Hi.
I cannot get monitoring of a XenServer host working. Please help me.
XenServer 7.1.0 (RBAC & AD)
Lpar2RRD 6.02-24
It is my first XenServer host to add to Lpar2RRD.
1) I made a "lpar2rrd" user in AD, added it to the Xen host, and set its rights to Read-Only (RBAC & AD).
In this case I cannot connect by SSH.
2) I made a local user "lpar2rrd" on the Xen host, and I can connect to the host by SSH. But this user is not visible in the XenServer Users list and I cannot set the Read-Only role for it.
3) I added a config for the Xen host in the Lpar2RRD web GUI for user "lpar2rrd"; test: HTTPS error, HTTP OK, SSH (from the Lpar2RRD host) OK.
In the logs I see errors.
4) I changed the config for the Xen host in the Lpar2RRD web GUI to user "root"; test: HTTP error, SSH (from the Lpar2RRD host, as the lpar2rrd user) OK.
There are no errors in the logs, but no info for the Xen host appears in the web GUI.
Please tell me in more detail what I need to do if my XenServer uses RBAC & AD.
Comments
Hi Alex,
LPAR2RRD requires a user account on your XenServer host that will allow running XenServer API queries such as "xe host-list" over SSH. By default, only root is allowed to access the XenServer API from the command line (the xe command); other user accounts do not have this capability. In order to add it to any user account, you have to assign the account an RBAC role (documentation at Citrix' website); Read-Only should suffice for reading configuration and performance data. The steps are explained in the official documentation.
Once you have a user account on your XenServer host, and it can run commands such as the aforementioned "xe host-list" and view their output, you can follow the rest of the LPAR2RRD installation instructions (XenServer/Citrix tab), i.e., exchange SSH keys for your XenServer user account, test the connection, and make sure that there is a scheduled cron job for load_xenserver.sh. If the SSH authorization part of the connection test fails, you can run it from the command line; the command will be listed in red in the host connection test dialog window.
Once the XenServer host connection is set up correctly, it might take a while (several minutes, up to an hour, if you don't run the scripts manually) before XenServer data appear in the LPAR2RRD menu, because load_xenserver.sh has to fetch the data and then load.sh includes it in the menu.
If RBAC is used, only the root user is allowed to access the XenServer API.
If AD is used, any other users come only from external directory services (AD).
So, if I make a user lpar2rrd in my AD, add it in RBAC and assign the Read-Only role, this is OK.
But for this user (lpar2rrd from AD) it is not possible to manipulate RSA keys for SSH!
This is my question: how to make the settings if Xen uses RBAC & AD.
P.S. At the moment I have found how to work with the local root user (XenServer), but it is very insecure!!!
For the root user the HTTP and HTTPS checks do not work, but by SSH I receive info.
LPAR2RRD requires the following user-account credentials to fetch data from a XenServer host:
Depending on your LPAR2RRD environment (whether it runs in an appliance, or not), authorization checks (API and SSH) in the web UI may fail if it does not have rights to access the corresponding certificates/keys; however, the load_xenserver.sh script may fetch data just fine. If the API authorization check fails with error 403 or similar (as opposed to error 500), the user name or password is incorrect.
Performance data can be fetched (over HTTP(S)) by an ordinary user, whereas access to configuration data relies on xe query commands. To reiterate, only root can do so by default. If RBAC is available (it is not in XenServer Free edition), other users can be assigned such rights; RBAC relies on Active Directory.
If I understand it correctly, you have
Is that correct?
xe queries in the command line, such as the "xe host-list" command?
1) I made an AD user "lpar2rrd"
UserPrincipalName : lpar2rrd@domen.srv
2) I connected to XenServer by CLI, using the info at https://docs.citrix.com/en-us/citrix-hypervisor/users/rbac-cli.html
3) OK, if I set (in the Lpar2RRD web GUI) USERNAME as lpar2rrd, check HTTP and enter its password, by Test I get OK.
4) But the SSH key cannot be applied, because the /home/lpar2rrd/.ssh directory does not exist! For SSH this user does not exist.
If I try to connect from Lpar2RRD by SSH to the XenServer host (I use the password for the AD user):
So, if Xen uses RBAC & AD I can make a user and add the Read-Only role, but this does not create user structures on the Xen host for working with SSH keys.
Thank you for the clarification, Alex.
Can you log in as the new user lpar2rrd at all? I mean in the local console or with "su - lpar2rrd", when you are already logged in (probably as root).
Go to XenServer from Lpar2RRD by SSH keys for the root user:
Try switching to the lpar2rrd user from AD in Linux like:
[root@dl580-s1-l1 ~]# su - lpar2rrd
Try to connect by SSH:
[root@dl580-s1-l1 ~]# ssh lpar2rrd@dl580-s1-l1
Add the Pool-Admin role by RBAC to the AD user lpar2rrd:
[root@dl580-s1-l1 ~]# xe subject-role-add uuid=9884ac6b-f44d-0bc7-0527-82e2d85bfb6b role-name=pool-admin
Try to connect by SSH again:
[root@dl580-s1-l1 ~]# ssh lpar2rrd@dl580-s1-l1
It appears that the local user corresponding to the subject does not exist.
I see that you have tried to change the subject role to Pool-Admin, but apparently without any effect. Did you remove the previous role beforehand, as the "To change the RBAC role of a subject" documentation section suggests?
I have some info.
Command to log in by SSH with an AD user:
# ssh DOMAIN\\username@hostname
If the role "pool-admin" is set in RBAC, the following line is added (automatically) to the SSH config file /etc/pam.d/sshd on XenServer:
account sufficient pam_succeed_if.so user = DOMAIN\username
and then login by SSH goes to the !!! root session:
Any other roles do not make these changes; I tested it.
P.S. I can log on as the AD user with the SSH key for the root user, e.g.
I hope this helps you.
Alex
./bin/xen-xapi2json.pl
FROM:
}
TO
1. Make the changes in the file /bin/xen-xapi2json.pl (see above)
2. Make an AD user lpar2rrd, add it to XenServer, and add the role "pool-admin" to it
3. Exchange the SSH key from the lpar2rrd user to the root user on XenServer
[lpar2rrd@stor2rrd .ssh]$ cd ..
4. Add XenServer in Lpar2RRD, using the user name DOMAIN\lpar2rrd, its password and the SSH key /home/lpar2rrd/.ssh/id_rsa
But I use superuser rights, and I cannot find how to avoid it.
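The two posts above show that giving the AD subject "pool-admin" makes XenServer append a pam_succeed_if line to /etc/pam.d/sshd, after which the SSH login lands in a root session. As an added example (not from the thread, LPAR2RRD or Citrix), this POSIX shell helper audits that file: it lists the DOMAIN\user subjects currently mapped onto root this way and flags any that are not on an expected list. The file content here is a constructed sample; on a live host pass the real file instead.

```shell
#!/bin/sh
# Audit helper (added example): find AD subjects that /etc/pam.d/sshd lets
# through as root via "account sufficient pam_succeed_if.so user = DOMAIN\name".

# Constructed sample of what the file looks like after two subjects were given
# pool-admin. Real usage: SAMPLE_PAM_SSHD="$(cat /etc/pam.d/sshd)".
SAMPLE_PAM_SSHD='#%PAM-1.0
auth       required     pam_sepermit.so
account    sufficient   pam_succeed_if.so user = DOMAIN\lpar2rrd
account    sufficient   pam_succeed_if.so user = DOMAIN\backupadmin
account    required     pam_nologin.so
account    include      password-auth'

# Print one subject per line for every pam_succeed_if "user = X" account rule.
# Fields are matched positionally so a line with extra options is not reported.
root_mapped_subjects() {
  printf '%s\n' "$1" | awk '$1 == "account" && $2 == "sufficient" &&
    $3 == "pam_succeed_if.so" && $4 == "user" && $5 == "=" { print $6 }'
}

# Number of root-mapped subjects; a monitoring check can alert when it changes.
count_root_mapped() {
  root_mapped_subjects "$1" | wc -l | tr -d ' '
}

# Print the root-mapped subjects that are not in the space-separated
# expected list given as $2 (e.g. 'DOMAIN\lpar2rrd').
unexpected_root_subjects() {
  root_mapped_subjects "$1" | while IFS= read -r subject; do
    case " $2 " in
      *" $subject "*) ;;                      # expected, stay quiet
      *) printf '%s\n' "$subject" ;;          # not on the list: report it
    esac
  done
}

# Stand-alone run on the sample: expect DOMAIN\backupadmin to be reported.
echo "root-mapped subjects: $(count_root_mapped "$SAMPLE_PAM_SSHD")"
unexpected_root_subjects "$SAMPLE_PAM_SSHD" 'DOMAIN\lpar2rrd'
```

The expected list should contain only the monitoring account you knowingly granted pool-admin; anything else printed is an additional root-equivalent SSH login to review.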