Nutanix_Home_Lab_Mentor_6 - itnett/FTD02H-N GitHub Wiki

Complete Setup Documentation and Scripts for VLAN 100 (Management) with Nutanix Prism and Management VMs

1. Overview

This guide provides the scripts and documentation needed to set up the Management VLAN (VLAN 100) with the IP range 10.0.10.0/24. The setup covers the AHV network, Nutanix Prism, and the creation and configuration of the management VMs that live on that VLAN.

2. Prerequisites

  • Nutanix Community Edition (CE) Installed: Ensure Nutanix CE is installed on your hardware, with Prism Central deployed if you intend to use the Terraform provider (its VM resources talk to the Prism Central v3 API, not to Prism Element).
  • Networking Hardware: Managed switch that supports VLAN tagging, with the port facing the AHV host configured as a trunk that carries VLAN 100.
  • SSH Access: Ensure SSH access to the Nutanix AHV host and CVM, using keys rather than the publicly documented default passwords.
  • Terraform and Ansible Installed: For automation scripts.

3. VLAN Configuration on Nutanix Prism

Step 1: Create VLAN 100 in Nutanix Prism

# Connect to a Nutanix CVM via SSH (default user "nutanix"; change the default
# password before the CVM is reachable from anything but the management network)
ssh nutanix@<CVM_IP>

# AHV networks (subnets) are managed with acli; there is no "ncli vlan" command.
# Create the VLAN 100 network with Nutanix-managed addressing (IPAM) so Prism
# can assign and track addresses in 10.0.10.0/24 with gateway 10.0.10.1:
acli net.create Management vlan=100 ip_config=10.0.10.1/24

# Optionally reserve a pool for Prism-assigned addresses, then verify:
acli net.add_dhcp_pool Management start=10.0.10.100 end=10.0.10.199
acli net.list
acli net.get Management

Note that this creates a guest network for VMs only. The AHV host and CVM management interfaces stay on the untagged (native) VLAN unless you move them deliberately, which is a separate procedure (change_cvm_vlan on the CVM and the corresponding host bridge change), not a side effect of creating the subnet.

Step 2: Configure Networking for VLAN 100

  • In Prism Element open Settings > Network Configuration and confirm that the Management subnet shows VLAN ID 100.
  • Attach the NICs of your management VMs to that subnet; the host bridge tags their traffic with VLAN 100, so the switch port facing the AHV host must trunk VLAN 100.
  • Ensure the gateway for VLAN 100 is 10.0.10.1 (the pfSense VLAN100 address). If IPAM is enabled on the subnet, set it there; otherwise set it inside each guest.

4. Automating VM Creation with Terraform

Step 1: Write Terraform Script to Create Management VMs

Create a file named main.tf. The provider attribute names below are the ones the nutanix/nutanix provider actually accepts (there is no prism_element_ip), the password comes from a variable instead of being committed to the file, and the cluster, subnet and image are looked up by name rather than pasted in as UUIDs:

terraform {
  required_providers {
    nutanix = {
      source  = "nutanix/nutanix"
      version = ">= 1.9.0"
    }
  }
}

# nutanix_virtual_machine uses the v3 API, which is served by Prism Central,
# so "endpoint" must point at Prism Central (deploy it from Prism Element first),
# not at the Prism Element VIP.
provider "nutanix" {
  username = var.nutanix_username
  password = var.nutanix_password   # supplied via TF_VAR_nutanix_password, never committed
  endpoint = var.nutanix_endpoint   # Prism Central IP, e.g. 10.0.10.10
  port     = 9440
  insecure = true                   # lab only: Prism ships a self-signed certificate
}

variable "nutanix_username" { default = "admin" }
variable "nutanix_password" { sensitive = true }
variable "nutanix_endpoint" { default = "10.0.10.10" }

data "nutanix_cluster" "ce" {
  name = "your_cluster_name"        # replace with the cluster name shown in Prism
}

data "nutanix_subnet" "management" {
  subnet_name = "Management"        # the VLAN 100 network created in section 3
}

data "nutanix_image" "base" {
  image_name = "your_image_name"    # replace with the Ubuntu/Linux image uploaded to Prism
}

resource "nutanix_virtual_machine" "management_vm" {
  name                 = "Management-VM"
  description          = "Management VM for VLAN 100"
  cluster_uuid         = data.nutanix_cluster.ce.id
  num_vcpus_per_socket = 2
  num_sockets          = 1
  memory_size_mib      = 4096
  power_state          = "ON"

  nic_list {
    subnet_uuid = data.nutanix_subnet.management.id
    # The static assignment only takes effect on a Nutanix-managed (IPAM) subnet;
    # on an unmanaged subnet the address must be configured inside the guest.
    ip_endpoint_list {
      ip   = "10.0.10.20"
      type = "ASSIGNED"
    }
  }

  disk_list {
    data_source_reference = {
      kind = "image"
      uuid = data.nutanix_image.base.id
    }
    device_properties {
      device_type = "DISK"
      disk_address = {
        device_index = 0
        adapter_type = "SCSI"
      }
    }
    disk_size_mib = 20480           # 20 GiB
  }
}

Step 2: Initialize and Apply the Terraform Configuration

# Initialize Terraform (downloads the nutanix provider)
terraform init

# Provide the Prism password without echoing it or leaving it in shell history,
# review the plan, then apply
read -rs TF_VAR_nutanix_password && export TF_VAR_nutanix_password
terraform plan
terraform apply

This creates a VM named Management-VM attached to the Management (VLAN 100) subnet with 10.0.10.20 reserved for it. Prism hands that address to the guest only when the subnet is Nutanix-managed; on an unmanaged subnet the guest boots with whatever its image configures, and the Ansible playbook in the next section sets the static address inside the operating system.


5. Ansible Playbook for VM Configuration

Step 1: Write the Ansible Playbook

Create a file named management_vm_setup.yml:

---
- name: Configure Management VM
  hosts: management
  become: yes
  vars:
    mgmt_iface: ens3          # name shown by "ip link" inside the guest (virtio NIC on AHV)
    mgmt_ip: 10.0.10.20
    mgmt_prefix: 24
    mgmt_gateway: 10.0.10.1
    mgmt_dns: [8.8.8.8, 8.8.4.4]

  tasks:
    - name: Update and upgrade the system
      apt:
        update_cache: yes
        upgrade: dist

    - name: Install basic management tools
      apt:
        name:
          - curl
          - vim
          - net-tools
        state: present

    - name: Set hostname
      hostname:
        name: management-vm

    # Ubuntu/Debian images use netplan; the ifcfg-eth0 layout belongs to RHEL-family
    # systems and is ignored here. The template path is relative to the playbook.
    - name: Configure static IP
      template:
        src: templates/netplan-management.yaml.j2
        dest: /etc/netplan/01-management.yaml
        owner: root
        group: root
        mode: "0600"          # netplan refuses world-readable configs in newer releases
      notify: Apply netplan

  handlers:
    # Applying a new address over the SSH session you are using drops that session;
    # run the play from a host that can reach 10.0.10.20 afterwards, or use the
    # Prism VM console for the first run.
    - name: Apply netplan
      command: netplan apply

Step 2: Create the Network Configuration Template

Create the template file templates/netplan-management.yaml.j2 next to the playbook. The values come from the play's vars, so the same template serves every management VM:

network:
  version: 2
  ethernets:
    {{ mgmt_iface }}:
      dhcp4: false
      addresses: [{{ mgmt_ip }}/{{ mgmt_prefix }}]
      routes:
        - to: default
          via: {{ mgmt_gateway }}
      nameservers:
        addresses: [{{ mgmt_dns | join(', ') }}]

Step 3: Run the Ansible Playbook

# Run the playbook
ansible-playbook -i inventory management_vm_setup.yml

Ensure that your inventory file contains the management VM's IP. Authenticate with an SSH key rather than a password in the inventory; if a password is unavoidable, keep it in an ansible-vault encrypted group_vars/management/vault.yml, never in plain text next to the host list:

[management]
10.0.10.20 ansible_user=admin ansible_ssh_private_key_file=~/.ssh/lab_ed25519

6. Configuring Nutanix Prism

Step 1: Access Nutanix Prism

  • Open a web browser and go to https://10.0.10.10:9440.
  • Login using your admin credentials.

Step 2: Configure Nutanix Prism

  • Set up cluster management, add nodes if necessary, and ensure all network settings are correctly applied to VLAN 100.

Step 3: Assign IP Addresses to VMs

  • For each management VM, assign a static IP in the 10.0.10.0/24 range.

7. Additional Configurations

  • Firewall Rules: Configure pfSense to manage traffic to and from VLAN 100.
  • Monitoring: Integrate with Zabbix for monitoring Prism services and VM performance.
  • Backup: Set up regular backups of Prism configurations and management VMs using TrueNAS.

8. Conclusion

This guide has provided detailed steps and scripts for setting up the Management VLAN (VLAN 100) using Nutanix Prism and management VMs. The use of Terraform and Ansible ensures that the process is automated and repeatable, allowing for efficient management of your Nutanix CE environment.

Additional Configurations: Automating and Documenting Firewall Rules, Monitoring, and Backup


1. Firewall Rules: Configuring pfSense to Manage Traffic to and from VLAN 100

Objective: Configure pfSense to manage traffic for VLAN 100, allowing essential traffic while restricting unauthorized access.


Step 1: Set Up pfSense for VLAN 100

  • Log into pfSense:

    • Access the web interface: https://<pfSense_IP>
    • Login using your admin credentials.
  • Create a VLAN for Management:

    • Navigate to Interfaces > Assignments.
    • Click on VLANs tab and add a new VLAN.
    • Parent Interface: Choose the interface connected to your switch.
    • VLAN Tag: 100
    • Description: Management VLAN 100
    • Click Save.
  • Assign the VLAN Interface:

    • Go back to the Interfaces > Assignments.
    • Add a new interface using the created VLAN.
    • Name the interface as VLAN100.
    • Enable the interface and assign the following settings:
      • Static IP: 10.0.10.1
      • Subnet Mask: 255.255.255.0
    • Click Save and Apply Changes.

Step 2: Create Firewall Rules for VLAN 100

Outbound Rules:

  • Allow Management Traffic:
    • Navigate to Firewall > Rules.
    • Select VLAN100 and add a new rule.
    • Action: Pass
    • Protocol: Any (or TCP/UDP plus a separate ICMP rule if you want ping to work)
    • Source: VLAN100 net
    • Destination: Any. This is an allow-all; acceptable while you build the lab, but prefer aliases for what the management VMs really need: Prism (TCP 9440), TrueNAS NFS (TCP 2049), Zabbix server (TCP 10051), DNS, NTP and package mirrors.
    • Description: Allow management traffic from VLAN 100.
    • Click Save and Apply Changes.

Inbound Rules:

pfSense evaluates rules on the interface where a packet enters, the first match wins, and anything unmatched is dropped. A rule on the VLAN100 tab therefore only sees traffic sent by VLAN 100 hosts; access into VLAN 100 from another VLAN is granted on that other VLAN's tab (or on WAN together with a port forward), and a "Source: Any" rule on VLAN100 does not do what its description suggests.

  • Allow pfSense management from VLAN 100:
    • Navigate to Firewall > Rules under VLAN100 and add a rule above the allow-all.
    • Action: Pass, Protocol: TCP, Source: VLAN100 net, Destination: This firewall, Port: 443
    • Description: Allow HTTPS to pfSense from VLAN 100.
    • The anti-lockout rule exists only on LAN; without this explicit rule, tightening the allow-all later can lock you out of the web interface.
  • Allow SSH and HTTPS into VLAN 100 from an admin host:
    • Navigate to Firewall > Rules under the VLAN from which you administer the lab (not VLAN100).
    • Action: Pass, Protocol: TCP
    • Source: a single address or alias for your admin workstation, never Any
    • Destination: VLAN100 net (or an alias listing specific management VMs and the Prism VIP)
    • Port: 22 for SSH, 443 for HTTPS, 9440 for Prism
    • Description: Allow admin access to VLAN 100.
    • Click Save and Apply Changes.
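To see why rule placement matters, the following added example (not pfSense code and not part of the original page) simulates pfSense-style evaluation: rules are matched on the ingress interface, in order, first match wins, and no match means deny. It evaluates constructed flows against the rule set as the page first described it (both rules on VLAN100) and against the scoped set above. The VLAN 120 subnet (10.0.12.0/24) and the admin workstation address (10.0.12.10) are assumptions; only VLAN 100 comes from the page.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# VLAN 100 is from the page; the VLAN 120 subnet and admin host are assumptions.
VLAN100_NET = ip_network("10.0.10.0/24")
VLAN120_NET = ip_network("10.0.12.0/24")       # assumed Production subnet
ADMIN_HOST = ip_network("10.0.12.10/32")       # assumed admin workstation
PFSENSE_VLAN100 = ip_network("10.0.10.1/32")   # "This firewall" on VLAN100


@dataclass(frozen=True)
class Rule:
    iface: str                    # interface the packet ENTERS on (pfSense semantics)
    action: str                   # "pass" or "block"
    proto: Optional[str]          # "tcp", "udp" or None (= any)
    src: Optional[object]         # ip_network or None (= any)
    dst: Optional[object]         # ip_network or None (= any)
    dports: Optional[frozenset]   # destination ports or None (= any)
    descr: str


@dataclass(frozen=True)
class Flow:
    iface: str
    proto: str
    src: str
    dst: str
    dport: int


def matches(rule: Rule, flow: Flow) -> bool:
    """Every rule field must match; a None field means 'any'."""
    return (rule.iface == flow.iface
            and rule.proto in (None, flow.proto)
            and (rule.src is None or ip_address(flow.src) in rule.src)
            and (rule.dst is None or ip_address(flow.dst) in rule.dst)
            and (rule.dports is None or flow.dport in rule.dports))


def evaluate(rules, flow: Flow) -> tuple:
    """First matching rule wins; no match is the implicit default deny."""
    for rule in rules:
        if matches(rule, flow):
            return rule.action, rule.descr
    return "block", "default deny"


# The rule set as first written on the page: both rules live on the VLAN100 tab.
PAGE_RULES = [
    Rule("vlan100", "pass", None, VLAN100_NET, None, None, "Allow management traffic from VLAN 100"),
    Rule("vlan100", "pass", "tcp", None, None, frozenset({22, 443}), "Allow SSH and HTTPS"),
]

# Scoped set: access into VLAN 100 is granted on the interface where that traffic
# actually enters (vlan120), from one admin host only, to named ports.
HARDENED_RULES = [
    Rule("vlan100", "pass", "tcp", VLAN100_NET, PFSENSE_VLAN100, frozenset({443}), "mgmt -> pfSense GUI"),
    Rule("vlan100", "pass", None, VLAN100_NET, None, None, "mgmt -> any"),
    Rule("vlan120", "pass", "tcp", ADMIN_HOST, VLAN100_NET, frozenset({22, 443, 9440}), "admin host -> mgmt SSH/HTTPS/Prism"),
    Rule("vlan120", "block", None, None, VLAN100_NET, None, "production must not reach management"),
    Rule("vlan120", "pass", None, VLAN120_NET, None, None, "production -> internet"),
]

# Constructed flows; each enters pfSense on the interface of its source VLAN.
SAMPLE_FLOWS = {
    "admin_ssh_to_mgmt": Flow("vlan120", "tcp", "10.0.12.10", "10.0.10.20", 22),
    "prod_ssh_to_mgmt":  Flow("vlan120", "tcp", "10.0.12.55", "10.0.10.20", 22),
    "prod_to_internet":  Flow("vlan120", "tcp", "10.0.12.55", "93.184.216.34", 443),
    "mgmt_to_dns":       Flow("vlan100", "udp", "10.0.10.20", "8.8.8.8", 53),
}


def verdicts(rules) -> dict:
    """Action per sample flow for a given rule set."""
    return {name: evaluate(rules, flow)[0] for name, flow in SAMPLE_FLOWS.items()}


if __name__ == "__main__":
    for label, rules in (("page", PAGE_RULES), ("hardened", HARDENED_RULES)):
        print(label, verdicts(rules))
```

With the page's set, the admin's SSH session is dropped by the default deny because it enters on vlan120, where no rule exists; the "Allow SSH and HTTPS" rule on vlan100 never sees it. With the scoped set, the admin host gets in on the listed ports, any other production host is explicitly blocked from VLAN 100 before the general internet-access rule, and management hosts keep their outbound access.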

Step 3: Automate pfSense Configuration Using Ansible

pfSense has no built-in REST API. The /api/v1 endpoints used below come from the community pfSense-API package, which must be installed on the firewall first; the body keys are reproduced from the original playbook and must be checked against the documentation of the pfSense-API version you install, since field names differ between releases. The uri module sends HTTPS requests from the Ansible controller, so the play runs locally rather than "on" pfSense (there is no Python target to become root on). An alternative that needs no API package is the pfsensible.core Ansible collection, which edits the pfSense configuration over SSH.

Create an Ansible playbook named pfsense_vlans_firewall.yml:

---
- name: Configure pfSense VLAN and Firewall Rules
  hosts: localhost
  connection: local
  gather_facts: no
  vars_files:
    - vault.yml            # pfsense_host, pfsense_user, pfsense_password; create with "ansible-vault create vault.yml"
  vars:
    pfsense_api: "https://{{ pfsense_host }}/api/v1"
  module_defaults:
    ansible.builtin.uri:
      method: POST
      body_format: json
      headers:
        Content-Type: "application/json"
      force_basic_auth: yes
      url_username: "{{ pfsense_user }}"
      url_password: "{{ pfsense_password }}"
      validate_certs: no   # lab only: pfSense ships a self-signed cert; install a trusted one and set yes
      status_code: [200, 201]
  tasks:
    - name: Create VLAN 100
      uri:
        url: "{{ pfsense_api }}/interface/vlan"
        body:
          parent_interface: "em0"   # the NIC facing the trunk port; adjust to your setup
          vlan_tag: 100
          description: "Management VLAN 100"

    - name: Assign VLAN Interface
      uri:
        url: "{{ pfsense_api }}/interface/assign"
        body:
          interface: "vlan100"
          enable: true
          ipaddr: "10.0.10.1"
          subnet: "24"

    - name: Create Firewall Rules
      uri:
        url: "{{ pfsense_api }}/firewall/rule"
        body:
          interface: "vlan100"
          action: "pass"
          protocol: "tcp/udp"
          source: "10.0.10.0/24"
          destination: "any"       # allow-all; narrow to aliases once the lab works (see Step 2)
          description: "Allow management traffic"

Run the Playbook:

ansible-playbook -i inventory pfsense_vlans_firewall.yml

2. Monitoring: Integrate Zabbix for Monitoring Nutanix Prism Services and VM Performance

Objective: Deploy Zabbix in the Monitoring VLAN to monitor Nutanix Prism services and VM performance.


Step 1: Deploy Zabbix Server

Ansible Playbook:

Create zabbix_server_setup.yml:

---
- name: Set up Zabbix Server
  hosts: monitoring
  become: yes
  vars_files:
    - vault.yml                    # zabbix_db_password, stored with ansible-vault
  tasks:
    # Assumes the Zabbix repository package for your Ubuntu/Debian release is already
    # installed; the distribution's own zabbix packages are usually several versions old.
    - name: Install required packages
      apt:
        name:
          - zabbix-server-mysql
          - zabbix-frontend-php
          - zabbix-apache-conf
          - zabbix-sql-scripts
          - zabbix-agent
          - apache2
          - mysql-server
          - python3-pymysql          # required by the community.mysql modules below
        state: present
        update_cache: yes

    - name: Start and enable Apache and MySQL
      service:
        name: "{{ item }}"
        state: started
        enabled: true
      loop:
        - apache2
        - mysql

    - name: Create Zabbix database (utf8mb4/utf8mb4_bin is what the Zabbix schema expects)
      community.mysql.mysql_db:
        name: zabbix
        encoding: utf8mb4
        collation: utf8mb4_bin
        state: present
        login_unix_socket: /var/run/mysqld/mysqld.sock

    - name: Create Zabbix database user (local logins only, rights on the zabbix schema only)
      community.mysql.mysql_user:
        name: zabbix
        host: localhost
        password: "{{ zabbix_db_password }}"
        priv: 'zabbix.*:ALL'
        state: present
        login_unix_socket: /var/run/mysqld/mysqld.sock
      no_log: true

    - name: Allow the schema import to create functions (needed on MySQL 8; reverted below)
      community.mysql.mysql_variables:
        variable: log_bin_trust_function_creators
        value: 1
        login_unix_socket: /var/run/mysqld/mysqld.sock

    - name: Import the Zabbix schema once (path for Zabbix 6.x packages; adjust for other versions)
      shell: >
        zcat /usr/share/zabbix-sql-scripts/mysql/server.sql.gz
        | mysql --default-character-set=utf8mb4 zabbix
        && touch /etc/zabbix/.schema_imported
      args:
        creates: /etc/zabbix/.schema_imported

    - name: Revert the function-creation override
      community.mysql.mysql_variables:
        variable: log_bin_trust_function_creators
        value: 0
        login_unix_socket: /var/run/mysqld/mysqld.sock

    - name: Set the database password in the packaged zabbix_server.conf
      lineinfile:
        path: /etc/zabbix/zabbix_server.conf
        regexp: '^#?\s*DBPassword='
        line: "DBPassword={{ zabbix_db_password }}"
      no_log: true

    - name: Start and enable Zabbix server and agent
      service:
        name: "{{ item }}"
        state: started
        enabled: true
      loop:
        - zabbix-server
        - zabbix-agent

The playbook edits the packaged /etc/zabbix/zabbix_server.conf in place instead of replacing it with a four-line template: the packaged file carries settings such as LogFile, PidFile and DBName that the server needs to start, and DBPassword is the only value that has to change for this setup. The server is started only after the schema import, since zabbix-server exits on an empty database.

Step 2: Configure Zabbix for Nutanix Prism Monitoring

  • Add Nutanix Prism as a Host:

    • Access the Zabbix web interface: http://<zabbix_ip>/zabbix (put it behind TLS, for example an Apache vhost with a certificate, before you rely on the login).
    • Log in with the default credentials (Admin/zabbix) and change that password immediately; the frontend is reachable from every VLAN that can route to the monitoring network.
    • Navigate to Configuration > Hosts (Data collection > Hosts in Zabbix 6.4 and later).
    • Click Create Host and enter the Prism VIP as the host interface.
    • Assign the host to an appropriate group (e.g., Management).
    • Zabbix ships no Nutanix template. Create HTTP agent items that query the Prism REST API (for example GET https://<prism_vip>:9440/PrismGateway/services/rest/v2.0/cluster/) with a dedicated read-only (Viewer) Prism user, and use JSONPath preprocessing to pick out CPU, memory and storage usage. Install zabbix-agent on the management VMs for their own CPU, memory and network items.
  • Create Triggers and Actions:

    • Set up triggers for critical thresholds (e.g., CPU usage > 80%).
    • Configure actions to notify admins via email or SMS.
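The following added example (not Zabbix or Nutanix code, and not part of the original page) shows the transformation an HTTP agent item or a zabbix_sender feeder has to perform on the Prism cluster document: Prism reports utilisation in parts per million, Zabbix wants percentages, and the page's CPU > 80% trigger is evaluated on the converted value. The JSON is constructed here; the field names (hypervisor_cpu_usage_ppm, hypervisor_memory_usage_ppm, storage.usage_bytes, storage.capacity_bytes) are assumptions to verify against the output of your Prism version. fetch_cluster_json pulls the live document with TLS verification against a CA bundle instead of disabling verification; it is not called by the demo.

```python
import base64
import json
import ssl
import urllib.request

# Constructed sample of a Prism Element v2.0 cluster document (field names assumed).
SAMPLE_CLUSTER_JSON = json.dumps({
    "name": "ce-lab",
    "stats": {
        "hypervisor_cpu_usage_ppm": "862000",
        "hypervisor_memory_usage_ppm": "431000",
    },
    "usage_stats": {
        "storage.usage_bytes": "402653184000",
        "storage.capacity_bytes": "1099511627776",
    },
})


def fetch_cluster_json(prism_vip: str, user: str, password: str, cafile: str) -> str:
    """Fetch the live document from Prism Element (not used by the demo).
    cafile holds the Prism certificate chain; the user should be a Prism 'Viewer'."""
    url = f"https://{prism_vip}:9440/PrismGateway/services/rest/v2.0/cluster/"
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(url, headers={"Authorization": f"Basic {token}"})
    ctx = ssl.create_default_context(cafile=cafile)
    with urllib.request.urlopen(req, context=ctx, timeout=15) as resp:
        return resp.read().decode()


def ppm_to_percent(value) -> float:
    """Prism reports utilisation in parts per million; Zabbix items want percent."""
    return round(int(value) / 10_000, 2)


def cluster_metrics(doc: str) -> dict:
    """Map the Prism document to Zabbix item keys (key names are our own choice)."""
    data = json.loads(doc)
    stats = data["stats"]
    usage = data["usage_stats"]
    used = int(usage["storage.usage_bytes"])
    capacity = int(usage["storage.capacity_bytes"])
    return {
        "nutanix.cpu.pct": ppm_to_percent(stats["hypervisor_cpu_usage_ppm"]),
        "nutanix.mem.pct": ppm_to_percent(stats["hypervisor_memory_usage_ppm"]),
        "nutanix.storage.pct": round(100 * used / capacity, 2),
    }


def sender_lines(host: str, metrics: dict) -> list:
    """One '<host> <key> <value>' line per metric, the format zabbix_sender -i reads."""
    return [f"{host} {key} {value}" for key, value in sorted(metrics.items())]


def cpu_trigger(metrics: dict, threshold: float = 80.0) -> bool:
    """The page's trigger condition, evaluated on the converted value."""
    return metrics["nutanix.cpu.pct"] > threshold


if __name__ == "__main__":
    m = cluster_metrics(SAMPLE_CLUSTER_JSON)
    print("\n".join(sender_lines("ce-lab", m)))
    print("CPU trigger fires:", cpu_trigger(m))
```

Feed the lines to zabbix_sender -z <zabbix_ip> -i - with trapper items of the same keys on the Prism host, or reproduce ppm_to_percent as a "Custom multiplier 0.0001" preprocessing step on an HTTP agent item. In both cases the Prism credentials stay on the monitoring side as a Viewer account, never an admin one.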

3. Backup: Set Up Regular Backups of Prism Configurations and Management VMs Using TrueNAS

Objective: Automate the backup of Nutanix Prism configurations and management VMs using TrueNAS.


Step 1: Set Up TrueNAS for Backup

  • Create a New Dataset:

    • Access the TrueNAS web interface: https://<truenas_ip> (enable HTTPS under System > General; the default login page is plain http).
    • Navigate to Storage > Pools and create a new dataset for backups.
  • Create an NFS Share:

    • Go to Sharing > Unix (NFS) Shares.
    • Create a new share pointing to the dataset created for backups.
    • Restrict the share to the management VM's address (Authorized Hosts: 10.0.10.20, not the whole VLAN and not empty), keep root squashed (do not set Maproot User to root) and map writes to a dedicated backup user. An unrestricted NFS export on VLAN 150 lets any host that can reach it read or overwrite the backups.

Step 2: Automate Backups Using Ansible

Ansible Playbook: truenas_backup_setup.yml

---
- name: Set up NFS Mount for Backups
  hosts: management
  become: yes
  vars:
    truenas_ip: "<truenas_ip>"               # replace with the VLAN 150 address of TrueNAS
    backup_export: /mnt/pool/backups
    backup_mount: /mnt/nutanix_backups
    backup_src: /home/nutanix/prism          # placeholder from the original page: point it at the directory on this host that holds the data to archive
  tasks:
    - name: Install NFS client
      apt:
        name: nfs-common
        state: present

    - name: Create mount directory
      file:
        path: "{{ backup_mount }}"
        state: directory
        mode: "0750"

    # state=mounted both mounts the share and writes the /etc/fstab entry, so no
    # separate lineinfile task is needed.
    - name: Mount NFS Share
      mount:
        path: "{{ backup_mount }}"
        src: "{{ truenas_ip }}:{{ backup_export }}"
        fstype: nfs
        opts: "defaults,nosuid,nodev,noexec"
        state: mounted

    # A task cannot carry both "command" and "cron"; each schedule is its own cron task.
    # In a crontab "%" starts a new line, so the date format is written as \%F (single-quoted
    # so YAML passes the backslash through).
    - name: Nightly archive to the share
      cron:
        name: "Prism Backup"
        minute: "0"
        hour: "3"
        user: root
        job: 'tar -czf {{ backup_mount }}/prism_backup_$(date +\%F).tar.gz {{ backup_src }}'

    # virsh exists on the AHV host, not inside the guest, so the definition export is
    # scheduled there; it captures only the libvirt VM definition, not the disks.
    - name: Nightly export of the Management-VM definition
      cron:
        name: "VM definition export"
        minute: "30"
        hour: "3"
        user: root
        job: 'virsh dumpxml Management-VM > /root/Management-VM_$(date +\%F).xml'
      delegate_to: "{{ ahv_host }}"          # assumed inventory name of the AHV hypervisor

The disk contents of the management VMs are not covered by a dumpxml export; protect them with Nutanix snapshots (Prism > VM > Take Snapshot, or acli vm.snapshot_create on a CVM) or a backup tool that uses the Prism API. Do not give the management VM credentials for the AHV host or CVM so that it can run those itself: a compromised guest would then control its own hypervisor.

Step 3: Schedule Backups

The Ansible playbook installs two root cron jobs: the archive job runs at 03:00 on the management VM and the VM definition export at 03:30 on the AHV host, so the two never overlap.

Run the Playbook:

ansible-playbook -i inventory truenas_backup_setup.yml
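A cron job that writes tarballs is only half a backup: nobody notices a corrupt or silently truncated archive until a restore, and the share fills up. The following added example (not Nutanix, TrueNAS or Ansible code, and not part of the original page) does the rest of the job for the archives the cron task above produces: it writes a SHA-256 sidecar next to each prism_backup_<date>.tar.gz, verifies an archive against its sidecar, and prunes archives older than a retention window. The file naming follows the playbook; the retention period, the sample directory contents and the demo dates are assumptions, and the demo runs entirely inside a temporary directory.

```python
import hashlib
import os
import re
import tarfile
import tempfile
from datetime import date, timedelta
from pathlib import Path

# Name pattern produced by the cron job above: prism_backup_YYYY-MM-DD.tar.gz
NAME_RE = re.compile(r"^prism_backup_(\d{4}-\d{2}-\d{2})\.tar\.gz$")


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def create_backup(src_dir: Path, dest_dir: Path, day: date) -> Path:
    """Archive src_dir as prism_backup_<day>.tar.gz and record its digest in a sidecar."""
    archive = dest_dir / f"prism_backup_{day.isoformat()}.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(src_dir, arcname=src_dir.name)
    digest = sha256_file(archive)
    archive.with_suffix(archive.suffix + ".sha256").write_text(f"{digest}  {archive.name}\n")
    os.chmod(archive, 0o600)   # archives hold configuration and credentials: owner-only
    return archive


def verify_backup(archive: Path) -> bool:
    """Recompute the digest and compare it with the sidecar written at backup time."""
    sidecar = archive.with_suffix(archive.suffix + ".sha256")
    if not sidecar.exists():
        return False
    expected = sidecar.read_text().split()[0]
    return expected == sha256_file(archive)


def prune_backups(dest_dir: Path, today: date, keep_days: int) -> list:
    """Delete archives (and their sidecars) dated before today - keep_days; return the names removed."""
    cutoff = today - timedelta(days=keep_days)
    removed = []
    for path in sorted(dest_dir.iterdir()):
        m = NAME_RE.match(path.name)
        if m and date.fromisoformat(m.group(1)) < cutoff:
            sidecar = path.with_suffix(path.suffix + ".sha256")
            path.unlink()
            if sidecar.exists():
                sidecar.unlink()
            removed.append(path.name)
    return removed


def demo(keep_days: int = 7) -> dict:
    """Constructed scenario: archive a sample directory, verify it, corrupt it in place,
    verify again, and prune the older archives a cron job would have left behind."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        src = tmp / "prism"
        src.mkdir()
        (src / "config.json").write_text('{"cluster": "ce-lab"}')   # constructed sample data
        dest = tmp / "nutanix_backups"
        dest.mkdir()
        today = date(2024, 6, 30)
        for age in (10, 8, 3):                      # earlier nightly runs
            create_backup(src, dest, today - timedelta(days=age))
        fresh = create_backup(src, dest, today)
        verified = verify_backup(fresh)
        with fresh.open("r+b") as f:                 # flip the first byte: bit rot / tampering
            first = f.read(1)
            f.seek(0)
            f.write(bytes([first[0] ^ 0xFF]))
        tampered_verified = verify_backup(fresh)
        removed = prune_backups(dest, today, keep_days)
        remaining = sorted(p.name for p in dest.iterdir() if NAME_RE.match(p.name))
    return {"verified": verified, "tampered_verified": tampered_verified,
            "removed": removed, "remaining": remaining}


if __name__ == "__main__":
    print(demo())
```

Run create_backup from the cron job instead of the bare tar command and verify_backup from a second job (or from the restore test you do anyway), and alert when verification fails; the sidecars cost nothing and turn a silent corruption into a detectable one.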

Conclusion

This comprehensive guide has automated the configuration of firewall rules with pfSense, set up Zabbix monitoring for Nutanix Prism, and established regular backups of your critical management infrastructure using TrueNAS. By using Terraform, Ansible, and well-organized network architecture, you can manage and secure your Nutanix environment efficiently.

To set up Nutanix Community Edition (CE) on your rig and configure essential services like pfSense and others, we'll follow a phased approach. The initial steps will involve setting up Nutanix CE, creating the necessary VLANs, and deploying initial virtual machines (VMs) and services, including pfSense. Once pfSense is up and running, we'll then configure the firewall, monitoring, and backup solutions as previously described.

Phased Setup Plan

1. Setting Up Nutanix Community Edition

Step 1: Install Nutanix CE

  • Download Nutanix CE: Obtain the latest Nutanix CE ISO from the Nutanix website.
  • Create a Bootable USB: Use tools like Rufus or Balena Etcher to create a bootable USB from the Nutanix CE ISO.
  • Install Nutanix CE:
    • Boot your rig from the USB drive.
    • Follow the installation prompts to install Nutanix CE on your Samsung 850 EVO 500GB SSD.
    • Configure the network settings during installation (use a temporary IP like 192.168.1.10 for initial setup).

Step 2: Initial Configuration of Nutanix CE

  • Access Nutanix Prism:

    • Once installed, access Nutanix Prism by visiting https://<temporary_IP>:9440 in your browser.
    • Log in with the default admin credentials (admin / Nutanix/4u); Prism forces a password change at first login. Change the CVM (nutanix) and AHV host (root) default passwords as well, since the defaults are public knowledge.
  • Configure Storage:

    • Create a storage container on the default storage pool, which the installer builds from the available SSD and NVMe drives.
  • AHV and the temporary network:

    • AHV is installed by the CE installer; there is nothing separate to enable.
    • Keep the hosts and CVMs on the temporary untagged network until pfSense is up, then move management to VLAN 100.

2. Create Initial VLANs and Deploy VMs

Step 1: Create Initial VLANs in Nutanix Prism

  • Create VLAN 100 (Management):

    • In Prism Element open Settings (gear) > Network Configuration > Subnets (called Virtual Networks in older releases) and click Create Subnet; the acli net.create command from section 3 does the same.
    • Name it Management, set VLAN ID 100, and enable IP address management with 10.0.10.0/24 and gateway 10.0.10.1 if you want Prism to assign addresses.
  • Create Additional VLANs: Repeat the process for other VLANs like VLAN 110 (Monitoring), VLAN 120 (Production), etc., as needed. The trunk port on the switch must carry every VLAN ID you create.

Step 2: Deploy Initial VMs

  • Deploy pfSense VM:

    • Create a VM: Name it pfSense-VM.
    • Resources:
      • CPUs: 2 vCPUs
      • Memory: 2 GB
      • Disk: 20 GB from the storage container
    • Networking: a firewall needs at least two NICs. Attach one to VLAN 100 (LAN side) and one to the network that carries your internet uplink (WAN side); add one NIC per additional VLAN, or attach a trunked NIC and create the VLAN interfaces inside pfSense.
    • Install pfSense:
      • Upload the pfSense ISO to Prism's image service, attach it as a CD-ROM, and boot from it.
      • Follow the prompts to install pfSense on the VM.
      • Assign 10.0.10.1 as the LAN address on the VLAN 100 interface.
  • Deploy Additional VMs (Optional):

    • Deploy other critical management VMs if required, like a Zabbix server, using similar steps.

3. Configuring pfSense

Step 1: Basic Configuration of pfSense

  • Access pfSense Web Interface:

    • Visit https://10.0.10.1 in your browser to access pfSense.
    • Log in with the default credentials (admin / pfsense) and change the password immediately; the setup wizard prompts for it.
  • Configure Interfaces:

    • Verify that the interfaces are correctly assigned to VLAN 100 for management.
  • Enable DHCP on VLAN 100 (Optional):

    • Go to Services > DHCP Server.
    • Enable DHCP for VLAN 100 and configure an appropriate IP range.

Step 2: Configure Firewall Rules

  • Allow Traffic on VLAN 100:

    • Configure rules to allow necessary management traffic on VLAN 100.
  • Set Up NAT (if required):

    • Set up outbound NAT to manage internet access for your management VMs.

4. Set Up Monitoring and Backup Services

Once pfSense is up, you can proceed to deploy and configure monitoring and backup services as follows:

Step 1: Deploy Zabbix for Monitoring

  • Deploy Zabbix Server on VLAN 110:
    • Create a new VM, attach it to VLAN 110, and install Zabbix using the Ansible playbook provided earlier.

Step 2: Set Up TrueNAS for Backups

  • Deploy TrueNAS VM on VLAN 150:
    • Deploy TrueNAS on a new VM attached to VLAN 150.
    • Configure NFS shares and set up the backup automation using the provided Ansible playbook.

Step 3: Automate the Configuration of Firewall Rules, Monitoring, and Backup

  • Run Ansible Playbooks:
    • Use the playbooks provided in the previous sections to automate the configuration of pfSense, Zabbix, and TrueNAS.

Final Steps

After setting up Nutanix CE, pfSense, and the critical services, ensure the network is segmented correctly and all traffic routed through pfSense. You can deploy additional services and VMs within your Nutanix environment as needed.

This phased approach ensures that your core infrastructure is operational before moving on to more complex configurations and deployments.

Installing Nutanix Community Edition (CE) on the Kingston NV2 NVMe SSD 1TB is actually a good idea for several reasons:

  1. Higher Performance: The NVMe SSD will offer much faster read and write speeds compared to the SATA SSD, which can significantly improve the performance of your Nutanix environment, especially when it comes to I/O-intensive operations like running virtual machines, handling storage operations, and overall system responsiveness.

  2. Efficient Use of Resources: By installing Nutanix CE on the NVMe SSD, you can reserve the SATA SSD (Samsung 850 EVO 500GB) and other drives for additional storage pools, caching, or other specialized tasks within your Nutanix environment. This allows for more efficient use of the available hardware resources.

  3. Future-Proofing: NVMe drives are more aligned with modern infrastructure setups. Using the NVMe SSD for the primary installation ensures that your setup is future-proof and can handle newer, more demanding workloads as your needs grow.

Updated Plan: Installing Nutanix CE on Kingston NV2 NVMe SSD

1. Preparing for Installation

  1. Download Nutanix CE ISO: Obtain the Nutanix CE ISO from the official Nutanix website.

  2. Create a Bootable USB: Use a tool like Rufus to create a bootable USB drive with the Nutanix CE ISO.

  3. Backup Data: If there is any existing data on the Kingston NVMe SSD, back it up before proceeding with the installation, as this process will wipe the drive.

2. Installing Nutanix CE on Kingston NVMe SSD

  1. Boot from USB:

    • Insert the bootable USB into your rig.
    • Boot the system from the USB drive. You may need to enter the BIOS/UEFI to change the boot order.
  2. Start Installation:

    • When the Nutanix CE installer loads it asks for disk roles separately: hypervisor boot, CVM boot and data. Select the Kingston NV2 NVMe SSD 1TB for the CVM boot and data roles, which is where VM I/O lands; the hypervisor boot role can go on a smaller, slower device.
  3. Network Configuration:

    • During installation, you will be prompted to configure the network settings.
    • Assign a temporary IP address for initial access (e.g., 192.168.1.10).
  4. Complete the Installation:

    • Follow the on-screen prompts to complete the installation.
    • After installation, the system will reboot, and Nutanix CE will boot from the NVMe SSD.

3. Initial Configuration of Nutanix CE

  1. Access Nutanix Prism:

    • Use a browser to access the Nutanix Prism interface at https://192.168.1.10:9440.
    • Log in with the default admin credentials (admin / Nutanix/4u); Prism requires a new password on first login.
    • Change the CVM and AHV host default passwords too, then configure the basic settings.
  2. Configure Storage Pool:

    • Create a storage pool using the remaining drives, including the Samsung 850 EVO SSD and the 4TB SATA HDD.
    • Configure storage containers as needed for your virtual machines and applications.

4. Setting Up VLANs and Deploying pfSense

  1. Create VLANs:

    • In Nutanix Prism, navigate to the network section and create the necessary VLANs for your environment, starting with VLAN 100 for management.
  2. Deploy pfSense on VLAN 100:

    • Create a VM for pfSense on VLAN 100, assign appropriate resources, and install pfSense.
    • Configure pfSense with the IP 10.0.10.1 and set up basic firewall rules.

5. Deploying and Configuring Additional Services

After pfSense is operational, you can go ahead and deploy additional services such as Zabbix for monitoring and TrueNAS for backup, as outlined in the previous steps.

Conclusion

Installing Nutanix CE on the Kingston NV2 NVMe SSD 1TB leverages the high performance of NVMe storage, optimizing your setup for current and future workloads. This approach ensures that your Nutanix environment is fast, efficient, and capable of handling intensive operations while making the best use of your hardware resources.
