Get best of the week

oVirt in 2 hours. Part 3. Advanced settings

In this article, we will look at a number of optional but useful settings:


This article is a sequel, start see oVirt in 2 hours Part 1 and Part 2 .

Articles


  1. Introduction
  2. Installation of the manager (ovirt-engine) and hypervisors (hosts)
  3. Advanced Settings - We Are Here
  4. Basic operations

Additional manager settings


For convenience, we will supply additional packages:

$ sudo yum install bash-completion vim

To enable autocompletion, bash-completion commands should be switched to bash.


Adding Additional DNS Names


This is required when you need to connect to the manager by an alternative name (CNAME, alias or just a short name without a domain suffix). For security reasons, the manager only allows connections using the allowed list of names.

Create a configuration file:

$ sudo vim /etc/ovirt-engine/engine.conf.d/99-custom-sso-setup.conf

the following content:

SSO_ALTERNATE_ENGINE_FQDNS="ovirt.example.com some.alias.example.com ovirt"

and restart the manager:

$ sudo systemctl restart ovirt-engine


Configure authentication through AD


oVirt has a built-in user base, but external LDAP providers are also supported, including AD.

The simplest way for a typical configuration is to start the wizard and restart the manager:

$ sudo yum install ovirt-engine-extension-aaa-ldap-setup
$ sudo ovirt-engine-extension-aaa-ldap-setup
$ sudo systemctl restart ovirt-engine

Wizard example
$ sudo ovirt-engine-extension-aaa-ldap-setup
Available LDAP implementations:

3 — Active Directory

Please select: 3
Please enter Active Directory Forest name: example.com

Please select protocol to use (startTLS, ldaps, plain) [startTLS]:
Please select method to obtain PEM encoded CA certificate (File, URL, Inline, System, Insecure): URL
URL: wwwca.example.com/myRootCA.pem
Enter search user DN (for example uid=username,dc=example,dc=com or leave empty for anonymous): CN=oVirt-Engine,CN=Users,DC=example,DC=com
Enter search user password: *password*
[ INFO ] Attempting to bind using 'CN=oVirt-Engine,CN=Users,DC=example,DC=com'
Are you going to use Single Sign-On for Virtual Machines (Yes, No) [Yes]:
Please specify profile name that will be visible to users [example.com]:
Please provide credentials to test login flow:
Enter user name: someAnyUser
Enter user password:

[ INFO ] Login sequence executed successfully

Select test sequence to execute (Done, Abort, Login, Search) [Done]:
[ INFO ] Stage: Transaction setup

CONFIGURATION SUMMARY


Using the wizard is suitable for most cases. For complex configurations, the settings are manual. Read more in the oVirt, Users and Roles documentation . After successfully connecting Engine to AD, an additional profile will appear in the connection window, and on the Permissions tab for system objects, the ability to issue permissions to users and AD groups. It should be noted that the external directory of users and groups can be not only AD, but also IPA, eDirectory, etc.


Multipathing


In a production environment, the storage system must be connected to the host by several independent multiple I / O paths. As a rule, in CentOS (and therefore oVirt) there are no problems with building multiple device paths (find_multipaths yes). Additional settings for FCoE are described in Part 2 . It is worth paying attention to the recommendation of the manufacturer of storage systems - many recommend using the round-robin policy, by default, service Linux is used in Enterprise Linux 7.

For example, 3PAR
HPE 3PAR Red Hat Enterprise Linux, CentOS Linux, Oracle Linux, and OracleVM Server Implementation Guide EL Host Generic-ALUA Persona 2, /etc/multipath.conf :

defaults {
           polling_interval      10
           user_friendly_names   no
           find_multipaths       yes
          }
devices {
          device {
                   vendor                   "3PARdata"
                   product                  "VV"
                   path_grouping_policy     group_by_prio
                   path_selector            "round-robin 0"
                   path_checker             tur
                   features                 "0"
                   hardware_handler         "1 alua"
                   prio                     alua
                   failback                 immediate
                   rr_weight                uniform
                   no_path_retry            18
                   rr_min_io_rq             1
                   detect_prio              yes
                   fast_io_fail_tmo         10
                   dev_loss_tmo             "infinity"
                 }
}

:

systemctl restart multipathd


. 1 — - .


. 2 — - .


Power Management Setup


Allows you to perform, for example, a hardware reset of the machine, if Engine cannot receive a response from Host for a long time. Implemented through the Fence Agent.

Compute -> Hosts -> HOST - Edit -> Power Management, then enable "Enable Power Management" and add the agent - "Add Fence Agent" -> + .

We indicate the type (for example, ilo4 must be specified for iLO5), the name / address of the ipmi interface, as well as the user name / password. It is recommended that you create a separate user (e.g., oVirt-PM) and, in the case of iLO, give him privileges:

  • Login
  • Remote console
  • Virtual power and reset
  • Virtual media
  • Configure iLO Settings
  • Administer user accounts

Do not ask why, it is chosen empirically. The console fencing agent requires a smaller set of rights.

When setting up access control lists, it should be borne in mind that the agent does not run on the engine, but on the "neighboring" host (the so-called Power Management Proxy), that is, if there is only one node in the cluster, power management will not work .


SSL setup


The full official instructions are in the documentation , Appendix D: oVirt and SSL - Replacing the oVirt Engine SSL / TLS Certificate.

The certificate can be either from our corporate CA, or from an external commercial certification authority.

Important note: the certificate is designed to connect to the manager, it will not affect the interaction between Engine and nodes - they will use self-signed certificates issued by Engine.

Requirements:

  • certificate of the issuing CA in PEM format, with the entire chain to the root CA (from the subordinate issuer at the beginning to the root at the end);
  • Apache certificate issued by the issuing CA (also supplemented by the entire CA certificate chain)
  • private key for Apache, no password.

Suppose our publishing certification authority is running CentOS, called subca.example.com, and the requests, keys, and certificates are located in the / etc / pki / tls / directory.

We perform backups and create a temporary directory:

$ sudo cp /etc/pki/ovirt-engine/keys/apache.key.nopass /etc/pki/ovirt-engine/keys/apache.key.nopass.`date +%F`
$ sudo cp /etc/pki/ovirt-engine/certs/apache.cer /etc/pki/ovirt-engine/certs/apache.cer.`date +%F`
$ sudo mkdir /opt/certs
$ sudo chown mgmt.mgmt /opt/certs

Download certificates, execute it from our workstation or transfer it in another convenient way:

[myuser@mydesktop] $ scp -3 causer@subca.example.com:/etc/pki/tls/cachain.pem mgmt@ovirt.example.com:/opt/certs
[myuser@mydesktop] $ scp -3 causer@subca.example.com:/etc/pki/tls/private/ovirt.key mgmt@ovirt.example.com:/opt/certs
[myuser@mydesktop] $ scp -3 causer@subca.example.com/etc/pki/tls/certs/ovirt.crt mgmt@ovirt.example.com:/opt/certs

As a result, you should see all 3 files:

$ ls /opt/certs
cachain.pem  ovirt.crt  ovirt.key

Certificate Installation


We copy files and update trust lists:

$ sudo cp /opt/certs/cachain.pem /etc/pki/ca-trust/source/anchors
$ sudo update-ca-trust
$ sudo rm /etc/pki/ovirt-engine/apache-ca.pem
$ sudo cp /opt/certs/cachain.pem /etc/pki/ovirt-engine/apache-ca.pem
$ sudo cp /opt/certs/ovirt03.key /etc/pki/ovirt-engine/keys/apache.key.nopass
$ sudo cp /opt/certs/ovirt03.crt /etc/pki/ovirt-engine/certs/apache.cer
$ sudo systemctl restart httpd.service

Add / update configuration files:

$ sudo vim /etc/ovirt-engine/engine.conf.d/99-custom-truststore.conf

ENGINE_HTTPS_PKI_TRUST_STORE="/etc/pki/java/cacerts"
ENGINE_HTTPS_PKI_TRUST_STORE_PASSWORD=""

$ sudo vim /etc/ovirt-engine/ovirt-websocket-proxy.conf.d/10-setup.conf

SSL_CERTIFICATE=/etc/pki/ovirt-engine/certs/apache.cer
SSL_KEY=/etc/pki/ovirt-engine/keys/apache.key.nopass

$ sudo vim /etc/ovirt-imageio-proxy/ovirt-imageio-proxy.conf

# Key file for SSL connections
ssl_key_file = /etc/pki/ovirt-engine/keys/apache.key.nopass
# Certificate file for SSL connections
ssl_cert_file = /etc/pki/ovirt-engine/certs/apache.cer

Next, we restart all affected services:

$ sudo systemctl restart ovirt-provider-ovn.service
$ sudo systemctl restart ovirt-imageio-proxy
$ sudo systemctl restart ovirt-websocket-proxy
$ sudo systemctl restart ovirt-engine.service

Done! It's time to connect to the manager and verify that the connection is protected by a signed SSL certificate.


Archiving


Where without her! In this section, we will discuss manager archiving; VM archiving is a separate issue. We will make archive copies once a day and put it on NFS, for example, on the same system where we placed the ISO images - mynfs01.example.com:/exports/ovirt-backup. It is not recommended to store archives on the same machine where Engine is running.

Install and enable autofs:

$ sudo yum install autofs
$ sudo systemctl enable autofs
$ sudo systemctl start autofs

Create a script:

$ sudo vim /etc/cron.daily/make.oVirt.backup.sh

the following content:

#!/bin/bash

datetime=`date +"%F.%R"`
backupdir="/net/mynfs01.example.com/exports/ovirt-backup"
filename="$backupdir/`hostname --short`.`date +"%F.%R"`"
engine-backup --mode=backup --scope=all --file=$filename.data --log=$filename.log
#uncomment next line for autodelete files older 30 days 
#find $backupdir -type f -mtime +30 -exec rm -f {} \;

We make the file executable:

$ sudo chmod a+x /etc/cron.daily/make.oVirt.backup.sh

Now every night we will receive the manager settings archive.


Host Management Interface


Cockpit is a modern administrative interface for Linux systems. In this case, it plays a role close to the ESXi web interface.

image
Fig. 3 - appearance of the panel.

It installs very simply, you need cockpit packages and the cockpit-ovirt-dashboard plugin:

$ sudo yum install cockpit cockpit-ovirt-dashboard -y

Turning on Cockpit:

$ sudo systemctl enable --now cockpit.socket

Firewall Setup:

sudo firewall-cmd --add-service=cockpit
sudo firewall-cmd --add-service=cockpit --permanent

Now you can connect to the host: https: // [Host IP or FQDN]: 9090


VLANs


Read more about networks in the documentation . There are many possibilities, here we describe the connection of virtual networks.

To connect other subnets, they must first be described in the configuration: Network -> Networks -> New, here only the name is a required field; the VM Network checkbox, which allows machines to use this network, is turned on, and to connect the tag, enable Enable VLAN tagging , enter the VLAN number and click OK.

Now you need to go to the Compute -> Hosts -> kvmNN -> Network Interfaces -> Setup Host Networks hosts. Drag the added network from the right side of Unassigned Logical Networks to the left in Assigned Logical Networks:


Fig. 4 - before adding a network.


Fig. 5 - after adding a network.

To connect several networks to the host in bulk, it is convenient to assign them a label (s) when creating networks, and add networks by labels.

After the network is created, the hosts will go into Non Operational state until the network is added to all nodes of the cluster. This behavior is caused by the Require All flag on the Cluster tab when creating a new network. In the case when the network is not needed on all nodes of the cluster, this symptom can be disabled, then the network when added to the host will be on the right in the Non Required section and you can choose whether to connect it to a specific host.


Fig. 6 - selection of a sign of a network requirement.


HPE specific


Almost all manufacturers have tools that increase the usability of their products. Using the HPE example, AMS (Agentless Management Service, amsd for iLO5, hp-ams for iLO4) and SSA (Smart Storage Administrator, working with a disk controller), etc. are useful.

Connect HPE Repository
HPE:

$ sudo rpm --import https://downloads.linux.hpe.com/SDR/hpePublicKey2048_key1.pub
$ sudo vim /etc/yum.repos.d/mcp.repo

:

[mcp]
name=Management Component Pack
baseurl=http://downloads.linux.hpe.com/repo/mcp/centos/$releasever/$basearch/current/
enabled=1
gpgkey=file:///etc/pki/rpm-gpg/GPG-KEY-mcp

[spp]
name=Service Pack for ProLiant
baseurl=http://downloads.linux.hpe.com/SDR/repo/spp/RHEL/$releasever/$basearch/current/
enabled=1
gpgkey=file:///etc/pki/rpm-gpg/GPG-KEY-mcp

():

$ sudo yum --disablerepo="*" --enablerepo="mcp" list available
$ yum info amsd


Installation and launch:

$ sudo yum install amsd ssacli
$ sudo systemctl start amsd

An example of a disk controller utility


That's all for now. In the following articles I plan to tell some basic operations and applications. For example, how to make VDI in oVirt.

More articles:


All Articles