manualshive.com logo in svg

HPE Synergy Image Streamer 5.2, Руководство пользователя, Страница: 76 / 96

Поделиться
Скачать
HPE Synergy Image Streamer 5.2 Скачать руководство пользователя страница 76

Security

This chapter discusses about the security aspects of Image Streamer.

The Image Streamer appliance assumes that the following security aspects are met:

• The Image Streamer appliance operates in a secure HPE OneView managed environment and is connected to a secure

management network.

• The Administrator obtains the Golden Images from trusted sources.

• The scripts used in the appliance for personalization or generalization are free from malware.

• The Golden Images reside on the Image Streamer OS deployment server. However, the OS deployment server does

not create or manage sensitive data in the Golden Images.

Roles and Authorization

HPE OneView provides authorization to Image Streamer users. Software administrator is the role that is defined in HPE
OneView to authorize users to manage Image Streamer artifacts. The 

User roles and Authorization table illustrates the

different user roles and their respective authorization levels for the artifacts and deployment process.

NOTE: Image Streamer supports only the default global scope All Resources.

Table 4: User roles and Authorization

Role

Image Streamer artifact
management

HPE OneView server profile with OS
deployment

Software Administrator

Full Privileges

View Only

Server Administrator

View Only

Full Privileges

Infrastructure Administrator

Full Privileges

Full Privileges

Backup Administrator

View Only

No Access

Network Administrator

View Only

No Access

Storage Administrator

View Only

No Access

Scope Operator

No Access

No Access

Scope Administrator

No Access

No Access

Server Firmware Administrator

No Access

No Access

Scope Based Access Control

OS Deployment Plans can be scope limited so that different server administrators have access to different subsets of
Deployment Plans.

Security

76

Содержание Synergy Image Streamer 5.2

Страница 1: ...interfaces and working environment It describes the server deployment process using Image Streamer the purpose and life cycle of Image Streamer artifacts and the actions you can perform using them It...

Страница 2: ...ewlett Packard Enterprise required for possession use or copying Consistent with FAR 12 211 and 12 212 Commercial Computer Software Computer Software Documentation and Technical Data for Commercial It...

Страница 3: ...r Image Streamer 17 Add Image Streamer to a logical enclosure 17 Accessing Image Streamer documentation and help 18 Using Image Streamer user interface or REST API scripts 19 Artifacts 20 About Plan S...

Страница 4: ...pdating Image Streamer 49 Update process 49 Update Image Streamer in a single frame configuration 50 Update scenarios 52 Backup restore and recovery 53 Backup 53 Restore and recovery 53 Image Streamer...

Страница 5: ...not highly available 82 Changes to compute module settings are not updated onto Image Streamer 83 Compute module waits in PXE boot mode due to unavailability of OS volume from Image Streamer 83 Creati...

Страница 6: ...Support and other resources 94 Accessing Hewlett Packard Enterprise Support 94 Accessing updates 94 Remote support 95 Warranty information 95 Regulatory information 95 Documentation feedback 96 6...

Страница 7: ...amer achieves OS deployment on stateless servers by maintaining the OS deployment state as part of the HPE OneView server profile The server profile holds the logical hardware and software state of th...

Страница 8: ...en Image creation and artifact replication between appliance pairs It also handles Golden Image deployment and OS volume management 3 The Image Streamer SSD repository partition stores the management...

Страница 9: ...loning the Golden Image associated with the specified OS Deployment Plan The personalization information such as hostname and IP address are added to the composed OS volume with the values that you sp...

Страница 10: ...when needed A special single frame configuration with one Image Streamer can be used for development or testing environments Hewlett Packard Enterprise requires a three frame configuration as a minim...

Страница 11: ...for deployment Determine the configuration settings that Software administrators may customize Backup administrator Backup administrator can perform the following actions Create and download backup f...

Страница 12: ...S volume that is used to deploy and configure operating systems for compute modules A previously deployed OS volume can consist of a bootable operating system applications and I O driver version Deplo...

Страница 13: ...OS or hypervisor installation and configuration is complete it is stored as a stateless Golden Image in Image Streamer The Golden Image in its extracted form is used for fast deployments of server OS...

Страница 14: ...terface Server administrator Specifies the OS deployment settings using the HPE OneView server profiles Use the sample artifacts provided by Hewlett Packard Enterprise for OS deployment or to help dev...

Страница 15: ...ation provides a guide to tasks specific to Image Streamer configuration Use these instructions when you add Image Streamer devices to an existing configuration HPE Oneview raises alerts when the conf...

Страница 16: ...o HPE OneView 2 Verify that the Inventory list contains the expected number of Image Streamer appliances from the Appliance Hardware Setup screen 3 View the Checklist and resolve any hardware or claim...

Страница 17: ...ings under Settings Networking in HPE OneView user interface to see if any management networks have been defined NOTE Any management network used for Image Streamer must also include the IP address fo...

Страница 18: ...rface Clicking the icon opens the help sidebar In the help sidebar Help on this page opens help for the current screen Browse help opens the home page of the help system Clicking on a screen or a dial...

Страница 19: ...e about the tasks At the top of each screen the help icon gives you access to the help system Image Streamer REST API REST is a web service that uses basic CRUD Create Read Update and Delete operation...

Страница 20: ...age Read only property value In use scenario Can I delete the Plan Script Yes Used by OS Build Plan No Yes Not in use No No Used by OS Build Plan Yes A warning is displayed but you can delete the Plan...

Страница 21: ...IC String A String type custom attribute can have any value unless a regular expression constraint is specified in the OS Build Plan Constraints for a String custom attribute value Regular Expression...

Страница 22: ...value of a custom attribute of type IPv4 address must contain a valid IPv4 address Hostname The value of a custom attribute of type Hostname must contain a valid hostname Constraints for a Hostname c...

Страница 23: ...Network Interface Controller NIC Plan Scripts can contain Network Interface Controller NIC attributes NIC attributes are complex custom attributes and contain network interface configuration parameter...

Страница 24: ...Unteamed NIC attributes Unteamed NIC attributes can contain the following parameters ipaddress mac If the mac attribute is not set to any value it expands to none in the Plan Script dns1 dns2 dns3 net...

Страница 25: ...onnection This option indicates that the server profile is allowed to provide no connection for the NIC If set the mac or mac1 and mac2 values expand to none in the Plan Script If not set a network co...

Страница 26: ...fault values NIC attributes cannot have default values The value can either be automatically populated from the IP pool if auto mode is enabled in the server profile in HPE OneView or specified by the...

Страница 27: ...ue of dev sda _Target name Name of the OS volume _Target ip IP address of the OS volume _Target port Port of the OS volume _Target lun The logical unit number of the OS volume The system attributes th...

Страница 28: ...a compressed file For deployment you can customize the image by specifying server specific configuration using custom attributes For capture you can generalize the image by removing any server specif...

Страница 29: ...Table 3 Golden Image life cycle sequence of events Sequence Operation Description 1 Add Adds a Golden Image from your laptop 1 Capture1 Creates a Golden Image either from a deployed server or from an...

Страница 30: ...ture installation you can make configurational changes in the operating system Any configuration information that is not specific to the compute module must be completed in the OS before server shutdo...

Страница 31: ...r sles d VMware vSphere ESXi https github com HewlettPackard image streamer esxi 2 Select the desired branch corresponding to the release using the Branch menu By default the latest branch is selected...

Страница 32: ...b com HewlettPackard image streamer tools Artifacts provided by Hewlett Packard Enterprise are read only However you can make a copy and edit them For more information on copying artifacts to allow mo...

Страница 33: ...ach compute module A simple partition layout and configuration for deployment is useful to reduce the complexity of personalizing each server NOTE Do not reduce the iSCSI timeout on servers deployed u...

Страница 34: ...ggered in HPE OneView You can view the claim status of the Image Streamer appliance in the Activity screen in HPE OneView user interface If HPE OneView fails to claim the Image Streamer appliance an a...

Страница 35: ...volumes if an active appliance fails For an Image Streamer appliance pair the artifact management and OS deployment function is served by an Active Standby management cluster whereas the OS volume sto...

Страница 36: ...ables you to capture an existing instance of the operating system on the compute module The Image Streamer resource management interface removes all server specific information before creating a Golde...

Страница 37: ...be impacted Also the OS interactions with CPU memory and swap files will place a load on this bandwidth Hence the recommendation is that the requested bandwidth that is specified in the HPE OneView s...

Страница 38: ...dation for application installation varies depending on the type of storage that is configured for the compute module in HPE OneView server profile In a stateless server environment any existing local...

Страница 39: ...n other frames either now or in the future they must be installed and stored on storage external to the frame The installation of new applications and configuration of existing ones must be performed...

Страница 40: ...ion of the appliance module image View the firmware version In the appliance maintenance console using the View option In oneview mgmt software view the Installed firmware version for Member Appliance...

Страница 41: ...ressed image 7 Copy the contents of the image file to the USB flash drive IMPORTANT Do not rename the files 8 Optionally remove the USB flash drive and store it for future use Reimaging the appliance...

Страница 42: ...The HPE Synergy Frame Link Module at the rear of the frame On connection the HPE Synergy Console is displayed b Click the monitor icon at the top right of the screen c Select the appliance module to...

Страница 43: ...initial oneview mgmt software login screen appears in the HPE Synergy Console For Image Streamer the administrator must log in to the appliance maintenance console shut down the Image Streamer and re...

Страница 44: ...he cluster health and OS volume status If you remove the appliance module without verifying the cluster health or OS volume status you might lose access to the OS volume Before removing an Image Strea...

Страница 45: ...e Deployment Appliances screen in the Image Streamer user interface If the Remove Image Streamer Appliance task on the SERVERS Enclosures screen terminates with an error follow the resolution suggeste...

Страница 46: ...eView user interface After you insert an appliance the SERVERS Enclosures screen in the HPE OneView user interface displays an alert about the interconnect link topology with state as Cleared This sta...

Страница 47: ...SERVERS Enclosures screen in HPE OneView user interface NOTE If the CIM is in the local ring then Factory Reset link in the alert will power on automatically If the CIM is in the remote ring you must...

Страница 48: ...ce and persists for more than 30 minutes Compute modules shut down immediately NOTE Compute modules running Linux might shut down immediately The compute modules running VMware ESXi might continue fun...

Страница 49: ...the next pair 4 Update Frame Link Module and Interconnect Modules IMPORTANT Do not attempt to update the Frame Link Module and Interconnect Modules if The Image Streamer appliance cluster is not healt...

Страница 50: ...es in various parts of HPE Synergy temporarily interrupt a part of the network This requirement is applicable for the deployment network that is used for OS volume access and connections to other netw...

Страница 51: ...on ensures that HPE OneView discovers and claims the Image Streamer appliance afresh 9 From the HPE OneView main menu select APPLIANCE OS Deployment Servers Add OS deployment servers Create the OS dep...

Страница 52: ...iance returns a validation error if The selected update bin file is corrupted The existing version of the appliance is the same as or later than the selected update bin version Updating an appliance t...

Страница 53: ...nd replicated periodically to secondary appliances If the deployment server is edited to change the primary appliance the latest artifacts will be immediately replicated from the secondary appliance t...

Страница 54: ...all the artifacts in the appliance at the time of backup bundle creation When you perform an Import artifact bundle operation if the same artifact is available in the artifact bundle and in the Image...

Страница 55: ...in menu navigate to APPLIANCE OS Deployment Servers screen and click on the Image Streamer UI link to open Image Streamer user interface 10 From the Image Streamer main menu navigate to Deployment Gro...

Страница 56: ...e operation 3 Download the existing audit logs and store them for safekeeping 4 Make the backup file accessible to the appliance you want to restore If you are using an enterprise backup product to ar...

Страница 57: ...o preserve network settings while performing a factory reset operation Always choose to perform a full factory reset Appliance reset using user interface If there is an issue in the claim process and...

Страница 58: ...pressed file with a name in the following format hostname identifier timestamp sdmp Where for support dump files created from the UI identifier is either CI indicating an appliance support dump or LE...

Страница 59: ...nce console is always available from the front panel console or from an SSH session if maintenance IP addresses are configured In the upper left of most appliance maintenance console screens the local...

Страница 60: ...the appliance maintenance console using one of the following options NOTE Use the credentials of a local user with the Infrastructure administrator role when prompted You can Reset the administrator...

Страница 61: ...me Link Module on the rear of the frame On connection the Synergy console is displayed 2 On the HPE Synergy Console select Actions Serial consoles Appliances and choose the appliance you want to acces...

Страница 62: ...connection 192 168 10 1 4 The HPE Synergy console is now available using the VNC client connection 5 Log in to the appliance maintenance console to access the appliance maintenance console Log in to t...

Страница 63: ...s state is propagated to all the local and remote FLMs in the ring Backup operations do not back up the appliance maintenance console password Ensure that you can remember or retrieve the appliance ma...

Страница 64: ...Notification banner Notifies or warns of a situation regarding the appliance or appliance cluster The Notification banner spans the width of the appliance maintenance console If no notification is pen...

Страница 65: ...by its host name Located directly beneath the Title Icon Indicates the general status of the appliance in the upper right State text Displays one to three lines of additional text to elaborate on the...

Страница 66: ...e but not with the UI Serial number The serial number of the appliance hardware Maintenance console appliance states The appliance maintenance console displays an icon and a message in the upper right...

Страница 67: ...luster Contact your authorized technical support to replace the failed disk The disk on the peer appliance failed The local appliance is currently the standby appliance but it will be activated automa...

Страница 68: ...sole main menu 2 Select View details The appliance maintenance console details screen is displayed Reset the appliance maintenance console password Prerequisites Create a new password that fulfills th...

Страница 69: ...with this account You will be prompted to set a new password Prerequisites If you lose or forget the local administrator password and can access the appliance maintenance console through the virtual...

Страница 70: ...e logged out and all ongoing work is completed Procedure 1 Access the appliance maintenance console main menu 2 Select Shut down in the main menu 3 Confirm that you want to shut down the appliance 4 V...

Страница 71: ...ith only one partition If necessary use a computer to format the USB drive The USB drive must have enough free space typically 1 GB to 4 GB to store the support dump file Procedure 1 Ensure that the U...

Страница 72: ...The other port stays in standby mode If there is a connectivity issue on the MGMT port that carries the management network traffic then the management network traffic is automatically switched to the...

Страница 73: ...stored or perform this task from the Maintenance console of an active Image Streamer appliance Procedure 1 Connect to HPE OneView using the serial console and confirm if HPE OneView is functional If H...

Страница 74: ...er Maintenance console main menu 3 Select Configure MGMT port for deployment network connectivity 4 A confirmation prompt appears Select OK to proceed This step powers on the blue UID light on the MGM...

Страница 75: ...new active appliance User intervention is required in a situation when the communication between active and standby appliances in an Image Streamer appliance pair is broken and the standby appliance i...

Страница 76: ...ers to manage Image Streamer artifacts The User roles and Authorization table illustrates the different user roles and their respective authorization levels for the artifacts and deployment process NO...

Страница 77: ...ism REST API calls for Image Streamer management HTTPS iSCSI commands for booting the blade servers IQN authorization Certificate management Image Streamer uses HTTPS to communicate with remote server...

Страница 78: ...All certificates shown on the Manage Certificates screen are trusted by Image Streamer All trusted certificates can communicate securely with Image Streamer The certificates shown as trusted comprise...

Страница 79: ...ficate that belongs to www hpe com you must upload CRLs for the following VeriSign Class 3 Public Primary CA VeriSign Universal Root CA Symantec Class 3 Secure Server CA Symantec Class 3 Secure Server...

Страница 80: ...s from the Actions menu on the Deployment Groups screen Compliance The Image Streamer OS deployment server is compliant with the Hewlett Packard Enterprise security policies such as code signing and i...

Страница 81: ...the appliance storage volumes is a clear text protocol and relies on IQN and CHAP authorizations that are not considered as strong security mechanisms The high availability and RAID communications ar...

Страница 82: ...and the issues with Image Streamer If you are unable to troubleshoot an issue then create a support dump to gather logs and other information required to debug The support dump file can then be shared...

Страница 83: ...iLO does not add the OS volume to the booting sequence If you attempt to boot the compute module before Image Streamer is ready the boot fails or causes the compute module to wait in PXE boot mode NO...

Страница 84: ...addresses that are available 2 After checking the availability of IP addresses a Delete the failed OS deployment server b Factory reset the appliance using the link on the SERVERS Enclosures screen in...

Страница 85: ...You can access the HPE Synergy Image Streamer API reference from the user interface of HPE OneView or download it from Hewlett Packard Enterprise Information Library OS deployment server creation fai...

Страница 86: ...in errors The connections created for the compute modules in the server profile are not valid Action Ensure the Plan Scripts used for the deployment are valid Ensure that the connections created for t...

Страница 87: ...to a different enclosure in the same interconnect link topology with a similar configuration of the other standby appliances Solution 3 Cause The standby appliance malfunctions Action Replace the sta...

Страница 88: ...port dump created from the Image Streamer user interface or service console contains information only from the active appliance Cause The active standby cluster formation has issues and the support du...

Страница 89: ...xamples for management network HPE Synergy Image Streamer interconnects and power Configuration and Compatibility Guide An overview of HPE Synergy management and fabric architecture detailed hardware...

Страница 90: ...ums for HPE OneView User Guide and Help for HPE Synergy Resource features planning tasks configuration quick start tasks navigational tools for the graphical user interface and more support and refere...

Страница 91: ...gement Combination Firmware Feature Table A list of firmware features to use to compare HPE Synergy Custom SPPs supported by the selected HPE Synergy Management Combination Upgrade Paths Table Informa...

Страница 92: ...or HPE Synergy User Guides HPE Synergy Software Release Information site Managing HPE OneView User Guide for HPE Synergy HPE Synergy Image Streamer Help HPE Synergy Image Streamer User Guide HPE Syner...

Страница 93: ...ption Service Support Alerts https www hpe com support e updates Software Depot https www hpe com support softwaredepot Customer Self Repair https www hpe com support selfrepair Product specific websi...

Страница 94: ...updates Some software products provide a mechanism for accessing software updates through the product interface Review your product documentation to identify the recommended software update method To...

Страница 95: ...PE Proactive Care service Supported products list https www hpe com services proactivecaresupportedproducts HPE Proactive Care advanced service Supported products list https www hpe com services proac...

Страница 96: ...com info ecodata For Hewlett Packard Enterprise environmental information including company programs product recycling and energy efficiency see https www hpe com info environment Documentation feedb...

Отзывы:

Нет отзывов