Friday, June 25, 2010

XenServer 5.6 (I)

This will be a tutorial for XenServer administration. But… the free edition. What can I say, I don't have the necessary funds to test the Enterprise edition. This will cover both XenCenter and CLI administration tasks that can be accomplished on a XenServer installation.

User authentication

XenServer automatically creates the root account for administration of XenServer machines. But, if you want to add more users, from an Active Directory installation, you can add them from XenCenter, or from CLI. What's good about CLI is that it can autocomplete the params for the commands you enter, which is pretty cool for people using XenServer for the first time.

XenCenter>
CLI>
xe pool-enable-external-auth auth-type=AD \
service-name= \
config:user= \
config:pass=
Unfortunately, in the free version, you can't assign Roles to users added, but it's a nice feature, and it will stop people using the root account. If you don't have DHCP enabled in your AD infrastructure, although I doubt it, you can add your Domain Controllers as DNS servers on XenServer like this:

XenCenter>

CLI>
xe pif-reconfigure-ip mode=static dns=
And if you'd like to disable external authentication, you can go to XenCenter and delete the joined domain/users or use the CLI to do it.

CLI>
xe pool-disable-external-auth
XenCenter and the CLI refer to users by different names: XenCenter uses "user", and the CLI uses "subject". Adding users from XenCenter is pretty straightforward, but from the CLI you should type this:

CLI>
xe subject-add subject-name=
To remove a user, you should follow a two-step procedure:

CLI>

first, you should get the subject's identifier like this:
xe subject-list
or using filter to do it:
xe subject-list other-config:subject-name=''
and then, use the following command to remove a subject:
xe subject-remove subject-identifier=
Terminating all authenticated sessions can also be done from the CLI:
xe session-subject-identifier-logout-all
Role-based access control (RBAC)

This is a feature in XenServer Enterprise or higher. By default, there are 6 roles defined with different levels of access: Pool Admin, Pool Operator, VM Power Admin, VM Admin, VM Operator, Read Only. You can see them all using CLI. Other useful role managing commands using CLI are listed below.

CLI>
show defined roles
xe role-list
show subject's role
xe subject-list
add a subject to RBAC
xe subject-add subject-name=
assign a role to an already created account
xe subject-role-add uuid= role-uuid=
or
xe subject-role-add uuid= role-name=
changing a user's RBAC role takes a role-remove command followed by a role-add command
xe subject-role-remove uuid= role-name=
xe subject-role-add uuid= role-name=
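A way to turn the "show subject's role" step into a quick privilege review, as an added example that is not part of the original post: the function below reads `xe subject-list` output and prints every subject holding a given role. The sample records are constructed, their layout is assumed to follow the usual xe record format, and the function names are hypothetical.

```shell
# Constructed sample modelled on `xe subject-list` output (not from a real pool).
sample_subject_list() {
cat <<'EOF'
uuid ( RO)                  : 11111111-1111-1111-1111-111111111111
    subject-identifier ( RO): S-1-5-21-1000000000-2000000000-3000000000-1001
          other-config (MRO): subject-name: EXAMPLE\alice; subject-is-group: false
                 roles (SRO): pool-admin

uuid ( RO)                  : 22222222-2222-2222-2222-222222222222
    subject-identifier ( RO): S-1-5-21-1000000000-2000000000-3000000000-1002
          other-config (MRO): subject-name: EXAMPLE\bob; subject-is-group: false
                 roles (SRO): vm-operator

uuid ( RO)                  : 33333333-3333-3333-3333-333333333333
    subject-identifier ( RO): S-1-5-21-1000000000-2000000000-3000000000-1003
          other-config (MRO): subject-is-group: true; subject-name: EXAMPLE\xen admins
                 roles (SRO): read-only; pool-admin
EOF
}

# subjects_with_role ROLE: read `xe subject-list` output on stdin and print
# "uuid subject-name" for every subject that holds ROLE.
subjects_with_role() {
  awk -v want="$1" '
    function emit(   i, n, r) {          # print the finished record if it matches
      if (uuid == "") return
      n = split(roles, r, /;[ \t]*/)
      for (i = 1; i <= n; i++)
        if (r[i] == want) { print uuid, name; break }
    }
    {
      line = $0; sub(/^[ \t]+/, "", line); sub(/[ \t\r]+$/, "", line)
      p = index(line, "("); if (p == 0) next       # not a "key ( XX): value" line
      key = substr(line, 1, p - 1); sub(/[ \t]+$/, "", key)
      val = substr(line, p); sub(/^[^:]*:[ \t]*/, "", val)
      if (key == "uuid") { emit(); uuid = val; name = "?"; roles = "" }
      else if (key == "roles") roles = val
      else if (key == "other-config") {            # "k: v; k: v" map, any order
        n2 = split(val, kv, /;[ \t]*/)
        for (j = 1; j <= n2; j++)
          if (index(kv[j], "subject-name: ") == 1) name = substr(kv[j], 15)
      }
    }
    END { emit() }
  '
}

# On a pool master the input would be: xe subject-list | subjects_with_role pool-admin
sample_subject_list | subjects_with_role pool-admin
```
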
Resource pools
This is the XenServer version of VMware's Cluster. Hosts in a resource pool can, for example, migrate guests or start them on whichever host is low on resource consumption, but they must all be connected to the same shared storage to do it. In a High Availability resource pool (which is not available in the free version), when a host fails, because of software or hardware, the guest is automatically started on another running host in the resource pool. I can't test it using the free version, but hopefully it works better than VMware's HA, which I did test. What can I say, VMware HA sucks. I tested it using the poweroff command. All good. Virtual machines were moved to other hosts, but on a PSOD (aka Pink Screen of Death - something like the Windows blue screen), it didn't. Virtual machines stayed down, and VMware HA couldn't start them on other hosts because the files on the shared storage were somehow locked by the failing host, and they couldn't be started by the rest of the hosts in the cluster.

To add hosts in a resource pool you can use both XenCenter and CLI to do it.

XenCenter>
CLI>
add host to a resource pool
xe pool-join master-address= master-username= master-password=
name a resource pool
xe pool-param-set name-label=<"New Pool"> uuid=
remove a host from a pool
xe host-list
xe pool-eject host-uuid=
find out which pool a host is part of
xe pool-list
Hmm, I've tried to find a way to remove a host from a pool using XenCenter and couldn't find a way. So the only chance might be the CLI. I tried to create a new pool and add the machine I wanted to remove to that new pool, but it said it's already connected to the master of the pool. Damn!

High Availability
Although I will not be able to try this right now, I'll just write this here, for future reference when I'll need it.
So, to be able to use HA feature, you'll need:
- shared storage for all VMs in the resource pool
- a shared resource (SR) with at least 356MB of storage
--- 4MB heartbeat volume
--- 256MB metadata volume
- a XenServer resource pool
- Enterprise licence on all pool hosts
- static IP addresses on all pool hosts
Not having the enterprise license, I can only write about CLI commands that I can find in the manual. So, here they are:

CLI>
enable HA on a resource pool
xe pool-ha-enable heartbeat-sr-uuids=
set restart priority for every HA protected VM
xe vm-param-set uuid= ha-restart-priority=<1> ha-always-run=true
calculation of maximum hosts that can fail before the pool will run out of resources to run all VMs in HA
xe pool-ha-compute-max-host-failures-to-tolerate
specify the number of failures to tolerate - must be less than or equal to the computed value from above
xe pool-param-set ha-host-failures-to-tolerate=<2>
remove HA protection of a VM
xe vm-param-set uuid= ha-always-run=false
shutting down a host when HA is enabled
xe host-disable host=

xe host-evacuate uuid=
xe host-shutdown host=
To be continued.. :)

1 comment:

  1. Do we have any chances to add role-based users without using AD authentication?
