UNCLASSIFIED

MADFW Program Review
MADFW: CONFIGURATION, REPORTING, CONTENT, AUDITING, INSTANCE MANAGEMENT, LIFE-CYCLE

Briefing Overview
(1) System Purpose & Capabilities (Terry Seibel)
(2) System Design Review (Shawn Wells)
    ● Infrastructure Review
    ● MADFW Common Services
(3) Demos (Michele Newman)
    ● Workflow Overview
    ● Environment Interface
    ● Tenant Self-Service Portal
    ● System Management

System Purpose & Capabilities

MADFW System Purpose & Capabilities
● Why the project began
● What we provide to MSD
● Manage infrastructure, not OS
● Provide RHEL versions free for unlimited use within the MADFW environment
● Inherit premium 24/7 support SLA from Red Hat Support

MADFW Security Review
● ICD 503 C&A Lifecycle
    ● H/L/L
    ● Currently IATT
    ● Verified by FN&ISD
● SECSCAN
● Host/Tenant Model
    ● We provide base infra (hypervisor down)
    ● You provide OS and up

MADFW Architecture Review

MADFW: Hosting Capabilities
● Built for future growth and scalability

    Limit                     Current MADFW environment   Technology limitation
    Logical CPUs/Hypervisor   xxxx                        160
    Physical RAM              xxxx                        2TB
    vCPU per Guest                                        64 vCPUs
    vRAM per Guest                                        512GB

● Support for multiple tenant Operating Systems
    ● RHEL 3, 4, 5, 6, and future versions (unlimited RHEL use for MADFW tenant VMs)
    ● Microsoft Server 2003, 2008, 2008 R2
    ● Microsoft Windows XP, Windows 7
    ● Microsoft SVVP and WHQL Certified

MADFW: Hosting Capabilities

    Feature                 Description
    High Availability       Restart guest VMs from failed hosts automatically on other hosts
    Live Migration          Move running VM between hosts with zero downtime
    System Scheduler        Continuously load balance VMs based on resource usage/policies
    Maintenance Manager     No downtime for virtual machines during planned maintenance windows (hypervisor patching)
    Image Management        Template based provisioning, thin provisioning and snapshots
    Monitoring & Reporting  For all objects in system: VM guests, hosts, networking, storage, etc.
    OVF Import/Export       Import and export VMs and templates using OVF files
    V2V                     Convert VMs from VMware and RHEL/Xen to MADFW

MADFW: High Availability
● Automatic restart on another hypervisor in event of failure
● Live migration to original host upon environmental restoration
● Resource specifications held constant through DR process (CPU, Memory, Storage, Network)

MADFW: Centralized Storage
● Storage pool managed by MADFW
● Hardware RAID
● Exposed as NAS

MADFW: Management Interfaces

MADFW: Admin Portal

MADFW: Self Service Portal
● Upon account creation, Tenants will be given a “pool” of resources
    ● e.g. 50 vCPUs, 100GB RAM, 1TB disk
● Tenants have the ability to utilize their resources as they see fit, managed through a WebGUI
    ● Self-Service create and destroy VMs
    ● Start/stop/modify
● Addition of resources (“pool growth”) will require a new ticket

MADFW: Self Service Portal
● Tenants can create Role-Based sub-accounts

MADFW: Self Service Portal

MADFW: Reports Interface

MADFW: Management through APIs
● A RESTful API for simple, any-platform access

MADFW: API Example

List the cloud drivers the Deltacloud daemon can speak to:

    $ deltacloudd -l
    Available drivers:
      * condor
      * vsphere
      * opennebula
      * eucalyptus
      * rhevm
      * sbc
      * azure
      * gogrid
      * mock
      * rackspace
      * rimuhosting
      * terremark
      * ec2

Start the daemon with the RHEV-M driver, bound to madfw.example.com on port 10000 (-p selects the port; the slide's -P is the provider option and would not set a port):

    $ deltacloudd -i rhevm -p 10000 -r madfw.example.com

Ruby client (deltacloud-client gem) listing the instances (virtual machines):

    require 'deltacloud'

    api_url      = 'http://madfw.example.com:5000/api'
    api_name     = 'TK2PJCAN9R1HKG2FK24Z'
    api_password = 'aLe27rZlRhlBcVoQbL4JsVtaNga12vEL9d9kS5CA'

    client = DeltaCloud.new( api_name, api_password, api_url )

    # get a list of currently running instances (virtual machines)
    client.instances.each do |instance|
      puts instance.name
    end
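The slide's script embeds the API key and secret in the source and talks to the API over plain http. The following is an added example, not code from the MADFW deck or from the Deltacloud project: it loads the key pair from a credentials file that must be mode 0600, refuses a non-https API URL, and filters the instance list to running VMs. The JSON credentials file format, the file name madfw-api.json, and the FakeClient stand-in (used only so the example runs offline) are constructed for this example; the only Deltacloud calls are DeltaCloud.new and client.instances, which the slide already uses.

```ruby
require 'json'
require 'uri'
require 'tmpdir'

# Credentials file format (constructed for this example):
#   {"api_name": "...", "api_password": "..."}
# The file is refused if group or others can read it.
def load_api_credentials(path)
  mode = File.stat(path).mode & 0o777
  if (mode & 0o077) != 0
    raise ArgumentError, format('%s is group/world readable (mode %04o); chmod 0600 it', path, mode)
  end
  creds = JSON.parse(File.read(path))
  %w[api_name api_password].each do |key|
    value = creds[key]
    raise ArgumentError, "#{path}: missing #{key}" unless value.is_a?(String) && !value.empty?
  end
  creds
end

# The key pair is sent with every request, so the API must be reached over TLS.
def check_api_url(url)
  uri = URI.parse(url)
  raise ArgumentError, "API URL must use https, got #{uri.scheme.inspect}: #{url}" unless uri.scheme == 'https'
  uri.to_s
end

# Accepts any object whose #instances elements respond to #name and #state,
# which is what the deltacloud-client gem's DeltaCloud object returns.
def running_instance_names(client)
  client.instances.select { |i| i.state == 'RUNNING' }.map(&:name).sort
end

# Build the real client; needs the deltacloud-client gem and a reachable server.
def connect_deltacloud(credentials_path, api_url)
  require 'deltacloud'
  creds = load_api_credentials(credentials_path)
  DeltaCloud.new(creds['api_name'], creds['api_password'], check_api_url(api_url))
end

# --- constructed stand-in for the Deltacloud client so the example runs offline ---
FakeInstance = Struct.new(:name, :state)
class FakeClient
  def instances
    [FakeInstance.new('web01', 'RUNNING'),
     FakeInstance.new('db01', 'STOPPED'),
     FakeInstance.new('app02', 'RUNNING')]
  end
end

def demo
  Dir.mktmpdir do |dir|
    path = File.join(dir, 'madfw-api.json')
    sample = { 'api_name' => 'TK2PJCAN9R1HKG2FK24Z', # key pair shown on the slide
               'api_password' => 'aLe27rZlRhlBcVoQbL4JsVtaNga12vEL9d9kS5CA' }
    File.open(path, 'w', 0o600) { |f| f.write(JSON.generate(sample)) }
    creds = load_api_credentials(path)

    File.chmod(0o644, path)                       # loosen it: the loader must now refuse
    world_readable_rejected = begin
      load_api_credentials(path)
      false
    rescue ArgumentError
      true
    end
    http_rejected = begin
      check_api_url('http://madfw.example.com:5000/api')
      false
    rescue ArgumentError
      true
    end

    { creds: creds,
      names: running_instance_names(FakeClient.new),
      world_readable_rejected: world_readable_rejected,
      http_rejected: http_rejected }
  end
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

Against a live MADFW endpoint the call would be connect_deltacloud('/path/to/madfw-api.json', 'https://madfw.example.com:5000/api'); the mode check fails closed, so a credentials file copied around with default permissions is caught before any request is made.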

CONTROL   SIMPLIFY   CHOICE

MADFW: Common Services
● System Management
● Identity Service
● Hardened RHEL Baselines

MADFW: System Management Service
● Software/Updates
    ● Access to RHEL security updates, patches, new OS versions
    ● Provides vehicle for IAVM/CVE patches
● Management
    ● Manage groups of systems as one
    ● Manage configuration files, not just binaries
    ● Schedule updates to occur during maintenance windows
● Provisioning
    ● Bare metal, VMs, or system cloning
    ● Undo problematic changes with snapshots and rollback

MADFW: Identity Service

MADFW: Hardened RHEL Baselines
● Initial offering of hardened RHEL6 baselines
    ● STIG, NIST 800-53
    ● Common Criteria once announced (est. September)
● RHEL5 offered by mid-September
    ● STIG, NIST 800-53, Common Criteria

MADFW: Limitations
● 10G network
● NAS storage (not block level through SAN)
● Limited Backup

MADFW Demo

MADFW Demo
● Demos
    ● Workflow Overview
        ● How to request MADFW access (TBD)
        ● How to make a VM
    ● Environment Interfaces
        ● User Portal (start/stop/create)
        ● System Management via RHN Satellite (Patching, Prov, Grouping, Custom Apps)

How to Make a Virtual Machine in RHEV
Overview
● Login to RHEV User Portal (https://userportal.example.com:8443)
● Create a New Server
● Add Network and Disk to VM
● Begin installation

RHEV User Portal: Create a New Server
● Virtual Machines Menu, click “New Server”
● Fill out New Server Virtual Machine (if not stated below then use defaults)
    ● General
        ● Name
        ● Description
        ● Template (if applicable)
        ● Memory
        ● CPUs
        ● Operating System
    ● Boot Options
        ● Second Device: CD-ROM
        ● Select “Attach CD” and select version

New Server VM General Tab

New Server VM Boot Options Tab

Add Network and Storage to VM
● Attach Network Interface Card
    ● Select new VM, go to “Network Interfaces” Tab, click on “New”
    ● Defaults are acceptable, select “OK”
● Attach Storage
    ● Select new VM, go to “Virtual Disks” Tab, click on “New”
    ● Input size of O/S disk
    ● Use Defaults
    ● Select “OK”
● Wait for disk to be created/initialized

New VM NIC Configuration

New VM Virtual Disk Configuration

Open New VM
● Now that you have created a virtual machine in the power user portal, you can turn it on and connect to it.
● Select rhel6 in the listing and click on “Play”; this will turn the VM on.
● Click on the “Console” button to view the VM.
● A SPICE console window of the virtual machine displays. You can now use the virtual machine in the same way you would use a physical desktop.
    ● You might have to install the SPICE app first
● The VM will boot to the CD ISO of RHEL 6 x86_64
● Begin normal installation

VM Installation via SPICE Console

VM Installation

VM Boot Screen

Templates
● What is a template
    ● Templates are model virtual machines that are used as a convenient and efficient way to create new virtual machines of the same type and content. Templates provide a shortcut that reduces the time required to build virtual machines.
● Sealing a Linux Template
    ● Templates that have been created for Linux virtual machines must be generalized (sealed) before use. This ensures that machine-specific settings are not propagated through the template.
    ● Login to the virtual machine to be used as a template and flag the system for reconfiguration by running the following command as root:

        touch /.unconfigured

    ● Remove ssh host keys. Run:

        rm -rf /etc/ssh/ssh_host_*

    ● Shut down the virtual machine. Run:

        poweroff

The Linux virtual machine has now been sealed, and can be used as a template for Linux virtual machines.
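If the host keys survive into the template, every VM cloned from it presents the same SSH identity, which defeats host-key verification and lets one cloned VM impersonate another. The following is an added example, not part of the deck or of RHEV: it wraps the two sealing steps above (remove the host keys, create the /.unconfigured flag) in a script that also verifies the result before the operator runs poweroff. The root parameter lets it run against a staging directory; the staging tree built by demo is constructed for this example and stands in for a RHEL 6 guest filesystem.

```ruby
require 'fileutils'
require 'tmpdir'

# Machine-specific files named in the sealing steps: every host key RHEL 6 sshd generates.
HOST_KEY_GLOB = 'etc/ssh/ssh_host_*'.freeze
# Flag that makes the first boot of a clone re-run initial configuration.
UNCONFIGURED_FLAG = '.unconfigured'.freeze

# Seal the filesystem rooted at +root+ ('/' on the VM itself, run as root;
# a staging directory in the demo). Returns the host key paths that were removed,
# expressed relative to the sealed root.
def seal_template(root)
  raise ArgumentError, "#{root} is not a directory" unless File.directory?(root)
  removed = Dir.glob(File.join(root, HOST_KEY_GLOB))
  FileUtils.rm_f(removed)                                   # rm -rf /etc/ssh/ssh_host_*
  FileUtils.touch(File.join(root, UNCONFIGURED_FLAG))       # touch /.unconfigured
  removed.map { |p| p.sub(%r{\A#{Regexp.escape(root)}/?}, '/') }
end

# Check the seal before shutting down. Returns a list of problems; empty means sealed.
def sealing_problems(root)
  problems = []
  leftover = Dir.glob(File.join(root, HOST_KEY_GLOB))
  problems << "ssh host keys still present: #{leftover.join(', ')}" unless leftover.empty?
  problems << "/#{UNCONFIGURED_FLAG} flag missing" unless File.exist?(File.join(root, UNCONFIGURED_FLAG))
  problems
end

# Constructed staging tree standing in for a RHEL 6 guest, so the example runs unprivileged.
# sshd_config is included to show that only host keys are removed, not the daemon config.
def demo
  Dir.mktmpdir do |root|
    FileUtils.mkdir_p(File.join(root, 'etc/ssh'))
    %w[ssh_host_rsa_key ssh_host_rsa_key.pub ssh_host_dsa_key ssh_host_dsa_key.pub sshd_config].each do |name|
      File.write(File.join(root, 'etc/ssh', name), "placeholder\n")
    end
    before  = sealing_problems(root)          # two problems: keys present, flag missing
    removed = seal_template(root)
    { before: before.size,
      removed: removed.sort,
      after: sealing_problems(root),          # [] once sealed
      config_kept: File.exist?(File.join(root, 'etc/ssh/sshd_config')) }
  end
end

if $PROGRAM_NAME == __FILE__
  puts demo.inspect
  # On the template VM itself, as root:  seal_template('/'); then run `poweroff`
  # only if sealing_problems('/') returns an empty list.
end
```

Running the check after the removal rather than trusting the commands matters in practice because a glob that matches nothing (keys stored under a non-default path) leaves the template unsealed while the commands themselves exit cleanly.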

Build a Template
● Build Template
    ● Select VM to template
    ● Turn off VM
    ● Click “Make Template”
    ● Fill out Name and Description
    ● Use other defaults
    ● Click “OK”
● View templates under “Templates” Menu

RHEL 6 Template Creation

Create New VM from Template
● Same steps as creating a VM, but select the template to use
● General > Based on Template: rhel6-template

Create New VM from Template

RHEV User Portal
● The User Portal Graphical Interface enables you to view and use all the virtual machines that are available to you.
● Two main views: Basic and Extended
● The screen consists of three areas: the title bar, a virtual machines area, and a details pane.
● Access to RHEV User Portal: https://server.example.com:8443/UserPortal

User Portal: Basic View

User Portal: Extended View

User Portal: Resources

RHN Satellite
● RHN Satellite provides a solution to organizations requiring absolute control over and privacy of the maintenance and package deployment of their servers.
● It allows Red Hat Network customers the greatest flexibility and power in keeping servers secure and updated.

RHN Satellite Homepage

RHN Satellite: Kickstart Creation

RHN Satellite: Systems

RHN Satellite: System Details

RHN Satellite: System Software Details

RHN Satellite: Errata

RHN Satellite: Software Channels

References
● RHEV Power User Portal Guide
    ● http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Virtualization/3.0/html/Power_User_Portal_Guide/index.html
● RHEV User Portal Guide
    ● http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Virtualization/3.0/html/User_Portal_Guide/index.html
● RHEL Installation Guide
    ● http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Installation_Guide/index.html