In this article we will look at several optional but useful settings:
- ;
- ;
- ;
- ;
- ;
- ;
- ;
- ;
- .
This article is a continuation; for the beginning, see oVirt in 2 hours and .
Articles
- Additional settings - You are here
Additional manager settings
For convenience, we will install some additional packages:
$ sudo yum install bash-completion vim
To enable command completion, bash-completion requires switching to bash.
Adding additional DNS names
This is needed when you have to connect to the manager by an alternative name (a CNAME, an alias, or just a short name without the domain suffix). For security reasons, the manager accepts connections only under names on its list of allowed names.
Create a configuration file:
$ sudo vim /etc/ovirt-engine/engine.conf.d/99-custom-sso-setup.conf
with the following content:
SSO_ALTERNATE_ENGINE_FQDNS="ovirt.example.com some.alias.example.com ovirt"
and restart the manager:
$ sudo systemctl restart ovirt-engine
Configuring authentication via AD
oVirt has a built-in user database, but external LDAP providers are also supported, including AD.
The simplest way to get a typical configuration is to run the wizard and restart the manager:
$ sudo yum install ovirt-engine-extension-aaa-ldap-setup
$ sudo ovirt-engine-extension-aaa-ldap-setup
$ sudo systemctl restart ovirt-engine
Example of the wizard at work
$ sudo ovirt-engine-extension-aaa-ldap-setup
Available LDAP implementations:
...
3 - Active Directory
...
Please select: 3
Please enter Active Directory Forest name: example.com
Please select protocol to use (startTLS, ldaps, plain) [startTLS]:
Please select method to obtain PEM encoded CA certificate (File, URL, Inline, System, Insecure): URL
URL:
Enter search user DN (for example uid=username,dc=example,dc=com or leave empty for anonymous): CN=oVirt-Engine,CN=Users,DC=example,DC=com
Enter search user password: *password*
[INFO] Attempting to bind using 'CN=oVirt-Engine,CN=Users,DC=example,DC=com'
Are you going to use Single Sign-On for Virtual Machines (Yes, No) [Yes]:
Please specify profile name that will be visible to users [example.com]:
Please provide credentials to test login flow:
Enter user name: any user
Enter user password:
...
[INFO] Login sequence executed successfully
...
Select test sequence to execute [Done]:
[INFO] Stage: Transaction setup
...
CONFIGURATION SUMMARY
...
Using the wizard is suitable for most cases. For complex configurations, the settings are made by hand. More details are in the oVirt documentation. After the Engine has been successfully connected to AD, an additional profile appears in the login window, and on the Permissions tab of system objects it becomes possible to grant permissions to AD users and groups. Note that the external directory of users and groups can be not only AD, but also IPA, eDirectory, etc.
Multipathing
In a production environment, the storage system must be connected to the host over several independent I/O paths. As a rule, in CentOS (and therefore in oVirt) there are no problems with assembling multiple paths to a device (find_multipaths yes). Additional settings for FCoE are described in . It is worth paying attention to the recommendation of the storage vendor: many recommend the round-robin policy, whereas Enterprise Linux 7 uses service-time by default.
Taking 3PAR and the document as an example, EL is created as a Host with Generic-ALUA Persona 2, for which the following values are entered in the /etc/multipath.conf settings:
defaults {
    polling_interval 10
    user_friendly_names no
    find_multipaths yes
}
devices {
    device {
        vendor "3PARdata"
        product "VV"
        path_grouping_policy group_by_prio
        path_selector "round-robin 0"
        path_checker tur
        features "0"
        hardware_handler "1 alua"
        prio alua
        failback immediate
        rr_weight uniform
        no_path_retry 18
        rr_min_io_rq 1
        detect_prio yes
        fast_io_fail_tmo 10
        dev_loss_tmo "infinity"
    }
}
After that, the restart command is given:
systemctl restart multipathd
Fig. 1 - multipath I/O policy.

Fig. 2 - multipath I/O policy after the settings are applied.
Power management setup
This lets you perform, for example, a hardware reset of a machine if the Engine cannot get a response from the host for a long time. It is implemented through a Fence Agent.
Compute -> Hosts -> HOST - Edit -> Power Management, then turn on "Enable Power Management" and add an agent - "Add Fence Agent" -> +.
We specify the type (for example, for iLO5 you need to specify ilo4), the name/address of the IPMI interface, and the user name/password. It is recommended to create a separate user (for example, oVirt-PM) and, in the case of iLO, to grant it these privileges:
- Login
- Remote Console
- Virtual Power and Reset
- Virtual Media
- Configure iLO Settings
- Administer User Accounts
Don't ask why it is so; it was found empirically. The console fencing agent requires a smaller set of rights.
When setting up access control lists, keep in mind that the agent runs not on the Engine but on a "neighbouring" host (the so-called Power Management Proxy), i.e. if there is only one node in the cluster, power management will not work.
SSL setup
The complete official instructions are in , Appendix D: oVirt and SSL - Replacing the oVirt Engine SSL/TLS Certificate.
The certificate can come either from a corporate CA or from an external commercial certificate authority.
Important note: the certificate is intended for connections to the manager and does not affect communication between the Engine and the nodes - they will use self-signed certificates issued by the Engine.
Requirements:
- the certificate of the issuing CA in PEM format, with the whole chain up to the root CA (from the subordinate issuing CA at the beginning to the root at the end);
- the certificate for Apache issued by the issuing CA (also supplemented with the whole chain of CA certificates);
- the private key for Apache, without a password.
Let's assume that our issuing CA runs on CentOS, is called subca.example.com, and the requests, keys and certificates are located in the /etc/pki/tls/ directory.
We make backup copies and create a temporary directory:
$ sudo cp /etc/pki/ovirt-engine/keys/apache.key.nopass /etc/pki/ovirt-engine/keys/apache.key.nopass.`date +%F`
$ sudo cp /etc/pki/ovirt-engine/certs/apache.cer /etc/pki/ovirt-engine/certs/apache.cer.`date +%F`
$ sudo mkdir /opt/certs
$ sudo chown mgmt.mgmt /opt/certs
Download the certificates, either from your workstation or by transferring them in another convenient way:
[myuser@mydesktop] $ scp -3 causer@subca.example.com:/etc/pki/tls/cachain.pem mgmt@ovirt.example.com:/opt/certs
[myuser@mydesktop] $ scp -3 causer@subca.example.com:/etc/pki/tls/private/ovirt.key mgmt@ovirt.example.com:/opt/certs
[myuser@mydesktop] $ scp -3 causer@subca.example.com:/etc/pki/tls/certs/ovirt.crt mgmt@ovirt.example.com:/opt/certs
As a result, you should see all 3 files:
$ ls /opt/certs
cachain.pem ovirt.crt ovirt.key
Installing the certificates
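Before the files are copied into place, the bundle can be checked against the requirements listed above: an unencrypted key, a certificate that belongs to that key, and a chain that verifies. The script below is an added example, not part of the original article; the function names check_bundle and pub_hash, the 30-day expiry margin and the key-mode check are assumptions of this example.

```bash
#!/bin/bash
# Added example, not from the article: pre-install checks for the three files in /opt/certs.

# SHA-256 over the DER form of a PEM public key read from stdin.
pub_hash() {
    openssl pkey -pubin -outform DER 2>/dev/null | openssl dgst -sha256 -r | cut -d' ' -f1
}

# check_bundle CHAIN CERT KEY
# Prints one line per failed check and returns the number of failed checks (0 = all passed).
check_bundle() {
    local chain=$1 cert=$2 key=$3 fails=0 mode

    if ! openssl pkey -in "$key" -passin pass: -noout 2>/dev/null; then
        # Apache is given apache.key.nopass, so the key must load without a passphrase.
        echo "FAIL: $key is passphrase-protected or not a private key"; fails=$((fails + 1))
    elif [ "$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null | pub_hash)" != \
           "$(openssl pkey -in "$key" -passin pass: -pubout 2>/dev/null | pub_hash)" ]; then
        # A certificate issued for a different key makes httpd refuse to start.
        echo "FAIL: $cert does not belong to $key"; fails=$((fails + 1))
    fi

    # The server certificate has to verify against the CA chain that becomes apache-ca.pem.
    if ! openssl verify -CAfile "$chain" "$cert" >/dev/null 2>&1; then
        echo "FAIL: $cert does not verify against $chain"; fails=$((fails + 1))
    fi

    # -checkend exits non-zero when the certificate expires within the given number of seconds.
    if ! openssl x509 -in "$cert" -noout -checkend $((30 * 86400)) >/dev/null 2>&1; then
        echo "FAIL: $cert is expired or expires within 30 days"; fails=$((fails + 1))
    fi

    # An unencrypted key must not be readable by group or others.
    mode=$(stat -c '%a' "$key" 2>/dev/null || echo missing)
    case $mode in
        *00) ;;
        *) echo "FAIL: $key has mode $mode, expected 600 or 400"; fails=$((fails + 1)) ;;
    esac

    return "$fails"
}

# Run against real files only when three paths are given on the command line.
if [ "$#" -eq 3 ]; then check_bundle "$@"; fi
```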
Copy the files and update the trust lists:
$ sudo cp /opt/certs/cachain.pem /etc/pki/ca-trust/source/anchors
$ sudo update-ca-trust
$ sudo rm /etc/pki/ovirt-engine/apache-ca.pem
$ sudo cp /opt/certs/cachain.pem /etc/pki/ovirt-engine/apache-ca.pem
$ sudo cp /opt/certs/ovirt.key /etc/pki/ovirt-engine/keys/apache.key.nopass
$ sudo cp /opt/certs/ovirt.crt /etc/pki/ovirt-engine/certs/apache.cer
$ sudo systemctl restart httpd.service
Add/update the configuration files:
$ sudo vim /etc/ovirt-engine/engine.conf.d/99-custom-truststore.conf
ENGINE_HTTPS_PKI_TRUST_STORE="/etc/pki/java/cacerts"
ENGINE_HTTPS_PKI_TRUST_STORE_PASSWORD=""
$ sudo vim /etc/ovirt-engine/ovirt-websocket-proxy.conf.d/10-setup.conf
SSL_CERTIFICATE=/etc/pki/ovirt-engine/certs/apache.cer
SSL_KEY=/etc/pki/ovirt-engine/keys/apache.key.nopass
$ sudo vim /etc/ovirt-imageio-proxy/ovirt-imageio-proxy.conf
# Key file for SSL connections
ssl_key_file = /etc/pki/ovirt-engine/keys/apache.key.nopass
# Certificate file for SSL connections
ssl_cert_file = /etc/pki/ovirt-engine/certs/apache.cer
Next, restart all affected services:
$ sudo systemctl restart ovirt-provider-ovn.service
$ sudo systemctl restart ovirt-imageio-proxy
$ sudo systemctl restart ovirt-websocket-proxy
$ sudo systemctl restart ovirt-engine.service
Done! It is time to connect to the manager and check that the connection is protected by a signed SSL certificate.
Backup
Where would we be without it? In this section we will talk about backing up the manager; backing up VMs is a separate topic. We will make backup copies once a day and store them on NFS, for example on the same system where we placed the ISO images - mynfs1.example.com:/exports/ovirt-backup. Storing backups on the same machine where the Engine runs is not recommended.
Install and enable autofs:
$ sudo yum install autofs
$ sudo systemctl enable autofs
$ sudo systemctl start autofs
Let's create a script:
$ sudo vim /etc/cron.daily/make.oVirt.backup.sh
with the following content:
#!/bin/bash
# The timestamp is taken once so that the archive and its log share one name
datetime=$(date +"%F.%R")
backupdir="/net/mynfs01.example.com/exports/ovirt-backup"
filename="$backupdir/$(hostname --short).$datetime"
engine-backup --mode=backup --scope=all --file="$filename.data" --log="$filename.log"
# uncomment the next line to automatically delete files older than 30 days
#find "$backupdir" -type f -mtime +30 -exec rm -f {} \;
Make the file executable:
$ sudo chmod a+x /etc/cron.daily/make.oVirt.backup.sh
Now every night we will get an archive of the manager's settings.
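A cron job that fails quietly (share not mounted, disk full) leaves no archive behind, so the result is worth checking from a separate job. The function below is an added example, not part of the original article; the name check_backup, its exit codes and the permission check are assumptions of this example, and it relies only on the HOST.DATE.TIME.data naming used by the script above.

```bash
#!/bin/bash
# Added example, not from the article: verify that the nightly engine backup really landed on the share.

# check_backup DIR HOST MAX_AGE_HOURS
#   0 = newest archive is fresh, non-empty and not world-readable
#   1 = newest archive is older than MAX_AGE_HOURS
#   2 = no archive, empty archive, or archive readable by "other"
check_backup() {
    local dir=$1 host=$2 max_hours=$3 newest mode

    # The cron script writes HOST.YYYY-MM-DD.HH:MM.data; pick the newest archive by mtime.
    newest=$(find "$dir" -maxdepth 1 -type f -name "$host.*.data" -printf '%T@ %p\n' 2>/dev/null \
             | sort -rn | head -n 1 | cut -d' ' -f2-)
    if [ -z "$newest" ]; then
        echo "CRIT: no backup of $host in $dir"; return 2
    fi
    if [ ! -s "$newest" ]; then
        echo "CRIT: $newest is empty"; return 2
    fi

    # --scope=all puts the engine database and PKI material into the archive,
    # so it should not be readable by every account that can reach the share.
    mode=$(stat -c '%a' "$newest")
    case $mode in
        *[4567]) echo "CRIT: $newest is world-readable (mode $mode)"; return 2 ;;
    esac

    # find prints the file only when its mtime is older than the limit.
    if [ -n "$(find "$newest" -mmin "+$((max_hours * 60))")" ]; then
        echo "WARN: newest backup $newest is older than ${max_hours}h"; return 1
    fi
    echo "OK: $newest"
}

# Run against a real directory only when three arguments are given on the command line.
if [ "$#" -eq 3 ]; then check_backup "$@"; fi
```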
Host management interface
Cockpit is a modern administrative interface for Linux systems. In this case, it plays a role similar to the ESXi web interface.

Fig. 3 - appearance of the panel.
Installation is very simple; you need the cockpit packages and the cockpit-ovirt-dashboard plugin:
$ sudo yum install cockpit cockpit-ovirt-dashboard -y
Enabling Cockpit:
$ sudo systemctl enable --now cockpit.socket
Firewall setup:
sudo firewall-cmd --add-service=cockpit
sudo firewall-cmd --add-service=cockpit --permanent
Now you can connect to the host: https://[Host IP or FQDN]:9090
VLANs
You should read more about networks in . There are many possibilities; here we will describe connecting virtual networks.
To connect other subnets, they must first be described in the configuration: Network -> Networks -> New. Only the name is required here; the VM Network checkbox, which allows machines to use this network, is already set, but to attach a tag you have to turn on Enable VLAN tagging, enter the VLAN number and click OK.
Now go to Compute -> Hosts -> kvmNN -> Network Interfaces -> Setup Host Networks. Drag the added network from Unassigned Logical Networks on the right to Assigned Logical Networks on the left:

Fig. 4 - before adding the network.

Fig. 5 - after adding the network.
To attach several networks to a host in bulk, it is convenient to assign label(s) to them when the networks are created, and to add networks by label.
After a network is created, the hosts go into the Non Operational state until the network is added to all nodes of the cluster. This behaviour is caused by the Require All flag on the Cluster tab when a new network is created. If the network is not needed on all nodes of the cluster, this flag can be turned off; then, when the network is added to a host, it will be on the right in the Non Required section and you can choose whether to attach it to a particular host.

Fig. 6 - choosing the network requirement attribute.
HPE specifics
Almost all manufacturers have tools that make their products easier to use. Taking HPE as an example, these are AMS (Agentless Management Service, amsd for iLO5, hp-ams for iLO4) and SSA (Smart Storage Administrator, for working with the disk controller), etc.
Connecting the HPE repository
We import the key and connect the HPE repositories:
$ sudo rpm --import https://downloads.linux.hpe.com/SDR/hpePublicKey2048_key1.pub
$ sudo vim /etc/yum.repos.d/mcp.repo
with the following content:
[mcp]
name=Management Component Pack
baseurl=http://downloads.linux.hpe.com/repo/mcp/centos/$releasever/$basearch/current/
enabled=1
gpgkey=file:///etc/pki/rpm-gpg/GPG-KEY-mcp
[spp]
name=Service Pack for ProLiant
baseurl=http://downloads.linux.hpe.com/SDR/repo/spp/RHEL/$releasever/$basearch/current/
enabled=1
gpgkey=file:///etc/pki/rpm-gpg/GPG-KEY-mcp
View the repository contents and the package information (for reference):
$ sudo yum --disablerepo="*" --enablerepo="mcp" list available
$ yum info amsd
Installation and start:
$ sudo yum install amsd ssacli
$ sudo systemctl start amsd
Example of the utility for working with the disk controller

That is all for now. In the following articles I plan to cover some basic operations and applications. For example, how to build VDI in oVirt.
Source: www.habr.com
