In this article:
- General Unix/Linux Scan Requirements
- IBM PowerVM and AIX Logical Partitions (LPAR)
- Solaris zones and Oracle VM for SPARC
- VMware Linux and Solaris Virtual Machines
- Additional important notes
General Unix/Linux Scan Requirements
AvailabilityGuard™ collects configuration data from UNIX/Linux hosts by opening an SSH connection to the scanned hosts and issuing read-only commands. The commands AvailabilityGuard™ uses vary slightly, depending on the specific operating system and solutions in use. A few of the read-only commands require elevated permissions, which can be granted through sudo or similar privilege management systems.
To scan a Unix/Linux host, you should make the following preparations:
- Obtain the name or IP address of the UNIX/Linux host. This is needed only if the host is not auto-discovered through a scanned vCenter, SCVMM, IBM HMC, Oracle Enterprise Manager, Solaris global zone or Oracle VM server, as appropriate.
- Obtain a user account on each UNIX/Linux host.
- If preferred, use an access control solution to grant the permissions required to run the read-only commands, such as sudo, PowerBroker (pbrun), UPM (pbrun), CA Access Control (seSUDO), super, Keon/FoxT or similar.
- Make sure that IP connectivity through SSH is available between the AvailabilityGuard collector server and the target UNIX/Linux host. The default SSH port is 22.
- AvailabilityGuard™ requires certain utilities to be available on the target Unix/Linux systems when external storage systems are accessed, as follows:

| Storage system used | Requirement |
|---|---|
| EMC Symmetrix / VMAX / DMX / VNX / CLARiiON | At least one of the utilities (PowerPath, SymCLI, or inq [V7.3-487 and above]) is installed. If none of these utilities is available on a certain host, install the free EMC inq utility at /usr/local/bin. |
| Hitachi, HP XP | At least one of the utilities (HDLM or inqraid) is installed. If neither of these utilities is available on a certain host, install the free HDS inqraid utility at /HORCM/usr/bin/. |
| NetApp (SAN) | At least one of the utilities (SnapDrive or sanlun) is installed. |
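One way to check that a sudo grant for the scan account stays limited to explicit command paths. This is an added example, not part of the vendor documentation: the account name `aguard`, the alias `STORAGE_RO` and the sample rules are constructed, and only rules written directly for the account are read (aliases are reported, not expanded).

```shell
#!/bin/sh
# Added example (not vendor code): audit the sudo rules of a scan account.
# The account name "aguard" and all sample rules are assumptions.

# audit_scan_sudo FILE USER: print one finding per over-broad grant.
# Returns 1 if any finding is printed. Aliases are reported, not expanded.
audit_scan_sudo() {
    awk -v user="$2" '
        /^[ \t]*#/ || NF == 0 { next }          # comments, blank lines
        $1 != user { next }                     # only rules for the scan account
        {
            spec = $0
            sub(/^[^=]*=/, "", spec)            # drop "user host ="
            sub(/^[ \t]*\([^)]*\)/, "", spec)   # drop "(runas)"
            gsub(/(NOPASSWD|PASSWD|NOEXEC|EXEC|SETENV|NOSETENV):/, "", spec)
            n = split(spec, cmds, ",")
            for (i = 1; i <= n; i++) {
                c = cmds[i]
                gsub(/^[ \t]+|[ \t]+$/, "", c)
                if (c == "ALL")        { print "BROAD: " c;      bad = 1 }
                else if (c ~ /[*?]/)   { print "WILDCARD: " c;   bad = 1 }
                else if (c !~ /^\//)   { print "UNRESOLVED: " c; bad = 1 }
            }
        }
        END { exit bad + 0 }
    ' "$1"
}

# Constructed sample rules: one tight grant, one over-broad grant.
tight_rules() {
    printf '%s\n' '# scan account' \
      'aguard ALL=(root) NOPASSWD: /usr/local/bin/inq, /HORCM/usr/bin/inqraid'
}
broad_rules() {
    printf '%s\n' 'aguard ALL=(ALL) NOPASSWD: ALL' \
      'aguard ALL=(root) NOPASSWD: /usr/sbin/*, STORAGE_RO'
}

tmp=$(mktemp) || exit 1
tight_rules > "$tmp"; audit_scan_sudo "$tmp" aguard && echo "tight: ok"
broad_rules > "$tmp"; audit_scan_sudo "$tmp" aguard || echo "broad: findings above"
rm -f "$tmp"
```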
IBM PowerVM and AIX Logical Partitions (LPAR)
When IBM PowerVM virtualization and/or LPARs are used, you should also configure AvailabilityGuard to scan the following systems:
- IBM HMC. Scanning HMC will enable AvailabilityGuard™ to discover the IBM machines, VIO servers and logical partitions. AvailabilityGuard™ runs read-only HMC CLI commands over a secure shell (SSH) session to collect additional configuration data from HMC.
- VIO servers (partitions). Scanning VIOS will enable AvailabilityGuard™ to perform an end-to-end analysis from the LPAR standpoint through VIO, server, storage systems and additional layers.
To scan IBM HMC, you should make the following preparations:
- Obtain the IBM HMC Name or IP address.
- Obtain an IBM HMC user account with hmcviewer role (read-only).
- Verify that IP connectivity through SSH (default is port 22) is available between the AvailabilityGuard™ collector server and each HMC.
To scan a VIO LPAR, you should make the following preparations:
- Scan IBM HMC to discover the VIO server name or IP address.
- Obtain a user account. The user should be either a regular user with ksh and the permissions required for a standard UNIX/Linux host (as described above), or a restricted user with rksh.
- If a restricted user is used, make sure that PermitUserEnvironment is set to yes in the /etc/ssh/sshd_config file.
- Verify that IP connectivity through SSH (default is port 22) is available between the AvailabilityGuard™ collector server and the VIO server.
- The following example describes how to create a restricted user with appropriate privileges:
  - Log in to the VIO server using padmin.
  - Ensure that Enhanced RBAC is enabled: lsattr -El sys0 -a enhanced_RBAC
  - If not, run chdev -l sys0 -a enhanced_RBAC=true and reboot.
  - Create the role:
    - mkauth dfltmsg='Continuity Software' continuity
    - mkauth dfltmsg='Continuity Software AvailabilityGuard' continuity.availabilityguard
    - mkrole rolelist=ViewOnly authorizations=continuity.availabilityguard dfltmsg="Continuity Software AvailabilityGuard" availabilityGuard
    - setkst
  - Create the user:
    - mkuser -attr pgrp=view rguard
    - chuser -attr roles=availabilityGuard default_roles=availabilityGuard rguard
  - Create permission to run privileged commands.
    - Do the following for each required privileged command. Refer to the AvailabilityGuard Deployment Guide for a complete list of required privileged commands on AIX.
    - Note: In this example, the command is /usr/sbin/pcmpath.
    - setsecattr -c euid=0 accessauths=continuity.availabilityguard innateprivs=PV_SU_ secflags=FSF_EPS authroles= /usr/sbin/pcmpath
    - setkst
    - oem_setup_env
    - ln -s /usr/sbin/pcmpath /usr/ios/oem
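The rule for VIO scan accounts (a regular ksh user, or an rksh user together with PermitUserEnvironment yes) can be checked before onboarding. This is an added example, not vendor code: it reads only the global section of a single sshd_config file (Include files are not followed), and the sample files and the user name scanuser are constructed. PermitUserEnvironment is a global sshd setting, so the value found applies to every account on the server.

```shell
#!/bin/sh
# Added example (not vendor code). Sample files and "scanuser" are constructed.

# Effective global PermitUserEnvironment: sshd keeps the first occurrence of a
# keyword, keywords are case-insensitive, "Keyword=value" is accepted, default "no".
permit_user_env() {
    awk '
        /^[ \t]*#/ { next }                     # comment lines
        { sub(/=/, " ") }                       # normalise "Keyword=value"
        tolower($1) == "match" { exit }         # global section ends here
        tolower($1) == "permituserenvironment" { print tolower($2); found = 1; exit }
        END { if (!found) print "no" }
    ' "$1"
}

# Login shell of USER from a passwd-format file (field 7).
login_shell() {
    awk -F: -v u="$2" '$1 == u { print $7; exit }' "$1"
}

# check_vio_scan_user SSHD_CONFIG PASSWD USER
# Returns 0 when the account satisfies the rule above, 1 otherwise.
check_vio_scan_user() {
    shell=$(login_shell "$2" "$3")
    [ -n "$shell" ] || { echo "FAIL: no such user $3"; return 1; }
    case "${shell##*/}" in
        rksh) if [ "$(permit_user_env "$1")" = "yes" ]; then
                  echo "OK: restricted user, PermitUserEnvironment yes"; return 0
              fi
              echo "FAIL: rksh user but PermitUserEnvironment is not yes"; return 1 ;;
        ksh)  echo "OK: regular ksh user"; return 0 ;;
        *)    echo "FAIL: unexpected shell $shell"; return 1 ;;
    esac
}

# Constructed sample input.
sample_sshd()   { printf '%s\n' '# sample' 'permituserenvironment=yes' 'PermitUserEnvironment no'; }
sample_passwd() { printf '%s\n' 'rguard:!:205:1::/home/rguard:/usr/bin/rksh' \
                                'scanuser:!:206:1::/home/scanuser:/usr/bin/ksh'; }

d=$(mktemp -d) || exit 1
sample_sshd > "$d/sshd_config"; sample_passwd > "$d/passwd"
check_vio_scan_user "$d/sshd_config" "$d/passwd" rguard
rm -rf "$d"
```

On a live host, `sshd -T` prints the configuration sshd actually applies and is the authoritative source when Include files are in use.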
Additional notes:
- To scan an LPAR (VIOC), you should follow the general guidelines for UNIX/Linux scanning.
- IBM HMC should be scanned prior to onboarding VIO servers and logical partitions.
- You should allow AvailabilityGuard™ to automatically detect the VIO and LPARs through IBM HMC and avoid manual definition of VIO and LPARs.
- Once discovered, AvailabilityGuard™ will list the VIO and LPARs and allow adding them to scan groups.
Solaris zones and Oracle VM for SPARC
The requirements for scanning Solaris zones and domains are identical to the general UNIX/Linux scan requirements, with the following additional guidelines:
- The Solaris global host should be scanned prior to onboarding Solaris zones.
- You should allow AvailabilityGuard™ to automatically detect the private zones through scanning of the global zone and avoid manual definition of private zones.
- Once discovered, AvailabilityGuard™ will list the private zones and allow adding them to scan groups.
- Similarly you should scan the physical server running Oracle VM for SPARC prior to onboarding Oracle VMs (LDOMs).
- On Solaris hosts running Oracle VM for SPARC (formerly LDOM), make sure that the user has the read privilege to LDOMs (solaris.ldoms.read). In this case AvailabilityGuard™ auto-discovers logical Solaris hosts when scanning the physical server running Oracle VM for SPARC.
VMware Linux and Solaris Virtual Machines
The requirements for scanning VMware Linux and Solaris VMs are identical to the general UNIX/Linux scan requirements, with the following additional guidelines:
- VMware vCenter should be scanned prior to onboarding virtual machines (VMs).
- You should allow AvailabilityGuard™ to automatically detect the Linux and Solaris VMs through VMware vCenter and avoid manual definition of virtual machines.
- Once discovered, AvailabilityGuard™ will list the VMs and allow adding them to scan groups.
- For virtual machines that do not use raw device mappings, the above-mentioned storage utilities are not needed, even if the underlying physical host accesses external storage systems.
Additional important notes
- It is important to also scan Unix/Linux virtual machines. Unless explicitly mentioned otherwise, the scan requirements for VMs are identical to the general requirements for Unix/Linux.
- You should use the same ID on all hosts, although you may use different IDs per domain or per individual host. To simplify provisioning, it is also preferred to use non-privileged domain users rather than local users.
- Red Hat uses the ricci service to operate the cluster. You should manually run the command "ccs -h localhost --checkconf" and, if it requests a password, enter the ricci service password. This is a one-time action required for every cluster node.
- For AIX, the above mentioned storage utilities are unnecessary when CLARiiON/VNX is used.
- Refer to the AvailabilityGuard Deployment Guide for a complete list of required privileged commands per operating system.