oVirt in 2 hours. Part 3. Additional settings

In this article we will look at a number of optional but useful settings:

This article is a continuation; for the beginning of oVirt in 2 hours, see Part 1 and Part 2.

Articles

  1. Introduction
  2. Installing the manager (ovirt-engine) and the hypervisors (hosts)
  3. Additional settings - we are here

Additional manager settings

For convenience, we will install some additional packages:

$ sudo yum install bash-completion vim

To enable command completion, bash-completion requires switching to bash.

Adding additional DNS names

This is needed when you want to connect to the manager under an alternative name (a CNAME, an alias, or just a short name without the domain suffix). For security reasons, the manager accepts connections only under names that are on its list of allowed names.

Create a configuration file:

$ sudo vim /etc/ovirt-engine/engine.conf.d/99-custom-sso-setup.conf

with the following contents:

SSO_ALTERNATE_ENGINE_FQDNS="ovirt.example.com some.alias.example.com ovirt"

and restart the manager:

$ sudo systemctl restart ovirt-engine

Configuring authentication via AD

oVirt has a built-in user database, but external LDAP providers are also supported, including AD.

The simplest way to get a typical configuration is to run the wizard and restart the manager:

$ sudo yum install ovirt-engine-extension-aaa-ldap-setup
$ sudo ovirt-engine-extension-aaa-ldap-setup
$ sudo systemctl restart ovirt-engine

Example of the wizard at work
$ sudo ovirt-engine-extension-aaa-ldap-setup
Available LDAP implementations:
...
3 - Active Directory
...
Please select: 3
Please enter Active Directory Forest name: example.com

Please select protocol to use (startTLS, ldaps, plain) [startTLS]:
Please select method to obtain PEM encoded CA certificate (File, URL, Inline, System, Insecure): URL
URL: wwwca.example.com/myRootCA.pem
Enter search user DN (for example uid=username,dc=example,dc=com or leave empty for anonymous): CN=oVirt-Engine,CN=Users,DC=example,DC=com
Enter search user password: *password*
[INFO] Attempting to bind using 'CN=oVirt-Engine,CN=Users,DC=example,DC=com'
Are you going to use Single Sign-On for Virtual Machines (Yes, No) [Yes]:
Please specify profile name that will be visible to users [example.com]:
Please provide credentials to test login flow:
Enter user name: AnyUser
Enter user password:
...
[INFO] Login sequence executed successfully
...
Select test sequence to execute [Done]:
[INFO] Stage: Transaction setup
...
CONFIGURATION SUMMARY
...

Using the wizard is suitable for most cases. For complex configurations, the settings are made by hand. More details are in the oVirt documentation, Users and Roles. Of the protocol choices the wizard offers, keep startTLS or ldaps rather than plain, and avoid the Insecure certificate option, so that the search user's password and users' credentials do not cross the network unprotected. After the Engine has been successfully connected to AD, an additional profile appears in the login window, and on the Permissions tab of system objects it becomes possible to grant permissions to AD users and groups. Note that the external directory of users and groups can be not only AD, but also IPA, eDirectory, etc.

Multipathing

In a production environment, the storage system must be connected to the host over multiple independent I/O paths. As a rule, CentOS (and therefore oVirt) has no trouble assembling multiple paths to a device (find_multipaths yes). Additional settings for FCoE are described in Part 2. Pay attention to the storage vendor's recommendation: many recommend the round-robin policy, whereas Enterprise Linux 7 uses service-time by default.

Using 3PAR as an example
According to the document HPE 3PAR Red Hat Enterprise Linux, CentOS Linux, Oracle Linux, and OracleVM Server Implementation Guide, EL is created as a host with Generic-ALUA Persona 2, for which the following values are entered in /etc/multipath.conf:

defaults {
    polling_interval      10
    user_friendly_names   no
    find_multipaths       yes
}
devices {
    device {
        vendor                   "3PARdata"
        product                  "VV"
        path_grouping_policy     group_by_prio
        path_selector            "round-robin 0"
        path_checker             tur
        features                 "0"
        hardware_handler         "1 alua"
        prio                     alua
        failback                 immediate
        rr_weight                uniform
        no_path_retry            18
        rr_min_io_rq             1
        detect_prio              yes
        fast_io_fail_tmo         10
        dev_loss_tmo             "infinity"
    }
}

After that, the restart command is issued:

systemctl restart multipathd

Fig. 1 - default multipath I/O policy.

Fig. 2 - multipath I/O policy after applying the settings.

Configuring power management

This allows, for example, a hardware reset of a machine if the Engine has not received a response from the Host for a long time. It is implemented through a Fence Agent.

Compute -> Hosts -> HOST - Edit -> Power Management, then turn on "Enable Power Management" and add an agent: "Add Fence Agent" -> +.

We specify the type (for example, for iLO5 you need to specify ilo4), the name/address of the IPMI interface, and the user name/password. It is recommended to create a separate user (for example, oVirt-PM) and, in the case of iLO, give it the following privileges:

  • Login
  • Remote Console
  • Virtual Power and Reset
  • Virtual Media
  • Configure iLO Settings
  • Administer User Accounts

Don't ask why this is so; it was worked out empirically. The console fence agent requires fewer rights.

When configuring access control lists, keep in mind that the agent runs not on the Engine but on a "neighbouring" host (the so-called Power Management Proxy), i.e. if there is only one node in the cluster, power management will not work.

Configuring SSL

The full official instructions are in the documentation, Appendix D: oVirt and SSL - Replacing the oVirt Engine SSL/TLS Certificate.

The certificate can come from a corporate CA or from an external commercial certificate authority.

Important note: the certificate is intended for connecting to the manager and does not affect communication between the Engine and the nodes - they will use self-signed certificates issued by the Engine.

Requirements:

  • the certificate of the issuing CA in PEM format, with the whole chain up to the root CA (from the subordinate issuing CA at the beginning to the root at the end);
  • the certificate for Apache issued by the issuing CA (also supplemented with the whole chain of CA certificates);
  • the private key for Apache, without a password.

Suppose our issuing CA runs CentOS, is called subca.example.com, and the requests, keys, and certificates are located in the /etc/pki/tls/ directory.

We make backups and create a temporary directory:

$ sudo cp /etc/pki/ovirt-engine/keys/apache.key.nopass /etc/pki/ovirt-engine/keys/apache.key.nopass.`date +%F`
$ sudo cp /etc/pki/ovirt-engine/certs/apache.cer /etc/pki/ovirt-engine/certs/apache.cer.`date +%F`
$ sudo mkdir /opt/certs
$ sudo chown mgmt:mgmt /opt/certs

Download the certificates, either from your workstation or by transferring them in some other convenient way (<user> and <engine-fqdn> stand for your account on the CA and the manager's host name):

[myuser@mydesktop] $ scp -3 <user>@subca.example.com:/etc/pki/tls/cachain.pem mgmt@<engine-fqdn>:/opt/certs
[myuser@mydesktop] $ scp -3 <user>@subca.example.com:/etc/pki/tls/private/ovirt.key mgmt@<engine-fqdn>:/opt/certs
[myuser@mydesktop] $ scp -3 <user>@subca.example.com:/etc/pki/tls/certs/ovirt.crt mgmt@<engine-fqdn>:/opt/certs

As a result, you should see all 3 files:

$ ls /opt/certs
cachain.pem  ovirt.crt  ovirt.key
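
Before installing the staged files, they can be checked against the requirements listed above (unencrypted key, certificate matching the key, chain verifying against cachain.pem) and against every name users will connect with, including those in SSO_ALTERNATE_ENGINE_FQDNS. This is an added example, not part of the original article: the function names are illustrative, only standard openssl subcommands are used, and make_sample builds throwaway constructed test material.

```shell
#!/bin/bash
# Added example: pre-flight checks for the files staged in /opt/certs (function names are illustrative).
# True only if the key file is readable and not passphrase-protected.
key_is_unencrypted() {
    [ -r "$1" ] && ! grep -Eq 'BEGIN ENCRYPTED PRIVATE KEY|Proc-Type: 4,ENCRYPTED' "$1"
}

# True only if the certificate and the private key carry the same public key.
cert_matches_key() {
    local c k
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    k=$(openssl pkey -in "$2" -pubout -passin pass: 2>/dev/null) || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# True only if the server certificate chains to a CA in the bundle and is within its validity period.
chain_verifies() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# True only if the certificate is valid for the host name (SAN, or CN when there is no SAN).
cert_covers_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null | grep -q 'does match'
}

# Run all checks on DIR for every name given; prints "ok" on success.
preflight() {   # usage: preflight DIR FQDN...
    local d=$1 name
    shift
    key_is_unencrypted "$d/ovirt.key" || { echo "ovirt.key is encrypted or unreadable"; return 1; }
    cert_matches_key "$d/ovirt.crt" "$d/ovirt.key" || { echo "certificate and key do not match"; return 1; }
    chain_verifies "$d/cachain.pem" "$d/ovirt.crt" || { echo "chain does not verify"; return 1; }
    for name in "$@"; do
        cert_covers_host "$d/ovirt.crt" "$name" || { echo "certificate does not cover $name"; return 1; }
    done
    echo "ok"
}

# Constructed sample material (throwaway CA and server certificate) for an offline trial run.
make_sample() {   # usage: make_sample DIR FQDN
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Sample CA" \
        -keyout "$1/ca.key" -out "$1/cachain.pem" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$1/ovirt.key" -out "$1/ovirt.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/ovirt.csr" -CA "$1/cachain.pem" -CAkey "$1/ca.key" \
        -CAcreateserial -days 1 -out "$1/ovirt.crt" 2>/dev/null
}
if [ "$#" -ge 2 ]; then preflight "$@"; fi
```

Saved as a script, it is run as `bash preflight.sh /opt/certs <engine-fqdn> <alias>...`; any output other than "ok" names the failed requirement.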

Installing the certificates

Copy the files and update the trust lists:

$ sudo cp /opt/certs/cachain.pem /etc/pki/ca-trust/source/anchors
$ sudo update-ca-trust
$ sudo rm /etc/pki/ovirt-engine/apache-ca.pem
$ sudo cp /opt/certs/cachain.pem /etc/pki/ovirt-engine/apache-ca.pem
$ sudo cp /opt/certs/ovirt.key /etc/pki/ovirt-engine/keys/apache.key.nopass
$ sudo cp /opt/certs/ovirt.crt /etc/pki/ovirt-engine/certs/apache.cer
$ sudo systemctl restart httpd.service

Add/update the configuration files:

$ sudo vim /etc/ovirt-engine/engine.conf.d/99-custom-truststore.conf
ENGINE_HTTPS_PKI_TRUST_STORE="/etc/pki/java/cacerts"
ENGINE_HTTPS_PKI_TRUST_STORE_PASSWORD=""
$ sudo vim /etc/ovirt-engine/ovirt-websocket-proxy.conf.d/10-setup.conf
SSL_CERTIFICATE=/etc/pki/ovirt-engine/certs/apache.cer
SSL_KEY=/etc/pki/ovirt-engine/keys/apache.key.nopass
$ sudo vim /etc/ovirt-imageio-proxy/ovirt-imageio-proxy.conf
# Key file for SSL connections
ssl_key_file = /etc/pki/ovirt-engine/keys/apache.key.nopass
# Certificate file for SSL connections
ssl_cert_file = /etc/pki/ovirt-engine/certs/apache.cer

Next, restart all affected services:

$ sudo systemctl restart ovirt-provider-ovn.service
$ sudo systemctl restart ovirt-imageio-proxy
$ sudo systemctl restart ovirt-websocket-proxy
$ sudo systemctl restart ovirt-engine.service

Done! It's time to connect to the manager and check that the connection is protected by a signed SSL certificate.

Backup

Where would we be without it? In this section we will talk about backing up the manager; VM backup is a separate topic. We will make backup copies once a day and store them on NFS, for example on the same system where we placed the ISO images - mynfs1.example.com:/exports/ovirt-backup. Storing backups on the same machine the Engine runs on is not recommended.

Install and enable autofs:

$ sudo yum install autofs
$ sudo systemctl enable autofs
$ sudo systemctl start autofs

Let's create a script:

$ sudo vim /etc/cron.daily/make.oVirt.backup.sh

with the following contents:

#!/bin/bash

# Timestamp used in the backup and log file names
datetime=$(date +"%F.%R")
# NFS export reached through the autofs /net map
backupdir="/net/mynfs01.example.com/exports/ovirt-backup"
filename="$backupdir/$(hostname --short).$datetime"
engine-backup --mode=backup --scope=all --file="$filename.data" --log="$filename.log"
# uncomment the next line to automatically delete files older than 30 days
#find "$backupdir" -type f -mtime +30 -exec rm -f {} \;

Make the file executable:

$ sudo chmod a+x /etc/cron.daily/make.oVirt.backup.sh

Now every night we will get an archive of the manager's settings.

Host management interface

Cockpit is a modern administration interface for Linux systems. In this case it plays a role similar to the ESXi web interface.

Fig. 3 - appearance of the panel.

Installation is very simple; you need the cockpit packages and the cockpit-ovirt-dashboard plugin:

$ sudo yum install cockpit cockpit-ovirt-dashboard -y

Enabling Cockpit:

$ sudo systemctl enable --now cockpit.socket

Configuring the firewall:

$ sudo firewall-cmd --add-service=cockpit
$ sudo firewall-cmd --add-service=cockpit --permanent

Now you can connect to the host: https://[Host IP or FQDN]:9090

VLANs

You should read more about networks in the documentation. There are many possibilities; here we describe connecting virtual networks.

To connect other subnets, they must first be described in the configuration: Network -> Networks -> New. Only the name is a required field here; the VM Network checkbox, which allows machines to use this network, is already enabled, while to attach a tag you need to turn on Enable VLAN tagging, enter the VLAN number, and click OK.

Now go to Compute -> Hosts -> kvmNN -> Network Interfaces -> Setup Host Networks. Drag the added network from the right-hand side, Unassigned Logical Networks, to the left into Assigned Logical Networks:

Fig. 4 - before adding the network.

Fig. 5 - after adding the network.

To connect several networks to a host in bulk, it is convenient to assign label(s) to them when creating the networks, and then add the networks by label.

After a network is created, hosts go into the Non Operational state until the network has been added to all nodes of the cluster. This behaviour is caused by the Require All flag on the Cluster tab when creating a new network. If the network is not needed on all nodes of the cluster, this flag can be cleared; then, when the network is added to a host, it appears on the right in the Non Required section and you can choose whether to attach it to a particular host.

Fig. 6 - choosing the network requirement attribute.

HPE specifics

Almost all vendors have tools that make their products more convenient to use. Using HPE as an example, these are AMS (Agentless Management Service, amsd for iLO5, hp-ams for iLO4) and SSA (Smart Storage Administrator, which works with the disk controller), etc.

Connecting the HPE repository
We import the key and connect the HPE repositories:

$ sudo rpm --import https://downloads.linux.hpe.com/SDR/hpePublicKey2048_key1.pub
$ sudo vim /etc/yum.repos.d/mcp.repo

with the following contents:

[mcp]
name=Management Component Pack
baseurl=http://downloads.linux.hpe.com/repo/mcp/centos/$releasever/$basearch/current/
enabled=1
gpgkey=file:///etc/pki/rpm-gpg/GPG-KEY-mcp

[spp]
name=Service Pack for ProLiant
baseurl=http://downloads.linux.hpe.com/SDR/repo/spp/RHEL/$releasever/$basearch/current/
enabled=1
gpgkey=file:///etc/pki/rpm-gpg/GPG-KEY-mcp

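Both baseurl values use plain HTTP, so package integrity rests on RPM signature verification against the imported HPE key; make sure gpgcheck is enabled for these repositories.

View the repository contents and package information (for reference):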

$ sudo yum --disablerepo="*" --enablerepo="mcp" list available
$ yum info amsd

Installation and start:

$ sudo yum install amsd ssacli
$ sudo systemctl start amsd

Example of the utility for working with the disk controller

That's all for now. In the following articles I plan to cover some basic operations and applications. For example, how to set up VDI in oVirt.

Source: www.habr.com