JSA KVM SUPPORT · 2018-10-17 · network:default,model=virtio--graphics vnc--console...

© 2018 Juniper Networks

JSA KVM SUPPORTTheodore Jencks, CSE


KVM IMAGE SPECIFICATIONS

• Image is a compressed qcow2 image 16.5G in size when compressed

• Md5sum:

• Uncompressed the image is a 512G QCOW2

• Ubuntu 18.04 LTS w/ KVM and OVS was used to validate the image for KVM

• Contrail 3.2.12 was validate to run with the image / Kilo / Ocata Openstack Versions

• For best IO performance image metadata pre allocation is recommended as a minimum. Full

allocation of the disk is required for max performance and recommend for all installs on KVM.

• Image role and resource requirements can be found here:

https://www.ibm.com/support/knowledgecenter/en/SS42VS_7.3.1/com.ibm.qradar.doc/c_siem_

vrt_ap_reqs.html

2

https://www.ibm.com/support/knowledgecenter/en/SS42VS_7.3.1/com.ibm.qradar.doc/c_siem_vrt_ap_reqs.html


INSTALL INSTRUCTIONS ON KVM

3

• Considerations for NUMA. It is recommended that JSA VM’s be instantiated on the same NUMA as the disk controller / RAID Controller on

the host system. This is to optimize Disk IO operations and avoid crossing QPI. It is also recommend that NUMA policy be set as strict for

KVM so that memory and CPU resources are all allocated from the same NUMA.

• Copy the jsa7.3.1p6.qcow2 image to a safe location on the virtualization host.

• Clone the image: qemu-img convert -p -f qcow2 -O qcow2 /iso/jsa7.3.1p6-final.qcow2 /vm/vjsa-tacon.qcow2 -o preallocation=metadata

• Full allocation recommened: qemu-img convert -p -f qcow2 -O qcow2 /iso/jsa7.3.1p6.qcow2 /vm/vjsa-tacon.qcow2 -o preallocation=falloc

• Install with virt-install: virt-install --hvm --name jsa7.3.1-tacon --cpu host --cpuset 2-10,42-50 --vcpussockets=18,cores=1,threads=1 --memory 65536 --memorybacking hugepages=yes --disk path=/vm/vjsa-tacon.qcow2,format=qcow2 --os-type linux --os-variant rhel7.4 --memballoon virtio --network network:default,model=virtio --graphics vnc --console pty,target_type=virtio –-import –-print-xml > vjsa-tacon.xml

• The above command will print the XML necessary to define the VM in KVM. In this case we are going to print the output to a file then edit the file to complete our static CPU pinning.



4

• Next Edit the file and add the following to the XML:

<cputune><vcpupin vcpu='0' cpuset='11'/><vcpupin vcpu='1' cpuset='51'/><vcpupin vcpu='2' cpuset='12'/><vcpupin vcpu='3' cpuset='52'/><vcpupin vcpu='4' cpuset='13'/><vcpupin vcpu='5' cpuset='53'/><vcpupin vcpu='6' cpuset='14'/><vcpupin vcpu='7' cpuset='54'/><vcpupin vcpu='8' cpuset='15'/><vcpupin vcpu='9' cpuset='55'/><vcpupin vcpu='10' cpuset='16'/><vcpupin vcpu='11' cpuset='56'/><vcpupin vcpu='12' cpuset='17'/><vcpupin vcpu='13' cpuset='57'/><vcpupin vcpu='14' cpuset='18'/><vcpupin vcpu='15' cpuset='58'/><vcpupin vcpu='16' cpuset='19'/><vcpupin vcpu='17' cpuset='59'/>

</cputune>

• Now define the VM: virsh define vjsa-tacon.xml



5

• Here is the example output that you should see:

tjencks@svc-virtual1:/vm$ virsh dumpxml jsa7.3.1-tacon<domain type='kvm'><name>vjsa-tacon</name><uuid>957426e8-e225-4874-ac8f-6a2b7a3236a1</uuid><memory unit='KiB'>67108864</memory><currentMemory unit='KiB'>67108864</currentMemory><memoryBacking><hugepages/>

</memoryBacking><vcpu placement='static' cpuset='11-19,51-59'>18</vcpu><cputune><vcpupin vcpu='0' cpuset='11'/><vcpupin vcpu='1' cpuset='51'/><vcpupin vcpu='2' cpuset='12'/><vcpupin vcpu='3' cpuset='52'/><vcpupin vcpu='4' cpuset='13'/><vcpupin vcpu='5' cpuset='53'/><vcpupin vcpu='6' cpuset='14'/><vcpupin vcpu='7' cpuset='54'/><vcpupin vcpu='8' cpuset='15'/><vcpupin vcpu='9' cpuset='55'/><vcpupin vcpu='10' cpuset='16'/><vcpupin vcpu='11' cpuset='56'/><vcpupin vcpu='12' cpuset='17'/><vcpupin vcpu='13' cpuset='57'/><vcpupin vcpu='14' cpuset='18'/><vcpupin vcpu='15' cpuset='58'/><vcpupin vcpu='16' cpuset='19'/><vcpupin vcpu='17' cpuset='59'/>

</cputune>



6

• Now start the VM and console into it with the following commands:virsh start vjsa-taconvirsh console vjsa-tacon

• Login as root / no password should be required.

• Step through the install wizard for the virtual appliance type you are creating in this case a Threat Analytics Console or (all in one)


INSTALL INSTRUCTIONS ON KVM CONTINUED

7

• Login as root at the prompt no password should be required. If you are prompted for a password something has gone wrong with the install please contact Juniper Support.

• Accept the EULA license and proceed



8



9



10



11



12



13



14



15



16



17

• The below indicates that the installation has started. This process can take up to 6 hours depending on the speed of your system. Be patient and give the system an opportunity to complete, the system can seem hung or frozen at times when really the install just runs for a very long time.



18

• The following output indicates a successful install of a Console system:

Installing Qradar changes...psql: could not connect to server: No such file or directory

Is the server running locally and acceptingconnections on Unix domain socket "/var/run/postgresql/.s.PGSQL.5432"?

Activating system with key 003V41-5T7A3E-077N7N-54512G.Appliance ID is 3199.Installing 'TA Threat Analytics "All-In-One" or Console' with id 3199.Configuring network...Setting time server to ntp.juniper.net.Synching time with server 'ntp.juniper.net'8 Oct 16:42:41 ntpdate[10395]: adjust time server 66.129.233.81 offset -0.000348 secRestarting postgresql-qrdRunning changeQradarPasswordStopping hostcontextStopping httpdStopping tomcat1: waiting for port 7676 to start2: waiting for port 7676 to start3: waiting for port 7676 to startMon Oct 8 16:43:39 PDT 2018 [setup-imq.sh] OK: IMQ Setup CompletedStopping httpdStopping tomcatUpdating db user passwordOK: Post Import Actions For Vulnerability Tables Are Successfully Completed.OK: Reseting Of Sequences Of Asset Related q_catalog Tables Is Successfully CompleteInstalling DSM rpms: done.Decompressing QidMap file /opt/qradar/conf/templates/1522167900442.qidmap-import.xml.xz...Importing /opt/qradar/conf/templates/1522167900442.qidmap-import.xmlFinished updating QIDMap, took 1073 seconds to complete.Modifying postgresql config...done!



19

• Known Issue: If during the “Checking that tomcat is running and ready (attempt 0/30)” phase goes past ”(attempt 10/30)” it is recommended to use another SSH session to login to the systems IP during install and remove the imqbroker lock file as well as restart the imqbroker service as follows:

• If the install times out it is recommend to reboot the system and run through the setup for a second time. The second time through it should complete without issue.


KNOWN INSTALL ISSUES AND WORKAROUND

20

• Known Issue: If during the “Checking that tomcat is running and ready (attempt 0/30)” phase goes past ”(attempt 10/30)” it is recommended to use another SSH session to login to the systems IP during install and remove the imqbroker lock file as well as restart the imqbroker service as follows:

• If the install times out it is recommend to reboot the system and run through the setup for a second time. The second time through it should complete without issue.


DISK IMAGE EXPANSION


DISK EXPANSION

Currently the QCOW2 image is based on an image that is 512G in size. It may be desirable to increase the amount of storage allocated to a particular partition on the disk image. The following instructions cover the steps in order to expand the /storepartition.

• First expand the qcow2 disk image. Please note the VM must be shutdown in order to perform this operation. Otherwise disk corruption of the qcow2 image file will occur.

sudo qemu-img resize --preallocation=falloc vjsa-tacon.qcow2 +512G

Image resized.

• Ensure the disk file is in good shape after the expansion.

sudo qemu-img check -r all /vm/vjsa-tacon.qcow2

No errors were found on the image.

8388608/8388608 = 100.00% allocated, 0.00% fragmented, 0.00% compressed clusters

Image end offset: 549856870400

• Now boot the disk image

virsh start vjsa-tacon

22


DISK EXPANSION

• Now login via console or SSH

virsh console vjsa-tacon

• Now run parted on the disk /dev/vda. Make sure to type fix when prompted

parted /dev/vda

GNU Parted 3.1

Using /dev/vda

Welcome to GNU Parted! Type 'help' to view a list of commands.

(parted) print

Error: The backup GPT table is not at the end of the disk, as it should be.

This might mean that another operating system believes the disk is smaller.

Fix, by moving the backup to the end (and removing the old backup)?

Fix/Ignore/Cancel? Fix

Warning: Not all of the space available to /dev/vda appears to be used, you can

fix the GPT to use all of the space (an extra 1073741824 blocks) or continue

with the current setting? 23


DISK EXPANSION

• Now reboot so the new partition table is reflected

reboot

• Now run parted to display free space and note beginning and ending blocks

(parted) unit s print free

Model: Virtio Block Device (virtblk)

Disk /dev/vda: 2147483648s

Sector size (logical/physical): 512B/512B

Partition Table: gpt

Disk Flags: pmbr_boot

Number Start End Size File system Name Flags

34s 2047s 2014s Free Space

1 2048s 4095s 2048s bios_grub

2 4096s 2101247s 2097152s xfs

3 2101248s 69210111s 67108864s xfs24


DISK EXPANSION

• Now reboot to make sure the new partition fixes are reflected in the partition table

• create a new partition at the end of the existing partition

(parted) mkpart

Partition name? []?

File system type? [ext2]?

Start? 1073737728

End? 2147483614







Number Start End Size File system Name Flags25


DISK EXPANSION

• Now set the partition as an lvm partition

(parted) set 7 lvm on







Number Start End Size File system Name Flags

34s 2047s 2014s Free Space

1 2048s 4095s 2048s bios_grub

2 4096s 2101247s 2097152s xfs

3 2101248s 69210111s 67108864s xfs

4 69210112s 882888703s 813678592s lvm 26


DISK EXPANSION

• Quit parted and add the new lvm partition as a physical volume to lvm

sudo pvs

PV VG Fmt Attr PSize PFree

/dev/vda4 storerhel lvm2 a-- <387.99g 0

/dev/vda5 rootrhel lvm2 a-- 67.00g 0

pvcreate /dev/vda7

File descriptor 63 (pipe:[3410678]) leaked on pvcreate invocation. Parent PID 8346: -bash

Physical volume "/dev/vda7" successfully created.

• Now extend the volume group

[root@vjsa-tacon ~]# vgextend storerhel /dev/vda7

File descriptor 63 (pipe:[3831444]) leaked on vgextend invocation. Parent PID 8346: -bash

Volume group "storerhel" successfully extended

[root@vjsa-tacon ~]# vgs

File descriptor 63 (pipe:[4057371]) leaked on vgs invocation. Parent PID 8346: -bash27


DISK EXPANSION

• Now that the physical volume group is extended, extend the logical volume

df -h

Filesystem Size Used Avail Use% Mounted on

/dev/mapper/rootrhel-root 13G 3.0G 9.5G 24% /

devtmpfs 32G 0 32G 0% /dev

tmpfs 32G 20K 32G 1% /dev/shm

tmpfs 32G 34M 32G 1% /run

tmpfs 32G 0 32G 0% /sys/fs/cgroup

/dev/mapper/rootrhel-tmp 3.0G 135M 2.9G 5% /tmp

/dev/vda3 32G 4.8G 28G 15% /recovery

/dev/mapper/storerhel-store 311G 21G 290G 7% /store

/dev/mapper/rootrhel-opt 13G 4.3G 8.3G 34% /opt

/dev/mapper/rootrhel-home 1014M 33M 982M 4% /home

/dev/mapper/rootrhel-storetmp 15G 44M 15G 1% /storetmp

/dev/mapper/storerhel-transient 78G 34M 78G 1% /transient 28


DISK EXPANSION

• Now that the logical volume is extended … extend the file system:

xfs_growfs /store

meta-data=/dev/mapper/storerhel-store isize=512 agcount=4, agsize=20341376 blks

= sectsz=512 attr=2, projid32bit=1

= crc=1 finobt=0 spinodes=0

data = bsize=4096 blocks=81365504, imaxpct=25

= sunit=0 swidth=0 blks

naming =version 2 bsize=4096 ascii-ci=0 ftype=1

log =internal bsize=4096 blocks=39729, version=2

= sectsz=512 sunit=0 blks, lazy-count=1

realtime =none extsz=4096 blocks=0, rtextents=0

data blocks changed from 81365504 to 134217728

29

JSA KVM SUPPORT · 2018-10-17 · network:default,model=virtio--graphics vnc--console...

Documents

Transcript of JSA KVM SUPPORT · 2018-10-17 · network:default,model=virtio--graphics vnc--console...