Monday, 29 October 2018

Installing the FreeIPA service on CentOS / RHEL 7

Learning objectives:
  • Install the FreeIPA service on the CentOS / RHEL 7 Linux operating system!
  • You need to have your own DNS server set up first!
Installation and configuration steps:
  1. Update the system and install the required packages first!
    # yum -y upgrade
    # reboot
    
  2. Set the hostname:
    # hostnamectl set-hostname dns.example.com
    # echo "192.168.100.120 dns.example.com dns" >> /etc/hosts
    # echo "nameserver 127.0.0.1" > /etc/resolv.conf
    
  3. Install the IPA Server packages!
    # yum install -y ipa-server ipa-server-dns
    
  4. Configure the IPA Server!
    # ipa-server-install --setup-dns
    (Adjust the following answers to suit your environment!)
    Server host name [dns.example.com]:
    Please confirm the domain name [example.com]:
    Please provide a realm name [EXAMPLE.COM]:
    Directory Manager password:
    Password (confirm):
    IPA admin password: 
    Password (confirm):
    Do you want to configure DNS forwarders? [yes]:
    Do you want to configure these servers as DNS forwarders? [yes]: no
    Enter an IP address for a DNS forwarder, or press Enter to skip:
    Do you want to search for missing reverse zones? [yes]:
    Continue to configure the system with these values? [no]: yes
    ...(output omitted)...
    (Seeing the following means the installation succeeded!)
    ==============================================================================
    Setup complete
    
    Next steps:
     1. You must make sure these network ports are open:
      TCP Ports:
        * 80, 443: HTTP/HTTPS
        * 389, 636: LDAP/LDAPS
        * 88, 464: kerberos
        * 53: bind
      UDP Ports:
        * 88, 464: kerberos
        * 53: bind
        * 123: ntp
    
     2. You can now obtain a kerberos ticket using the command: 'kinit admin'
        This ticket will allow you to use the IPA tools (e.g., ipa user-add)
        and the web user interface.
    
    Be sure to back up the CA certificates stored in /root/cacert.p12
    These files are required to create replicas. The password for these
    files is the Directory Manager password
    
  5. Perform the initial setup:
    # kinit admin
    Password for admin@EXAMPLE.COM:
    
  6. Check the ticket list:
    # klist
    Ticket cache: KEYRING:persistent:0:0
    Default principal: admin@EXAMPLE.COM
    
    Valid starting       Expires              Service principal
    2018-10-29T12:25:08  2018-10-30T12:24:57  krbtgt/EXAMPLE.COM@EXAMPLE.COM
    
  7. Change the default login shell:
    # ipa config-mod --defaultshell=/bin/bash
    
  8. Configure the firewall!
    # firewall-cmd --add-service={http,https,freeipa-ldap,freeipa-ldaps,dns,ntp,kerberos} --permanent
    # firewall-cmd --reload
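
A post-install check for the port list that ipa-server-install printed under "Next steps", added here as an example (it is not part of the original post): it compares the listeners reported by ss -H -ltn / ss -H -lun with the required TCP and UDP ports. The ss output embedded below is constructed, not captured from the post's host.

```python
# Added example, not from the original post: check that every port listed by
# ipa-server-install under "Next steps" actually has a listener.
import re
import subprocess

# Port list exactly as printed by ipa-server-install.
REQUIRED = {"tcp": {80: "HTTP", 443: "HTTPS", 389: "LDAP", 636: "LDAPS",
                    88: "kerberos", 464: "kerberos", 53: "bind"},
            "udp": {88: "kerberos", 464: "kerberos", 53: "bind", 123: "ntp"}}

def listening_ports(ss_output):
    """Local ports from `ss -H -ltn`/`ss -H -lun`; column 4 is e.g. 0.0.0.0:389, *:88, [::]:22."""
    ports = set()
    for line in ss_output.splitlines():
        fields = line.split()
        m = re.search(r":(\d+)$", fields[3]) if len(fields) >= 5 else None
        if m:
            ports.add(int(m.group(1)))
    return ports

def missing_ports(proto, ss_output):
    """Return {port: service} for required ports of `proto` with no listener."""
    have = listening_ports(ss_output)
    return {p: svc for p, svc in REQUIRED[proto].items() if p not in have}

def check_live_host():
    """Run ss on this IPA server and report missing listeners per protocol."""
    report = {}
    for proto, flag in (("tcp", "-ltn"), ("udp", "-lun")):
        out = subprocess.run(["ss", "-H", flag], capture_output=True, text=True, check=True)
        report[proto] = missing_ports(proto, out.stdout)
    return report

# Constructed sample output (not captured from the post's host): 636/tcp is not up yet.
SAMPLE_TCP = """\
LISTEN 0 128 0.0.0.0:80 0.0.0.0:*
LISTEN 0 128 0.0.0.0:443 0.0.0.0:*
LISTEN 0 128 0.0.0.0:389 0.0.0.0:*
LISTEN 0 128 *:88 *:*
LISTEN 0 128 *:464 *:*
LISTEN 0 10 192.168.100.120:53 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
"""
SAMPLE_UDP = """\
UNCONN 0 0 0.0.0.0:88 0.0.0.0:*
UNCONN 0 0 0.0.0.0:464 0.0.0.0:*
UNCONN 0 0 192.168.100.120:53 0.0.0.0:*
UNCONN 0 0 0.0.0.0:123 0.0.0.0:*
"""

if __name__ == "__main__":
    print("missing tcp:", missing_ports("tcp", SAMPLE_TCP))  # {636: 'LDAPS'}
    print("missing udp:", missing_ports("udp", SAMPLE_UDP))  # {}
```

On the server itself, check_live_host() runs ss and returns the same per-protocol report for the real listeners.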
    

References:
  • https://www.server-world.info/en/note?os=CentOS_7&p=ipa&f=1
  • https://www.howtoing.com/how-to-set-up-centralized-linux-authentication-with-freeipa-on-centos-7

Tuesday, 9 October 2018

Installing the oVirt 4.2 service on CentOS / RHEL 7

Learning objectives:
  • Install the oVirt service on the CentOS / RHEL 7 Linux operating system!
  • Use three hosts for the installation: one runs ovirt-engine, one runs the PostgreSQL database, and the third is the Enterprise Linux Host!
  • The firewall can be turned off for now; protection by a hardware firewall is sufficient!
oVirt Engine installation and configuration steps:
  1. Update the system and install the required packages first!
    # yum -y upgrade
    # reboot
    
  2. Install the packages required by oVirt Engine:
    # yum install http://resources.ovirt.org/pub/yum-repo/ovirt-release42.rpm
    # yum -y upgrade
    # reboot
    # yum -y install ovirt-engine
    
    PS: install the database first! See the Database installation and configuration steps in this post!
  3. Start the oVirt Engine setup:
    # engine-setup
    (Answer the following prompts according to your actual situation!)
    --== PRODUCT OPTIONS ==--
    Configure Engine on this host (Yes, No) [Yes]: 
    Configure ovirt-provider-ovn (Yes, No) [Yes]:
    Configure Image I/O Proxy on this host (Yes, No) [Yes]:
    Configure Data Warehouse on this host (Yes, No) [Yes]: 
    Configure VM Console Proxy on this host (Yes, No) [Yes]: 
    
    --== NETWORK CONFIGURATION ==--
    Host fully qualified DNS name of this server [ovirt42.hello.tw]:
    Do you want Setup to configure the firewall? (Yes, No) [Yes]:
    
    --== DATABASE CONFIGURATION ==--
    Where is the DWH database located? (Local, Remote) [Local]: Remote (Remote because an external database is used)
    Where is the Engine database located? (Local, Remote) [Local]: Remote
    DWH database host [localhost]: database.hello.tw
    DWH database port [5432]:
    DWH database secured connection (Yes, No) [No]:
    DWH database name [ovirt_engine_history]: ovirt
    DWH database user [ovirt_engine_history]: ovirt
    DWH database password:
    
    ATTENTION
    
    Manual action required.
    Please create database for ovirt-engine use.
    
    Engine database host [localhost]: database.hello.tw
    Engine database port [5432]: 
    Engine database secured connection (Yes, No) [No]:   
    Engine database name [engine]:
    
    --== OVIRT ENGINE CONFIGURATION ==--
             
    Engine admin password:
    Confirm engine admin password:
    Use default credentials (admin@internal) for ovirt-provider-ovn (Yes, No) [Yes]:
    
    --== STORAGE CONFIGURATION ==--
    Default SAN wipe after delete (Yes, No) [No]: 
    
    --== PKI CONFIGURATION ==--
    Organization name for certificate [tdhome.tw]:
    
    --== APACHE CONFIGURATION ==--
    Do you wish to set the application as the default page of the web server? (Yes, No) [Yes]:
    Do you wish Setup to configure that, or prefer to perform that manually? (Automatic, Manual) [Automatic]:
    
    --== MISC CONFIGURATION ==--
    Please choose Data Warehouse sampling scale:
              (1) Basic
              (2) Full
              (1, 2)[1]: 2
    
    --== CONFIGURATION PREVIEW ==--
    Please confirm installation settings (OK, Cancel) [OK]:
    
  4. Pay attention to the final messages!
    Please use the user 'admin@internal' and password specified in order to login
    Web access is enabled at:
        http://ovirt42.hello.tw:80/ovirt-engine
        https://ovirt42.hello.tw:443/ovirt-engine
    Log file is located at /var/log/ovirt-engine/setup/ovirt-engine-setup-20181010114454-hs87tz.log
    Generating answer file '/var/lib/ovirt-engine/setup/answers/20181010115332-setup.conf'
    
  5. After logging in through the web UI, you can add host nodes and create VMs!!
Database installation and configuration steps:
  • Only the specified PostgreSQL version, 9.5.14, can be used for the database! ovirt-release42 provides it!
  1. Update the system and install the required packages first!
    # yum install http://resources.ovirt.org/pub/yum-repo/ovirt-release42.rpm
    # yum -y upgrade
    # reboot
    
  2. Install and configure the PostgreSQL 9.5.14 database packages!
    # yum install 'rh-postgresql95-*'
    # scl enable rh-postgresql95 -- postgresql-setup --initdb
    * Initializing database in '/var/opt/rh/rh-postgresql95/lib/pgsql/data'
    * Initialized, logs are in /var/lib/pgsql/initdb_rh-postgresql95-postgresql.log
    
  3. Start the PostgreSQL database!
    # systemctl enable rh-postgresql95-postgresql
    # systemctl start rh-postgresql95-postgresql
    
  4. Set the password of the PostgreSQL postgres account!
    # su - postgres -c 'scl enable rh-postgresql95 -- psql'
    postgres=# ALTER USER postgres WITH PASSWORD 'abc123';
    postgres=# \q
    
  5. Edit the PostgreSQL configuration files!
    # cd /var/opt/rh/rh-postgresql95/lib/pgsql/data/
    # vim postgresql.conf
    (change only the settings that need changing)
    listen_addresses = '*'
    autovacuum_vacuum_scale_factor = 0.01
    autovacuum_analyze_scale_factor = 0.075
    autovacuum_max_workers = 6
    work_mem = 8MB
    maintenance_work_mem = 64MB
    max_connections = 150
    
    # vim pg_hba.conf
    (append as the last line)
    host    all             all             192.168.100.0/24        md5
    
    # systemctl restart rh-postgresql95-postgresql
    
  6. Adjust the firewall settings:
    # firewall-cmd --zone=public --add-service=postgresql
    # firewall-cmd --permanent --zone=public --add-service=postgresql
    
  7. Log in to the database and create the dedicated oVirt database, account and password:
    # su - postgres -c 'scl enable rh-postgresql95 -- psql'
    postgres=# CREATE ROLE ovirt WITH LOGIN ENCRYPTED PASSWORD 'abc123';
    postgres=# CREATE DATABASE ovirt OWNER ovirt TEMPLATE template0 ENCODING 'UTF8' LC_COLLATE 'en_US.UTF-8' LC_CTYPE 'en_US.UTF-8';
    postgres=# \c ovirt;
    ovirt=# CREATE EXTENSION "uuid-ossp";
    ovirt=# CREATE LANGUAGE plpgsql;
    ovirt=# \q
    
  8. Restart the PostgreSQL database and test:
    # systemctl restart rh-postgresql95-postgresql
    
  9. Log in to the database and create the dedicated Engine database, account and password:
    # su - postgres -c 'scl enable rh-postgresql95 -- psql'
    postgres=# CREATE ROLE engine WITH LOGIN ENCRYPTED PASSWORD 'abc123';
    postgres=# CREATE DATABASE engine OWNER engine TEMPLATE template0 ENCODING 'UTF8' LC_COLLATE 'en_US.UTF-8' LC_CTYPE 'en_US.UTF-8';
    postgres=# \c engine;
    engine=# CREATE EXTENSION "uuid-ossp";
    engine=# CREATE LANGUAGE plpgsql;
    engine=# \q
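
The pg_hba.conf rule appended in step 5 decides which clients may reach the two databases created above. The following auditor is an added example (not code from the post or from oVirt): it parses pg_hba.conf rules and flags weak authentication methods, over-broad client networks and non-TLS host rules; the sample file is constructed.

```python
# Added example, not from the original post: audit pg_hba.conf rules such as the
# "host all all 192.168.100.0/24 md5" line appended in step 5 above.
import ipaddress

WEAK_METHODS = {"trust", "password"}   # no authentication / cleartext password

def parse_hba(text):
    """Return (type, database, user, network, method) per active rule.
    Network is None for 'local' rules and stays a string for hostnames/samenet."""
    rules = []
    for raw in text.splitlines():
        f = raw.split("#", 1)[0].split()            # drop comments and blank lines
        if f and f[0] == "local" and len(f) >= 4:
            rules.append(("local", f[1], f[2], None, f[3]))
        elif f and f[0] in ("host", "hostssl", "hostnossl") and len(f) >= 5:
            if "/" not in f[3] and len(f) >= 6 and f[4].replace(".", "").isdigit():
                net, method = f[3] + "/" + f[4], f[5]   # "IP MASK" form (IPv4)
            else:
                net, method = f[3], f[4]               # CIDR or hostname form
            try:
                net = ipaddress.ip_network(net, strict=False)
            except ValueError:
                pass
            rules.append((f[0], f[1], f[2], net, method))
    return rules

def audit_hba(text, max_hosts=256):
    """Flag weak methods, over-broad client networks and non-TLS 'host' rules."""
    findings = []
    for typ, db, user, net, method in parse_hba(text):
        where = f"{typ} {db} {user} {'' if net is None else net}".strip()
        if method in WEAK_METHODS:
            findings.append(f"{where}: method '{method}' sends no or cleartext credentials")
        if getattr(net, "num_addresses", 0) > max_hosts:
            findings.append(f"{where}: {net} admits {net.num_addresses} client addresses")
        if typ == "host" and net is not None and method == "md5":
            findings.append(f"{where}: 'host' also accepts non-TLS connections; prefer hostssl")
    return findings

# Constructed sample pg_hba.conf (not the file from the post).
SAMPLE_HBA = """\
# TYPE  DATABASE  USER   ADDRESS               METHOD
local   all       all                          peer
host    all       all    127.0.0.1/32          ident
host    all       all    192.168.100.0/24      md5
host    all       all    0.0.0.0/0             trust
host    ovirt     ovirt  10.0.0.0 255.0.0.0    password
"""

if __name__ == "__main__":
    for finding in audit_hba(SAMPLE_HBA):
        print(finding)
```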
    
Enterprise Linux Hosts installation and configuration steps:
  1. Update the system and install the required packages first!
    # yum install http://resources.ovirt.org/pub/yum-repo/ovirt-release42.rpm
    # yum -y upgrade
    
  2. Install the Cockpit package!
    # yum install cockpit-ovirt-dashboard
    
  3. Start the Cockpit service!
    # systemctl enable cockpit.socket
    # systemctl start cockpit.socket
    
  4. Log in to https://localhost:9090 with Firefox
References:
  • https://ovirt.org/documentation/install-guide/Installation_Guide/

Monday, 1 October 2018

Installing the Graylog service on CentOS / RHEL 7

Learning objectives:
  • Install the Graylog service on the CentOS / RHEL 7 Linux operating system!
  • Graylog is a service that collects system logs from many hosts onto one server; it can also be used for monitoring and analysis!
  • The host on which Graylog is installed is named Systemlog1!
Server setup steps:
  1. On Systemlog1, update the system and install the prerequisite packages!
    # yum upgrade
    # yum install epel-release
    # yum install java-1.8.0-openjdk-headless.x86_64
    # yum install pwgen
    
  2. On Systemlog1, install the MongoDB package:
    # vim /etc/yum.repos.d/mongodb-org-3.6.repo
    [mongodb-org-3.6]
    name=MongoDB Repository
    baseurl=https://repo.mongodb.org/yum/redhat/$releasever/mongodb-org/3.6/x86_64/
    gpgcheck=1
    enabled=1
    gpgkey=https://www.mongodb.org/static/pgp/server-3.6.asc
    
    
    # yum install -y mongodb-org
    # systemctl daemon-reload
    # systemctl enable mongod.service
    # systemctl start mongod.service
    # systemctl status mongod.service -l
    
  3. On Systemlog1, install the Elasticsearch package:
    # rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch
    # vim /etc/yum.repos.d/elasticsearch.repo
    [elasticsearch-5.x]
    name=Elasticsearch repository for 5.x packages
    baseurl=https://artifacts.elastic.co/packages/5.x/yum
    gpgcheck=1
    gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
    enabled=1
    autorefresh=1
    type=rpm-md
    
    # yum install elasticsearch
    # vim /etc/elasticsearch/elasticsearch.yml
    (change only the settings that need changing)
    cluster.name: graylog
    
    # systemctl enable elasticsearch.service
    # systemctl restart elasticsearch.service
    # systemctl status elasticsearch.service -l
    
  4. On Systemlog1, download and install the Graylog package:
    # rpm -Uvh https://packages.graylog2.org/repo/packages/graylog-2.4-repository_latest.rpm
    # yum install graylog-server
    # pwgen -N 1 -s 96 (generates the secret for password_secret)
    # echo -n yourpassword | shasum -a 256 (generates the hash for root_password_sha2)
    # vim /etc/graylog/server/server.conf
    (change only the settings that need changing...)
    password_secret = (the secret generated by pwgen)
    root_username = admin
    root_password_sha2 = (the hash generated by shasum)
    root_timezone = Asia/Taipei
    rest_listen_uri = http://127.0.0.1:9000/api/
    web_listen_uri = http://127.0.0.1:9000/
    
    # systemctl enable graylog-server.service
    # systemctl start graylog-server.service
    # yum install policycoreutils-python
    # systemctl status graylog-server.service -l (the start will probably fail!)
    
  5. On Systemlog1, adjust the SELinux settings:
    # setsebool -P httpd_can_network_connect 1
    # semanage port -a -t http_port_t -p tcp 9000
    # semanage port -a -t http_port_t -p tcp 9200
    # semanage port -a -t mongod_port_t -p tcp 27017
    # less /var/log/messages (find the sealert lines)
    # sealert -l XXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXX
    # ausearch -c 'ftdc' --raw | audit2allow -M my-ftdc
    # systemctl restart graylog-server.service
    # systemctl status graylog-server.service -l
    
  6. On Systemlog1, adjust the firewall settings:
    # firewall-cmd --add-port=9000/tcp
    # firewall-cmd --add-port=8514/tcp
    # firewall-cmd --add-port=514/tcp
    # firewall-cmd --list-all
    
  7. On Systemlog1, open http://127.0.0.1:9000 in Firefox to log in!

Client setup steps:
  1. On the client hosts, edit the rsyslog configuration file:
    # vim /etc/rsyslog.conf
    (change only the required item:)
    #### GLOBAL DIRECTIVES ####
    *.* @@Systemlog1:8514;RSYSLOG_SyslogProtocol23Format
    
    # systemctl restart rsyslog
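
The rsyslog rule above forwards every message over TCP in RSYSLOG_SyslogProtocol23Format, which is the RFC 5424 layout (<PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG). The parser below is an added example (not code from the post or from Graylog) that splits such lines into fields and, as one detection on top of them, counts failed SSH logins per reporting host and source address; the sample lines are constructed.

```python
# Added example, not from the original post: parse the RFC 5424 lines that
# RSYSLOG_SyslogProtocol23Format sends to Systemlog1:8514 and count failed
# SSH logins per (host, source IP). Sample lines are constructed.
import re
from collections import Counter

FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert",
              "clock"] + [f"local{i}" for i in range(8)]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
# <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID, then structured data and message
HEADER_RE = re.compile(r"^<(\d{1,3})>1 (\S+) (\S+) (\S+) (\S+) (\S+) ")
SD_RE = re.compile(r"(?:\[(?:[^\]\\]|\\.)*\])+")   # one or more [id k="v" ...] elements
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+)")

def parse_5424(line):
    """Split one RFC 5424 line into header fields, structured data and message."""
    m = HEADER_RE.match(line)
    if not m or int(m.group(1)) > 191:
        raise ValueError(f"not an RFC 5424 line: {line[:40]!r}")
    pri = int(m.group(1))
    rest = line[m.end():]
    if rest.startswith("-"):            # NILVALUE: no structured data
        sd, rest = None, rest[1:]
    else:
        sm = SD_RE.match(rest)
        if not sm:
            raise ValueError("malformed STRUCTURED-DATA")
        sd, rest = sm.group(0), rest[sm.end():]
    return {"facility": FACILITIES[pri >> 3], "severity": SEVERITIES[pri & 7],
            "timestamp": m.group(2), "host": m.group(3), "app": m.group(4),
            "procid": m.group(5), "msgid": m.group(6), "sd": sd,
            "msg": rest[1:] if rest.startswith(" ") else rest}

def failed_logins(lines):
    """Count sshd 'Failed password' events per (reporting host, source IP)."""
    hits = Counter()
    for line in lines:
        ev = parse_5424(line)
        if ev["app"] == "sshd" and ev["facility"] in ("auth", "authpriv"):
            fm = FAILED_RE.search(ev["msg"])
            if fm:
                hits[(ev["host"], fm.group(2))] += 1
    return hits

# Constructed sample as received on Systemlog1 (TCP, one record per line).
SAMPLE = """\
<86>1 2018-10-01T10:15:02.123456+08:00 web1 sshd 2201 - - Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
<86>1 2018-10-01T10:15:04.003000+08:00 web1 sshd 2201 - - Failed password for root from 203.0.113.7 port 51023 ssh2
<30>1 2018-10-01T10:15:05.000000+08:00 web1 systemd 1 - - Started Session 42 of user alice.
<85>1 2018-10-01T10:15:09.500000+08:00 db1 sudo 3310 - [meta sequenceId="7"] alice : TTY=pts/0 ; COMMAND=/bin/systemctl restart rh-postgresql95-postgresql
""".splitlines()
if __name__ == "__main__":
    print(failed_logins(SAMPLE))   # Counter({('web1', '203.0.113.7'): 2})
```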
    

References:
  • Official installation documentation: http://docs.graylog.org/en/2.4/pages/installation/os/centos.html

Wednesday, 31 January 2018

Adding an OpenStack Cinder storage node on CentOS/RHEL 7

Learning objectives:
  • Add a Cinder storage node to an OpenStack platform!
  • This example assumes the OpenStack platform already has a Control node set up!
Steps:
  1. On the Cinder node, set up the LVM storage space!
  2. On the Cinder node, install the required packages:
    # yum install openstack-cinder targetcli python-keystone
    
  3. On the Cinder node, edit the configuration file:
    # cd /etc/cinder
    # vim cinder.conf
    (change the following settings; leave the others unchanged...)
    [DEFAULT]
    my_ip = 192.168.100.3  (the IP address on which this Cinder node provides the Cinder service)
    glance_api_servers = http://192.168.100.1:9292 (list of glance API hosts this Cinder node connects to)
    enable_v3_api=True
    storage_availability_zone=nova
    default_availability_zone=nova
    default_volume_type=iscsi
    auth_strategy=keystone
    enabled_backends=lvm-op3 (this name matters: it must match the LVM backend section name, [lvm-op3], below)
    nova_catalog_info=compute:nova:publicURL
    nova_catalog_admin_info=compute:nova:adminURL
    osapi_volume_listen=0.0.0.0
    osapi_volume_workers=32
    iscsi_protocol = iscsi
    debug=False
    log_dir=/var/log/cinder
    transport_url=rabbit://guest:guest@192.168.100.1:5672/
    control_exchange=openstack
    api_paste_config=/etc/cinder/api-paste.ini
    glance_host=192.168.100.1
    [backend]
    [backend_defaults]
    [barbican]
    [brcd_fabric_example]
    [cisco_fabric_example]
    [coordination]
    [cors]
    [database]
    connection=mysql+pymysql://cinder:0d9082d5643849e4@192.168.100.1/cinder
    [fc-zone-manager]
    [healthcheck]
    [key_manager]
    [keystone_authtoken]
    auth_uri=http://192.168.100.1:5000/
    auth_type=password
    auth_url=http://192.168.100.1:35357
    username=cinder
    password=HelloWorld
    project_name=services
    [matchmaker_redis]
    [nova]
    [oslo_concurrency]
    lock_path=/var/lib/cinder/tmp
    [oslo_messaging_amqp]
    [oslo_messaging_kafka]
    [oslo_messaging_notifications]
    driver=messagingv2
    [oslo_messaging_rabbit]
    ssl=False
    [oslo_messaging_zmq]
    [oslo_middleware]
    [oslo_policy]
    policy_file=/etc/cinder/policy.json
    [oslo_reports]
    [oslo_versionedobjects]
    [profiler]
    [ssl]
    [lvm-op3]
    volume_backend_name=lvm
    volume_driver=cinder.volume.drivers.lvm.LVMVolumeDriver
    iscsi_ip_address=192.168.100.5
    iscsi_helper=lioadm
    volume_group=data
    volumes_dir=/var/lib/cinder/volumes
    
  4. On the Cinder node, create a log file:
    # touch /var/log/cinder/volume.log
    # chown root:cinder /var/log/cinder/volume.log
    # chmod g+w /var/log/cinder/volume.log
    # restorecon -R /etc/cinder
    # restorecon -R /var/log/cinder
    
  5. On the Cinder node, start the Cinder Volume service:
    # systemctl enable openstack-cinder-volume.service target.service
    # systemctl start openstack-cinder-volume.service target.service
    
  6. On the Control node, query the Cinder services:
    (keystone_admin)]# cinder service-list
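
The cinder.conf edited in step 3 carries the broker account in transport_url, the database password in [database] connection and the Keystone service password in [keystone_authtoken]. The scanner below is an added example (not code from the post or from OpenStack) that lists such plain-text credentials in an oslo-style INI file so they can be rotated or moved; its sample uses the post's keys with placeholder values.

```python
# Added example, not from the original post: find credentials that sit in plain
# text in an OpenStack service config such as the cinder.conf edited above
# (password keys and user:password@ in connection URLs). The sample is
# constructed from the keys used in the post, with placeholder values.
import configparser
from urllib.parse import urlsplit

URL_KEYS = {"transport_url", "connection"}          # rabbit:// and mysql+pymysql:// URLs
PASSWORD_KEYS = {"password", "rabbit_password"}

def find_embedded_credentials(text):
    """Return (section, key, issue) for every plain-text credential found."""
    # default_section is renamed so [DEFAULT] is scanned as an ordinary section
    # instead of being merged into every other section's items.
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   default_section="__none__")
    cp.read_string(text)
    findings = []
    for section in cp.sections():
        for key, value in cp.items(section):
            if key in PASSWORD_KEYS and value:
                findings.append((section, key, "plain-text password"))
            elif key in URL_KEYS and "@" in value:
                u = urlsplit(value)
                if (u.username, u.password) == ("guest", "guest"):
                    findings.append((section, key, "default guest:guest broker credentials"))
                elif u.password is not None:
                    findings.append((section, key, "password embedded in URL"))
    return findings

def scan_file(path):
    with open(path, encoding="utf-8") as fh:
        return find_embedded_credentials(fh.read())

# Constructed sample (placeholder values, not the post's).
SAMPLE_CONF = """\
[DEFAULT]
my_ip = 192.168.100.3
enabled_backends = lvm-op3
transport_url = rabbit://guest:guest@192.168.100.1:5672/
[database]
connection = mysql+pymysql://cinder:CINDER_DB_PASSWORD@192.168.100.1/cinder
[keystone_authtoken]
auth_url = http://192.168.100.1:35357
username = cinder
password = KEYSTONE_PASSWORD
[lvm-op3]
volume_driver = cinder.volume.drivers.lvm.LVMVolumeDriver
volume_group = data
"""

if __name__ == "__main__":
    for section, key, issue in find_embedded_credentials(SAMPLE_CONF):
        print(f"[{section}] {key}: {issue}")
```

scan_file("/etc/cinder/cinder.conf") runs the same check against the live file on the Cinder node.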
    

Reference example:
  • https://docs.openstack.org/mitaka/install-guide-rdo/cinder-storage-install.html

Sunday, 14 January 2018

Installing OpenStack packages on CentOS/RHEL 7

Learning objectives:
  • Install the OpenStack packages on a multi-node hardware platform!
  • This example uses three nodes!
Steps:
  1. On all three hosts, install the related packages:
    # yum update
    # reboot
    
  2. The firewall can be disabled temporarily on all three hosts:
    # systemctl disable firewalld
    # systemctl stop firewalld (it starts again automatically after a reboot! Turn it off again when needed!)
    
  3. Configure chronyd on all three hosts:
    # yum install chrony
    # vim /etc/chrony.conf
    server time.stdtime.gov.tw iburst
    
    # systemctl enable chronyd.service
    # systemctl restart chronyd.service
    
  4. On all three hosts, disable NetworkManager and enable the network service:
    # systemctl stop NetworkManager
    # systemctl disable NetworkManager
    # systemctl enable network
    # hostnamectl set-hostname control.example.com (different on each host!)
    # reboot
    
  5. On the Control Node, set up the ssh key used for connections:
    # ssh-keygen
    # ssh-copy-id -i /root/.ssh/id_rsa.pub root@192.168.1.2
    # ssh-copy-id -i /root/.ssh/id_rsa.pub root@192.168.1.3
    # ssh network
    
  6. On the Control Node, edit the /etc/hosts file:
    # vim /etc/hosts
    (other entries omitted...)
    192.168.1.1 control control.example.com
    192.168.1.2 network network.example.com
    192.168.1.3 compute1 compute1.example.com
    
  7. On the Control Node, copy the /etc/hosts file to the other two hosts:
    # scp /etc/hosts root@192.168.1.2:/etc/
    # scp /etc/hosts root@192.168.1.3:/etc/
    
  8. On all three hosts, install the OpenStack Pike repository package:
    # yum install centos-release-openstack-pike
    # yum upgrade
    # reboot
    # yum install python-openstackclient
    # yum install openstack-selinux
    
  9. On the Control Node, install the PackStack package, which helps install and configure OpenStack:
    # yum install openstack-packstack
    
  10. On the Control Node, generate the answer.txt file and edit its contents:
    # packstack --gen-answer-file=/root/answer.txt
    # vim /root/answer.txt
    (partially omitted; only the settings that must be changed are shown...)
    CONFIG_DEFAULT_PASSWORD=a123456
    CONFIG_CEILOMETER_INSTALL=y
    CONFIG_NTP_SERVERS=tick.stdtime.gov.tw
    CONFIG_CONTROLLER_HOST=192.168.1.1
    CONFIG_COMPUTE_HOSTS=192.168.1.3
    CONFIG_NETWORK_HOSTS=192.168.1.2
    CONFIG_PROVISION_DEMO=n
    CONFIG_KEYSTONE_ADMIN_PW=a123456
    CONFIG_HEAT_INSTALL=y
    CONFIG_CINDER_VOLUMES_CREATE=y
    CONFIG_LBAAS_INSTALL=y
    CONFIG_CINDER_VOLUME_NAME=data
    CONFIG_NEUTRON_METERING_AGENT_INSTALL=y
    CONFIG_NEUTRON_FWAAS=y
    CONFIG_NEUTRON_ML2_TYPE_DRIVERS=vlan
    CONFIG_NEUTRON_ML2_TENANT_NETWORK_TYPES=vlan
    CONFIG_NEUTRON_ML2_VLAN_RANGES=physnet1:1:1000
    CONFIG_NEUTRON_OVS_BRIDGE_MAPPINGS=physnet1:br-eth1
    CONFIG_NEUTRON_OVS_BRIDGE_IFACES=br-eth1:eth1
    CONFIG_HEAT_CFN_INSTALL=y
    CONFIG_HORIZON_SSL=y
    CONFIG_SWIFT_INSTALL=n
    
  11. On the Control Node, run the OpenStack installation:
    # packstack --answer-file=/root/answer.txt
    

References:
  • http://www.techsupportpk.com/2016/12/installing-openstack-on-multi-node-in-linux.html
  • https://www.linuxtechi.com/multiple-node-openstack-liberty-installation-on-centos-7-x/
  • https://www.linuxtechi.com/multinode-openstack-newton-installation-centos7/