In this article we will look at a few optional but useful settings:
- using additional names for the manager;
- connecting authentication via Active Directory;
- multipathing;
- power management;
- replacing the SSL certificate;
- backup;
- the host management interface (cockpit);
- VLANs;
- HPE specifics.
This article is a continuation; for the beginning, see oVirt in 2 hours.
Articles
- Introduction
- Installing the manager (ovirt-engine) and hypervisors (hosts)
- Additional settings - we are here
Additional manager settings
For convenience, we will install additional packages:
$ sudo yum install bash-completion vim
To enable command completion from bash-completion, switch to bash.
Adding additional DNS names
This is needed when you have to connect to the manager under another name (a CNAME, an alias, or just a short name without the domain suffix). For security reasons, the manager accepts connections only under names on an allowlist.
Create a configuration file:
$ sudo vim /etc/ovirt-engine/engine.conf.d/99-custom-sso-setup.conf
with the following content:
SSO_ALTERNATE_ENGINE_FQDNS="ovirt.example.com some.alias.example.com ovirt"
and restart the manager:
$ sudo systemctl restart ovirt-engine
Setting up authentication via AD
oVirt has a built-in user database, but external LDAP providers are also supported, including AD.
The simplest way to get a typical configuration is to run the wizard and restart the manager:
$ sudo yum install ovirt-engine-extension-aaa-ldap-setup
$ sudo ovirt-engine-extension-aaa-ldap-setup
$ sudo systemctl restart ovirt-engine
Example of the wizard at work
$ sudo ovirt-engine-extension-aaa-ldap-setup
Available LDAP implementations:
...
3 - Active Directory
...
Please select: 3
Please enter Active Directory Forest name: example.com
Please select protocol to use (startTLS, ldaps, plain) [startTLS]:
Please select method to obtain PEM encoded CA certificate (File, URL, Inline, System, Insecure): URL
URL:
Enter search user DN (for example uid=username,dc=example,dc=com or leave empty for anonymous): CN=oVirt-Engine,CN=Users,DC=example,DC=com
Enter search user password: *password*
[ INFO ] Attempting to bind using 'CN=oVirt-Engine,CN=Users,DC=example,DC=com'
Are you going to use Single Sign-On for Virtual Machines (Yes, No) [Yes]:
Please specify profile name that will be visible to users [example.com]:
Please provide credentials to test login flow:
Enter user name: someAnyUser
Enter user password:
...
[ INFO ] Login sequence executed successfully
...
Select test sequence to execute (Done, Abort, Login, Search) [Done]:
[ INFO ] Stage: Transaction setup
...
CONFIGURATION SUMMARY
...
Using the wizard is sufficient for most cases. For complex configurations, the settings are made manually. More details are in the oVirt documentation.
Multipathing
In a production environment, the storage system should be connected to the host by several independent, multiple I/O paths. As a rule, on CentOS (and therefore oVirt) there are no problems with assembling multiple paths to a device (find_multipaths yes). Additional settings for FCoE are described in
Using 3PAR as an example
and the document
defaults {
    polling_interval 10
    user_friendly_names no
    find_multipaths yes
}
devices {
    device {
        vendor "3PARdata"
        product "VV"
        path_grouping_policy group_by_prio
        path_selector "round-robin 0"
        path_checker tur
        features "0"
        hardware_handler "1 alua"
        prio alua
        failback immediate
        rr_weight uniform
        no_path_retry 18
        rr_min_io_rq 1
        detect_prio yes
        fast_io_fail_tmo 10
        dev_loss_tmo "infinity"
    }
}
After that, the restart command is issued:
systemctl restart multipathd
Fig. 1 - the default multiple I/O policy.
Fig. 2 - the multiple I/O policy after applying the settings.
Setting up power management
It allows you to perform, for example, a hardware reset of a machine if the Engine cannot get a response from the Host for a long time. It is implemented through a Fence Agent.
Compute -> Hosts -> HOST - Edit -> Power Management, then turn on "Enable Power Management" and add an agent - "Add Fence Agent" -> +.
Specify the type (for example, for iLO5 you need to specify ilo4), the name/address of the ipmi interface, and the username/password. It is recommended to create a separate user (for example, oVirt-PM) and, in the case of iLO, give it the privileges:
- Login
- Remote Console
- Virtual Power and Reset
- Virtual Media
- Configure iLO Settings
- Administer User Accounts
Don't ask why this is so, it was chosen empirically. The console fencing agent requires fewer privileges.
When setting up access control lists, keep in mind that the agent runs not on the engine but on a "neighbouring" host (the so-called Power Management Proxy), that is, if there is only one node in the cluster, power management will not work.
Setting up SSL
The full official instructions are in
The certificate can come either from our corporate CA or from an external commercial certificate authority.
Important note: the certificate is intended for connecting to the manager and will not affect communication between the Engine and the nodes - they will use self-signed certificates issued by the Engine.
Requirements:
- the certificate of the issuing CA in PEM format, with the whole chain up to the root CA (from the subordinate issuing CA at the beginning to the root at the end);
- a certificate for Apache issued by the issuing CA (also supplemented with the whole chain of CA certificates);
- the private key for Apache, without a password.
Let's assume that our issuing CA runs CentOS, is called subca.example.com, and that the requests, keys and certificates are located in the /etc/pki/tls/ directory.
Make backups and create a temporary directory:
$ sudo cp /etc/pki/ovirt-engine/keys/apache.key.nopass /etc/pki/ovirt-engine/keys/apache.key.nopass.`date +%F`
$ sudo cp /etc/pki/ovirt-engine/certs/apache.cer /etc/pki/ovirt-engine/certs/apache.cer.`date +%F`
$ sudo mkdir /opt/certs
$ sudo chown mgmt.mgmt /opt/certs
Download the certificates, either doing it from your workstation or transferring them in another convenient way:
[myuser@mydesktop] $ scp -3 [email protected]:/etc/pki/tls/cachain.pem [email protected]:/opt/certs
[myuser@mydesktop] $ scp -3 [email protected]:/etc/pki/tls/private/ovirt.key [email protected]:/opt/certs
[myuser@mydesktop] $ scp -3 [email protected]:/etc/pki/tls/certs/ovirt.crt [email protected]:/opt/certs
As a result, you should see all 3 files:
$ ls /opt/certs
cachain.pem ovirt.crt ovirt.key
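Before the files are installed, they can be checked against the requirements listed above: key without a password, certificate matching the key, chain starting with the issuing CA, certificate verifying against the chain. The script below is an added example, not part of the original article; the function name check_cert_bundle and its return codes are made up for illustration, and it assumes the openssl command-line tool is installed.

```shell
#!/bin/bash
# Added example: pre-flight check of the three files before installing them.
# Usage: check_cert_bundle CHAIN CERT KEY
# Prints "OK" and returns 0, or names the first failed requirement.
check_cert_bundle() {
    local chain=$1 cert=$2 key=$3 f cert_pub key_pub issuer first
    for f in "$chain" "$cert" "$key"; do
        [ -r "$f" ] || { echo "cannot read $f"; return 2; }
    done
    # Requirement: key without a password. The PKCS#8 header and the legacy
    # "Proc-Type: 4,ENCRYPTED" header of a protected key both contain this word.
    if grep -q 'ENCRYPTED' "$key"; then
        echo "private key is password-protected"; return 3
    fi
    # The certificate must carry the public key belonging to this private key.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) ||
        { echo "cannot parse certificate"; return 4; }
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) ||
        { echo "cannot parse private key"; return 4; }
    [ "$cert_pub" = "$key_pub" ] ||
        { echo "certificate does not match private key"; return 5; }
    # Requirement: chain ordered from the issuing CA (first) to the root (last).
    # openssl x509 reads only the first certificate in the file.
    issuer=$(openssl x509 -in "$cert" -noout -issuer -nameopt RFC2253)
    first=$(openssl x509 -in "$chain" -noout -subject -nameopt RFC2253)
    [ "${issuer#issuer=}" = "${first#subject=}" ] ||
        { echo "chain does not start with the issuing CA"; return 6; }
    # The certificate must verify against the supplied chain only
    # (-no-CApath keeps the system trust directory out of the check).
    openssl verify -no-CApath -CAfile "$chain" "$cert" >/dev/null 2>&1 ||
        { echo "certificate does not verify against the chain"; return 7; }
    echo "OK"
}

# Check the files from the listing above when the script is called with "run".
if [ "${1:-}" = "run" ]; then
    check_cert_bundle /opt/certs/cachain.pem /opt/certs/ovirt.crt /opt/certs/ovirt.key
fi
```

A non-zero result at this stage costs nothing; the same mistake found after the copy would leave httpd unable to restart.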
Installing the certificates
Copy the files and update the trust lists:
$ sudo cp /opt/certs/cachain.pem /etc/pki/ca-trust/source/anchors
$ sudo update-ca-trust
$ sudo rm /etc/pki/ovirt-engine/apache-ca.pem
$ sudo cp /opt/certs/cachain.pem /etc/pki/ovirt-engine/apache-ca.pem
$ sudo cp /opt/certs/ovirt.key /etc/pki/ovirt-engine/keys/apache.key.nopass
$ sudo cp /opt/certs/ovirt.crt /etc/pki/ovirt-engine/certs/apache.cer
$ sudo systemctl restart httpd.service
Add/update the configuration files:
$ sudo vim /etc/ovirt-engine/engine.conf.d/99-custom-truststore.conf
ENGINE_HTTPS_PKI_TRUST_STORE="/etc/pki/java/cacerts"
ENGINE_HTTPS_PKI_TRUST_STORE_PASSWORD=""
$ sudo vim /etc/ovirt-engine/ovirt-websocket-proxy.conf.d/10-setup.conf
SSL_CERTIFICATE=/etc/pki/ovirt-engine/certs/apache.cer
SSL_KEY=/etc/pki/ovirt-engine/keys/apache.key.nopass
$ sudo vim /etc/ovirt-imageio-proxy/ovirt-imageio-proxy.conf
# Key file for SSL connections
ssl_key_file = /etc/pki/ovirt-engine/keys/apache.key.nopass
# Certificate file for SSL connections
ssl_cert_file = /etc/pki/ovirt-engine/certs/apache.cer
Next, restart all affected services:
$ sudo systemctl restart ovirt-provider-ovn.service
$ sudo systemctl restart ovirt-imageio-proxy
$ sudo systemctl restart ovirt-websocket-proxy
$ sudo systemctl restart ovirt-engine.service
Done! Time to connect to the manager and check that the connection is protected by a signed SSL certificate.
Backup
Where would we be without it? In this section we will talk about backing up the manager; VM backup is a separate issue. We will make backup copies once a day and store them over NFS, for example, on the same system where we placed the ISO images - mynfs1.example.com:/exports/ovirt-backup. Storing the archives on the same machine where the Engine runs is not recommended.
Install and enable autofs:
$ sudo yum install autofs
$ sudo systemctl enable autofs
$ sudo systemctl start autofs
Let's create a script:
$ sudo vim /etc/cron.daily/make.oVirt.backup.sh
with the following content:
#!/bin/bash
# Timestamp is computed once so the .data and .log files share one name
datetime=$(date +"%F.%R")
backupdir="/net/mynfs01.example.com/exports/ovirt-backup"
filename="$backupdir/$(hostname --short).$datetime"
engine-backup --mode=backup --scope=all --file="$filename.data" --log="$filename.log"
#uncomment next line for autodelete files older 30 days
#find "$backupdir" -type f -mtime +30 -exec rm -f {} \;
Make the file executable:
$ sudo chmod a+x /etc/cron.daily/make.oVirt.backup.sh
Now every night we will get an archive of the manager settings.
Host management interface
Fig. 3 - appearance of the panel.
Installation is very simple: you need the cockpit packages and the cockpit-ovirt-dashboard plugin:
$ sudo yum install cockpit cockpit-ovirt-dashboard -y
Enabling Cockpit:
$ sudo systemctl enable --now cockpit.socket
Firewall setup:
sudo firewall-cmd --add-service=cockpit
sudo firewall-cmd --add-service=cockpit --permanent
Now you can connect to the host: https://[Host IP or FQDN]:9090
VLANs
You should read more about networks in
To connect other subnets, they must first be described in the configuration: Network -> Networks -> New; here only the name is a required field. The VM Network checkbox, which allows machines to use this network, is turned on, but to attach a tag, tagging must be enabled. Turn on Enable VLAN tagging, enter the VLAN number and click OK.
Now you need to go to Compute -> Hosts -> kvmNN -> Network Interfaces -> Setup Host Networks. Drag the added network from the right side, Unassigned Logical Networks, to the left, into Assigned Logical Networks:
Fig. 4 - before adding the network.
Fig. 5 - after adding the network.
To attach many networks to a host in bulk, it is convenient to assign them label(s) when creating the networks, and to add the networks by label.
After a network is created, the hosts will go into the Non Operational state until the network is added to all nodes of the cluster. This behaviour is caused by the Require All flag on the Cluster tab when creating a new network. If the network is not needed on all nodes of the cluster, this flag can be turned off; then, when the network is added to a host, it will appear on the right in the Non Required section and you can choose whether to attach it to a particular host.
Fig. 6 - choosing the network requirement attribute.
HPE specifics
Almost all vendors have tools that improve the usability of their products. Using HPE as an example, AMS (Agentless Management Service, amsd for iLO5, hp-ams for iLO4) and SSA (Smart Storage Administrator, for working with the disk controller), etc. are useful.
Connecting the HPE repository
Import the key and connect the HPE repositories:
$ sudo rpm --import https://downloads.linux.hpe.com/SDR/hpePublicKey2048_key1.pub
$ sudo vim /etc/yum.repos.d/mcp.repo
with the following content:
[mcp]
name=Management Component Pack
baseurl=http://downloads.linux.hpe.com/repo/mcp/centos/$releasever/$basearch/current/
enabled=1
gpgkey=file:///etc/pki/rpm-gpg/GPG-KEY-mcp
[spp]
name=Service Pack for ProLiant
baseurl=http://downloads.linux.hpe.com/SDR/repo/spp/RHEL/$releasever/$basearch/current/
enabled=1
gpgkey=file:///etc/pki/rpm-gpg/GPG-KEY-mcp
View the repository contents and package information (for reference):
$ sudo yum --disablerepo="*" --enablerepo="mcp" list available
$ yum info amsd
Installation and start:
$ sudo yum install amsd ssacli
$ sudo systemctl start amsd
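The repository file above does not set gpgcheck, so whether package signatures are verified depends on the [main] default in /etc/yum.conf, and both baseurl values use plain http. The script below is an added example, not part of the original article: the function names audit_repo and sample_repo and the [mcp-hardened] section are made up for illustration, the sample is constructed from the [mcp] section above, and the https baseurl assumes the repository is served over https like the key URL used above.

```shell
#!/bin/bash
# Added example: audit a yum .repo file for the two settings that decide
# whether packages are authenticated: gpgcheck and the baseurl scheme.
# Usage: audit_repo FILE   (prints one finding per line, nothing if clean)
audit_repo() {
    awk '
        function report() {
            if (sec == "") return
            if (gpg != "1") print sec ": gpgcheck is not set to 1 in this section"
            if (url ~ /^http:/) print sec ": baseurl uses plain http"
        }
        /^\[.*\]$/ { report(); sec = substr($0, 2, length($0) - 2); gpg = ""; url = ""; next }
        { line = $0; gsub(/[ \t]/, "", line) }
        line ~ /^gpgcheck=/ { gpg = substr(line, 10) }
        line ~ /^baseurl=/  { url = substr(line, 9) }
        END { report() }
    ' "$1"
}

# Constructed sample: the [mcp] section as written above, followed by a
# hardened variant (assumption: the same path is available over https).
sample_repo() {
    cat <<'EOF'
[mcp]
name=Management Component Pack
baseurl=http://downloads.linux.hpe.com/repo/mcp/centos/$releasever/$basearch/current/
enabled=1
gpgkey=file:///etc/pki/rpm-gpg/GPG-KEY-mcp
[mcp-hardened]
name=Management Component Pack
baseurl=https://downloads.linux.hpe.com/repo/mcp/centos/$releasever/$basearch/current/
enabled=1
gpgcheck=1
gpgkey=https://downloads.linux.hpe.com/SDR/hpePublicKey2048_key1.pub
EOF
}

# Only the first section is reported; the hardened one produces no findings.
sample_repo | audit_repo /dev/stdin
```

On a host, run it as audit_repo /etc/yum.repos.d/mcp.repo after creating the file.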
Example of the utility for working with the disk controller
That's all for now. In the following articles I plan to talk about some basic operations and applications. For example, how to do VDI in oVirt.
Source: www.habr.com