This document is for test and educational purposes only.
This document is still under review; sections of this document could change and further enhancements and/or options can be introduced on the same.
The goal of this document is to offer a solution to deploy Oracle Linux KVM (OL-KVM) and Oracle Linux Virtualization Manager (OLVM) 4.3 release as a Virtual Desktop Infrastructure.
Virtual Desktop Infrastructure (VDI) solutions have been a technological reality for some time but many companies have not adopted it as they do not imagine the need to provide virtualized corporate desktops since all their users and employees have a desktop or laptop for use in the company or remotely.
Providing a VDI infrastructure means giving the possibility to use a standardized desktop (the version of the S.O. and set of corporate applications). This ensures that all users will have the same user experience and even employees who do not have a corporate laptop can make use of this solution from a secure connection and a browser.
To make VDI available, it is necessary to have a virtualization cluster, in our case, using Oracle Linux Virtualization Manager (OLVM) to integrate with an external authentication mechanism such as an Active Directory or a Directory using FreeIPA or similar. Have a virtual machine model installed with a desktop operating system adopted by the company and configured to meet corporate needs (e-mail, meetings, applications, security software, etc ...).
Using OLVM you create a pool of virtual machines using this desktop model and defining the total number of copies that can be launched. These VMS can be dynamically allocated and discarded, that is, by shutting down your disk and local data are discarded, or they can be persistent VMS keeping user data and settings within the VM until this instance is removed.
When a user accesses the User Portal and launches a VM from a pool, using a persistent profile, that instance will be allocated to that user and can be started anytime the user needs it.
Next, we will see how these steps are carried out.
To perform the steps in this article you will need:
· OLVM cluster up and running.
· Installation ISO image of a Desktop operating system, in this example, I will use Windows.
· Para-virtualized drivers for Windows.
If you do not already have an Oracle Linux Virtualization Manager cluster up and running, you can access the Oracle Linux Virtualization Manager home page at https://docs.oracle.com/en/virtualization/oracle-linux-virtualization-manager/index.html to see the Getting Started Guide.
You can integrate Oracle Linux Virtualization Manager with an external authentication mechanism such as an LDAP Directory such as Oracle Unified Directory or FreeIPA, or Active Directory. It is possible to create internal users, but this is not recommended.
· Start by installing the LDAP extension package:
[root@manager ~]# yum -y install ovirt-engine-extension-aaa-ldap-setup
Loaded plugins: ulninfo, versionlock
--> Running transaction check
Configure external authentication using the ovirt-engine-extension-aaa-ldap-setup command.
· The execution of this command can be seen below
[root@manager ~]# ovirt-engine-extension-aaa-ldap-setup
[ INFO ] Stage: Environment customization
Welcome to LDAP extension configuration program
Available LDAP implementations:
1 - 389ds
2 - 389ds RFC-2307 Schema
3 - Active Directory
4 - IBM Security Directory Server
5 - IBM Security Directory Server RFC-2307 Schema
6 - IPA
7 - Novell eDirectory RFC-2307 Schema
8 - OpenLDAP RFC-2307 Schema
9 - OpenLDAP Standard Schema
10 - Oracle Unified Directory RFC-2307 Schema
11 - RFC-2307 Schema (Generic)
12 - RHDS
13 - RHDS RFC-2307 Schema
14 - iPlanet
Please select: 6
Use DNS (Yes, No) [Yes]: [ENTER]
Available policy method:
1 - Single server
2 - DNS domain LDAP SRV record
3 - Round-robin between multiple hosts
4 - Failover between multiple hosts
Please select: 1
Please enter host address: ipa.br.olsclab.net
Please select protocol to use (startTLS, ldaps, plain) [startTLS]: [ENTER]
Please select method to obtain PEM encoded CA certificate (File, URL, Inline, System, Insecure): URL
[ INFO ] Connecting to LDAP using 'ldap://ipa.br.olsclab.net:389'
[ INFO ] Executing startTLS
[ INFO ] Connection succeeded
Enter search user DN (for example uid=username,dc=example,dc=com or leave empty for anonymous):
Enter search user password:
[ INFO ] Attempting to bind using 'uid=olvmadmin,cn=users,cn=accounts,dc=br,dc=olscl ab,dc=net'
Please enter base DN (dc=br,dc=olsclab,dc=net) [dc=br,dc=olsclab,dc=net]: [ENTER]
Are you going to use Single Sign-On for Virtual Machines (Yes, No) [Yes]: No
Please specify profile name that will be visible to users [ipa.br.olsclab.net]: br.olsclab.net
Please provide credentials to test login flow:
Enter user name: olvmadmin
Enter user password:
[ INFO ] Login sequence executed successfully
Please make sure that user details are correct and group membership meets expectations (search
for PrincipalRecord and GroupRecord titles).
Abort if output is incorrect.
Select test sequence to execute (Done, Abort, Login, Search) [Done]: [ENTER]
[ INFO ] Stage: Transaction setup
[ INFO ] Stage: Misc configuration (early)
[ INFO ] Stage: Package installation
[ INFO ] Stage: Misc configuration
[ INFO ] Stage: Transaction commit
[ INFO ] Stage: Closing up
Profile name is: br.olsclab.net
The following files were created:
[ INFO ] Stage: Clean up
Log file is available at /tmp/ovirt-engine-extension-aaa-ldap-setup-20200412142636-f4y9rl.log:
[ INFO ] Stage: Pre-termination
[ INFO ] Stage: Termination
· For this configuration to take effect, restart ovirt-engine service
[root@manager ~]# systemctl restart ovirt-engine
Before a domain user can log in to the OLVM web interface, an OLVM administrator must add the user or a group to the OLVM and give the UserRole access permission, other permissions will be inherited from each existing object. Other levels of access can be granted.
· Through the manager's web interface, go to Administration → Users and click the Add button. On the next screen, you need to select the Profile and Namespace. You can search for a specific user or click GO to list all available users. Select the user or group you want to give access to and click Add and Close button.
· Back in the OLVM Users screen, click on the username you just added to set access permission.
· On the next screen, click Permissions and click Add System Permissions button.
· Use the drop-down box and select UserRole. Click OK to close.
Now this user will be able to access the Oracle Linux Virtualization Manager VM Portal web interface at https://manager.br.olsclab.net/ovirt-engine/sso/login.html
To create a new VM, go to Compute → Virtual Machines and click the New button at the right top of the center screen.
On the next screen, in Operating System select the O.S. that will be installed, in this example, it will be Windows 10 x64, Optimized for Desktop, assign a Name to the VM. A little further down, in Instance Images, you should create a virtual disk where the O.S. will be installed, click on the Create button.
The best way to optimize the performance of your instance is using VirtIO-SCSI or VirtIO devices. For that it is necessary to use para-virtualized drivers. Unfortunately, Windows does not bring these drivers by default, so we will select an IDE device that we will change later, after installing the S.O. and the para-virtualized drivers provided by Oracle. These drivers are available on Oracle Software Delivery Cloud at https://edelivery.oracle.com
You can see the release announcement and release notes for this release in the Announcing Oracle VirtIO Drivers 1.1.5 for Microsoft Windows article at https://blogs.oracle.com/linux/announcing-oracle-virtio-drivers-115-for-microsoft- Windows
You can see this setting on the following screen:
· Click OK, back to the previous screen, select the network to which the VM should be connected, click the drop-down box and select the desired network. Your screen should look like the following:
· Click OK to create the VM.
· Now let's install the O.S. Back to the manager screen, select the newly created VM and click on the Run drop-down box and select Run Once.
· On the next screen, check the CheckBox Attach CD and select the Windows installation ISO image.
· The VM will start and the manager screen will show the Powering Up status on that VM.
To access the VM console, you can use a noVNC web client already integrated with Manager directly on the browser screen or you can install the native client, virt-viewer which can be downloaded from https://virt-manager.org/download/
Note: If you need more information on how to install the native client read this article that shows you how to proceed.
Now access the VM console by clicking on the Console button and complete the O.S. installation. When finished, it may be necessary to turn off the VM to change the CD image.
We know that during Windows installation it is common to reboot VM a few times until it is really finished.
Once the installation is finished, we will install the para-virtualized drivers that will activate all hardware components that have not yet been configured correctly. At this time, the Windows installation DVD is active at the VM. We need to change the media and select winvirtio.iso.
· Access the manager's web interface, select VM and, on the button bar, click options and select Change CD.
· On the next screen, click on the drop-down box and select winvirtio.iso and click OK.
Go back to your VM's console. You should have an Action alert to run, choose Run ... or access the CD and run the Setup program. Follow the instructions on the screen to install the para-virtualized drivers. At the end, do not restart your VM. Choose to be restarted later.
After installing the para-virtualized drivers, we need to edit VM settings. Shut down the VM, do not restart.
· Back to the manager web interface, select the newly installed VM and click the Edit button. In the instance image configuration, click the Edit button.
· On the next screen, under Interface, select the VirtIO-SCSI type and click OK.
· Click OK again to save your changes. Now we can start our VM with optimized performance.
· On the manager screen, select the VM and click the Run button and, once the VM is available, click the console button. Now it's time for you to customize your instance, install apps, email clients, meetings, and whatever else you need. When finished, we can use Sysprep to generalize your VM. To use this feature and its functionality, you need to create a registration key on the VM.
· Run the Registry Editor, click OK to authorize running Regedit with system permissions.
o In HKEY_LOCAL_MACHINE → System → Setup create a key called UnnatendFile of type String Value with the content A:\sysprep.inf.
Like many other Operating Systems, Windows stores machine-specific information such as MAC address, security certificates, and machine codes. To remove this unique data from the VM and make it generic as at the time the installation of the O.S. ended, run the command
Check the Generalize checkbox and in Shutdown Options choose the option Shutdown.
Once the VM is shut down, we can create the template from that image.
Note: If you turn that VM back on at any time, make any changes and want to update the template, this Sysprep procedure will need to be performed again.
You now have a customized image with your applications and settings and it has been sealed using Sysprep.
· To create a template from that VM, make sure it is off, select it and click more → Make Template.
· On the next screen, set a name for the new template and, in Disk Allocation → Format, select QCOW2. The other options can be kept as is.
This procedure will take some time, when finished we will have a copy of the created image, in QCOW2 format that will be used as the basis for new VMS based on this template.
A pool is a collection of virtual machines created from the same template. Each VM in a pool can be used by any user on-demand, but an instance launched from a pool cannot be shared between multiple users at the same time. When a user requests a desktop from a pool, a VM is launched from the pool template, using a snapshot to allow you to revert any disk changes quickly. The information recorded on the launched instance's disk will be stored until the instance is returned to the pool. The pool can be configured for automatic return when the instance is shut down or can be done manually at any time by the user or the administrator. This behavior can be changed at any time in the pool configuration.
You can have multiple pools for different purposes, for example, one pool for financial VMs, another pool for sales, another for marketing, each with customized settings.
When launching a VM from a pool, the user will get the first available VM, making it difficult to receive a previously launched VM.
To create a pool it is necessary to have a template of the VM previously created.
Through the manager interface, access Compute → Pools and click the New button.
The next screen is very similar to creating a VM but has some additional options. You need to choose which template will be used to create the pool, define the maximum number of VMs that can be launched in that pool, whether a minimum number of VMs should be available (on) even if unused and how many instances a user can connect to simultaneously.
· See the following screen already filled.
· By clicking OK, 10 new VMs will be created. You can confirm these VMs were created by going to Compute → Virtual Machines.
Now we have the necessary infrastructure for the VDI solution to work properly.
· When accessing https://manager.br.olsclab.net click on VM Portal.
· On the next screen, make sure that the profile is the same provided by the external authentication mechanism and enter your username and password.
· After login, a screen similar to this one should display the VMs that the user has the right to access.
The Corp-Desktop VM is the pool we just configured, to launch an instance click Run. The system will start a Corp-Desktop instance from that pool. On the browser screen, you will see this instance change the status between Waiting for launch, Powering up and Running. When finished, you will be able to access the VM console. The difference is that you will be able to choose between VNC Console using the native virt-viewer client, VNC Console (Browser) and RDP Console. For the latter option to work, it is necessary that the Single Sign-On option of the external authentication mechanism has been set during the integration of OLVM with IPA.
Further details on Oracle Linux Virtualization Manager are available at Oracle Documentation Library.