oVirt in 2 hours. Part 3. Additional settings

In this article we will look at a few optional but useful settings:

This article is a continuation; for the beginning, see oVirt in 2 hours, Part 1 and Part 2.

Articles

  1. Introduction
  2. Installing the manager (ovirt-engine) and hypervisors (hosts)
  3. Additional settings - We are here

Additional manager settings

For convenience, we will install additional packages:

$ sudo yum install bash-completion vim

To enable command completion, bash-completion requires switching to bash.

Adding additional DNS names

This is required when you need to connect to the manager using an alternative name (a CNAME, an alias, or just a short name without the domain suffix). For security reasons, the manager accepts connections only under names that are on its allowed list.

Create a configuration file:

$ sudo vim /etc/ovirt-engine/engine.conf.d/99-custom-sso-setup.conf

with the following content:

SSO_ALTERNATE_ENGINE_FQDNS="ovirt.example.com some.alias.example.com ovirt"

and restart the manager:

$ sudo systemctl restart ovirt-engine

Setting up authentication via AD

oVirt has a built-in user base, but external LDAP providers are also supported, including AD.

The simplest way to get a typical configuration is to run the wizard and then restart the manager:

$ sudo yum install ovirt-engine-extension-aaa-ldap-setup
$ sudo ovirt-engine-extension-aaa-ldap-setup
$ sudo systemctl restart ovirt-engine

Example of the wizard at work
$ sudo ovirt-engine-extension-aaa-ldap-setup
Available LDAP implementations:
...
3 - Active Directory
...
Please select: 3
Please enter Active Directory Forest name: example.com

Please select protocol to use (startTLS, ldaps, plain) [startTLS]:
Please select method to obtain PEM encoded CA certificate (File, URL, Inline, System, Insecure): URL
URL: wwwca.example.com/myRootCA.pem
Enter search user DN (for example uid=username,dc=example,dc=com or leave empty for anonymous): CN=oVirt-Engine,CN=Users,DC=example,DC=com
Enter search user password: *password*
[ INFO ] Attempting to bind using 'CN=oVirt-Engine,CN=Users,DC=example,DC=com'
Are you going to use Single Sign-On for Virtual Machines (Yes, No) [Yes]:
Please specify profile name that will be visible to users [example.com]:
Please provide credentials to test login flow:
Enter user name: someAnyUser
Enter user password:
...
[ INFO ] Login sequence executed successfully
...
Select test sequence to execute (Done, Abort, Login, Search) [Done]:
[ INFO ] Stage: Transaction setup
...
CONFIGURATION SUMMARY
...

Using the wizard is suitable for most cases. For complex configurations, the settings are made manually. More details are in the oVirt documentation, Users and Roles. After the Engine has been successfully connected to AD, an additional profile appears in the login window, and on the Permissions tab of system objects it becomes possible to grant permissions to AD users and groups. Note that the external directory of users and groups can be not only AD, but also IPA, eDirectory, and so on.

Multipathing

In a production environment, the storage system should be connected to the host over several independent I/O paths. As a rule, on CentOS (and therefore on oVirt) there are no problems assembling multiple paths to a device (find_multipaths yes). Additional settings for FCoE are described in Part 2. It is worth paying attention to the storage vendor's recommendations: many recommend the round-robin policy, whereas the default in Enterprise Linux 7 is service-time.

Using 3PAR as an example
Following the document HPE 3PAR Red Hat Enterprise Linux, CentOS Linux, Oracle Linux, and OracleVM Server Implementation Guide, the EL host is created as a Host with Generic-ALUA Persona 2, for which the following values are entered in /etc/multipath.conf:

defaults {
           polling_interval      10
           user_friendly_names   no
           find_multipaths       yes
          }
devices {
          device {
                   vendor                   "3PARdata"
                   product                  "VV"
                   path_grouping_policy     group_by_prio
                   path_selector            "round-robin 0"
                   path_checker             tur
                   features                 "0"
                   hardware_handler         "1 alua"
                   prio                     alua
                   failback                 immediate
                   rr_weight                uniform
                   no_path_retry            18
                   rr_min_io_rq             1
                   detect_prio              yes
                   fast_io_fail_tmo         10
                   dev_loss_tmo             "infinity"
                 }
}

After that, the restart command is given:

systemctl restart multipathd

Fig. 1 - the default multipath I/O policy.

Fig. 2 - the multipath I/O policy after applying the settings.
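
To confirm after the restart that every 3PAR volume actually moved from service-time to round-robin, the path-group policy reported by multipath -ll can be checked per map. The following is an added example, not part of the original article; the function names are assumptions of the example, it assumes user_friendly_names no as in the configuration above, and the sample output is constructed.

```shell
#!/bin/bash
# Added example: list multipath maps of one vendor whose path groups
# do not use the expected path selector.
# Reads `multipath -ll` output on stdin, prints one offending WWID per line,
# and returns 1 if any map is still on another policy.
check_selector() {
    local vendor="$1" selector="$2"
    awk -v vendor="$vendor" -v want="policy='$selector'" '
        # Map header, e.g. "360002ac... dm-2 3PARdata,VV"
        # (this layout assumes user_friendly_names no).
        $2 ~ /^dm-[0-9]+$/ { wwid = $1; ours = (index($3, vendor ",") == 1); next }
        # Path-group line, e.g. "`-+- policy=... prio=50 status=active".
        ours && /policy=/ && index($0, want) == 0 && !(wwid in bad) {
            bad[wwid] = 1; print wwid; n++
        }
        END { exit (n > 0) }
    '
}

# Constructed sample of `multipath -ll` output (not captured from a real host):
# the first map uses round-robin, the second is still on service-time.
sample_output() {
cat <<'EOF'
360002ac0000000000000001a0001aaaa dm-2 3PARdata,VV
size=100G features='1 queue_if_no_path' hwhandler='1 alua' wp=rw
`-+- policy='round-robin 0' prio=50 status=active
  |- 1:0:0:1 sdb 8:16 active ready running
  `- 2:0:0:1 sdc 8:32 active ready running
360002ac0000000000000001b0001aaaa dm-3 3PARdata,VV
size=200G features='1 queue_if_no_path' hwhandler='1 alua' wp=rw
`-+- policy='service-time 0' prio=50 status=active
  |- 1:0:0:2 sdd 8:48 active ready running
  `- 2:0:0:2 sde 8:64 active ready running
EOF
}
```

On a host, the same function is fed from the live command: sudo multipath -ll | check_selector 3PARdata "round-robin 0".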

Setting up power management

This allows, for example, a hardware reset of a machine if the Engine cannot get a response from the Host for a long time. It is implemented through a Fence Agent.

Compute -> Hosts -> HOST - Edit -> Power Management, then enable "Enable Power Management" and add an agent: "Add Fence Agent" -> +.

We specify the type (for example, for iLO5 you need to specify ilo4), the name/address of the IPMI interface, and the user name/password. It is recommended to create a separate user (for example, oVirt-PM) and, in the case of iLO, grant it the privileges:

  • Login
  • Remote Console
  • Virtual Power and Reset
  • Virtual Media
  • Configure iLO Settings
  • Administer User Accounts

Don't ask why exactly this set; it was found empirically. The console fencing agent requires a smaller set of rights.

When setting up access control lists, keep in mind that the agent runs not on the Engine but on a "neighboring" host (the so-called Power Management Proxy); that is, if there is only one node in the cluster, power management will not work.

Setting up SSL

Full official instructions are in the documentation, Appendix D: oVirt and SSL - Replacing the oVirt Engine SSL/TLS Certificate.

The certificate can come either from our corporate CA or from an external commercial certificate authority.

Important note: the certificate is intended for connections to the manager and does not affect communication between the Engine and the nodes; they will use self-signed certificates issued by the Engine.

Requirements:

  • the certificate of the issuing CA in PEM format, with the whole chain up to the root CA (from the subordinate issuing CA at the beginning to the root at the end);
  • a certificate for Apache issued by the issuing CA (also supplemented with the whole chain of CA certificates);
  • the private key for Apache, without a password.

Let's assume that our issuing CA runs CentOS and is called subca.example.com, and that the requests, keys, and certificates are located in the /etc/pki/tls/ directory.

We make backups and create a temporary directory:

$ sudo cp /etc/pki/ovirt-engine/keys/apache.key.nopass /etc/pki/ovirt-engine/keys/apache.key.nopass.`date +%F`
$ sudo cp /etc/pki/ovirt-engine/certs/apache.cer /etc/pki/ovirt-engine/certs/apache.cer.`date +%F`
$ sudo mkdir /opt/certs
$ sudo chown mgmt.mgmt /opt/certs

Download the certificates, either from your workstation or by transferring them in another convenient way:

[myuser@mydesktop] $ scp -3 [email protected]:/etc/pki/tls/cachain.pem [email protected]:/opt/certs
[myuser@mydesktop] $ scp -3 [email protected]:/etc/pki/tls/private/ovirt.key [email protected]:/opt/certs
[myuser@mydesktop] $ scp -3 [email protected]:/etc/pki/tls/certs/ovirt.crt [email protected]:/opt/certs

As a result, you should see all 3 files:

$ ls /opt/certs
cachain.pem  ovirt.crt  ovirt.key
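
Before the staged files are copied into place, the three requirements above can be checked with openssl, so that a mismatched or encrypted key is caught before Apache is restarted. This is an added example, not part of the original article; the function name check_bundle is an assumption of the example, and the optional name arguments are the names users connect with, such as those listed in SSO_ALTERNATE_ENGINE_FQDNS.

```shell
#!/bin/bash
# Added example: pre-flight check of the files staged in /opt/certs.
# Usage: check_bundle CHAIN CERT KEY [NAME...]
# Prints one line per failed check and returns 1 if any check failed.
check_bundle() {
    local chain="$1" cert="$2" key="$3" rc=0 name cert_pub key_pub
    shift 3

    # 1. The key must load without a passphrase (it is installed as apache.key.nopass).
    if ! openssl pkey -in "$key" -noout -passin pass: 2>/dev/null; then
        echo "FAIL: $key is encrypted or is not a private key"; rc=1
    fi

    # 2. The certificate must contain the public half of this key.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || cert_pub=
    key_pub=$(openssl pkey -in "$key" -pubout -passin pass: 2>/dev/null) || key_pub=
    if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: $cert does not match $key"; rc=1
    fi

    # 3. The certificate must verify against the supplied CA chain file.
    if ! openssl verify -CAfile "$chain" "$cert" >/dev/null 2>&1; then
        echo "FAIL: $cert does not verify against $chain"; rc=1
    fi

    # 4. Each name passed as an argument must be covered by the certificate.
    for name in "$@"; do
        if ! openssl x509 -in "$cert" -noout -checkhost "$name" 2>/dev/null |
                grep -q 'does match certificate'; then
            echo "FAIL: certificate does not cover the name $name"; rc=1
        fi
    done
    return "$rc"
}

# Run directly, for example:
#   ./check_bundle.sh /opt/certs/cachain.pem /opt/certs/ovirt.crt /opt/certs/ovirt.key ovirt.example.com
if [ "$#" -ge 3 ]; then check_bundle "$@"; fi
```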

Installing the certificates

Copy the files and update the trust lists:

$ sudo cp /opt/certs/cachain.pem /etc/pki/ca-trust/source/anchors
$ sudo update-ca-trust
$ sudo rm /etc/pki/ovirt-engine/apache-ca.pem
$ sudo cp /opt/certs/cachain.pem /etc/pki/ovirt-engine/apache-ca.pem
$ sudo cp /opt/certs/ovirt.key /etc/pki/ovirt-engine/keys/apache.key.nopass
$ sudo cp /opt/certs/ovirt.crt /etc/pki/ovirt-engine/certs/apache.cer
$ sudo systemctl restart httpd.service

Add/update the configuration files:

$ sudo vim /etc/ovirt-engine/engine.conf.d/99-custom-truststore.conf
ENGINE_HTTPS_PKI_TRUST_STORE="/etc/pki/java/cacerts"
ENGINE_HTTPS_PKI_TRUST_STORE_PASSWORD=""
$ sudo vim /etc/ovirt-engine/ovirt-websocket-proxy.conf.d/10-setup.conf
SSL_CERTIFICATE=/etc/pki/ovirt-engine/certs/apache.cer
SSL_KEY=/etc/pki/ovirt-engine/keys/apache.key.nopass
$ sudo vim /etc/ovirt-imageio-proxy/ovirt-imageio-proxy.conf
# Key file for SSL connections
ssl_key_file = /etc/pki/ovirt-engine/keys/apache.key.nopass
# Certificate file for SSL connections
ssl_cert_file = /etc/pki/ovirt-engine/certs/apache.cer

Next, restart all affected services:

$ sudo systemctl restart ovirt-provider-ovn.service
$ sudo systemctl restart ovirt-imageio-proxy
$ sudo systemctl restart ovirt-websocket-proxy
$ sudo systemctl restart ovirt-engine.service

Done! Time to connect to the manager and check that the connection is protected by a signed SSL certificate.

Backup

Where would we be without it? In this section we will talk about backing up the manager; VM backup is a separate topic. We will make backup copies once a day and store them over NFS, for example, on the same system where we placed the ISO images - mynfs1.example.com:/exports/ovirt-backup. Storing the backups on the same machine where the Engine runs is not recommended.

Install and enable autofs:

$ sudo yum install autofs
$ sudo systemctl enable autofs
$ sudo systemctl start autofs

Let's create a script:

$ sudo vim /etc/cron.daily/make.oVirt.backup.sh

with the following content:

#!/bin/bash

# Timestamp used in the archive name
datetime=$(date +"%F.%R")
backupdir="/net/mynfs01.example.com/exports/ovirt-backup"
filename="$backupdir/$(hostname --short).$datetime"
engine-backup --mode=backup --scope=all --file="$filename.data" --log="$filename.log"
# uncomment the next line to automatically delete files older than 30 days
#find "$backupdir" -type f -mtime +30 -exec rm -f {} \;

Make the file executable:

$ sudo chmod a+x /etc/cron.daily/make.oVirt.backup.sh

Now every night we will get an archive of the manager's settings.

Host management interface

Cockpit is a modern administration interface for Linux systems. In this case, it plays a role similar to the ESXi web interface.

Fig. 3 - appearance of the panel.

Installation is very simple; you need the cockpit package and the cockpit-ovirt-dashboard plugin:

$ sudo yum install cockpit cockpit-ovirt-dashboard -y

Enabling Cockpit:

$ sudo systemctl enable --now cockpit.socket

Firewall configuration:

sudo firewall-cmd --add-service=cockpit
sudo firewall-cmd --add-service=cockpit --permanent

Now you can connect to the host: https://[Host IP or FQDN]:9090

VLANs

You should read more about networks in the documentation. There are many possibilities; here we describe connecting virtual networks.

To connect other subnets, they must first be described in the configuration: Network -> Networks -> New; here only the name is a required field. The VM Network checkbox, which allows machines to use this network, is enabled, but to attach a tag you need to turn on Enable VLAN tagging, enter the VLAN number, and click OK.

Now you need to go to the hosts: Compute -> Hosts -> kvmNN -> Network Interfaces -> Setup Host Networks. Drag the added network from the right side, Unassigned Logical Networks, to the left, into Assigned Logical Networks:

Fig. 4 - before adding the network.

Fig. 5 - after adding the network.

To connect several networks to a host in bulk, it is convenient to assign them label(s) when creating the networks, and to add the networks by label.

After the network is created, the hosts go into the Non Operational state until the network is added to all nodes of the cluster. This behavior is caused by the Require All flag on the Cluster tab when creating a new network. If the network is not needed on all nodes of the cluster, this flag can be disabled; then, when the network is added to a host, it will appear on the right in the Non Required section and you can choose whether to attach it to a particular host.

Fig. 6 - choosing the network requirement attribute.

HPE specifics

Almost all vendors have tools that improve the usability of their products. Using HPE as an example, AMS (Agentless Management Service, amsd for iLO5, hp-ams for iLO4) and SSA (Smart Storage Administrator, for working with the disk controller), etc. are useful.

Connecting the HPE repository
We import the key and connect the HPE repositories:

$ sudo rpm --import https://downloads.linux.hpe.com/SDR/hpePublicKey2048_key1.pub
$ sudo vim /etc/yum.repos.d/mcp.repo

with the following content:

[mcp]
name=Management Component Pack
baseurl=http://downloads.linux.hpe.com/repo/mcp/centos/$releasever/$basearch/current/
enabled=1
gpgkey=file:///etc/pki/rpm-gpg/GPG-KEY-mcp

[spp]
name=Service Pack for ProLiant
baseurl=http://downloads.linux.hpe.com/SDR/repo/spp/RHEL/$releasever/$basearch/current/
enabled=1
gpgkey=file:///etc/pki/rpm-gpg/GPG-KEY-mcp

View the repository contents and package information (for reference):

$ sudo yum --disablerepo="*" --enablerepo="mcp" list available
$ yum info amsd

Installation and startup:

$ sudo yum install amsd ssacli
$ sudo systemctl start amsd

Example of the utility for working with the disk controller

That's all for now. In the following articles I plan to talk about some basic operations and applications. For example, how to do VDI in oVirt.

Source: www.habr.com