oVirt in 2 hours. Part 3. Additional settings

In this article we will look at several optional but useful settings:

This article is a continuation; for the beginning see oVirt in 2 hours, Part 1 and Part 2.

Articles

  1. Introduction
  2. Installing the manager (ovirt-engine) and hypervisors (hosts)
  3. Additional settings - We are here

Additional settings

For convenience, we will install additional packages:

$ sudo yum install bash-completion vim

For command completion to work, bash-completion requires switching to bash.

Adding additional DNS names

This is needed when you want to connect to the manager using an alternative name (CNAME, alias, or simply a short name without the domain suffix). For security reasons, the manager accepts connections only by names on an allowed list.

Create a configuration file:

$ sudo vim /etc/ovirt-engine/engine.conf.d/99-custom-sso-setup.conf

with the following content:

SSO_ALTERNATE_ENGINE_FQDNS="ovirt.example.com some.alias.example.com ovirt"

and restart the manager:

$ sudo systemctl restart ovirt-engine

Configuring authentication via AD

oVirt has its own user base, but external LDAP providers are also supported, including AD.

The simplest way to get a typical configuration is to run the wizard and restart the manager:

$ sudo yum install ovirt-engine-extension-aaa-ldap-setup
$ sudo ovirt-engine-extension-aaa-ldap-setup
$ sudo systemctl restart ovirt-engine

Example of the wizard at work
$ sudo ovirt-engine-extension-aaa-ldap-setup
Available LDAP implementations:
...
3 - Active Directory
...
Please select: 3
Please enter Active Directory Forest name: example.com

Please select protocol to use (startTLS, ldaps, plain) [startTLS]:
Please select method to obtain PEM encoded CA certificate (File, URL, Inline, System, Insecure): URL
URL: wwwca.example.com/myRootCA.pem
Enter search user DN (for example uid=username,dc=example,dc=com or leave empty for anonymous): CN=oVirt-Engine,CN=Users,DC=example,DC=com
Enter search user password: *password*
[ INFO  ] Attempting to bind using 'CN=oVirt-Engine,CN=Users,DC=example,DC=com'
Are you going to use Single Sign-On for Virtual Machines (Yes, No) [Yes]:
Please specify profile name that will be visible to users [example.com]:
Please provide credentials to test login flow:
Enter user name: someAnyUser
Enter user password:
...
[ INFO  ] Login sequence executed successfully
...
Select test sequence to execute (Done, Abort, Login, Search) [Done]:
[ INFO  ] Stage: Transaction setup
...
CONFIGURATION SUMMARY
...

Using the wizard is sufficient in most cases. For complex configurations, the setup is done manually. More details are in the oVirt documentation, Users and Roles. After the Engine is successfully connected to AD, an additional profile appears in the login window, and on the Permissions tab of system objects you can grant permissions to AD users and groups. Note that the external directory of users and groups can be not only AD but also IPA, eDirectory, etc.

Multipathing

In a production environment, the storage system must be connected to the host through several independent I/O paths. As a rule, in CentOS (and therefore oVirt) there are no problems assembling multiple paths to a device (find_multipaths yes). Additional settings for FCoE are described in Part 2. It is worth paying attention to the storage vendor's recommendations: many recommend the round-robin policy, whereas by default Enterprise Linux 7 uses service-time.

Using 3PAR as an example
Following the document HPE 3PAR Red Hat Enterprise Linux, CentOS Linux, Oracle Linux, and OracleVM Server Implementation Guide, EL is created as a Host with Generic-ALUA Persona 2, for which the following values are entered in /etc/multipath.conf:

defaults {
           polling_interval      10
           user_friendly_names   no
           find_multipaths       yes
          }
devices {
          device {
                   vendor                   "3PARdata"
                   product                  "VV"
                   path_grouping_policy     group_by_prio
                   path_selector            "round-robin 0"
                   path_checker             tur
                   features                 "0"
                   hardware_handler         "1 alua"
                   prio                     alua
                   failback                 immediate
                   rr_weight                uniform
                   no_path_retry            18
                   rr_min_io_rq             1
                   detect_prio              yes
                   fast_io_fail_tmo         10
                   dev_loss_tmo             "infinity"
                 }
}

After that, the restart command is issued:

systemctl restart multipathd

Fig. 1 - the default multipath I/O policy.

Fig. 2 - the multipath I/O policy after applying the settings.
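
One way to confirm from the command line that the round-robin selector took effect, written as an added example that is not part of the original article. The function names and the WWIDs in the sample output are constructed for illustration; on a host, pipe `multipath -ll` into non_round_robin_maps instead of the sample.

```shell
#!/bin/bash
# Constructed `multipath -ll` output: the first map is still on the EL7
# default selector, the second uses the policy from /etc/multipath.conf.
sample_multipath_ll() {
cat <<'EOF'
360002ac0000000000000000a0000aaaa dm-2 3PARdata,VV
size=100G features='1 queue_if_no_path' hwhandler='1 alua' wp=rw
`-+- policy='service-time 0' prio=50 status=active
  |- 1:0:0:1 sdb 8:16 active ready running
  `- 2:0:0:1 sdd 8:48 active ready running
360002ac0000000000000000b0000aaaa dm-3 3PARdata,VV
size=200G features='1 queue_if_no_path' hwhandler='1 alua' wp=rw
`-+- policy='round-robin 0' prio=50 status=active
  |- 1:0:0:2 sdc 8:32 active ready running
  `- 2:0:0:2 sde 8:64 active ready running
EOF
}

# Reads `multipath -ll` output on stdin and prints "<map> <policy>" for each
# 3PARdata,VV path group whose selector is not round-robin.
# Exit status is 1 if any such group was found, so it can gate a health check.
non_round_robin_maps() {
    awk -F"'" '
        # Map header line: "<wwid> dm-N <vendor>,<product>"
        / dm-[0-9]+ / { split($0, f, " "); map = f[1]
                        vendor = ($0 ~ /3PARdata,VV/) }
        # Path group line: the selector is the first quoted field
        /policy=/ && vendor && $2 !~ /^round-robin/ { print map, $2; bad = 1 }
        END { exit bad + 0 }
    '
}
```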

Configuring power management

It allows, for example, a hardware reset of a machine if the Engine cannot get a response from the Host for a long time. It is implemented through a Fence Agent.

Compute -> Hosts -> HOST - Edit -> Power Management, then enable "Enable Power Management" and add an agent - "Add Fence Agent" -> +.

We specify the type (for example, for iLO5 you need to specify ilo4), the name/address of the ipmi interface, and the user name/password. It is recommended to create a separate user (for example, oVirt-PM) and, in the case of iLO, give it the privileges:

  • Login
  • Remote Console
  • Virtual Power and Reset
  • Virtual Media
  • Configure iLO Settings
  • Administer User Accounts

Don't ask why this is so; it was chosen empirically. The console fence agent requires a smaller set of rights.

When setting up access control lists, keep in mind that the agent runs not on the engine but on a "neighboring" host (the so-called Power Management Proxy); that is, if there is only one node in the cluster, power management will not work.

Configuring SSL

Full instructions are in the documentation, Appendix D: oVirt and SSL - Replacing the oVirt Engine SSL/TLS Certificate.

The certificate can be either from our corporate CA or from an external commercial certificate authority.

Important note: the certificate is intended for connecting to the manager and will not affect the interaction between the Engine and the nodes - they will use self-signed certificates issued by the Engine.

Requirements:

  • the certificate of the issuing CA in PEM format, with the whole chain up to the root CA (from the subordinate issuing CA at the beginning to the root at the end);
  • a certificate for Apache issued by the issuing CA (also supplemented with the whole chain of CA certificates);
  • the private key for Apache, without a password.

Let's assume that our issuing CA runs CentOS, is called subca.example.com, and the requests, keys, and certificates are located in the /etc/pki/tls/ directory.

We make backups and create a temporary directory:

$ sudo cp /etc/pki/ovirt-engine/keys/apache.key.nopass /etc/pki/ovirt-engine/keys/apache.key.nopass.`date +%F`
$ sudo cp /etc/pki/ovirt-engine/certs/apache.cer /etc/pki/ovirt-engine/certs/apache.cer.`date +%F`
$ sudo mkdir /opt/certs
$ sudo chown mgmt.mgmt /opt/certs

Download the certificates; do it from your workstation or transfer them in another convenient way:

[myuser@mydesktop] $ scp -3 [email protected]:/etc/pki/tls/cachain.pem [email protected]:/opt/certs
[myuser@mydesktop] $ scp -3 [email protected]:/etc/pki/tls/private/ovirt.key [email protected]:/opt/certs
[myuser@mydesktop] $ scp -3 [email protected]:/etc/pki/tls/certs/ovirt.crt [email protected]:/opt/certs

As a result, you should see all 3 files:

$ ls /opt/certs
cachain.pem  ovirt.crt  ovirt.key
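
Before the files are copied into place, the three requirements listed above can be checked with openssl. This is an added example, not part of the original article; the function name check_apache_cert is an assumption, and the file names are the ones from the listing above.

```shell
#!/bin/bash
# check_apache_cert DIR
# Verifies DIR/ovirt.key, DIR/ovirt.crt and DIR/cachain.pem before they
# replace apache.key.nopass, apache.cer and apache-ca.pem.
# Prints "ok" and returns 0, or prints the failed check and returns 1..3.
check_apache_cert() {
    local dir=$1
    local cert="$dir/ovirt.crt" key="$dir/ovirt.key" chain="$dir/cachain.pem"
    local cert_pub key_pub

    # 1. The key must load with an empty passphrase: Apache reads
    #    apache.key.nopass unattended after every restart.
    openssl pkey -in "$key" -passin pass: -noout 2>/dev/null \
        || { echo "key is encrypted or unreadable"; return 1; }

    # 2. The certificate must belong to this key: compare the public key
    #    embedded in the certificate with the one derived from the key.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$key" -passin pass: -pubout | openssl sha256)
    [ "$cert_pub" = "$key_pub" ] \
        || { echo "certificate does not match key"; return 2; }

    # 3. The certificate must verify against the CA chain file.
    openssl verify -CAfile "$chain" "$cert" >/dev/null 2>&1 \
        || { echo "certificate does not chain to cachain.pem"; return 3; }

    echo "ok"
}
```

Run it as `check_apache_cert /opt/certs` and continue with the installation only when it prints ok.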

Installing the certificates

Copy the files and update the trust lists:

$ sudo cp /opt/certs/cachain.pem /etc/pki/ca-trust/source/anchors
$ sudo update-ca-trust
$ sudo rm /etc/pki/ovirt-engine/apache-ca.pem
$ sudo cp /opt/certs/cachain.pem /etc/pki/ovirt-engine/apache-ca.pem
$ sudo cp /opt/certs/ovirt.key /etc/pki/ovirt-engine/keys/apache.key.nopass
$ sudo cp /opt/certs/ovirt.crt /etc/pki/ovirt-engine/certs/apache.cer
$ sudo systemctl restart httpd.service

Add/update the configuration files:

$ sudo vim /etc/ovirt-engine/engine.conf.d/99-custom-truststore.conf
ENGINE_HTTPS_PKI_TRUST_STORE="/etc/pki/java/cacerts"
ENGINE_HTTPS_PKI_TRUST_STORE_PASSWORD=""
$ sudo vim /etc/ovirt-engine/ovirt-websocket-proxy.conf.d/10-setup.conf
SSL_CERTIFICATE=/etc/pki/ovirt-engine/certs/apache.cer
SSL_KEY=/etc/pki/ovirt-engine/keys/apache.key.nopass
$ sudo vim /etc/ovirt-imageio-proxy/ovirt-imageio-proxy.conf
# Key file for SSL connections
ssl_key_file = /etc/pki/ovirt-engine/keys/apache.key.nopass
# Certificate file for SSL connections
ssl_cert_file = /etc/pki/ovirt-engine/certs/apache.cer

Next, restart all affected services:

$ sudo systemctl restart ovirt-provider-ovn.service
$ sudo systemctl restart ovirt-imageio-proxy
$ sudo systemctl restart ovirt-websocket-proxy
$ sudo systemctl restart ovirt-engine.service

Done! It's time to connect to the manager and check that the connection is protected by a signed SSL certificate.

Archiving

Where would we be without it? In this section we will talk about archiving the manager; VM archiving is a separate topic. We will make archive copies once a day and store them over NFS, for example on the same system where we placed the ISO images - mynfs1.example.com:/exports/ovirt-backup. It is not recommended to store archives on the same machine where the Engine runs.

Install and enable autofs:

$ sudo yum install autofs
$ sudo systemctl enable autofs
$ sudo systemctl start autofs

Let's create a script:

$ sudo vim /etc/cron.daily/make.oVirt.backup.sh

with the following content:

#!/bin/bash

# Timestamp used in the archive file names
datetime=`date +"%F.%R"`
backupdir="/net/mynfs01.example.com/exports/ovirt-backup"
filename="$backupdir/`hostname --short`.$datetime"
engine-backup --mode=backup --scope=all --file="$filename.data" --log="$filename.log"
# uncomment the next line to automatically delete files older than 30 days
#find "$backupdir" -type f -mtime +30 -exec rm -f {} \;

Make the file executable:

$ sudo chmod a+x /etc/cron.daily/make.oVirt.backup.sh

Now every night we get an archive of the manager's settings.

Host management interface

Cockpit is a modern administration interface for Linux systems. In this case, it plays a role similar to the ESXi web interface.

Fig. 3 - the appearance of the panel.

Installation is very simple; you need the cockpit packages and the cockpit-ovirt-dashboard plugin:

$ sudo yum install cockpit cockpit-ovirt-dashboard -y

Enabling Cockpit:

$ sudo systemctl enable --now cockpit.socket

Configuring the firewall:

sudo firewall-cmd --add-service=cockpit
sudo firewall-cmd --add-service=cockpit --permanent

Now you can connect to the host: https://[Host IP or FQDN]:9090

VLANs

You should read more about networks in the documentation. There are many possibilities; here we describe connecting virtual networks.

To connect other subnets, they must first be described in the configuration: Network -> Networks -> New; here only the name is a required field. The VM Network checkbox, which allows machines to use this network, is enabled, while to connect a tag you need to enable Enable VLAN tagging, enter the VLAN number and click OK.

Now you need to go to Compute -> Hosts -> kvmNN -> Network Interfaces -> Setup Host Networks. Drag the added network from the right side, Unassigned Logical Networks, to the left side, Assigned Logical Networks:

Fig. 4 - before adding the network.

Fig. 5 - after adding the network.

To connect several networks to a host in bulk, it is convenient to assign them labels when creating the networks, and add networks by label.

After a network is created, the hosts go into the Non Operational state until the network is added to all nodes of the cluster. This behavior is caused by the Require All flag on the Cluster tab when creating a new network. If the network is not needed on all nodes of the cluster, this flag can be turned off; then, when the network is added to a host, it will be on the right in the Non Required section and you can choose whether to connect it to a particular host.

Fig. 6 - choosing the network requirement attribute.

HPE specifics

Almost all manufacturers have tools that improve the usability of their products. Using HPE as an example, AMS (Agentless Management Service, amsd for iLO5, hp-ams for iLO4) and SSA (Smart Storage Administrator, for working with the disk controller), etc., are useful.

Connecting the HPE repository
We import the key and connect the HPE repositories:

$ sudo rpm --import https://downloads.linux.hpe.com/SDR/hpePublicKey2048_key1.pub
$ sudo vim /etc/yum.repos.d/mcp.repo

with the following content:

[mcp]
name=Management Component Pack
baseurl=http://downloads.linux.hpe.com/repo/mcp/centos/$releasever/$basearch/current/
enabled=1
gpgkey=file:///etc/pki/rpm-gpg/GPG-KEY-mcp

[spp]
name=Service Pack for ProLiant
baseurl=http://downloads.linux.hpe.com/SDR/repo/spp/RHEL/$releasever/$basearch/current/
enabled=1
gpgkey=file:///etc/pki/rpm-gpg/GPG-KEY-mcp
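
A small audit of such a .repo file for the settings that decide whether packages are authenticated, as an added example that is not part of the original article. The function names, the [mcp-strict] section, its https baseurl and its gpgcheck line are assumptions made for comparison; on a host, run `audit_repo < /etc/yum.repos.d/mcp.repo`.

```shell
#!/bin/bash
# Constructed sample: the [mcp] section as given above, plus a stricter
# variant with an explicit gpgcheck and an https baseurl (assumed).
sample_repo() {
cat <<'EOF'
[mcp]
name=Management Component Pack
baseurl=http://downloads.linux.hpe.com/repo/mcp/centos/$releasever/$basearch/current/
enabled=1
gpgkey=file:///etc/pki/rpm-gpg/GPG-KEY-mcp

[mcp-strict]
name=Management Component Pack
baseurl=https://downloads.linux.hpe.com/repo/mcp/centos/$releasever/$basearch/current/
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/GPG-KEY-mcp
EOF
}

# Reads a .repo file on stdin; prints "<section>: <finding>" per issue
# for every section that is not disabled.
audit_repo() {
    awk -F= '
        function report() {
            if (sec == "" || enabled == "0") return
            if (url ~ /^http:/)  print sec ": baseurl is plain http"
            if (gpgcheck != "1") print sec ": gpgcheck not set here, inherits [main] from /etc/yum.conf"
            if (key == "")       print sec ": no gpgkey configured"
        }
        # New section header: report the previous one and reset its state
        /^\[.*\]/ { report(); sec = substr($0, 2, index($0, "]") - 2)
                    url = key = gpgcheck = enabled = ""; next }
        /=/ { k = $1; v = substr($0, index($0, "=") + 1)
              gsub(/[ \t]/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
              if (k == "baseurl") url = v
              else if (k == "gpgcheck") gpgcheck = v
              else if (k == "gpgkey") key = v
              else if (k == "enabled") enabled = v }
        END { report() }
    '
}
```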

View the repository contents and package information (for reference):

$ sudo yum --disablerepo="*" --enablerepo="mcp" list available
$ yum info amsd

Installation and startup:

$ sudo yum install amsd ssacli
$ sudo systemctl start amsd

[Image: example of the utility for working with the disk controller]

That's all for now. In the following articles I plan to talk about some basic operations and applications. For example, how to build VDI in oVirt.

Source: www.habr.com