When I took over from my predecessor in my current position, I inherited a bunch of machines (as you would expect). One of these was the company's oVirt hypervisor environment (on 4.3, across two servers) which he set up and I will fully admit I've never been comfortable with the innards of. Unfortunately a situation has unveiled itself that I have to deal with: namely, it seems the certificates are expiring, as the HTTPS certificate of the Virtualization Manager shows a date in December and I can only assume the rest of the system is tied to the same date. The oVirt documentation warns of dire consequences if you don't renew the certs before they expire, so I've had to look into this and what I've found has not been as illuminating as I'd like.
Some background first. oVirt was installed onto the first host (with the engine, on the same bare metal hardware) in Jan 2018, and a second physical host server was added in March 2018, onto the same joint oVirt Datacenter. Add in an Export Domain that was set up on an old Windows fileserver we're currently in the process of decommissioning (so in the long run will be canceled out), and we arrive at the current layout: ovirt-engine on the primary server, a storage domain on each of the primary and secondary servers, and a legacy export domain on an external server. As mentioned, the certificate in-browser (I assume tied to the oVirt engine part?) has an expiration date of late December, approximately 3 weeks before the 5th anniversary of the first server's setup date.
I found a procedure at https://www.ovirt.org/documentation/administration_guide/index.html#chap-Renewing_certificates_RHV_backup_restore that seems to detail what's required, but this has raised a few questions itself, that I would love someone who's actually done this before to supply some answers to:
- Which type of environment am I even running, out of standalone and self-hosted? According to the architecture definitions at https://www.ovirt.org/documentation/migrating_from_a_standalone_manager_to_a_self-hosted_engine/, neither seems to fit perfectly to my server setup: I am assuming Standalone because the ovirt-engine appears to be running on the bare metal of the primary host server, rather than as a VM within it; but it would be nice to get a second opinion.
- One of oVirt's primary benefits is that you can throw VMs from one server to another without any problems - for example, if you're upgrading them and need to keep VMs up or hosts empty during the process (some upgrades seem to need you to wipe the server first?) However, the servers have grown in used space since they were set up and we're no longer able to have all VMs running on one box. This was the case before I took over; I have never seen the environment have less than 60% disk usage. Is it possible to do this certificate renewal procedure just by shutting down/stopping VMs (regardless of them being pinned or not pinned), as well as potentially transferring some to the other server first?
- Just how risky to the oVirt environment is it likely to be? The guide says "The engine-setup script prompts you with configuration questions." Beyond the obvious one that I'm doing this for (the renew certificates question), how much else is it going to be asking and how possible is it to torch the installation if I get something wrong? How many of the certificate fields am I going to have to supply: just the O and CN values, or more?
Finally, I assume that I'm going to have to do both the hosts first before doing the engine. Should I have had a reminder about this on the console anywhere? Because I have not had one; I only discovered this problem by chance when I was checking the SSL certificates on all my machines, following a web server's certificate expiring (that wasn't documented and as such missed on a renewal) in the recent past.
Thanks in advance!