pro qua sequentes valores in uncinis /etc/multipath.conf ingrediuntur:

defaults {
           polling_interval      10
           user_friendly_names   no
           find_multipaths       yes
          }
devices {
          device {
                   vendor                   "3PARdata"
                   product                  "VV"
                   path_grouping_policy     group_by_prio
                   path_selector            "round-robin 0"
                   path_checker             tur
                   features                 "0"
                   hardware_handler         "1 alua"
                   prio                     alua
                   failback                 immediate
                   rr_weight                uniform
                   no_path_retry            18
                   rr_min_io_rq             1
                   detect_prio              yes
                   fast_io_fail_tmo         10
                   dev_loss_tmo             "infinity"
                 }
}

Post quod mandatum ut sileo datur;

systemctl restart multipathd

oVirt in 2 horis. Pars 3. Additional occasus
Renatus. 1 default multiplex I/O consilium est.

oVirt in 2 horis. Pars 3. Additional occasus
Renatus. 2 - multiplex consilium I/O adhibitis occasus.

Imperium administratione profecta sunt

Permittit tibi ut facias, exempli gratia, ferramenta machinae retexere, si Engine responsum ab Hostia diu recipere non potest. Impletur per Fence Agent.

Computo -> Hostes -> POPULUS - Edit -> Potestas Procuratio, deinde "Admitte Potestatem Management" et adde procuratorem - "Adde Fence Agentem" -> +.

Genus indicamus (exempli gratia, pro iLO5 ilo4 designare debes), nomen/inscriptio interfacii ipmi, necnon nomen usoris/password. Commendatur ut usorem separatum (exempli gratia oVirt-PM) creare et, in casu iLO, ei privilegia dare;

  • login
  • Remota Console
  • Virtus et Reset
  • Virtual Media
  • Configurare iLO Optiones
  • Administrare User Rationes

Noli quaerere cur ita sit, empirice electa est. Solarium agentis rudium iura pauciora requirit.

Cum accessum moderandi tabulas constituas, memineris procuratorem non in machinam currere, sed exercitum "propinquum" (proxy Power sic dictum), i.e., si una tantum nodi in botro est; potestas administratione operari nolo.

Occasus SSL

Plena mandata publica - in documentumAppendice D: oVirt et SSL — Repositoque Engine oVirt SSL/TLS Quisque.

Testimonium certificatorium esse potest vel ex nostra corporato CA vel ab externa auctoritate certificatorium commercialium.

Praecipua nota: certificatorium destinatur ad connexionem curatori et communicationem inter Engine et nodos non afficit - libellorum auto-signatorum a Engine editis utentur.

requisita:

  • certificatorium exeuntis CA in forma PEM cum tota catena usque ad radicem CA (ab subordinatis CA exeuntibus in initio ad radicem in fine);
  • libellum de Apache ab editis CA editis (adiciunt etiam per totam catenam CA libellorum);
  • privata clavis pro Apache, sine tessera.

Ponamus auctoritatem auctoritatis nostram emittentem currere CentOS, subca.example.com appellatur, et petitiones, claves et certificata in directorio /etc/pki/tls/ inveniuntur.

Praestare tergum et creare tempus presul:

$ sudo cp /etc/pki/ovirt-engine/keys/apache.key.nopass /etc/pki/ovirt-engine/keys/apache.key.nopass.`date +%F`
$ sudo cp /etc/pki/ovirt-engine/certs/apache.cer /etc/pki/ovirt-engine/certs/apache.cer.`date +%F`
$ sudo mkdir /opt/certs
$ sudo chown mgmt.mgmt /opt/certs

Exhibe testimoniales, illud ex officina tua fac vel alio modo convenienti transfer;

[myuser@mydesktop] $ scp -3 causer@subca.example.com:/etc/pki/tls/cachain.pem mgmt@ovirt.example.com:/opt/certs
[myuser@mydesktop] $ scp -3 causer@subca.example.com:/etc/pki/tls/private/ovirt.key mgmt@ovirt.example.com:/opt/certs
[myuser@mydesktop] $ scp -3 causer@subca.example.com/etc/pki/tls/certs/ovirt.crt mgmt@ovirt.example.com:/opt/certs

Quam ob rem omnia 3 tabularia videre debes:

$ ls /opt/certs
cachain.pem  ovirt.crt  ovirt.key

installing libellorum

Effingo lima ac update fiducia lists:

$ sudo cp /opt/certs/cachain.pem /etc/pki/ca-trust/source/anchors
$ sudo update-ca-trust
$ sudo rm /etc/pki/ovirt-engine/apache-ca.pem
$ sudo cp /opt/certs/cachain.pem /etc/pki/ovirt-engine/apache-ca.pem
$ sudo cp /opt/certs/ovirt03.key /etc/pki/ovirt-engine/keys/apache.key.nopass
$ sudo cp /opt/certs/ovirt03.crt /etc/pki/ovirt-engine/certs/apache.cer
$ sudo systemctl restart httpd.service

Adde / update configuratione files:

$ sudo vim /etc/ovirt-engine/engine.conf.d/99-custom-truststore.conf
ENGINE_HTTPS_PKI_TRUST_STORE="/etc/pki/java/cacerts"
ENGINE_HTTPS_PKI_TRUST_STORE_PASSWORD=""
$ sudo vim /etc/ovirt-engine/ovirt-websocket-proxy.conf.d/10-setup.conf
SSL_CERTIFICATE=/etc/pki/ovirt-engine/certs/apache.cer
SSL_KEY=/etc/pki/ovirt-engine/keys/apache.key.nopass
$ sudo vim /etc/ovirt-imageio-proxy/ovirt-imageio-proxy.conf
# Key file for SSL connections
ssl_key_file = /etc/pki/ovirt-engine/keys/apache.key.nopass
# Certificate file for SSL connections
ssl_cert_file = /etc/pki/ovirt-engine/certs/apache.cer

Deinde sileo omnia officia affectata:

$ sudo systemctl restart ovirt-provider-ovn.service
$ sudo systemctl restart ovirt-imageio-proxy
$ sudo systemctl restart ovirt-websocket-proxy
$ sudo systemctl restart ovirt-engine.service

Paratus! Tempus est ad procuratorem coniungere et reprimendam nexum a testimonio SSL signato munitum esse.

archiving

Ubi essemus sine ea? In hac sectione loquemur de procuratore archivi: VM archivorum est exitus separatus. Exemplar archivi semel in die ponemus et ea per NFS reponamus, exempli gratia, in eadem ratione ubi imagines ISO collocavimus - mynfs1.example.com:/exports/ovirt-backup. Non commendatur ut in eadem machina reponendi archivi ubi Engine currit.

Install et enable autofs:

$ sudo yum install autofs
$ sudo systemctl enable autofs
$ sudo systemctl start autofs

Faciamus scriptum:

$ sudo vim /etc/cron.daily/make.oVirt.backup.sh

sequenti contentus:

#!/bin/bash

datetime=`date +"%F.%R"`
backupdir="/net/mynfs01.example.com/exports/ovirt-backup"
filename="$backupdir/`hostname --short`.`date +"%F.%R"`"
engine-backup --mode=backup --scope=all --file=$filename.data --log=$filename.log
#uncomment next line for autodelete files older 30 days 
#find $backupdir -type f -mtime +30 -exec rm -f {} ;

Faciens tabella exsecutabile:

$ sudo chmod a+x /etc/cron.daily/make.oVirt.backup.sh

Nunc omni nocte archivum procuratoris recipiemus.

Militiae procuratio interface

cockpit - interfacies administrativa moderna pro Linux systemata. Hoc in casu, munus simile interfaciei interretialis ESXi agit.

oVirt in 2 horis. Pars 3. Additional occasus
Renatus. 3 — tabulae species.

Simplex instructio est, debes fasciculis cockpiti et orami-ovirt-dashboard plugin:

$ sudo yum install cockpit cockpit-ovirt-dashboard -y

Cockpit enabling:

$ sudo systemctl enable --now cockpit.socket

Firewall setup:

sudo firewall-cmd --add-service=cockpit
sudo firewall-cmd --add-service=cockpit --permanent

Nunc ad exercitum coniungere potes: https://[ IP vel FQDN]:9090

VLANs

Plus legere debes de retiacula in documentum. Multae possibilitates hic connectens virtualis retiacula describemus.

Ad alia subneta iungenda, primum in schemate describi debent: Network -> Networks -> Novus, hic solum nomen campi requiritur; Retiacula VM Retiacula, quae machinis hac retis utendi permittit, potest, sed tag coniungere ut possit Admitte VLAN tagging, VLAN numerum inire et deprime OK.

Nunc debes ire ad Exercituum Compute -> Hostes -> kvmNN -> Network Interfaces -> Setup Hostiam Networks. Trahunt adiecta retia a dextris Unassigned Logica Networks ad sinistram in Logica Networks:

oVirt in 2 horis. Pars 3. Additional occasus
Renatus. 4 - ante retis addit.

oVirt in 2 horis. Pars 3. Additional occasus
Renatus. V - addito ornatum.

Multiplices retiacula ad hospitem mole connectere, commodum est illis pittacium creandis reticulis assignare et retiacula per pittacia addere.

Postquam retis creatur, turmae in statum Non operational intrabunt donec reticulum omnibus nodis in botro addatur. Haec agendi ratio causatur per Require Omnes vexillum in Botri tab cum novum ornatum creando. In casu, cum retis in omnibus nodi botri non necessarius est, vexillum hoc debilitari potest, tum cum reticulum hospiti adiciatur, dextrorsum in sectione Non quaesita erit et eligere potes an coniungere ad certum exercitum.

oVirt in 2 horis. Pars 3. Additional occasus
Renatus. VI-retis postulationem eligere attributum.

HPE specifica

Fere omnes artifices instrumenta habent quae usum productorum emendant. HPE utens exemplo, AMS (Agentless Service Management, amsd pro iLO5, hp-ams pro iLO4) et SSA (Smart Administrator Storage, operans cum orbe moderatoris), etc. utilia sunt.

HPE repositio connectens
Clavem importamus et repositoria connectimus HPE:

$ sudo rpm --import https://downloads.linux.hpe.com/SDR/hpePublicKey2048_key1.pub
$ sudo vim /etc/yum.repos.d/mcp.repo

sequenti contentus:

[mcp]
name=Management Component Pack
baseurl=http://downloads.linux.hpe.com/repo/mcp/centos/$releasever/$basearch/current/
enabled=1
gpgkey=file:///etc/pki/rpm-gpg/GPG-KEY-mcp

[spp]
name=Service Pack for ProLiant
baseurl=http://downloads.linux.hpe.com/SDR/repo/spp/RHEL/$releasever/$basearch/current/
enabled=1
gpgkey=file:///etc/pki/rpm-gpg/GPG-KEY-mcp

Visum repositio contenta et sarcina informationes (ut referat);

$ sudo yum --disablerepo="*" --enablerepo="mcp" list available
$ yum info amsd

Installation and launch:

$ sudo yum install amsd ssacli
$ sudo systemctl start amsd

Exemplum de utilitate operandi cum orbe moderatoris
oVirt in 2 horis. Pars 3. Additional occasus

Quod ut 'quia iam omnia. In sequentibus articulis de quibusdam fundamentalibus operationibus et applicationibus loqui instituo. VDI QUAM FACERE VDI IN OVIR.

Source: www.habr.com

Emptum certos hospites pro locis cum praesidio DDoS, VPS VDS servers 🔥 Eme hospitium interretiale fidum cum praesidio DDoS, servitores VPS VDS | ProHoster