A presentation at MSD Program Review in Chantilly, VA, USA by Shawn Wells
UNCLASSIFIED MADFW Program Review MADFW CONFIGURATION REPORTING CONTENT AUDITING INSTANCE MANAGEMENT LIFE-CYCLE UNCLASSIFIED
Briefing Overview
(1) System Purpose & Capabilities - Terry Seibel
(2) System Design Review - Shawn Wells
  ● Infrastructure Review
  ● MADFW Common Services
(3) Demos - Michele Newman
  ● Workflow Overview
  ● Environment Interface
  ● Tenant Self-Service Portal
  ● System Management
System Purpose & Capabilities
MADFW System Purpose & Capabilities
● Why the project began
● What we provide to MSD
  ● Manage infrastructure, not OS
  ● Provide RHEL versions free for unlimited use within MADFW environment
  ● Inherit premium 24/7 support SLA from Red Hat Support
MADFW Security Review
● ICD 503 C&A Lifecycle
  ● H/L/L
  ● Currently IATT
  ● Verified by FN&ISD
● SECSCAN
● Host/Tenant Model
  ● We provide base infra (hypervisor down)
  ● You provide OS and up
MADFW Architecture Review
MADFW: Hosting Capabilities
● Built for future growth and scalability

  Resource                  Current MADFW Environmental Limitation   Technology Limitation
  Logical CPUs/Hypervisor   xxxx                                     160
  Physical RAM              xxxx                                     2TB
  vCPU per Guest            -                                        64 vCPUs
  vRAM per Guest            -                                        512GB

● Support for multiple tenant Operating Systems
  ● RHEL 3, 4, 5, 6, and future versions (unlimited RHEL use for MADFW tenant VMs)
  ● Microsoft Server 2003, 2008, 2008 R2
  ● Microsoft Windows XP, Windows 7
  ● Microsoft SVVP and WHQL Certified
MADFW: Hosting Capabilities

  Feature                 Description
  High Availability       Restart guest VMs from failed hosts automatically on other hosts
  Live Migration          Move running VM between hosts with zero downtime
  System Scheduler        Continuously load balance VMs based on resource usage/policies
  Maintenance Manager     No downtime for virtual machines during planned maintenance windows; hypervisor patching
  Image Management        Template based provisioning, thin provisioning and snapshots
  Monitoring & Reporting  For all objects in system (VM guests, hosts, networking, storage, etc.)
  OVF Import/Export       Import and export VMs and templates using OVF files
  V2V                     Convert VMs from VMware and RHEL/Xen to MADFW
MADFW: High Availability
● Automatic restart on another hypervisor in event of failure
● Live migration to original host upon environmental restoration
● Resource specifications held constant through DR process (CPU, Memory, Storage, Network)
MADFW: Centralized Storage
● Storage pool managed by MADFW
● Hardware RAID
● Exposed as NAS
MADFW: Management Interfaces
MADFW: Admin Portal
MADFW: Self Service Portal
● Upon account creation, Tenants will be given a "pool" of resources
  ● e.g. 50 vCPUs, 100GB RAM, 1TB disk
● Tenants have ability to utilize their resources as they see fit, managed through a WebGUI
  ● Self-Service create and destroy VMs
  ● Start/stop/modify
● Addition of resources ("pool growth") will require a new ticket
MADFW: Self Service Portal ● Tenants can create Role-Based sub-accounts
MADFW: Self Service Portal
MADFW: Reports Interface
MADFW: Management through APIs A RESTful API for simple, any-platform access
MADFW: API Example

List the drivers the Deltacloud daemon can front:

    $ deltacloudd -l
    Available drivers:
      * condor
      * vsphere
      * opennebula
      * eucalyptus
      * rhevm
      * sbc
      * azure
      * gogrid
      * mock
      * rackspace
      * rimuhosting
      * terremark
      * ec2

Start the daemon with the RHEV-M driver, pointed at the MADFW manager:

    $ deltacloudd -i rhevm -P 10000 -r madfw.example.com

Query the API from Ruby with the deltacloud client gem:

    require 'deltacloud'

    # API endpoint and the API name/password pair issued to the tenant
    api_url      = 'http://madfw.example.com:5000/api'
    api_name     = 'TK2PJCAN9R1HKG2FK24Z'
    api_password = 'aLe27rZlRhlBcVoQbL4JsVtaNga12vEL9d9kS5CA'

    client = DeltaCloud.new(api_name, api_password, api_url)

    # get a list of currently running instances (virtual machines)
    client.instances.each do |instance|
      puts instance.name
    end
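The slide's Ruby client hides what actually goes over the wire. The following is an added example, not code from the MADFW deck or the Deltacloud project: it calls the Deltacloud REST API with only the Ruby standard library, reads the API name/password from the environment instead of embedding them in the source as the slide does, and turns the instance collection into a small tenant-side inventory check (instances per state, and running VMs whose owner is not on an expected list). It assumes Deltacloud accepts HTTP Basic auth with the API name/password pair and that GET <api_url>/instances returns XML shaped like the constructed sample embedded below; the element names in that sample are assumptions as well.

```ruby
# Added example, not from the MADFW deck or the Deltacloud project: query the
# Deltacloud REST API with only the Ruby standard library and turn the instance
# collection into a tenant-side inventory check.
# Assumptions (not on the slide): Deltacloud accepts HTTP Basic auth with the
# API name/password pair, and GET <api_url>/instances returns XML shaped like
# the constructed sample below (element names are assumptions too).
require 'net/http'
require 'uri'
require 'rexml/document'

# Constructed sample response; not captured from a real MADFW server.
SAMPLE_INSTANCES_XML = <<~XML
  <instances>
    <instance href="http://madfw.example.com:5000/api/instances/vm-101" id="vm-101">
      <name>rhel6-web01</name>
      <owner_id>tenant-a</owner_id>
      <state>RUNNING</state>
      <actions>
        <link rel="stop" method="post" href="http://madfw.example.com:5000/api/instances/vm-101/stop"/>
      </actions>
    </instance>
    <instance href="http://madfw.example.com:5000/api/instances/vm-102" id="vm-102">
      <name>rhel6-db01</name>
      <owner_id>tenant-a</owner_id>
      <state>STOPPED</state>
      <actions>
        <link rel="start" method="post" href="http://madfw.example.com:5000/api/instances/vm-102/start"/>
      </actions>
    </instance>
    <instance href="http://madfw.example.com:5000/api/instances/vm-103" id="vm-103">
      <name>win2008-app</name>
      <owner_id>tenant-b</owner_id>
      <state>RUNNING</state>
      <actions>
        <link rel="stop" method="post" href="http://madfw.example.com:5000/api/instances/vm-103/stop"/>
        <link rel="reboot" method="post" href="http://madfw.example.com:5000/api/instances/vm-103/reboot"/>
      </actions>
    </instance>
  </instances>
XML

# Credentials are read from the environment instead of being written into the
# source file as the slide does with api_name/api_password.
def fetch_instances_xml(api_url = ENV.fetch('DELTACLOUD_URL'),
                        api_name = ENV.fetch('DELTACLOUD_API_NAME'),
                        api_password = ENV.fetch('DELTACLOUD_API_PASSWORD'))
  uri = URI.join("#{api_url.chomp('/')}/", 'instances')
  req = Net::HTTP::Get.new(uri)
  req.basic_auth(api_name, api_password)
  req['Accept'] = 'application/xml'
  res = Net::HTTP.start(uri.host, uri.port, use_ssl: uri.scheme == 'https') do |http|
    http.request(req)
  end
  raise "Deltacloud returned HTTP #{res.code}" unless res.is_a?(Net::HTTPSuccess)
  res.body
end

def text_of(element, name)
  child = element.elements[name]
  child ? child.text : nil
end

# Turn the instance collection into plain hashes: id, name, owner, state and
# the actions the API currently allows on each instance.
def parse_instances(xml)
  doc = REXML::Document.new(xml)
  doc.elements.collect('instances/instance') do |inst|
    {
      id: inst.attributes['id'],
      name: text_of(inst, 'name'),
      owner: text_of(inst, 'owner_id'),
      state: text_of(inst, 'state'),
      actions: inst.elements.collect('actions/link') { |l| l.attributes['rel'] }
    }
  end
end

# How many instances are in each state (RUNNING, STOPPED, ...).
def state_counts(instances)
  instances.each_with_object(Hash.new(0)) { |i, counts| counts[i[:state]] += 1 }
end

# Running VMs whose owner is not in the expected list: the first thing to look
# at when a tenant's resource pool is being consumed by something unfamiliar.
def unexpected_running(instances, expected_owners)
  instances.select { |i| i[:state] == 'RUNNING' && !expected_owners.include?(i[:owner]) }
end

if __FILE__ == $PROGRAM_NAME && ENV.key?('DELTACLOUD_URL')
  live = parse_instances(fetch_instances_xml)
  puts state_counts(live).inspect
  unexpected_running(live, ENV.fetch('EXPECTED_OWNERS', '').split(',')).each do |i|
    puts "unexpected running instance #{i[:id]} (#{i[:name]}) owned by #{i[:owner]}"
  end
end
```

Run it with DELTACLOUD_URL, DELTACLOUD_API_NAME, DELTACLOUD_API_PASSWORD and an EXPECTED_OWNERS list in the environment against a live daemon; without them the functions can still be exercised on the constructed sample. The deltacloud gem's client.instances call from the slide does the same request and parsing for you; the point of doing it by hand is to see that the API name/password travel as a Basic auth header, which is why they belong in the environment or a secret store rather than a checked-in script.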
CONTROL SIMPLIFY CHOICE
MADFW: Common Services ● System Management ● Identity Service ● Hardened RHEL Baselines
MADFW: System Management Service
● Software/Updates
  ● Access to RHEL security updates, patches, new OS versions
  ● Provides vehicle for IAVM/CVE patches
● Management
  ● Manage groups of systems as one
  ● Manage configuration files, not just binaries
  ● Schedule updates to occur during maintenance windows
● Provisioning
  ● Bare metal, VMs, or system cloning
  ● Undo problematic changes with snapshots and rollback
MADFW: Identity Service
MADFW: Hardened RHEL Baselines
● Initial offering of hardened RHEL6 baselines
  ● STIG, NIST 800-53
  ● Common Criteria once announced (est. September)
● RHEL5 offered by mid-September
  ● STIG, NIST 800-53, Common Criteria
MADFW: Limitations ● 10G network ● NAS storage (not block level through SAN) ● Limited Backup
MADFW Demo
MADFW Demo
● Demos
  ● Workflow Overview
    ● How to request MADFW access (TBD)
    ● How to make a VM
  ● Environment Interfaces
    ● User Portal (start/stop/create)
    ● System Management via RHN Satellite (Patching, Prov, Grouping, Custom Apps)
How to Make a Virtual Machine in RHEV
Overview
● Login to RHEV User Portal (https://userportal.example.com:8443)
● Create a New Server
● Add Network and Disk to VM
● Begin installation
RHEV User Portal: Create a New Server
● Virtual Machines Menu, click "New Server"
● Fill out New Server Virtual Machine (if not stated below then use defaults)
  ● General
    ● Name
    ● Description
    ● Template (if applicable)
    ● Memory
    ● CPUs
    ● Operating System
  ● Boot Options
    ● Second Device: CD-ROM
    ● Select "Attach CD" and select version
New Server VM General Tab
New Server VM Boot Options Tab
Add Network and Storage to VM
● Attach Network Interface Card
  ● Select new VM, go to "Network Interfaces" Tab, click on "New"
  ● Defaults are acceptable, select "OK"
● Attach Storage
  ● Select new VM, go to "Virtual Disks" Tab, click on "New"
  ● Input size of O/S disk
  ● Use Defaults
  ● Select "OK"
● Wait for disk to be created/initialized
New VM NIC Configuration
New VM Virtual Disk Configuration
Open New VM
● Now that you have created a virtual machine in the power user portal, you can turn it on and connect to it.
● Select rhel6 in the listing and click on "Play"; this turns the VM on.
● Click on the "Console" button to view the VM.
● A SPICE console window of the virtual machine displays. You can now use the virtual machine in the same way you would use a physical desktop.
  ● You might have to install the SPICE app first
● The VM will boot to the CD ISO of RHEL 6 x86_64
● Begin normal installation
VM Installation via SPICE Console
VM Installation
VM Boot Screen
Templates
● What is a template
  ● Templates are model virtual machines that are used as a convenient and efficient way to create new virtual machines of the same type and content.
  ● Templates provide a shortcut that reduces the time required to build virtual machines.
● Sealing a Linux Template
  ● Templates that have been created for Linux virtual machines must be generalized (sealed) before use. This ensures that machine-specific settings are not propagated through the template.
  ● Log in to the virtual machine to be used as a template and flag the system for reconfiguration by running the following command as root:
  ● Remove ssh host keys. Run:
  ● Shut down the virtual machine. Run:
  ● The Linux virtual machine has now been sealed, and can be used as a template for Linux virtual machines.
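The sealing steps above (flag for reconfiguration, remove the ssh host keys, shut down) are what keeps every VM cloned from the template from sharing one SSH identity. The script below is an added example, not code from the MADFW deck or the RHEV documentation: it performs those steps against a guest root given as a parameter, so the same logic can be dry-run on a scratch directory, and adds the check a practitioner wants before clicking "Make Template": the marker is present and no host key file survived. The exact commands are not on the slide, so the marker file /.unconfigured, the host-key location /etc/ssh/ssh_host_*, and the poweroff command are assumptions of this example.

```ruby
# Added example, not from the MADFW deck or the RHEV documentation: the
# template-sealing steps from the slide as a checkable Ruby script.
# The guest root is a parameter so the logic can be exercised against a scratch
# directory; run it against "/" inside the guest, as root, to seal for real.
# Assumptions (not stated on the slide): the reconfiguration flag is the file
# /.unconfigured, host keys live under /etc/ssh/ssh_host_*, and shutdown is
# done with the poweroff command.
require 'fileutils'
require 'tmpdir'

RECONFIGURE_FLAG = '.unconfigured'        # assumed first-boot marker file
HOST_KEY_PATTERN = 'etc/ssh/ssh_host_*'   # assumed host-key location

# Step 1: flag the guest so it regenerates machine-specific settings on first boot.
def flag_for_reconfiguration(root)
  marker = File.join(root, RECONFIGURE_FLAG)
  FileUtils.touch(marker)
  marker
end

# Step 2: delete sshd host keys so clones do not share an identity.
# Returns the list of removed files; sshd_config and other files are untouched.
def remove_ssh_host_keys(root)
  keys = Dir.glob(File.join(root, HOST_KEY_PATTERN))
  FileUtils.rm_f(keys)
  keys
end

# The check to run before "Make Template": marker present and no host key left.
# A leftover key is the classic mistake that gives every clone the same identity.
def sealed?(root)
  File.exist?(File.join(root, RECONFIGURE_FLAG)) &&
    Dir.glob(File.join(root, HOST_KEY_PATTERN)).empty?
end

# Step 3 is the shutdown; it is only attempted when the caller asks for it, so a
# dry run against a scratch directory never powers off the machine running it.
def seal_template(root, shutdown: false)
  marker  = flag_for_reconfiguration(root)
  removed = remove_ssh_host_keys(root)
  raise "sealing incomplete under #{root}" unless sealed?(root)
  system('poweroff') if shutdown   # assumed shutdown command
  { marker: marker, removed_keys: removed, sealed: true }
end

# Build a scratch "guest" tree for a dry run (constructed sample, not a real guest).
def build_scratch_guest
  root = Dir.mktmpdir('madfw-guest-')
  FileUtils.mkdir_p(File.join(root, 'etc/ssh'))
  %w[ssh_host_rsa_key ssh_host_rsa_key.pub ssh_host_ecdsa_key].each do |name|
    File.write(File.join(root, 'etc/ssh', name), "constructed key material\n")
  end
  File.write(File.join(root, 'etc/ssh/sshd_config'), "PermitRootLogin no\n")
  root
end

# Usage: ruby seal_template.rb /            (inside the guest, as root)
#        ruby seal_template.rb / --shutdown (also powers the guest off)
# With no arguments nothing is touched.
if __FILE__ == $PROGRAM_NAME && !ARGV.empty?
  root = (ARGV - ['--shutdown']).fetch(0, '/')
  result = seal_template(root, shutdown: ARGV.include?('--shutdown'))
  puts "flagged #{result[:marker]}; removed #{result[:removed_keys].size} host key file(s)"
end
```

Try it first on build_scratch_guest, which creates a throwaway tree with three fake host key files and an sshd_config; after seal_template the key files are gone, sshd_config is still there, and sealed? returns true. Only then run it against "/" inside the guest that is about to become the template.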
Build a Template
● Build Template
  ● Select VM to template
  ● Turn off VM
  ● Click "Make Template"
  ● Fill out Name and Description
  ● Use other defaults
  ● Click "OK"
● View templates under "Templates" Menu
RHEL 6 Template Creation
Create New VM from Template
● Same steps as creating a VM but select the template to use
● General > Based on Template: rhel6-template
Create New VM from Template
RHEV User Portal
● The User Portal Graphical Interface enables you to view and use all the virtual machines that are available to you.
● Two main views: Basic and Extended
● The screen consists of three areas: the title bar, a virtual machines area, and a details pane.
● Access to RHEV User Portal: https://server.example.com:8443/UserPortal
User Portal: Basic View
User Portal: Extended View
User Portal: Resources
RHN Satellite
● RHN Satellite provides a solution to organizations requiring absolute control over and privacy of the maintenance and package deployment of their servers.
● It allows Red Hat Network customers the greatest flexibility and power in keeping servers secure and updated.
RHN Satellite Homepage
RHN Satellite: Kickstart Creation
RHN Satellite: Systems
RHN Satellite: System Details
RHN Satellite: System Software Details
RHN Satellite: Errata
RHN Satellite: Software Channels
References
● RHEV Power User Portal Guide
  http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Virtualization/3.0/html/Power_User_Portal_Guide/index.html
● RHEV User Portal Guide
  http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Virtualization/3.0/html/User_Portal_Guide/index.html
● RHEL Installation Guide
  http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Installation_Guide/index.html
Co-presenting with the project's SETA, detailed the MSD Application Development Framework (MADFW) hosting capabilities. The session reviewed the architecture and system capabilities for potential mission customers.