Advanced Architecture Lab

Source: Internet   Published by: 白贺翔 java架构师   Editor: 程序博客网   Time: 2024/05/23 19:14

In this lab, you explore and implement an advanced CloudForms appliance with multi-tier architecture. The lab steps through the process of breaking up appliance roles into multi-tier appliances.

The lab creates an environment with an architecture similar to that shown in this diagram:

[Figure: multi-tier CloudForms architecture diagram]
  • One appliance is dedicated to the database.

  • One appliance is dedicated to the web UI.

  • Five appliances are dedicated to be the workers.

  • End users connect only to the UI appliance.

  • Only worker appliances communicate with the different providers (vCenter, RHV, SCVMM, OpenShift, etc.).

1. Configure the Database

In this section, you set up the initial database configuration.

1.1. Log In and Connect to CloudForms Appliance

  1. Log in using SSH:

    # ssh <your username>-redhat.com@workstation-<UID>.rhpds.opentlc.com
  2. From the workstation host, use SSH to remotely connect to the appliance (password issmartvm):

    # ssh root@cf.example.com
  3. Verify that your output is similar to the following, indicating that you are now logged in to the CloudForms appliance:

    Last login: Fri Dec 18 14:38:39 2015 from workstation-[GUID].rhpds.opentlc.com
    Welcome to the Appliance Console
    For a menu, type: appliance_console.

1.2. Configure CloudForms Database

  1. Start the console:

    # appliance_console
  2. Verify that your console information page is similar to this example:

    Welcome to the CFME Virtual Appliance.
    To modify the configuration, use a web browser to access the management page.

    Hostname:                      cf-[GUID].rhpds.opentlc.com
    IP Address:                    192.168.0.100
    Netmask:                       255.255.0.0
    Gateway:                       192.168.0.2
    Primary DNS:                   192.168.0.1
    Secondary DNS:
    Search Order:                  localdomain rhpds.opentlc.com
    MAC Address:                   2c:c2:60:3d:70:15
    Timezone:                      America/New_York
    Local Database:                not running
    CFME Database:                 not configured
    Database/Region:               not configured
    External Auth:                 not configured
    CFME Version:                  5.5.0.13
    CFME Console:                  not configured

    Press any key to continue.
  3. Press any key to open the Advanced Setting menu:

    Advanced Setting

    1) Set DHCP Network Configuration
    2) Set Static Network Configuration
    3) Test Network Configuration
    4) Set Hostname
    5) Set Timezone, Date, and Time
    6) Restore Database From Backup
    7) Setup Database Region
    8) Configure Database
    ...OUTPUT OMITTED...
    Choose the advanced setting:
  4. Enter 8 to Configure Database and verify that your output is similar to the following:

    Configure Database

    No encryption key found.
    For migrations, copy encryption key from a hardened appliance.
    For worker and multi-region setups, copy key from another appliance.
    If this is your first appliance, just generate one now.

    Encryption Key
    1) Create key
    2) Fetch key from remote machine
    Choose the encryption key: |1|
    1. Enter 1 to Create key and confirm that your key is created:

      Encryption key now configured.
    2. From the Database Operation menu, enter 1 to Create Internal Database:

      Database Operation
      1) Create Internal Database
      2) Create Region in External Database
      3) Join Region in External Database
      4) Reset Configured Database
      Choose the database operation: 1
    3. Enter 1 to select the /dev/vdb disk device:

      database disk
      1) /dev/vdb: 10240 MB
      2) Don't partition the disk
      Choose the database disk: |1|
    4. When prompted, enter 0 for database region number:

      Each database region number must be unique.
      Enter the database region number: 0
    5. When prompted for the database password and password confirmation, enter r3dh4t1! twice:

      Enter the database password on 127.0.0.1: ********
      Enter the database password again: ********
    6. Wait a few minutes and then verify that the database configuration is complete:

      Activating the configuration using the following settings...
      Host:     127.0.0.1
      Username: root
      Database: vmdb_production
      Region:   0

      Initialize postgresql disk starting
      Initialize postgresql disk complete
      Initialize postgresql starting
      Initialize postgresql complete
      Checking for connections to the database...
      Create region starting
      Create region complete
      Configuration activated successfully.

      Press any key to continue.
  5. Press any key when prompted.

  6. Verify that you see the CloudForms appliance information page:

    Welcome to the CFME Virtual Appliance.
    To modify the configuration, use a web browser to access the management page.

    Hostname:                      cf-261c.rhpds.opentlc.com
    IP Address:                    192.168.0.100
    Netmask:                       255.255.0.0
    Gateway:                       192.168.0.2
    Primary DNS:                   192.168.0.1
    Secondary DNS:
    Search Order:                  localdomain rhpds.opentlc.com
    MAC Address:                   2c:c2:60:3d:70:15
    Timezone:                      America/New_York
    Local Database:                running
    CFME Database:                 postgres @ localhost
    Database/Region:               vmdb_production / 0
    External Auth:                 not configured
    CFME Version:                  5.5.0.13
    CFME Console:                  https://192.168.0.100

    Press any key to continue.
  7. Press any key when prompted.

1.3. Lock Down the Appliance

  1. From the CloudForms Advanced Setting menu, enter 12 to access the Harden Appliance Using SCAP Configuration screen:

    Harden Appliance Using SCAP Configuration

    Locking down the appliance for SCAP...
    Complete

    Press any key to continue.
     The lock down process begins immediately without any further prompting.
  2. Press any key when prompted.

  3. Press any key when prompted again.

  4. Enter 18 to Quit the Advanced Setting menu.

     Part of the lockdown procedure causes idle SSH sessions to time out on the CloudForms appliance. While this can be inconvenient when running tail -f on logs, it is an important security measure.
  5. Use the exit command to log out of the appliance.

2. Configure UI and Workers

In this section, you add new appliances that are designated either as the UI appliance or a worker appliance. The UI appliance provides the main interface for users and administrators. It has no other function, such as database or SmartProxy. The worker appliances serve as workers for all CloudForms functions that do not provide a user interface or database.

  1. From the workstation host, become the root user, then configure the remaining appliances using the appliance_console_cli command over SSH.

  2. Run the following script to set up SSH keys to all the appliances, then configure them to use the central database appliance:

    $ sudo -i
    # hostlist="cfui.example.com cfwork1.example.com cfwork2.example.com cfwork3.example.com cfwork4.example.com cfwork5.example.com"
    # for host in $hostlist; do ssh-copy-id -o StrictHostKeyChecking=false $host; done
    # for host in $hostlist; do ssh root@$host "appliance_console_cli -a smartvm -p r3dh4t1! -h cf.example.com -K cf.example.com -H $host"; done
     Remember the default password for root on the appliances is smartvm. The -a option passes that SSH password so each appliance can fetch the encryption key (-K) from cf.example.com; -p is the database password you set in section 1, -h the database host and -H the appliance's own hostname. Note that StrictHostKeyChecking=false accepts whatever host key each appliance presents on first contact, and that both passwords appear in the workstation's shell history and in each appliance's process list while the command runs. That is acceptable in this lab environment but is not something to carry into production tooling.
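The following script is an added example, not part of the original lab, showing how the same bootstrap looks once the two shortcuts above are removed: appliance host keys are recorded and their fingerprints printed before any credential is sent, so a later key change makes ssh fail rather than silently connect; the passwords are read from the terminal instead of being typed into the shell history; and each appliance is checked afterwards by reading its database.yml (the CFME 5.x location /var/www/miq/vmdb/config/database.yml) and confirming the production stanza points at the database appliance. The hostnames and appliance_console_cli flags are the lab's; the function and variable names (`seed_known_hosts`, `configure_cmd`, `check_database_yml`, `DB_HOST`, `HOSTLIST`) are this example's own.

```shell
#!/bin/sh
# bootstrap_appliances.sh - added example, not part of the original lab.
# Run as root on the workstation host once the database appliance (section 1)
# is configured. Invoke with --run; without it only the functions are defined.
set -f   # no pathname expansion: lines of remote output are word-split below

DB_HOST="cf.example.com"
HOSTLIST="cfui.example.com cfwork1.example.com cfwork2.example.com \
          cfwork3.example.com cfwork4.example.com cfwork5.example.com"
KNOWN_HOSTS="${KNOWN_HOSTS:-/root/.ssh/known_hosts}"
SSH_OPTS="-o StrictHostKeyChecking=yes -o UserKnownHostsFile=$KNOWN_HOSTS"

# Record every appliance's host key once and print the fingerprints, so they can
# be compared with "ssh-keygen -lf /etc/ssh/ssh_host_*_key.pub" run on the
# appliance consoles before any credential is sent. From then on a changed key
# makes ssh fail instead of connecting.
seed_known_hosts() {
    for host in "$@"; do
        ssh-keyscan -t rsa,ecdsa,ed25519 "$host" 2>/dev/null >> "$KNOWN_HOSTS"
    done
    ssh-keygen -lf "$KNOWN_HOSTS"
}

# Single-quote a string for the remote shell, so a password such as r3dh4t1!
# reaches appliance_console_cli unchanged.
shquote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# The lab's appliance_console_cli invocation for one appliance: -a is the SSH
# password used to fetch the encryption key from -K, -p the database password,
# -h the database host and -H the appliance's own hostname. Returned as a
# string so it can be inspected without opening a connection.
configure_cmd() {
    printf 'appliance_console_cli -a %s -p %s -h %s -K %s -H %s' \
        "$(shquote "$2")" "$(shquote "$3")" "$DB_HOST" "$DB_HOST" "$1"
}

# Read a CFME database.yml on stdin and succeed only if the production:
# stanza's host: line names $1.
check_database_yml() {
    expected=$1; in_prod=0
    while IFS= read -r line; do
        case "$line" in
            production:*) in_prod=1; continue ;;
            " "*|"")      ;;                     # indented key or blank: same stanza
            *)            in_prod=0; continue ;; # another top-level stanza
        esac
        [ "$in_prod" -eq 1 ] || continue
        set -- $line                              # e.g. "host:" "cf.example.com"
        if [ "${1:-}" = "host:" ] && [ "${2:-}" = "$expected" ]; then
            return 0
        fi
    done
    return 1
}

configure_appliance() {
    ssh $SSH_OPTS "root@$1" "$(configure_cmd "$1" "$2" "$3")"
}

verify_appliance() {
    ssh $SSH_OPTS "root@$1" 'cat /var/www/miq/vmdb/config/database.yml' \
        | check_database_yml "$DB_HOST"
}

main() {
    printf 'SSH password for root on the appliances: '
    stty -echo; read -r ssh_pw; stty echo; echo
    printf 'Database password on %s: ' "$DB_HOST"
    stty -echo; read -r db_pw; stty echo; echo
    seed_known_hosts $HOSTLIST
    for host in $HOSTLIST; do
        ssh-copy-id $SSH_OPTS "root@$host"
        configure_appliance "$host" "$ssh_pw" "$db_pw"
        if verify_appliance "$host"; then
            echo "$host: database host is $DB_HOST"
        else
            echo "$host: database.yml does not point at $DB_HOST" >&2; exit 1
        fi
    done
}
if [ "${1:-}" = "--run" ]; then main; fi
```

ssh-copy-id still prompts for the root password of each appliance once, exactly as in the lab; what changes is that the password never appears on a command line, and the later appliance_console_cli run goes over a connection whose host key has already been pinned.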

3. Configure IdM Authentication on UI Appliance (CLI Portion)

 This step is for the UI appliance only—do not perform it for the worker appliances.
  1. Make sure you are in the cfui.example.com CLI.

    # ssh cfui.example.com
    # appliance_console
  2. Press any key to open the Advanced Setting menu:

    ...OUTPUT OMITTED...
    Advanced Setting
    ...OUTPUT OMITTED...
    10) Configure External Authentication (httpd)
    ...OUTPUT OMITTED...
    Choose the advanced setting:
  3. Enter 10 to configure external authentication (httpd).

  4. Enter idm.example.com as the IdM/IPA server hostname.

  5. Enter example.com as the server domain.

  6. Enter EXAMPLE.COM for the server realm.

  7. Enter admin for the server principal.

  8. Enter r3dh4t1! for the server principal password.

  9. Verify that your display looks similar to the following:

    Configure External Authentication (httpd)

    IPA Server Parameters:

    Enter the IPA Server Hostname: idm.example.com
    Enter the IPA Server Domain: |rhpds.opentlc.com| example.com
    Enter the IPA Server Realm: |EXAMPLE.COM| EXAMPLE.COM
    Enter the IPA Server Principal: |admin| admin
    Enter the IPA Server Principal Password: r3dh4t1!
  10. View the sample IPA server details, as shown here:

    IPA Server Details:
      Hostname:       idm.example.com
      Domain:         example.com
      Realm:          EXAMPLE.COM
      Naming Context: dc=example,dc=com
      Principal:      admin

    Proceed? (Y/N):
  11. At the Proceed? (Y/N) prompt, enter y.

  12. Review the IPA configuration output:

    Checking connectivity to idm.example.com ... Succeeded.
    Configuring IPA (may take a minute) ...
    Configuring the IPA Client ...
    Configuring pam ...
    Configuring sssd ...
    Configuring IPA HTTP Service and Keytab ...
    Configuring httpd ...
    Configuring SELinux ...
    Restarting sssd and httpd ...
    Configuring sssd to start upon reboots ...

    External Authentication configured successfully.

    Press any key to continue.
  13. Exit the Appliance TUI and log out of the appliance.
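"External Authentication configured successfully" only reports that the steps ran; the following script, an added example that is not part of the original lab, checks the outcome from the workstation: the UI appliance is enrolled as an IPA client, the HTTP service keytab holds the principal httpd needs for this host and realm, sssd resolves the IdM admin account, and httpd is back up after the restart. It also confirms that none of the worker appliances were enrolled by mistake, since the lab restricts this step to cfui.example.com. Assumptions beyond the lab: /etc/http.keytab as the keytab path written by appliance_console, /etc/ipa/default.conf as the marker that ipa-client-install has run, and the function names (`expected_principal`, `keytab_has_principal`, `check_ui_appliance`, `check_worker_not_enrolled`), which are this example's own.

```shell
#!/bin/sh
# check_external_auth.sh - added example, not part of the original lab.
# Run as root on the workstation host; uses the SSH keys distributed in
# section 2. Invoke with --run; without it only the functions are defined.
set -f

REALM="EXAMPLE.COM"
UI_HOST="cfui.example.com"
WORKERS="cfwork1.example.com cfwork2.example.com cfwork3.example.com \
         cfwork4.example.com cfwork5.example.com"
HTTP_KEYTAB="/etc/http.keytab"   # assumed: keytab written by appliance_console

# The Kerberos service principal httpd presents for an appliance hostname.
expected_principal() {
    printf 'HTTP/%s@%s' "$1" "$2"
}

# Read "klist -k" output on stdin; succeed if any entry is the wanted principal.
# Entries look like "   1 HTTP/cfui.example.com@EXAMPLE.COM"; header lines
# ("Keytab name: ...", "KVNO Principal") never match in field two.
keytab_has_principal() {
    wanted=$1
    while IFS= read -r line; do
        set -- $line
        [ "${2:-}" = "$wanted" ] && return 0
    done
    return 1
}

# On the UI appliance: IPA client enrolled, keytab holds our principal, sssd
# resolves an IdM user, and httpd is running again.
check_ui_appliance() {
    host=$1
    principal=$(expected_principal "$host" "$REALM")
    ssh "root@$host" 'test -f /etc/ipa/default.conf' \
        || { echo "$host: not enrolled as an IPA client" >&2; return 1; }
    ssh "root@$host" "klist -k $HTTP_KEYTAB" | keytab_has_principal "$principal" \
        || { echo "$host: $HTTP_KEYTAB lacks $principal" >&2; return 1; }
    ssh "root@$host" 'getent passwd admin >/dev/null' \
        || { echo "$host: sssd cannot resolve the IdM admin user" >&2; return 1; }
    ssh "root@$host" 'systemctl is-active httpd >/dev/null' \
        || { echo "$host: httpd is not running" >&2; return 1; }
    echo "$host: external authentication OK"
}

# The lab enrols only the UI appliance; a worker carrying an IPA client
# configuration was configured on the wrong host.
check_worker_not_enrolled() {
    host=$1
    if ssh "root@$host" 'test -f /etc/ipa/default.conf'; then
        echo "$host: unexpectedly enrolled in IdM" >&2; return 1
    fi
    echo "$host: not enrolled (expected)"
}

main() {
    check_ui_appliance "$UI_HOST" || exit 1
    for w in $WORKERS; do check_worker_not_enrolled "$w" || exit 1; done
}
if [ "${1:-}" = "--run" ]; then main; fi
```

A missing principal in the keytab is the usual reason the web UI later falls back to local authentication even though the TUI reported success, so that check is the one worth keeping in any post-configuration runbook.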

4. Install VMware VDDK

 Complete this step on all worker appliances, but NOT on the UI appliance.

Any appliance that serves the SmartProxy role and that interacts with vSphere must have the VMware Virtual Disk Development Kit (VDDK) installed.
This lab provides a copy of the VDDK tarball on the workstation server for you. In practice, you download this from the VMware website directly using the following steps:

  1. Navigate to Downloads → All Downloads, Drivers & Tools → VMware vSphere → Drivers & Tools.

  2. Expand Automation Tools and SDKs.

  3. Select vSphere Virtual Disk Development Kit 5.5.

Alternatively, you can find the file by searching for it on the VMware website using the website’s search menu.

  1. Copy the VDDK tarball from the workstation host to the CloudForms appliance:

    [root@workstation-GUID ~]# for i in `seq 1 5`; do scp /root/VMware-vix-disklib-5.5.0-1284542.x86_64.tar.gz root@cfwork$i.example.com:/root; done
  2. From the workstation host, extract the tarball and run the installer on each worker:

    [root@workstation-GUID ~]# for i in `seq 1 5`; do ssh cfwork$i.example.com "tar zxf VMware-vix-disklib-5.5.0-1284542.x86_64.tar.gz;cd vmware-vix-disklib-distrib;yes|./vmware-install.pl --default"; done
  3. Verify that your output looks similar to this VDDK install output (this should output 5 times):

    Creating a new VMware VIX DiskLib API installer database using the tar4 format.

    Installing VMware VIX DiskLib API.

    You must read and accept the VMware VIX DiskLib API End User License Agreement
    to continue.
    Press *Enter* to display it.

    VMware® vSphere Software Development Kit License Agreement

    VMware, Inc. (VMware) provides the VMware vSphere Software Development Kit
    (collectively the Software) to you subject to the following terms and
    conditions.  By downloading, installing, or using the Software, you (the
    individual or legal entity) agree to be bound by the terms of this license
    agreement (the Agreement). If you disagree with any of the following
    terms, then do not use the Software.

    1.  The Software contains a variety of materials, interface definitions,
    documentation, sample utility applications and sample code regarding
    programming interfaces to one or more VMware products that are referenced in
    such materials (the referenced products, VMware Products).  This Software
    is intended to be used to develop software that interacts with the VMware
    Products.

    2.  Use Rights:  Subject to the restrictions below, you may download and
    make a reasonable number of copies of the Software for your use solely for
    the purpose of creating software that communicates with VMware Products
    (your software, Developer Software).  Some code may be designated as
    distributable code and/or modifiable code at http://www.vmware.com/go/vwssdk-redistribution-info.  You may use and merge all or portions of the distributable code with
    your Developer Software.  Any merged portion of any distributable code is
    Do you accept? (yes/no) yes
    Thank you.

    What prefix do you want to use to install VMware VIX DiskLib API?
    The prefix is the root directory where the other
    folders such as man, bin, doc, lib, etc. will be placed.
    [/usr]

    The installation of VMware VIX DiskLib API 5.5.0 build-1284542 for Linux
    completed successfully.
    You can remove this software from your system
    at any time by invoking the following command:
    "/usr/bin/vmware-uninstall-vix-disklib.pl".

    Enjoy,

    --the VMware team
  4. Run the following command from the workstation host to refresh the shared library cache on each worker so that the newly installed VDDK library can be found:

    [root@workstation-GUID ~]# for i in `seq 1 5`; do ssh cfwork$i.example.com "ldconfig"; done
  5. Run the following command from the workstation host to verify that the VDDK files are installed and accessible to the appliance on all hosts:

    [root@workstation-GUID ~]# for i in `seq 1 5`; do ssh cfwork$i.example.com "echo cfwork$i.example.com;ldconfig -p |grep vix"; done
  6. Verify that your ldconfig output is similar for all hosts:

    cfwork1.example.com
            libvixDiskLib.so.5 (libc6,x86-64) => /lib/libvixDiskLib.so.5
            libvixDiskLib.so (libc6,x86-64) => /lib/libvixDiskLib.so
    cfwork2.example.com
            libvixDiskLib.so.5 (libc6,x86-64) => /lib/libvixDiskLib.so.5
            libvixDiskLib.so (libc6,x86-64) => /lib/libvixDiskLib.so
    cfwork3.example.com
            libvixDiskLib.so.5 (libc6,x86-64) => /lib/libvixDiskLib.so.5
            libvixDiskLib.so (libc6,x86-64) => /lib/libvixDiskLib.so
    cfwork4.example.com
            libvixDiskLib.so.5 (libc6,x86-64) => /lib/libvixDiskLib.so.5
            libvixDiskLib.so (libc6,x86-64) => /lib/libvixDiskLib.so
    cfwork5.example.com
            libvixDiskLib.so.5 (libc6,x86-64) => /lib/libvixDiskLib.so.5
            libvixDiskLib.so (libc6,x86-64) => /lib/libvixDiskLib.so
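The loops above copy a vendor tarball to five appliances and pipe `yes` into its installer as root without checking what arrived. The following script is an added example, not part of the original lab, that does the same distribution with an integrity gate: the tarball is hashed on the workstation, re-hashed on each worker after the copy, and the installer runs only when the two digests agree; if `VDDK_SHA256` is exported with the digest published on VMware's download page, the workstation copy is checked against that first (no value is given here, because the page does not carry one). Afterwards it parses `ldconfig -p` on each worker for libvixDiskLib.so.5, the same check the lab performs by eye. The tarball path and worker hostnames are the lab's; `VDDK_SHA256` and the function names (`sha256_of`, `verify_sha256`, `vddk_in_ldcache`, `install_on_worker`) are this example's own.

```shell
#!/bin/sh
# install_vddk.sh - added example, not part of the original lab.
# Run as root on the workstation host after section 2. Invoke with --run;
# without it only the functions are defined.
set -f

TARBALL="/root/VMware-vix-disklib-5.5.0-1284542.x86_64.tar.gz"
WORKERS="cfwork1.example.com cfwork2.example.com cfwork3.example.com \
         cfwork4.example.com cfwork5.example.com"

# SHA-256 of a file, hex digest only.
sha256_of() {
    sha256sum "$1" | cut -d' ' -f1
}

# Succeed only when the digest of file $1 equals $2 (hex, case-insensitive).
verify_sha256() {
    actual=$(sha256_of "$1" | tr 'A-F' 'a-f')
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# Read "ldconfig -p" output on stdin; succeed if libvixDiskLib.so.5 is cached.
# Cache lines look like "  libvixDiskLib.so.5 (libc6,x86-64) => /lib/...".
vddk_in_ldcache() {
    found=0
    while IFS= read -r line; do
        set -- $line
        case "${1:-}" in
            libvixDiskLib.so.5) found=1 ;;
        esac
    done
    [ "$found" -eq 1 ]
}

# Copy, re-hash on the worker, and only then extract and run the installer.
install_on_worker() {
    host=$1; expected=$2
    scp "$TARBALL" "root@$host:/root/" || return 1
    remote=$(ssh "root@$host" "sha256sum '$TARBALL' | cut -d' ' -f1")
    if [ "$remote" != "$expected" ]; then
        echo "$host: checksum mismatch after copy ($remote)" >&2; return 1
    fi
    ssh "root@$host" "tar zxf '$TARBALL' && cd vmware-vix-disklib-distrib \
        && yes | ./vmware-install.pl --default && ldconfig" || return 1
    ssh "root@$host" 'ldconfig -p' | vddk_in_ldcache \
        || { echo "$host: libvixDiskLib.so.5 not in linker cache" >&2; return 1; }
    echo "$host: VDDK installed and visible to the dynamic linker"
}

main() {
    local_sum=$(sha256_of "$TARBALL")
    if [ -n "${VDDK_SHA256:-}" ] && ! verify_sha256 "$TARBALL" "$VDDK_SHA256"; then
        echo "workstation copy of $TARBALL does not match VDDK_SHA256" >&2; exit 1
    fi
    for w in $WORKERS; do install_on_worker "$w" "$local_sum" || exit 1; done
}
if [ "${1:-}" = "--run" ]; then main; fi
```

The remote re-hash protects against a truncated or tampered copy; only the optional comparison against the vendor-published digest says anything about the file that was sitting on the workstation in the first place, which is why the script treats the two checks separately.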

5. Set admin User Password

Before continuing, you must change the default admin password. You do this from the CloudForms web UI.

  1. Go to https://cfui-GUID.rhpds.opentlc.com (the CloudForms web UI is served over HTTPS, which is why the next step asks you to accept the appliance's certificate).

     Remember to replace GUID with your personal GUID which is provided at the top of the lab provisioning email you received from Red Hat.
  2. Accept the untrusted SSL certificate.

  3. Click the Update password link, as shown below:

    [Screenshot: the Update password link on the login page]
  4. Complete the form as follows:

    • Username: admin

    • Password: smartvm

    • New Password: r3dh4t1!

    • Verify Password: r3dh4t1!
