In this article we will look at a number of optional but useful settings:
- using additional names for the manager;
- integrating authentication with Active Directory;
- multipathing;
- power management;
- replacing the SSL certificate;
- backup;
- the host management interface (cockpit);
- VLANs;
- HPE specifics.
This article is a continuation; for the beginning, see oVirt in 2 hours.
Articles
- Introduction
- Installation of the manager (ovirt-engine) and hypervisors (hosts)
- Additional settings (we are here)
Additional manager settings
For convenience, we will install additional packages:
$ sudo yum install bash-completion vim
To enable command completion, bash-completion requires switching to bash.
Adding additional DNS names
This is needed when you want to connect to the manager using an alternative name (a CNAME, an alias, or just a short name without the domain suffix). For security reasons, the manager accepts connections only under names that are on its list of allowed names.
Create a configuration file:
$ sudo vim /etc/ovirt-engine/engine.conf.d/99-custom-sso-setup.conf
with the following content:
SSO_ALTERNATE_ENGINE_FQDNS="ovirt.example.com some.alias.example.com ovirt"
and restart the manager:
$ sudo systemctl restart ovirt-engine
Setting up authentication through AD
oVirt has a built-in user base, but external LDAP providers are also supported, including AD.
The simplest way to get a typical configuration is to run the wizard and restart the manager:
$ sudo yum install ovirt-engine-extension-aaa-ldap-setup
$ sudo ovirt-engine-extension-aaa-ldap-setup
$ sudo systemctl restart ovirt-engine
Example of the wizard at work
$ sudo ovirt-engine-extension-aaa-ldap-setup
Available LDAP implementations:
...
3 - Active Directory
...
Please select: 3
Please enter Active Directory Forest name: example.com
Please select protocol to use (startTLS, ldaps, plain) [startTLS]:
Please select method to obtain PEM encoded CA certificate (File, URL, Inline, System, Insecure): URL
URL:
Enter search user DN (for example uid=username,dc=example,dc=com or leave empty for anonymous): CN=oVirt-Engine,CN=Users,DC=example,DC=com
Enter search user password: *password*
[ INFO  ] Attempting to bind using 'CN=oVirt-Engine,CN=Users,DC=example,DC=com'
Are you going to use Single Sign-On for Virtual Machines (Yes, No) [Yes]:
Please specify profile name that will be visible to users [example.com]:
Please provide credentials to test login flow:
Enter user name: someAnyUser
Enter user password:
...
[ INFO  ] Login sequence executed successfully
...
Select test sequence to execute (Done, Abort, Login, Search) [Done]:
[ INFO  ] Stage: Transaction setup
...
CONFIGURATION SUMMARY
...
The wizard is suitable for most cases. For complex configurations, the setup is done manually. More details are in the oVirt documentation,
Multipathing
In a production environment, the storage system must be connected to the host over several independent I/O paths. As a rule, on CentOS (and therefore on oVirt) there are no problems assembling multiple paths to a device (find_multipaths yes). Additional settings for FCoE are written in
Using 3PAR as an example
and the document
defaults {
    polling_interval 10
    user_friendly_names no
    find_multipaths yes
}
devices {
    device {
        vendor "3PARdata"
        product "VV"
        path_grouping_policy group_by_prio
        path_selector "round-robin 0"
        path_checker tur
        features "0"
        hardware_handler "1 alua"
        prio alua
        failback immediate
        rr_weight uniform
        no_path_retry 18
        rr_min_io_rq 1
        detect_prio yes
        fast_io_fail_tmo 10
        dev_loss_tmo "infinity"
    }
}
After that, the restart command is given:
systemctl restart multipathd
Fig. 1. The default multipath I/O policy.
Fig. 2. The multipath I/O policy after applying the settings.
Setting up power management
Power management makes it possible, for example, to perform a hardware reset of a machine if the Engine cannot get a response from the host for a long time. It is implemented through a fence agent.
Compute -> Hosts -> HOST - Edit -> Power Management, then enable "Enable Power Management" and add an agent: "Add Fence Agent" -> +.
We specify the type (for example, for iLO5 you need to specify ilo4), the name/address of the ipmi interface, and the user name/password. It is recommended to create a separate user (for example, oVirt-PM) and, in the case of iLO, give it the following privileges:
- Login
- Remote Console
- Virtual Power and Reset
- Virtual Media
- Configure iLO Settings
- Administer User Accounts
Don't ask why it is exactly this set; it was arrived at empirically. The console fencing agent requires fewer rights.
When setting up access control lists, keep in mind that the agent runs not on the engine but on a "neighboring" host (the so-called Power Management Proxy); that is, if there is only one node in the cluster, power management will not work.
Setting up SSL
The complete official instructions are in
The certificate can come either from our corporate CA or from an external commercial certificate authority.
Important note: the certificate is intended for connections to the manager and will not affect communication between the Engine and the hosts; they will use self-signed certificates issued by the Engine.
Requirements:
- the certificate of the issuing CA in PEM format, with the whole chain up to the root CA (from the subordinate issuing CA at the beginning to the root at the end);
- the certificate for Apache issued by the issuing CA (also supplemented with the whole chain of CA certificates);
- the private key for Apache, without a password.
Let's assume that our issuing CA runs CentOS and is named subca.example.com, and that the requests, keys, and certificates are located in the /etc/pki/tls/ directory.
We make backups and create a temporary directory:
$ sudo cp /etc/pki/ovirt-engine/keys/apache.key.nopass /etc/pki/ovirt-engine/keys/apache.key.nopass.`date +%F`
$ sudo cp /etc/pki/ovirt-engine/certs/apache.cer /etc/pki/ovirt-engine/certs/apache.cer.`date +%F`
$ sudo mkdir /opt/certs
$ sudo chown mgmt:mgmt /opt/certs
Copy the certificates, either from your workstation or by transferring them in another convenient way:
[myuser@mydesktop] $ scp -3 [email protected]:/etc/pki/tls/cachain.pem [email protected]:/opt/certs
[myuser@mydesktop] $ scp -3 [email protected]:/etc/pki/tls/private/ovirt.key [email protected]:/opt/certs
[myuser@mydesktop] $ scp -3 [email protected]:/etc/pki/tls/certs/ovirt.crt [email protected]:/opt/certs
As a result, you should see all 3 files:
$ ls /opt/certs
cachain.pem ovirt.crt ovirt.key
Installing the certificates
Copy the files and update the trust lists:
$ sudo cp /opt/certs/cachain.pem /etc/pki/ca-trust/source/anchors
$ sudo update-ca-trust
$ sudo rm /etc/pki/ovirt-engine/apache-ca.pem
$ sudo cp /opt/certs/cachain.pem /etc/pki/ovirt-engine/apache-ca.pem
$ sudo cp /opt/certs/ovirt.key /etc/pki/ovirt-engine/keys/apache.key.nopass
$ sudo cp /opt/certs/ovirt.crt /etc/pki/ovirt-engine/certs/apache.cer
$ sudo systemctl restart httpd.service
Add/update the configuration files:
$ sudo vim /etc/ovirt-engine/engine.conf.d/99-custom-truststore.conf
ENGINE_HTTPS_PKI_TRUST_STORE="/etc/pki/java/cacerts"
ENGINE_HTTPS_PKI_TRUST_STORE_PASSWORD=""
$ sudo vim /etc/ovirt-engine/ovirt-websocket-proxy.conf.d/10-setup.conf
SSL_CERTIFICATE=/etc/pki/ovirt-engine/certs/apache.cer
SSL_KEY=/etc/pki/ovirt-engine/keys/apache.key.nopass
$ sudo vim /etc/ovirt-imageio-proxy/ovirt-imageio-proxy.conf
# Key file for SSL connections
ssl_key_file = /etc/pki/ovirt-engine/keys/apache.key.nopass
# Certificate file for SSL connections
ssl_cert_file = /etc/pki/ovirt-engine/certs/apache.cer
Next, restart all affected services:
$ sudo systemctl restart ovirt-provider-ovn.service
$ sudo systemctl restart ovirt-imageio-proxy
$ sudo systemctl restart ovirt-websocket-proxy
$ sudo systemctl restart ovirt-engine.service
Done! It's time to connect to the manager and check that the connection is protected by a signed SSL certificate.
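The three requirements listed for the certificate files (bundle ordered from issuing CA to root, a server certificate that verifies against it, an unencrypted matching key) can be checked on the files staged in /opt/certs before they replace the engine's own. The script below is an added example, not part of the original article; the function names are illustrative and it assumes the openssl command-line tool is installed.

```bash
#!/bin/bash
# Added example (not from the article): pre-flight checks for /opt/certs.
# Function names are illustrative; requires the openssl command-line tool.

# The key must load with an empty passphrase, i.e. it is not encrypted.
key_is_unencrypted() {
    openssl pkey -in "$1" -passin pass: -noout 2>/dev/null
}

# Certificate and private key must carry the same public key.
cert_matches_key() {
    local c k
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    k=$(openssl pkey -in "$2" -passin pass: -pubout 2>/dev/null) || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Bundle order: issuing CA first, root last. Each issuer must be the subject
# of the next certificate, and the last certificate must be self-issued.
chain_is_ordered() {
    local tmp n i next iss want rc=0
    tmp=$(mktemp -d) || return 1
    awk -v d="$tmp" '/-----BEGIN CERTIFICATE-----/ { n++ }
                     n { print > (d "/cert." n) }' "$1"
    n=$(ls "$tmp" | wc -l | tr -d ' ')
    [ "$n" -ge 1 ] || rc=1
    i=1
    while [ "$i" -le "$n" ]; do
        next=$((i + 1)); [ "$i" -lt "$n" ] || next=$i
        iss=$(openssl x509 -in "$tmp/cert.$i" -noout -issuer_hash 2>/dev/null)
        want=$(openssl x509 -in "$tmp/cert.$next" -noout -subject_hash 2>/dev/null)
        [ -n "$iss" ] && [ "$iss" = "$want" ] || rc=1
        i=$((i + 1))
    done
    rm -rf "$tmp"
    return "$rc"
}

# The server certificate must verify against the bundle (signature, dates).
cert_chains_to_bundle() {
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# usage: preflight /opt/certs
preflight() {
    chain_is_ordered "$1/cachain.pem" || { echo "cachain.pem: wrong order"; return 1; }
    cert_chains_to_bundle "$1/cachain.pem" "$1/ovirt.crt" || { echo "ovirt.crt: does not verify"; return 1; }
    cert_matches_key "$1/ovirt.crt" "$1/ovirt.key" || { echo "ovirt.key: does not match ovirt.crt"; return 1; }
    key_is_unencrypted "$1/ovirt.key" || { echo "ovirt.key: passphrase-protected"; return 1; }
}
```

The order check compares name hashes only; the signatures themselves are checked by the openssl verify step.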
Backup
Where would we be without it! In this section we will talk about backing up the manager; VM backup is a separate topic. We will make backup copies once a day and store them over NFS, for example on the same system where we placed the ISO images: mynfs1.example.com:/exports/ovirt-backup. Storing backups on the same machine where the Engine runs is not recommended.
Install and enable autofs:
$ sudo yum install autofs
$ sudo systemctl enable autofs
$ sudo systemctl start autofs
Let's create a script:
$ sudo vim /etc/cron.daily/make.oVirt.backup.sh
with the following content:
#!/bin/bash
# Timestamp used in the backup file names
datetime=$(date +"%F.%R")
backupdir="/net/mynfs01.example.com/exports/ovirt-backup"
filename="$backupdir/$(hostname --short).$datetime"
engine-backup --mode=backup --scope=all --file="$filename.data" --log="$filename.log"
# uncomment the next line to automatically delete files older than 30 days
#find "$backupdir" -type f -mtime +30 -exec rm -f {} \;
Make the file executable:
$ sudo chmod a+x /etc/cron.daily/make.oVirt.backup.sh
Now every night we will get a backup of the manager's settings.
Host management interface
Fig. 3. Appearance of the panel.
Installation is very simple: you need the cockpit packages and the cockpit-ovirt-dashboard plugin:
$ sudo yum install cockpit cockpit-ovirt-dashboard -y
Enabling Cockpit:
$ sudo systemctl enable --now cockpit.socket
Firewall setup:
sudo firewall-cmd --add-service=cockpit
sudo firewall-cmd --add-service=cockpit --permanent
Now you can connect to the host: https://[Host IP or FQDN]:9090
VLANs
You can read more about networks in
To connect other subnets, they must first be described in the configuration: Network -> Networks -> New. Here only the name is a required field; the VM Network checkbox, which allows machines to use this network, is already enabled, but to attach a tag you must turn on Enable VLAN tagging, enter the VLAN number and click OK.
Now go to Compute -> Hosts -> kvmNN -> Network Interfaces -> Setup Host Networks. Drag the added network from Unassigned Logical Networks on the right to Assigned Logical Networks on the left:
Fig. 4. Before adding the network.
Fig. 5. After adding the network.
To connect several networks to a host in bulk, it is convenient to assign label(s) to them when creating the networks, and to add the networks by label.
After a network is created, hosts will go into the Non Operational state until the network is added to all nodes of the cluster. This behavior is caused by the Require All flag on the Cluster tab when a new network is created. If the network is not needed on all cluster nodes, this flag can be turned off; then, when the network is attached to a host, it will appear on the right in the Non Required section, and you can choose whether to connect it to a particular host.
Fig. 6. Choosing the network requirement attribute.
HPE specifics
Almost all manufacturers have tools that improve the usability of their products. Taking HPE as an example, there are AMS (Agentless Management Service, amsd for iLO5, hp-ams for iLO4) and SSA (Smart Storage Administrator, for working with the disk controller), among others.
Connecting the HPE repository
We import the key and connect the HPE repositories:
$ sudo rpm --import https://downloads.linux.hpe.com/SDR/hpePublicKey2048_key1.pub
$ sudo vim /etc/yum.repos.d/mcp.repo
with the following content:
[mcp]
name=Management Component Pack
baseurl=http://downloads.linux.hpe.com/repo/mcp/centos/$releasever/$basearch/current/
enabled=1
gpgkey=file:///etc/pki/rpm-gpg/GPG-KEY-mcp
[spp]
name=Service Pack for ProLiant
baseurl=http://downloads.linux.hpe.com/SDR/repo/spp/RHEL/$releasever/$basearch/current/
enabled=1
gpgkey=file:///etc/pki/rpm-gpg/GPG-KEY-mcp
View the repository contents and the package information (for reference):
$ sudo yum --disablerepo="*" --enablerepo="mcp" list available
$ yum info amsd
Installation and startup:
$ sudo yum install amsd ssacli
$ sudo systemctl start amsd
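The repository file above fetches packages over plain http and does not set gpgcheck itself, so signature checking depends on the [main] section of /etc/yum.conf. The function below is an added example, not from the article or from HPE; audit_repo_file is an illustrative name, and it reports both conditions for each stanza of a .repo file.

```bash
#!/bin/bash
# Added example (not from the article): flag repo stanzas whose packages
# could be altered in transit or installed without a signature check.
# Prints one finding per line and returns 1 if there is at least one.
audit_repo_file() {
    awk '
        function report() {
            if (name == "") return
            if (url ~ /^http:\/\//) {
                print name ": baseurl is plain http"; bad = 1
            }
            if (gpg == "0") {
                print name ": gpgcheck=0, signatures are not verified"; bad = 1
            }
            if (gpg == "") {
                print name ": gpgcheck unset, inherited from [main] in /etc/yum.conf"; bad = 1
            }
        }
        # A new [section] closes the previous stanza.
        /^\[/                    { report(); name = $0; url = ""; gpg = ""; next }
        /^[ \t]*baseurl[ \t]*=/  { sub(/^[^=]*=[ \t]*/, ""); url = $0 }
        /^[ \t]*gpgcheck[ \t]*=/ { sub(/^[^=]*=[ \t]*/, ""); gpg = $0 }
        END { report(); exit bad + 0 }
    ' "$1"
}
```

Run it as audit_repo_file /etc/yum.repos.d/mcp.repo; an empty result with exit status 0 means every stanza uses a non-http baseurl and sets gpgcheck=1 explicitly.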
Example of a utility for working with the disk controller
That's all for now. In the following articles I plan to talk about some basic operations and applications. For example, how to set up VDI in oVirt.
Source: www.habr.com