Manuals / Brands / Computer Equipment / Server / Citrix Systems / Computer Equipment / Server

Citrix Systems 6 Auditing, How Does XenServer Compute the Roles for the Session?

1 207

Download 207 pages, 1.98 Mb

20

1. Run the commands:

xe subject-role-remove uuid=<subject uuid> role-name= \

<role_name_to_remove>

xe subject-role-add uuid=<subject uuid > role-name= \

<role_name_to_add>

To ensure that the new role takes effect, the user should be log ged out and logged back in again (this requires

the "Logout Active User Connections" permission - available to a Pool Administrator or Pool Operator).

Warning:

Once you have added or removed a pool-admin subject, there can be a delay of a few seconds

for ssh sessions associated to this subject to be accepted by all hosts of the pool.

Auditing

The RBAC audit log will record any operation taken by a logged-in user.

• the message will explicitly record the Subject ID and user name associated with the session that invoked the

operation.

• if an operation is invoked for which the subject does not have authorization, this will be logged.

• if the operation succeeded then this is recorded; if the operation failed then the error code is logged.

Audit Log xe CLI Commands

xe audit-log-get [since=<timestamp>] filename=<output filename>

This command downloads to a file all the available records of the RBAC audit file in the pool. If the optional

parameter 'since' is present, then it only downloads the records from that specific point in time.

To Obtain All Audit Records From the Pool

Run the following command:

xe audit-log-get filename=/tmp/auditlog-pool-actions.out

To Obtain Audit Records of the Pool Since a Precise Millisecond Timestamp

Run the following command:

xe audit-log-get since=2009-09-24T17:56:20.530Z \

filename=/tmp/auditlog-pool-actions.out

To Obtain Audit Records of the Pool Since a Precise Minute Timestamp

Run the following command:

xe audit-log-get since=2009-09-24T17:56Z \

filename=/tmp/auditlog-pool-actions.out

How Does XenServer Compute the Roles for the Session?

1. The subject is authenticated via the Active Directory server to verify which containing groups the subject may

also belong to.

2. XenServer then verifies which roles have been assigned both to the subject, and to its containing groups.

3. As subjects can be members of multiple Active Directory groups, they will inherit all of the permissions of the

associated roles.

Contents

Main Page Contents Page Page Page Page Page Monitoring and Managing XenServer ........................................................... 106 Page Page Page Page Page Page Page B. Workload Balancing Service Commands ................................................... 186 Page Document Overview Introducing XenServer Benefits of Using XenServer Using XenServer reduces costs by: Using XenServer increases flexibility by: New Features in XenServer 6.0 Integrated Site Recovery (Disaster Recovery): Integrated StorageLink: GPU Pass-Through: Virtual Appliance Support (vApp): Page VM Protection and Recovery: NFS Support for High Availability: XenCenter Improvements: Host Architectural Improvements: XenServer Documentation Managing Users Authenticating Users With Active Directory (AD) Understanding Active Directory Authentication in the XenServer Environment Upgrading XenServer Configuring Active Directory Authentication Page Enabling external authentication on a pool Disabling external authentication User Authentication Allowing a user access to XenServer using the CLI Removing access for a user using the CLI Listing subjects with access Removing Access for a User Terminating all authenticated sessions using xe Terminating individual user sessions using xe Leaving an AD Domain Role Based Access Control RBAC process Roles A user's role can be changed in two ways: Definitions of RBAC Roles and Permissions Table 1. Permissions available for each role Page Definitions of Permissions Table 2. Definitions of permissions Page Page Using RBAC with the CLI To List All the Available Defined Roles in XenServer To Display a List of Current Subjects: To Add a Subject to RBAC To Assign an RBAC Role to a Created subject To Change a Subject's RBAC Role: Auditing Audit Log xe CLI Commands To Obtain All Audit Records From the Pool To Obtain Audit Records of the Pool Since a Precise Millisecond Timestamp To Obtain Audit Records of the Pool Since a Precise Minute Timestamp Page XenServer Hosts and Resource Pools Hosts and Resource Pools Overview Requirements for Creating Resource Pools Creating a Resource Pool To join XenServer hosts host1 and host2 into a resource pool using the CLI Naming a resource pool Creating Heterogeneous Resource Pools To add a heterogeneous XenServer host to a resource pool using the xe CLI Adding Shared Storage Adding NFS shared storage to a resource pool using the CLI Removing a XenServer Host from a Resource Pool To remove a host from a resource pool using the CLI Preparing a Pool of XenServer Hosts for Maintenance To prepare a XenServer host in a pool for maintenance operations using the CLI High Availability HA Overview Overcommitting Overcommitment Warning Host Fencing Configuration Requirements Restart Priorities Enabling HA on a XenServer Pool Enabling HA Using the CLI Removing HA Protection from a VM using the CLI Recovering an Unreachable Host Shutting Down a host When HA is Enabled Host Power On Powering on Hosts Remotely Using the CLI to Manage Host Power On To Enable Host Power On Using the CLI To Turn on Hosts Remotely Using the CLI Configuring a Custom Script for XenServer's Host Power On Feature Key/Value Pairs host.power_on_mode host.power_on_config Sample Script Page Storage Storage Overview Storage Repositories (SRs) Virtual Disk Images (VDIs) Physical Block Devices (PBDs) Virtual Block Devices (VBDs) Summary of Storage objects Virtual Disk Data Formats VHD-based VDIs VHD Chain Coalescing LUN-based VDIs Storage Repository Types Local LVM Creating a Local LVM SR (lvm) Local EXT3 VHD Creating a Local EXT3 SR (ext) udev ISO Software iSCSI Support XenServer Host iSCSI configuration Citrix StorageLink SRs Upgrading XenServer with StorageLink SRs Creating a Shared StorageLink SR To Create a CSL SR Using XenCenter Page Page Managing Hardware Host Bus Adapters (HBAs) Sample QLogic iSCSI HBA setup Removing HBA-based SAS, FC or iSCSI Device Entries LVM over iSCSI Creating a Shared LVM Over iSCSI SR Using the Software iSCSI Initiator (lvmoiscsi) Creating a Shared LVM over Fibre Channel / iSCSI HBA or SAS SR (lvmohba) 47 NFS VHD Creating a Shared NFS SR (NFS) LVM over Hardware HBA Storage Configuration Creating Storage Repositories Upgrading LVM Storage from XenServer 5.0 or Earlier LVM Performance Considerations VDI Types Creating a Raw Virtual Disk Using the xe CLI Converting Between VDI Formats Probing an SR Page Page Storage Multipathing To enable storage multipathing using the xe CLI MPP RDAC Driver Support for LSI Arrays. Managing Storage Repositories Destroying or Forgetting a SR Introducing an SR Resizing an SR Converting Local Fibre Channel SRs to Shared SRs Moving Virtual Disk Images (VDIs) Between SRs Copying All of a VMs VDIs to a Different SR Copying Individual VDIs to a Different SR Adjusting the Disk IO Scheduler Automatically Reclaiming Space When Deleting Snapshots Reclaiming Space Using the Off Line Coalesce Tool Virtual Disk QoS Settings Page Configuring VM Memory What is Dynamic Memory Control (DMC)? The Concept of Dynamic Range The Concept of Static Range DMC Behaviour How Does DMC Work? Memory Constraints Supported Operating Systems xe CLI Commands Display the Static Memory Properties of a VM Display the Dynamic Memory Properties of a VM Updating Memory Properties Update Individual Memory Properties Upgrade Issues Workload Balancing Interaction Xen Memory Usage Setting Control Domain Memory Page Networking Networking Support vSwitch Networks XenServer Networking Overview Network Objects Networks VLANs Using VLANs with Management Interfaces Using VLANs with Virtual Machines Using VLANs with Dedicated Storage NICs Page Switch Configuration Active-Active Bonding Active-Passive Bonding Initial Networking Configuration Managing Networking Configuration Cross-Server Private networks Creating Networks in a Standalone Server To add a new network using the CLI Creating Networks in Resource Pools Creating VLANs To connect a network to an external VLAN using the CLI Creating NIC Bonds on a Standalone Host Creating a NIC bond Bonding two NICs Controlling the MAC Address of the Bond Reverting NIC bonds Creating NIC bonds in resource pools Adding NIC bonds to new resource pools Adding NIC bonds to an existing pool Configuring a dedicated storage NIC To assign NIC functions using the xe CLI Using SR-IOV Enabled NICs Assigning a SR-IOV NIC VF to a VM Controlling the rate of outgoing data (QoS) Changing networking configuration options Hostname DNS servers Changing IP address configuration for a standalone host Changing IP address configuration in resource pools Changing the IP address of a member host (not pool master) Networking Troubleshooting Diagnosing network corruption Recovering from a bad network configuration Disaster Recovery and Backup Understanding XenServer DR DR Infrastructure Requirements Deployment Considerations Steps to Take Before a Disaster Steps to Take After a Disaster Steps to Take After a Recovery Enabling Disaster Recovery in XenCenter Recovering VMs and vApps in the Event of Disaster (Failover) Restoring VMs and vApps to the Primary Site After Disaster (Failback) Test Failover To perform a test failover of VMs and vApps to a secondary site vApps Creating vApps Using the Manage vApps dialog box in XenCenter Backing Up and Restoring XenServer Hosts and VMs To backup pool metadata To backup host configuration and software To backup a VM To backup VM metadata only Backing up Virtual Machine metadata Backing up single host installations Backing up pooled installations Subsequently restoring this backup on a brand new set of hosts Backing up XenServer hosts To back up a XenServer host To restore a running XenServer host Restarting a crashed XenServer host Backing up VMs VM Snapshots Regular Snapshots Quiesced Snapshots Snapshots with memory Creating a VM Snapshot Creating a snapshot with memory To list all of the snapshots on a XenServer pool To list the snapshots on a particular VM Restoring a VM to its previous state Deleting a snapshot Snapshot Templates Creating a template from a snapshot Exporting a snapshot to a template Advanced Notes for Quiesced Snapshots VM Protection and Recovery Naming convention for VM archive folders Coping with machine failures Member failures Master failures Pool failures To restore a completely failed pool Coping with Failure due to Configuration Errors To restore host software and configuration Physical Machine failure To restore a pool with all hosts failed To restore a VM when VM storage is not available Monitoring and Managing XenServer Alerts Customizing Alerts Valid VM Elements Valid Host Elements Configuring Email Alerts Custom Fields and Tags Custom Searches Determining throughput of physical bus adapters To determine PBD throughput Troubleshooting XenServer host logs Sending host log messages to a central server To write logs to a remote server XenCenter logs Troubleshooting connections between XenCenter and the XenServer host Appendix A. Command Line Interface Basic xe Syntax Special Characters and Syntax Command Types Parameter Types Low-level Parameter Commands Low-level List Commands xe Command Reference Appliance Commands Appliance Parameters appliance-assert-can-be-recovered appliance-create Audit Commands Bonding Commands Bond Parameters bond-create bond-destroy CD Commands cd-list Console Commands Console Parameters Disaster Recovery (DR) Commands drtask-create Page Event Commands Event Classes event-wait GPU Commands Physical GPU (pGPU) Parameters GPU Group Parameters Virtual GPU (vGPU) Parameters vgpu-create vgpu-destroy Host Commands Host Selectors Host Parameters Page Page host-backup host-bugreport-upload host-crashdump-destroy host-crashdump-upload host-disable host-emergency-management-reconfigure host-enable host-evacuate host-forget host-get-system-status host-get-system-status-capabilities host-is-in-emergency-mode host-apply-edition host-license-add host-license-view host-logs-download host-management-reconfigure host-power-on host-get-cpu-features host-set-cpu-features host-set-power-on host-restore host-set-hostname-live host-shutdown host-syslog-reconfigure host-data-source-list host-data-source-record host-data-source-forget host-data-source-query Log Commands log-set-output Message Commands Message Parameters message-create Network Commands Network Parameters network-create network-destroy Patch (Update) Commands Patch Parameters patch-apply patch-clean patch-pool-apply PBD Commands PBD Parameters pbd-create pbd-destroy pbd-plug PIF Commands PIF Parameters Page pif-forget pif-introduce pif-plug pif-reconfigure-ip pif-scan Pool Commands Pool Parameters pool-designate-new-master pool-dump-database Page Storage Manager Commands SM Parameters SR Commands SR Parameters sr-create sr-destroy sr-enable-database-replication sr-disable-database-replication sr-forget sr-introduce Task Commands Task Parameters task-cancel Template Commands Template Parameters Page Page Page Page Page template-export Update Commands update-upload User Commands user-password-change VBD Commands VBD Parameters vbd-create vbd-destroy vbd-eject vbd-insert vbd-plug VDI Commands VDI Parameters vdi-clone vdi-copy vdi-create vdi-destroy vdi-forget vdi-import vdi-introduce vdi-resize VIF Commands VIF Parameters Page vif-create vif-destroy vif-plug vif-unplug VLAN Commands vlan-create pool-vlan-create vlan-destroy VM Commands VM Selectors VM Parameters Page Page Page Page Page Page vm-assert-can-be-recovered vm-cd-add vm-cd-eject vm-cd-insert vm-cd-list vm-clone vm-compute-maximum-memory vm-copy vm-crashdump-list vm-data-source-list vm-data-source-record vm-data-source-forget vm-data-source-query vm-destroy vm-disk-add vm-disk-list vm-disk-remove vm-export vm-import vm-install vm-memory-shadow-multiplier-set vm-migrate vm-reboot vm-recover vm-reset-powerstate vm-resume vm-shutdown vm-start vm-suspend vm-uninstall Workload Balancing XE Commands pool-initialize-wlb pool-param-set other-config Page pool-deconfigure-wlb pool-retrieve-wlb-configuration pool-retrieve-wlb-recommendations pool-retrieve-wlb-report pool-send-wlb-configuration Page Appendix B. Workload Balancing Service Commands Service Commands Logging in to the Workload Balancing Virtual Appliance To log in to the Workload Balancing virtual appliance service workloadbalancing restart Modifying the Workload Balancing configuration options To run the wlbconfig command Editing the Workload Balancing configuration file To edit the wlb.conf file Increasing the Detail in the Workload Balancing Log