Piszki Lab | EN

My case study in the clouds…

2021/05/04
by Piotr Pisz
0 comments

CloudStack – Kubernetes plugin

Most IaaS solutions (CloudStack, vSphere, OpenStack, Proxmox etc.), so far focused on virtual machines, are now developing container support very intensively. The leading standard at the moment is Kubernetes; support for it can be found in VMware vSphere (the Tanzu project) and in CloudStack (the Kubernetes plugin). The approach to containerization in IaaS is more or less the same everywhere: containers run in lightweight VMs, and the IaaS platform is designed to make cluster startup and management easier. Today we will deal with the latter solution, configure CloudStack step by step and launch a Kubernetes cluster. The CloudStack documentation for version 4.15 is quite detailed and has up-to-date links to the ISO images you need; be sure to read it.


2019/11/19
by Piotr Pisz
0 comments

vSphere 6.7U3 – Unable to push CA certificates and CRLs to host

The current version of vCenter 6.7U3 brought with it an interesting change: as we can read here, all CA certificates in the trusted store must have the “X509v3 Basic Constraints: CA: TRUE” flag set. If any certificate lacks this flag, essentially all operations on certificates are blocked and the error “Certificate is not valid CA certificate” appears. Today, using the problem of refreshing CA certificates at the host level as an example, I will show you how to deal with it. Generally, as I wrote in this post, the vCenter CA certificate store should be kept in order; a mess only brings problems.


2019/09/27
by Piotr Pisz
0 comments

Secure file server based on Samba, CTDB, CephFS and OpenLDAP

The purpose of today’s exercise is to run a secure, fully HA Samba cluster that serves files directly from CephFS and authorizes users at the OpenLDAP level. The closest equivalent to this configuration is the Failover Cluster + DFS service available in Microsoft Windows Server 2012+. Ceph and OpenLDAP configuration can be found in the linked articles; here we will focus mainly on CTDB and Samba. Clustered Trivial Data Base, which is what the abbreviation stands for, keeps user sessions consistent across multiple nodes and also supervises Samba itself. In this configuration the VFS module samba-vfs-ceph (Samba Gateway for CephFS) will be used; this module allows Samba to work correctly (natively) with CephFS. With this module, Samba passes all file operations (opening, locking, closing, etc.) straight through to CephFS. To stay consistent with recent configurations, users will be taken from OpenLDAP (the entire Samba configuration will also be stored there). Thanks to this approach, we obtain a coherent, redundant configuration that seamlessly connects many components. Because the latest versions required are not available in CentOS 7 or Ubuntu 18, all configuration will be carried out on Fedora Server 29 (but I think it will go onto CentOS 8 without any problems).


2019/09/13
by Piotr Pisz
0 comments

Cryptographic security in vSphere aka what is KMS, vTPM, VBS and others.

Quite recently I wrote about support for TPM 2.0 in vSphere 6.7, why this technology is worth using and how to configure it. Today I would like to take the topic further and deal with the security of virtual machines (VMs). VMware is intensively developing VM security by introducing support for virtual machine encryption, support for a virtual TPM (vTPM) and support for Microsoft Virtualization Based Security (VBS). This is a very interesting area that I will try to present in as much detail as possible.


2019/09/04
by Piotr Pisz
2 Comments

Microsoft WSFC and vSAN 6.7U3

Recently, I decided to perform an AD migration from 2012R2 to 2019 in my lab and, following on from that, to migrate all services (DFS, SQL and others) to 2019. I decided to use the new feature that appeared in vSphere 6.7U3, i.e. support for RDM (SCSI-3 PR), and run the new Microsoft Windows Server Failover Cluster on it. Since Piszki Lab now consists of two physical servers, such a cluster makes more sense, although of course it is only for the lab. There is also official VMware documentation describing the whole process; in addition, you can use the detailed instructions for deploying WSFC.


2019/05/29
by Piotr Pisz
3 Comments

Kerberos with OpenLDAP backend configuration in CentOS 7

Today we will deal with LDAP kerberization. It sounds a bit strange, but it comes down to installing and configuring a cluster consisting of multiple nodes (N+) operating in active mode. This cluster will serve LDAP and Kerberos services for Linux systems. The Kerberos database will be stored in OpenLDAP, which means Kerberos will also work multi-master. In addition to the cluster itself, we will also configure the client system so that users authenticate at the LDAP level and can use their Kerberos ticket to move freely between systems. This exercise aims to prepare an authorization system for use in the subsequent installation of Hadoop.

