Administration Guide

Administration Portal

# engine-config -s MaxAverageNetworkQoSValue=2048
# systemctl restart ovirt-engine
# engine-config -s MaxAverageNetworkQoSValue=2048
# systemctl restart ovirt-engine
protocol://[host]:[port]
# neutron security-group-list
# engine-config -s CustomDeviceProperties='{type=interface;prop={vmfex=^[a-zA-Z0-9_.-]{2,32}$}}' --cver=3.6

# engine-config -g CustomDeviceProperties

# systemctl restart ovirt-engine.service

Changing certain properties (e.g. VLAN, MTU) of the management network could lead to loss of connectivity to hosts in the data center, if its underlying network infrastructure isn't configured to accommodate the changes. Are you sure you want to proceed?

forward_delay=1500
gc_timer=3765
group_addr=1:80:c2:0:0:0
group_fwd_mask=0x0
hash_elasticity=4
hash_max=512
hello_time=200
hello_timer=70
max_age=2000
multicast_last_member_count=2
multicast_last_member_interval=100
multicast_membership_interval=26000
multicast_querier=0
multicast_querier_interval=25500
multicast_query_interval=13000
multicast_query_response_interval=1000
multicast_query_use_ifaddr=0
multicast_router=1
multicast_snooping=1
multicast_startup_query_count=2
multicast_startup_query_interval=3125
--coalesce em1 rx-usecs 14 sample-interval 3 --offload em2 rx on lro on tso off --change em1 speed 1000 duplex half
--coalesce * rx-usecs 14 sample-interval 3
# yum install vdsm-hook-extra-ipv4-addrs
# engine-config -s 'UserDefinedNetworkCustomProperties=ipv4_addrs=.*'
# systemctl restart ovirt-engine.service
mode=4 xmit_hash_policy=layer2+3
mode=1 arp_interval=1 arp_ip_target=192.168.0.2
mode=1 primary=eth0
# hostnamectl set-hostname NEW_FQDN
# yum install vdsm-hook-openstacknet
# iptables -D INPUT -j REJECT --reject-with icmp-host-prohibited
yum install fence-agents
man fence_ilo4
pci-stub.ids=10de:13ba,10de:0fbc
pci-stub.ids=10de:13ba,10de:0fbc rdblacklist=nouveau
# lspci -nnk
...
01:00.0 VGA compatible controller [0300]: NVIDIA Corporation GM107GL [Quadro K2200] [10de:13ba] (rev a2)
        Subsystem: NVIDIA Corporation Device [10de:1097]
        Kernel driver in use: pci-stub
01:00.1 Audio device [0403]: NVIDIA Corporation Device [10de:0fbc] (rev a1)
        Subsystem: NVIDIA Corporation Device [10de:1097]
        Kernel driver in use: pci-stub
...
$ vi /etc/default/grub
...
GRUB_CMDLINE_LINUX="nofb splash=quiet console=tty0 ... rdblacklist=nouveau"
...
# lspci | grep VGA
00:09.0 VGA compatible controller: NVIDIA Corporation GK106GL [Quadro K4000] (rev a1)
Section "Device"
Identifier "Device0"
Driver "nvidia"
VendorName "NVIDIA Corporation"
BusID "PCI:0:9:0"
EndSection
# yum install cockpit-ovirt-uiplugin
# systemctl restart ovirt-engine.service
engine-config -s FenceKdumpDestinationAddress=A.B.C.D
# systemctl restart ovirt-fence-kdump-listener.service
# engine-config -g OPTION
# engine-config -s OPTION=value
# systemctl restart ovirt-engine.service
# engine-config --set ServerRebootTimeout=integer
# groupadd kvm -g 36
# useradd vdsm -u 36 -g 36
# chown -R 36:36 /exports/data
# chown -R 36:36 /exports/export
# chmod 0755 /exports/data
# chmod 0755 /exports/export
# mkdir -p /data/images
# chown 36:36 /data /data/images
# chmod 0755 /data /data/images
Physical device initialization failed. Please check that the device is empty and accessible by the host.
[ ERROR ] Error creating Volume Group: Failed to initialize physical device: ("[u'/dev/mapper/000000000000000000000000000000000']",)
[ ERROR ] Failed to execute stage 'Misc configuration': Failed to initialize physical device: ("[u'/dev/mapper/000000000000000000000000000000000']",)
# dd if=/dev/zero of=/dev/mapper/LUN_ID bs=1M  count=200 oflag=direct
# engine-iso-uploader --iso-domain=ISODomain upload RHEL6.iso
# gluster volume set VOLUME_NAME group virt
# gluster volume info VOLUME_NAME
protocol://[host]:[port]
# engine-config -s AttestationServer=attestationserver.example.com
# engine-config --set SANWipeAfterDelete=true

# systemctl restart ovirt-engine.service

a9cb0625-d5dc-49ab-8ad1-72722e82b0bf/a49351a7-15d8-4932-8d67-512a369f9d61 was zeroed and will be deleted

finished with VG:a9cb0625-d5dc-49ab-8ad1-72722e82b0bf LVs: {'a49351a7-15d8-4932-8d67-512a369f9d61': ImgsPar(imgs=['11f8b3be-fa96-4f6a-bb83-14c9b12b6e0d'], parent='00000000-0000-0000-0000-000000000000')}, img: 11f8b3be-fa96-4f6a-bb83-14c9b12b6e0d

rbd_secret_uuid = UUID
rbd_user = cinder
# sudo -u vdsm ssh-keygen
# sudo -u vdsm ssh-copy-id root@xenhost.example.com
# sudo -u vdsm ssh root@xenhost.example.com
# sudo -u vdsm ssh-keygen
# sudo -u vdsm ssh-copy-id root@kvmhost.example.com
# sudo -u vdsm ssh root@kvmhost.example.com
# yum install ovirt-provider-ovn-driver
# git clone https://gerrit.ovirt.org/ovirt-provider-ovn
# cd ovirt-provider-ovn
# make rpm
# cd
# yum install rpmbuild/RPMS/noarch/ovirt-provider-ovn-driver-version.noarch.rpm
# systemctl start ovn-controller
# systemctl enable ovn-controller
# vdsm-tool ovn-config OVN_central_server_IP local_OVN_tunneling_IP
# firewall-cmd --zone=ZoneName --add-service=ovn-host-firewall-service --permanent
# firewall-cmd --reload
# yum install ovirt-provider-ovn
# git clone https://gerrit.ovirt.org/ovirt-provider-ovn
# cd ovirt-provider-ovn
# make rpm
# cd
# yum install rpmbuild/RPMS/noarch/ovirt-provider-ovn-version.noarch.rpm
ovn-remote=tcp:OVN_central_server_IP:6641
# firewall-cmd --zone=ZoneName --add-service=ovirt-provider-ovn --permanent
# firewall-cmd --zone=ZoneName --add-service=ovirt-provider-ovn-central --permanent
# firewall-cmd --reload
# systemctl start ovirt-provider-ovn
# systemctl enable ovirt-provider-ovn
# ovn-sbctl set-connection ptcp:6642
# ovn-nbctl set-connection ptcp:6641
# engine-backup --mode=backup
# engine-backup --mode=restore
# engine-backup --scope=all --mode=backup --file=file_name --log=log_file_name
# engine-backup --scope=files --scope=db --mode=backup --file=file_name --log=log_file_name
# engine-backup --mode=restore --file=file_name --log=log_file_name --provision-db --restore-permissions
engine-backup --mode=restore --file=file_name --log=log_file_name --provision-db --provision-dwh-db --restore-permissions
# engine-backup --mode=restore --scope=files --scope=db --file=file_name --log=log_file_name --provision-db --restore-permissions
# engine-backup --mode=restore --scope=files --scope=dwhdb --file=file_name --log=log_file_name --provision-dwh-db --restore-permissions
You should now run engine-setup.
Done.
# engine-setup
# engine-cleanup
# engine-backup --mode=restore --file=file_name --log=log_file_name --restore-permissions
# engine-backup --mode=restore --scope=files --scope=db --file=file_name --log=log_file_name --restore-permissions
# engine-backup --mode=restore --scope=dwhdb --file=file_name --log=log_file_name --restore-permissions
You should now run engine-setup.
Done.
# engine-setup
# engine-cleanup
# su postgres
$ psql
postgres=# alter role user_name encrypted password 'new_password';
# engine-backup --mode=restore --file=file_name --log=log_file_name --change-db-credentials --db-host=database_location --db-name=database_name --db-user=engine --db-password --no-restore-permissions
engine-backup --mode=restore --file=file_name --log=log_file_name --change-db-credentials --db-host=database_location --db-name=database_name --db-user=engine --db-password --change-dwh-db-credentials --dwh-db-host=database_location --dwh-db-name=database_name --dwh-db-user=ovirt_engine_history --dwh-db-password --no-restore-permissions
# engine-backup --mode=restore --scope=files --scope=db --file=file_name --log=log_file_name --change-db-credentials --db-host=database_location --db-name=database_name --db-user=engine --db-password --no-restore-permissions
# engine-backup --mode=restore --scope=files --scope=dwhdb --file=file_name --log=log_file_name --change-dwh-db-credentials --dwh-db-host=database_location --dwh-db-name=database_name --dwh-db-user=ovirt_engine_history --dwh-db-password --no-restore-permissions
You should now run engine-setup.
Done.
# engine-setup
# systemctl stop ovirt-engine.service
# engine-backup --scope=files --scope=db --mode=backup --file=file_name --log=log_file_name
# scp /tmp/engine.dump root@new.database.server.com:/tmp
# yum install ovirt-engine-tools-backup
# engine-backup --mode=restore --scope=files --scope=db --file=file_name --log=log_file_name --provision-db --no-restore-permissions
# systemctl start ovirt-engine.service
POST /api/vms/11111111-1111-1111-1111-111111111111/snapshots/ HTTP/1.1
Accept: application/xml
Content-type: application/xml

<snapshot>
    <description>BACKUP</description>
</snapshot>
GET /api/vms/11111111-1111-1111-1111-111111111111/snapshots/11111111-1111-1111-1111-111111111111 HTTP/1.1
Accept: application/xml
Content-type: application/xml
GET /api/vms/11111111-1111-1111-1111-111111111111/snapshots/11111111-1111-1111-1111-111111111111/disks HTTP/1.1
Accept: application/xml
Content-type: application/xml
POST /api/vms/22222222-2222-2222-2222-222222222222/diskattachments/ HTTP/1.1
Accept: application/xml
Content-type: application/xml

<disk_attachment>
	<active>true</active>
	<interface>virtio_scsi</interface>
	<disk id="11111111-1111-1111-1111-111111111111">
	<snapshot id="11111111-1111-1111-1111-111111111111"/>
	</disk>
</disk_attachment>

DELETE /api/vms/22222222-2222-2222-2222-222222222222/diskattachments/11111111-1111-1111-1111-111111111111  HTTP/1.1
Accept: application/xml
Content-type: application/xml

DELETE /api/vms/11111111-1111-1111-1111-111111111111/snapshots/11111111-1111-1111-1111-111111111111 HTTP/1.1
Accept: application/xml
Content-type: application/xml
POST /api/vms/22222222-2222-2222-2222-222222222222/disks/ HTTP/1.1
Accept: application/xml
Content-type: application/xml

<disk id="11111111-1111-1111-1111-111111111111">
</disk>

DELETE /api/vms/22222222-2222-2222-2222-222222222222/disks/11111111-1111-1111-1111-111111111111 HTTP/1.1
Accept: application/xml
Content-type: application/xml

<action>
    <detach>true</detach>
</action>

POST /api/vms/ HTTP/1.1
Accept: application/xml
Content-type: application/xml

<vm>
    <cluster>
        <name>cluster_name</name>
    </cluster>
    <name>NAME</name>
    ...
</vm>
POST /api/vms/33333333-3333-3333-3333-333333333333/disks/ HTTP/1.1
Accept: application/xml
Content-type: application/xml

<disk id="11111111-1111-1111-1111-111111111111">
</disk>

# yum install ansible
# yum install ovirt-ansible-roles
# cat passwords.yml
  ---
  engine_password: youruserpassword
# ansible-vault encrypt passwords.yml
New Vault password: 
Confirm New Vault password:
# cat engine_vars.yml 
---
engine_url: https://example.engine.redhat.com/ovirt-engine/api
engine_user: admin@internal
engine_cafile: /etc/pki/ovirt-engine/ca.pem
# cat rhv_infra.yml
---
- name: RHV infrastructure
  hosts: localhost
  connection: local
  gather_facts: false

  vars_files:
    # Contains variables to connect to the Manager
    - engine_vars.yml
    # Contains encrypted `engine_password` variable using ansible-vault
    - passwords.yml

  pre_tasks:
    - name: Login to RHV
      ovirt_auth:
        url: "{{ engine_url }}"
        username: "{{ engine_user }}"
        password: "{{ engine_password }}"
        ca_file: "{{ engine_cafile | default(omit) }}"
        insecure: "{{ engine_insecure | default(true) }}"
      tags:
        - always

  vars:
    data_center_name: mydatacenter
    data_center_description: mydatacenter
    data_center_local: false
    compatibility_version: 4.1

  roles:
    - ovirt-datacenters

  post_tasks:
    - name: Logout from RHV
      ovirt_auth:
        state: absent
        ovirt_auth: "{{ ovirt_auth }}"
      tags:
        - always

# ansible-playbook --ask-vault-pass rhv_infra.yml
# yum install ovirt-engine-extension-aaa-ldap-setup
# ovirt-engine-extension-aaa-ldap-setup
Available LDAP implementations:
 1 - 389ds
 2 - 389ds RFC-2307 Schema
 3 - Active Directory
 4 - IBM Security Directory Server
 5 - IBM Security Directory Server RFC-2307 Schema
 6 - IPA
 7 - Novell eDirectory RFC-2307 Schema
 8 - OpenLDAP RFC-2307 Schema
 9 - OpenLDAP Standard Schema
10 - Oracle Unified Directory RFC-2307 Schema
11 - RFC-2307 Schema (Generic)
12 - RHDS
13 - RHDS RFC-2307 Schema
14 - iPlanet
Please select:

It is highly recommended to use DNS resolution for LDAP server.
If for some reason you intend to use hosts or plain address disable DNS usage.
Use DNS (Yes, No) [Yes]:
1 - Single server
2 - DNS domain LDAP SRV record
3 - Round-robin between multiple hosts
4 - Failover between multiple hosts
Please select:
NOTE:
It is highly recommended to use secure protocol to access the LDAP server.
Protocol startTLS is the standard recommended method to do so.
Only in cases in which the startTLS is not supported, fallback to non standard ldaps protocol.
Use plain for test environments only.
Please select protocol to use (startTLS, ldaps, plain) [startTLS]:
Please select method to obtain PEM encoded CA certificate (File, URL, Inline, System, Insecure):
Please enter the password:
Enter search user DN (for example uid=username,dc=example,dc=com or leave empty for anonymous):  uid=user1,ou=Users,ou=department-1,dc=example,dc=com
Enter search user password:
Please enter base DN (dc=redhat,dc=com) [dc=redhat,dc=com]:  ou=department-1,dc=redhat,dc=com
Are you going to use Single Sign-On for Virtual Machines (Yes, No) [Yes]:
Please specify profile name that will be visible to users:redhat.com
NOTE:
It is highly recommended to test drive the configuration before applying it into engine.
Login sequence is executed automatically, but it is recommended to also execute Search sequence manually after successful Login sequence.

Please provide credentials to test login flow:
Enter user name: 
Enter user password: 
[ INFO  ] Executing login sequence...
...
[ INFO  ] Login sequence executed successfully

Please make sure that user details are correct and group membership meets expectations (search for PrincipalRecord and GroupRecord titles).
Abort if output is incorrect.
Select test sequence to execute (Done, Abort, Login, Search) [Abort]:

Select test sequence to execute (Done, Abort, Login, Search) [Search]: Search
Select entity to search (Principal, Group) [Principal]:
Term to search, trailing '*' is allowed: testuser1 
Resolve Groups (Yes, No) [No]:

Select test sequence to execute (Done, Abort, Login, Search) [Abort]: Done 
[ INFO  ] Stage: Transaction setup
[ INFO  ] Stage: Misc configuration
[ INFO  ] Stage: Package installation
[ INFO  ] Stage: Misc configuration
[ INFO  ] Stage: Transaction commit
[ INFO  ] Stage: Closing up
CONFIGURATION SUMMARY
Profile name is: redhat.com
The following files were created:
    /etc/ovirt-engine/aaa/redhat.com.properties
    /etc/ovirt-engine/extensions.d/redhat.com.properties
    /etc/ovirt-engine/extensions.d/redhat.com-authn.properties
[ INFO  ] Stage: Clean up
Log file is available at /tmp/ovirt-engine-extension-aaa-ldap-setup-20171004101225-mmneib.log:
[ INFO  ] Stage: Pre-termination
[ INFO  ] Stage: Termination
# systemctl restart ovirt-engine.service
# yum install ovirt-engine-extension-aaa-ldap-setup
# ovirt-engine-extension-aaa-ldap-setup
Available LDAP implementations:
 1 - 389ds
 2 - 389ds RFC-2307 Schema
 3 - Active Directory
 4 - IBM Security Directory Server
 5 - IBM Security Directory Server RFC-2307 Schema
 6 - IPA
 7 - Novell eDirectory RFC-2307 Schema
 8 - OpenLDAP RFC-2307 Schema
 9 - OpenLDAP Standard Schema
10 - Oracle Unified Directory RFC-2307 Schema
11 - RFC-2307 Schema (Generic)
12 - RHDS
13 - RHDS RFC-2307 Schema
14 - iPlanet
Please select: 3
Please enter Active Directory Forest name: ad-example.redhat.com
[ INFO  ] Resolving Global Catalog SRV record for ad-example.redhat.com
[ INFO  ] Resolving LDAP SRV record for ad-example.redhat.com
NOTE:
It is highly recommended to use secure protocol to access the LDAP server.
Protocol startTLS is the standard recommended method to do so.
Only in cases in which the startTLS is not supported, fallback to non standard ldaps protocol.
Use plain for test environments only.
Please select protocol to use (startTLS, ldaps, plain) [startTLS]: startTLS
Please select method to obtain PEM encoded CA certificate (File, URL, Inline, System, Insecure): File
Please enter the password:
Enter search user DN (empty for anonymous): uid=user1,ou=Users,dc=test,dc=redhat,dc=com
Enter search user password:
Please specify profile name that will be visible to users:redhat.com
NOTE:
It is highly recommended to test drive the configuration before applying it into engine.
Perform at least one Login sequence and one Search sequence.
Select test sequence to execute (Done, Abort, Login, Search) [Abort]: Login
Enter search user name: testuser1
Enter search user password:
[ INFO  ] Executing login sequence...
...
Select test sequence to execute (Done, Abort, Login, Search) [Abort]: Search
Select entity to search (Principal, Group) [Principal]:
Term to search, trailing '*' is allowed: testuser1
Resolve Groups (Yes, No) [No]:
[ INFO  ] Executing login sequence...
...
Select test sequence to execute (Done, Abort, Login, Search) [Abort]: Done
[ INFO  ] Stage: Transaction setup
[ INFO  ] Stage: Misc configuration
[ INFO  ] Stage: Package installation
[ INFO  ] Stage: Misc configuration
[ INFO  ] Stage: Transaction commit
[ INFO  ] Stage: Closing up
          CONFIGURATION SUMMARY
          Profile name is: redhat.com
          The following files were created:
              /etc/ovirt-engine/aaa/redhat.com.properties
              /etc/ovirt-engine/extensions.d/redhat.com-authz.properties
              /etc/ovirt-engine/extensions.d/redhat.com-authn.properties
[ INFO  ] Stage: Clean up
          Log file is available at /tmp/ovirt-engine-extension-aaa-ldap-setup-20160114064955-1yar9i.log:
[ INFO  ] Stage: Pre-termination
[ INFO  ] Stage: Termination
# yum install ovirt-engine-extension-aaa-ldap
# cp -r /usr/share/ovirt-engine-extension-aaa-ldap/examples/simple/. /etc/ovirt-engine
# mv /etc/ovirt-engine/aaa/profile1.properties /etc/ovirt-engine/aaa/example.properties
# mv /etc/ovirt-engine/extensions.d/profile1-authn.properties /etc/ovirt-engine/extensions.d/example-authn.properties
# mv /etc/ovirt-engine/extensions.d/profile1-authz.properties /etc/ovirt-engine/extensions.d/example-authz.properties
#  vi /etc/ovirt-engine/aaa/example.properties
# Select one
#
include = <openldap.properties>
#include = <389ds.properties>
#include = <rhds.properties>
#include = <ipa.properties>
#include = <iplanet.properties>
#include = <rfc2307-389ds.properties>
#include = <rfc2307-rhds.properties>
#include = <rfc2307-openldap.properties>
#include = <rfc2307-edir.properties>
#include = <rfc2307-generic.properties>

# Server
#
vars.server = ldap1.company.com

# Search user and its password.
#
vars.user = uid=search,cn=users,cn=accounts,dc=company,dc=com
vars.password = 123456

pool.default.serverset.single.server = ${global:vars.server}
pool.default.auth.simple.bindDN = ${global:vars.user}
pool.default.auth.simple.password = ${global:vars.password}

# Create keystore, import certificate chain and uncomment
# if using tls.
pool.default.ssl.startTLS = true
pool.default.ssl.truststore.file = /full/path/to/myrootca.jks
pool.default.ssl.truststore.password = password
# vi /etc/ovirt-engine/extensions.d/example-authn.properties
ovirt.engine.extension.name = example-authn
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthnExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn
ovirt.engine.aaa.authn.profile.name = example
ovirt.engine.aaa.authn.authz.plugin = example-authz
config.profile.file.1 = ../aaa/example.properties
# vi /etc/ovirt-engine/extensions.d/example-authz.properties
ovirt.engine.extension.name = example-authz
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthzExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz
config.profile.file.1 = ../aaa/example.properties
# chown ovirt:ovirt /etc/ovirt-engine/aaa/example.properties
# chmod 600 /etc/ovirt-engine/aaa/example.properties
# systemctl restart ovirt-engine.service
# rm /etc/ovirt-engine/extensions.d/profile1-authn.properties
# rm /etc/ovirt-engine/extensions.d/profile1-authz.properties
# rm /etc/ovirt-engine/aaa/profile1.properties

# systemctl restart ovirt-engine
# kadmin
kadmin> addprinc -randkey HTTP/fqdn-of-rhevm@REALM.COM
kadmin> ktadd -k /tmp/http.keytab HTTP/fqdn-of-rhevm@REALM.COM
kadmin> quit
# scp /tmp/http.keytab root@rhevm.example.com:/etc/httpd
# chown apache /etc/httpd/http.keytab
# chmod 400 /etc/httpd/http.keytab
# yum install ovirt-engine-extension-aaa-misc ovirt-engine-extension-aaa-ldap mod_auth_gssapi mod_session
# cp -r /usr/share/ovirt-engine-extension-aaa-ldap/examples/simple-sso/. /etc/ovirt-engine
# mv /etc/ovirt-engine/aaa/ovirt-sso.conf /etc/httpd/conf.d
# vi /etc/httpd/conf.d/ovirt-sso.conf
<LocationMatch ^/ovirt-engine/sso/(interactive-login-negotiate|oauth/token-http-auth)|^/ovirt-engine/api>
  <If "req('Authorization') !~ /^(Bearer|Basic)/i">
    RewriteEngine on
    RewriteCond %{LA-U:REMOTE_USER} ^(.*)$
    RewriteRule ^(.*)$ - [L,NS,P,E=REMOTE_USER:%1]
    RequestHeader set X-Remote-User %{REMOTE_USER}s

    AuthType GSSAPI
    AuthName "Kerberos Login"

    # Modify to match installation
    GssapiCredStore keytab:/etc/httpd/http.keytab
    GssapiUseSessions On
    Session On
    SessionCookieName ovirt_gssapi_session path=/private;httponly;secure;

    Require valid-user
    ErrorDocument 401 "<html><meta http-equiv=\"refresh\" content=\"0; url=/ovirt-engine/sso/login-unauthorized\"/><body><a href=\"/ovirt-engine/sso/login-unauthorized\">Here</a></body></html>"
  </If>
</LocationMatch>
# mv /etc/ovirt-engine/aaa/profile1.properties /etc/ovirt-engine/aaa/example.properties
# mv /etc/ovirt-engine/extensions.d/profile1-http-authn.properties /etc/ovirt-engine/extensions.d/example-http-authn.properties
# mv /etc/ovirt-engine/extensions.d/profile1-http-mapping.properties /etc/ovirt-engine/extensions.d/example-http-mapping.properties
# mv /etc/ovirt-engine/extensions.d/profile1-authz.properties /etc/ovirt-engine/extensions.d/example-authz.properties
#  vi /etc/ovirt-engine/aaa/example.properties
# Select one
include = <openldap.properties>
#include = <389ds.properties>
#include = <rhds.properties>
#include = <ipa.properties>
#include = <iplanet.properties>
#include = <rfc2307-389ds.properties>
#include = <rfc2307-rhds.properties>
#include = <rfc2307-openldap.properties>
#include = <rfc2307-edir.properties>
#include = <rfc2307-generic.properties>

# Server
#
vars.server = ldap1.company.com

# Search user and its password.
#
vars.user = uid=search,cn=users,cn=accounts,dc=company,dc=com
vars.password = 123456

pool.default.serverset.single.server = ${global:vars.server}
pool.default.auth.simple.bindDN = ${global:vars.user}
pool.default.auth.simple.password = ${global:vars.password}

# Create keystore, import certificate chain and uncomment
# if using ssl/tls.
pool.default.ssl.startTLS = true
pool.default.ssl.truststore.file = /full/path/to/myrootca.jks
pool.default.ssl.truststore.password = password
# vi /etc/ovirt-engine/extensions.d/example-http-authn.properties
ovirt.engine.extension.name = example-http-authn
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.misc
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.misc.http.AuthnExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn
ovirt.engine.aaa.authn.profile.name = example-http
ovirt.engine.aaa.authn.authz.plugin = example-authz
ovirt.engine.aaa.authn.mapping.plugin = example-http-mapping
config.artifact.name = HEADER
config.artifact.arg = X-Remote-User
#  vi /etc/ovirt-engine/extensions.d/example-authz.properties
ovirt.engine.extension.name = example-authz
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthzExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz
config.profile.file.1 = ../aaa/example.properties
# vi /etc/ovirt-engine/extensions.d/example-http-mapping.properties
ovirt.engine.extension.name = example-http-mapping
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.misc
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.misc.mapping.MappingExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Mapping
config.mapAuthRecord.type = regex
config.mapAuthRecord.regex.mustMatch = true
config.mapAuthRecord.regex.pattern = ^(?<user>.*?)((\\\\(?<at>@)(?<suffix>.*?)@.*)|(?<realm>@.*))$
config.mapAuthRecord.regex.replacement = ${user}${at}${suffix}
# chown ovirt:ovirt /etc/ovirt-engine/aaa/example.properties
# chown ovirt:ovirt /etc/ovirt-engine/extensions.d/example-http-authn.properties
# chown ovirt:ovirt /etc/ovirt-engine/extensions.d/example-http-mapping.properties
# chown ovirt:ovirt /etc/ovirt-engine/extensions.d/example-authz.properties
# chmod 600 /etc/ovirt-engine/aaa/example.properties
# chmod 640 /etc/ovirt-engine/extensions.d/example-http-authn.properties
# chmod 640 /etc/ovirt-engine/extensions.d/example-http-mapping.properties
# chmod 640 /etc/ovirt-engine/extensions.d/example-authz.properties
# systemctl restart httpd.service
# systemctl restart ovirt-engine.service
# ovirt-aaa-jdbc-tool user add test1 --attribute=firstName=John --attribute=lastName=Doe 
adding user test1...
user added successfully
# ovirt-aaa-jdbc-tool user password-reset test1 --password-valid-to="2025-08-01 12:00:00-0800"
Password:
Reenter password:
updating user test1...
user updated successfully

# engine-config --set UserSessionTimeOutInterval=integer
# /usr/share/ovirt-engine/bin/ovirt-engine-crypto-tool.sh pbe-encode
# /usr/share/ovirt-engine/bin/ovirt-engine-crypto-tool.sh pbe-encode --password=file:file
# ovirt-aaa-jdbc-tool user password-reset test1 --password-valid-to="2025-08-01 12:00:00-0800" --encrypted

Password:
Reenter password:
updating user test1...
user updated successfully
# ovirt-aaa-jdbc-tool user show test1
# ovirt-aaa-jdbc-tool user edit test1 --attribute=email=jdoe@example.com
# ovirt-aaa-jdbc-tool user delete test1
# ovirt-aaa-jdbc-tool user edit admin --flag=+disabled
# ovirt-aaa-jdbc-tool group add group1
# ovirt-aaa-jdbc-tool group-manage useradd group1 --user=test1
# ovirt-aaa-jdbc-tool group show group1
# ovirt-aaa-jdbc-tool group add group1
# ovirt-aaa-jdbc-tool group add group1-1
# ovirt-aaa-jdbc-tool group-manage groupadd group1 --group=group1-1
# ovirt-aaa-jdbc-tool query --what=user
# ovirt-aaa-jdbc-tool query --what=group
# ovirt-aaa-jdbc-tool query --what=user --pattern="name=j*"
# ovirt-aaa-jdbc-tool query --what=group --pattern="department=marketing"
# ovirt-aaa-jdbc-tool settings set --name=MAX_LOGIN_MINUTES --value=60
# ovirt-aaa-jdbc-tool settings set --name=MAX_FAILURES_SINCE_SUCCESS --value=3
cp /usr/share/ovirt-engine/services/ovirt-engine-notifier/ovirt-engine-notifier.conf /etc/ovirt-engine/notifier/notifier.conf.d/90-email-notify.conf

#---------------------#
# EMAIL Notifications #
#---------------------#

# The SMTP mail server address. Required.
MAIL_SERVER=myemailserver.example.com

# The SMTP port (usually 25 for plain SMTP, 465 for SMTP with SSL, 587 for SMTP with TLS)
MAIL_PORT=25

# Required if SSL or TLS enabled to authenticate the user. Used also to specify 'from' user address if mail server
# supports, when MAIL_FROM is not set. Address is in RFC822 format
MAIL_USER=

# Required to authenticate the user if mail server requires authentication or if SSL or TLS is enabled
SENSITIVE_KEYS="${SENSITIVE_KEYS},MAIL_PASSWORD"
MAIL_PASSWORD=

# Indicates type of encryption (none, ssl or tls) should be used to communicate with mail server.
MAIL_SMTP_ENCRYPTION=none

# If set to true, sends a message in HTML format.
HTML_MESSAGE_FORMAT=false

# Specifies 'from' address on sent mail in RFC822 format, if supported by mail server.
MAIL_FROM=rhevm2017@example.com

# Specifies 'reply-to' address on sent mail in RFC822 format.
MAIL_REPLY_TO=

# Interval to send smtp messages per # of IDLE_INTERVAL
MAIL_SEND_INTERVAL=1

# Amount of times to attempt sending an email before failing.
MAIL_RETRIES=4

# systemctl daemon-reload
# systemctl enable ovirt-engine-notifier.service
# systemctl restart ovirt-engine-notifier.service
# vi /etc/ovirt-engine/notifier/notifier.conf.d/20-snmp.conf
SNMP_MANAGERS="manager1.example.com manager2.example.com:162"
SNMP_COMMUNITY=public
SNMP_OID=1.3.6.1.4.1.2312.13.1.1

FILTER="include:*(snmp:) ${FILTER}"
FILTER="include:*:ERROR(snmp:) ${FILTER}"
FILTER="include:*:ALERT(snmp:) ${FILTER}"
FILTER="include:VDC_START(snmp:mail@example.com) ${FILTER}"
FILTER="exclude:VDC_START include:*(snmp:) ${FILTER}"
FILTER="exclude:*"
# systemctl start ovirt-engine-notifier.service
# systemctl enable ovirt-engine-notifier.service
# /usr/share/ovirt-engine/setup/bin/ovirt-engine-rename
# /usr/share/ovirt-engine/setup/bin/ovirt-engine-rename
During execution engine service will be stopped (OK, Cancel) [OK]:
New fully qualified server name:[new name]
# names="websocket-proxy imageio-proxy"

# subject="$(\
    openssl x509 \
    -in /etc/pki/ovirt-engine/certs/apache.cer \
    -noout \
    -subject | \
        sed \
            's;subject= \(.*\);\1;'
  )"
# . /usr/share/ovirt-engine/bin/engine-prolog.sh
# for name in $names; do
    /usr/share/ovirt-engine/bin/pki-enroll-pkcs12.sh \
        --name="${name}" \
        --password=mypass \
        --subject="${subject}" \
        --keep-key \
        --san=DNS:"${ENGINE_FQDN}"
  done
# engine-config --help
# engine-config --list
# engine-config --all
# engine-config --get [KEY_NAME]
# engine-config --set [KEY_NAME]=[KEY_VALUE] --cver=[VERSION]
# systemctl restart ovirt-engine.service
# systemctl restart ovirt-engine.service
ovirt-log-collector [options] list [all, clusters, datacenters]
ovirt-log-collector [options] collect
# ovirt-log-collector
INFO: Gathering oVirt Engine information...
INFO: Gathering PostgreSQL the oVirt Engine database and log files from localhost...
Please provide REST API password for the admin@internal oVirt Engine user (CTRL+D to abort):
About to collect information from 3 hypervisors. Continue? (Y/n):
INFO: Gathering information from selected hypervisors...
INFO: collecting information from 192.168.122.250
INFO: collecting information from 192.168.122.251
INFO: collecting information from 192.168.122.252
INFO: finished collecting information from 192.168.122.250
INFO: finished collecting information from 192.168.122.251
INFO: finished collecting information from 192.168.122.252
Creating compressed archive...
INFO Log files have been collected and placed in /tmp/logcollector/sosreport-rhn-account-20110804121320-ce2a.tar.xz.
The MD5 for this file is 6d741b78925998caff29020df2b2ce2a and its size is 26.7M
engine-iso-uploader [options] list
engine-iso-uploader [options] upload [file].[file]...[file]
# engine-iso-uploader --nfs-server=storage.demo.redhat.com:/iso/path upload RHEL6.0.iso
# engine-iso-uploader list
Please provide the REST API password for the admin@internal oVirt Engine user (CTRL+D to abort):
ISO Storage Domain Name   | Datacenter          | ISO Domain Status
ISODomain                 | Default             | active
# engine-iso-uploader --iso-domain=[ISODomain] upload [RHEL6.iso]
Please provide the REST API password for the admin@internal oVirt Engine user (CTRL+D to abort):
# engine-iso-uploader --iso-domain=[ISODomain] upload /usr/share/virtio-win/virtio-win.iso /usr/share/virtio-win/virtio-win_x86.vfd /usr/share/virtio-win/virtio-win_amd64.vfd /usr/share/rhev-guest-tools-iso/rhev-tools-setup.iso
$ engine-setup
...
[ INFO  ] Stage: Environment customization
...
Perform full vacuum on the engine database engine@localhost?
This operation may take a while depending on this setup health and the
configuration of the db vacuum process.
See https://www.postgresql.org/docs/9.2/static/sql-vacuum.html
(Yes, No) [No]:

engine-vacuum
engine-vacuum [option]
engine-vacuum -f -v -t vm_dynamic -t vds_dynamic
$ killall - u $USER spice-vdagent 
$ spice-vdagent -x -d [-d] [ ∣& tee spice-vdagent.log ]

#  remote-viewer --spice-debug

# remote-viewer --spice-debug /path/to/console.vv

remote-viewer --spice-debug path\to\console.vv

# semanage port -a -t syslogd_port_t -p udp 514
$template TmplAuth, "/var/log/%fromhost%/secure" 
$template TmplMsg, "/var/log/%fromhost%/messages" 

$RuleSet remote
authpriv.*   ?TmplAuth
*.info,mail.none;authpriv.none,cron.none   ?TmplMsg
$RuleSet RSYSLOG_DefaultRuleset
$InputUDPServerBindRuleset remote

#$ModLoad imudp
#$UDPServerRun 514
# systemctl restart rsyslog.service
# yum install squid
http_access deny CONNECT !SSL_ports
http_access deny CONNECT !Safe_ports
# systemctl start squid.service
# iptables -A INPUT -p tcp --dport 3128 -j ACCEPT
# service iptables save
# engine-config -s SpiceProxyDefault=someProxy
# systemctl restart ovirt-engine.service
protocol://[host]:[port]
$ ssh root@[IP of Manager]
# engine-config -s SpiceProxyDefault=""
# systemctl restart ovirt-engine.service
# openssl x509 -in /etc/pki/ovirt-engine/ca.pem -noout -subject

subject= /C=US/O=Example Inc./CN=engine.example.com.81108

/C=US/O=Example Inc./CN=proxy.example.com
# openssl req -newkey rsa:2048 -subj '/C=US/O=Example Inc./CN=proxy.example.com' -nodes -keyout proxy.key -out proxy.req

# scp proxy.req engine.example.com:/etc/pki/ovirt-engine/requests/.

# /usr/share/ovirt-engine/bin/pki-enroll-request.sh --name=proxy --days=3650 --subject='/C=US/O=Example Inc./CN=proxy.example.com'

# scp engine.example.com:/etc/pki/ovirt-engine/certs/proxy.cer .

# ls -l proxy.key proxy.cer

# yum install squid

# cp proxy.key proxy.cer /etc/squid/.

# chgrp squid /etc/squid/proxy.*
# chmod 640 /etc/squid/proxy.*

# scp engine.example.com:/etc/pki/ovirt-engine/ca.pem /etc/squid/.

# chgrp squid /etc/squid/ca.pem
# chmod 640 /etc/squid/ca.pem

# yum install policycoreutils-python
# semanage port -m -p tcp -t http_cache_port_t 443

https_port 443 key=/etc/squid/proxy.key cert=/etc/squid/proxy.cer ssl-bump defaultsite=engine.example.com
cache_peer engine.example.com parent 443 0 no-query originserver ssl sslcafile=/etc/squid/ca.pem name=engine
cache_peer_access engine allow all
ssl_bump allow all
http_access allow all

# systemctl restart squid.service

https://proxy.example.com/UserPortal/org.ovirt.engine.ui.userportal.UserPortal/UserPortal.html
# engine-cleanup

Do you want to remove all components? (Yes, No) [Yes]: No

Do you want to remove the engine? (Yes, No) [Yes]: No

Do you want to remove the WebSocket proxy? (Yes, No) [No]: Yes

# engine-config -g UserDefinedVMProperties
# engine-config -g UserDefinedVMProperties
UserDefinedVMProperties:  version: 3.6
UserDefinedVMProperties:  version: 4.0
UserDefinedVMProperties : memory=^[0-9]+$ version: 4.0
# engine-config -s UserDefinedVMProperties='memory=^[0-9]+$;smartcard=^(true|false)$' --cver=4.0
# engine-config -g UserDefinedVMProperties
UserDefinedVMProperties:  version: 3.6
UserDefinedVMProperties:  version: 4.0
UserDefinedVMProperties : memory=^[0-9]+$;smartcard=^(true|false)$ version: 4.0
# systemctl restart ovirt-engine.service
# engine-config -g CustomDeviceProperties
# engine-config -g CustomDeviceProperties
CustomDeviceProperties:  version: 3.6
CustomDeviceProperties:  version: 4.0
# engine-config -s CustomDeviceProperties="{type=interface;prop={speed=^([0-9]{1,5})$;duplex=^(full|half)$}}" --cver=4.0
# engine-config -g CustomDeviceProperties
UserDefinedVMProperties:  version: 3.6
UserDefinedVMProperties:  version: 4.0
UserDefinedVMProperties : {type=interface;prop={speed=^([0-9]{1,5})$;duplex=^(full|half)$}} version: 4.0
# systemctl restart ovirt-engine.service
#!/usr/bin/python

import os
import sys

if os.environ.has_key('key1'):
	sys.stderr.write('key1 value was : %s\n' % os.environ['key1'])
else:
    sys.exit(0)

vdsm ALL=(ALL) NOPASSWD: /bin/chown
retcode = subprocess.call( ["/usr/bin/sudo", "/bin/chown", "root", "/my_file"] )
numaset=^(interleave|strict|preferred):[\^]?\d+(-\d+)?(,[\^]?\d+(-\d+)?)*$
#!/usr/bin/python

import os
import sys
import hooking
import traceback

'''
numa hook
=========
add numa support for domain xml:

<numatune>
    <memory mode="strict" nodeset="1-4,^3" />
</numatune>

memory=interleave|strict|preferred

numaset="1" (use one NUMA node)
numaset="1-4" (use 1-4 NUMA nodes)
numaset="^3" (don't use NUMA node 3)
numaset="1-4,^3,6" (or combinations)

syntax:
    numa=strict:1-4
'''

if os.environ.has_key('numa'):
    try:
        mode, nodeset = os.environ['numa'].split(':')

        domxml = hooking.read_domxml()

        domain = domxml.getElementsByTagName('domain')[0]
        numas = domxml.getElementsByTagName('numatune')

        if not len(numas) > 0:
            numatune = domxml.createElement('numatune')
            domain.appendChild(numatune)

            memory = domxml.createElement('memory')
            memory.setAttribute('mode', mode)
            memory.setAttribute('nodeset', nodeset)
            numatune.appendChild(memory)

            hooking.write_domxml(domxml)
        else:
            sys.stderr.write('numa: numa already exists in domain xml')
            sys.exit(2)
    except:
        sys.stderr.write('numa: [unexpected error]: %s\n' % traceback.format_exc())
        sys.exit(2)

# engine-config -s UserDefinedNetworkCustomProperties=ethtool_opts=.* --cver=4.0

# systemctl restart ovirt-engine.service
# yum install vdsm-hook-ethtool-options
# engine-config -g UserDefinedNetworkCustomProperties
# engine-config -s UserDefinedNetworkCustomProperties='fcoe=^((enable|dcb|auto_vlan)=(yes|no),?)*$'

# systemctl restart ovirt-engine.service
# yum install vdsm-hook-fcoe
# engine-config -g UserDefinedNetworkCustomProperties
# engine-config -s # engine-config -s UserDefinedNetworkCustomProperties='default_route=^(true|false)$'
# engine-config -g UserDefinedNetworkCustomProperties

# systemctl restart ovirt-engine
// Access plug-in API using 'parent' due to this code being evaluated within the context of an iframe element.
// As 'parent.pluginApi' is subject to Same-Origin Policy, this will only work when WebAdmin HTML page and plug-in
// host page are served from same origin. WebAdmin HTML page and plug-in host page will always be on same origin
// when using UI plug-in infrastructure support to serve plug-in resource files.
var api = parent.pluginApi('MyPlugin');

// Runtime configuration object associated with the plug-in (or an empty object).
var config = api.configObject();

// Register event handler function(s) for later invocation by UI plug-in infrastructure.
api.register({
	    // UiInit event handler function.
		UiInit: function() {
				// Handle UiInit event.
					window.alert('Favorite music band is ' + config.band);
					    }
});

// Notify UI plug-in infrastructure to proceed with plug-in initialization.
api.ready();

{
    "name": "HelloWorld",
    "url": "/ovirt-engine/webadmin/plugin/HelloWorld/start.html",
    "resourcePath": "hello-files"
}

<!DOCTYPE html><html><head>
<script>
    var api = parent.pluginApi('HelloWorld');
    api.register({
	UiInit: function() { window.alert('Hello world'); }
    });
    api.ready();
</script>
</head><body></body></html>

# cp -p /etc/pki/ovirt-engine/keys/apache.p12 /etc/pki/ovirt-engine/keys/apache.p12.bck
# cp /tmp/apache.p12 /etc/pki/ovirt-engine/keys/apache.p12
# openssl pkcs12 -in /etc/pki/ovirt-engine/keys/apache.p12 -nocerts -nodes > /tmp/apache.key
# openssl pkcs12 -in /etc/pki/ovirt-engine/keys/apache.p12 -nokeys > /tmp/apache.cer

# cp /tmp/3rd-party-ca-cert.pem /etc/pki/ca-trust/source/anchors
# update-ca-trust
# rm /etc/pki/ovirt-engine/apache-ca.pem
# cp /tmp/3rd-party-ca-cert.pem /etc/pki/ovirt-engine/apache-ca.pem
# cp /etc/pki/ovirt-engine/keys/apache.key.nopass /etc/pki/ovirt-engine/keys/apache.key.nopass.bck
# cp /etc/pki/ovirt-engine/certs/apache.cer /etc/pki/ovirt-engine/certs/apache.cer.bck
# cp /tmp/apache.key /etc/pki/ovirt-engine/keys/apache.key.nopass
# cp /tmp/apache.cer /etc/pki/ovirt-engine/certs/apache.cer
# systemctl restart httpd.service
# vi /etc/ovirt-engine/engine.conf.d/99-custom-truststore.conf
ENGINE_HTTPS_PKI_TRUST_STORE="/etc/pki/java/cacerts"
ENGINE_HTTPS_PKI_TRUST_STORE_PASSWORD=""
# vi /etc/ovirt-engine/ovirt-websocket-proxy.conf.d/10-setup.conf
SSL_CERTIFICATE=/etc/pki/ovirt-engine/apache-ca.pem
SSL_KEY=/etc/pki/ovirt-engine/keys/apache.key.nopass

# systemctl restart ovirt-engine.service
# vi /etc/ovirt-engine/logcollector.conf.d/99-custom-ca-cert.conf
[LogCollector]
cert-file=/etc/pki/ovirt-engine/apache-ca.pem
$ keytool -importcert -noprompt -trustcacerts -alias myrootca -file /tmp/myrootca.pem -keystore /etc/ovirt-engine/aaa/myrootca.jks -storepass password
# Create keystore, import certificate chain and uncomment
pool.default.ssl.startTLS = true
pool.default.ssl.truststore.file = ${local:_basedir}/myrootca.jks
pool.default.ssl.truststore.password = password
# Create keystore, import certificate chain and uncomment
pool.default.serverset.single.port = 636
pool.default.ssl.enable = true
pool.default.ssl.truststore.file = ${local:_basedir}/myrootca.jks
pool.default.ssl.truststore.password = password

Role	Privileges	Notes
UserRole	Can access and use virtual machines and pools.	Can log in to the User Portal, use assigned virtual machines and pools, view virtual machine state and details.
PowerUserRole	Can create and manage virtual machines and templates.	Apply this role to a user for the whole environment with the Configure window, or for specific data centers or clusters. For example, if a PowerUserRole is applied on a data center level, the PowerUser can create virtual machines and templates in the data center.
UserVmManager	System administrator of a virtual machine.	Can manage virtual machines and create and use snapshots. A user who creates a virtual machine in the User Portal is automatically assigned the UserVmManager role on the machine.

Role	Privileges	Notes
UserTemplateBasedVm	Limited privileges to only use Templates.	Can use templates to create virtual machines.
DiskOperator	Virtual disk user.	Can use, view and edit virtual disks. Inherits permissions to use the virtual machine to which the virtual disk is attached.
VmCreator	Can create virtual machines in the User Portal.	This role is not applied to a specific virtual machine; apply this role to a user for the whole environment with the Configure window. Alternatively apply this role for specific data centers or clusters. When applying this role to a cluster, you must also apply the DiskCreator role on an entire data center, or on specific storage domains.
TemplateCreator	Can create, edit, manage and remove virtual machine templates within assigned resources.	This role is not applied to a specific template; apply this role to a user for the whole environment with the Configure window. Alternatively apply this role for specific data centers, clusters, or storage domains.
DiskCreator	Can create, edit, manage and remove virtual disks within assigned clusters or data centers.	This role is not applied to a specific virtual disk; apply this role to a user for the whole environment with the Configure window. Alternatively apply this role for specific data centers or storage domains.
TemplateOwner	Can edit and delete the template, assign and manage user permissions for the template.	This role is automatically assigned to the user who creates a template. Other users who do not have TemplateOwner permissions on a template cannot view or use the template.
VnicProfileUser	Logical network and network interface user for virtual machine and template.	Can attach or detach network interfaces from specific logical networks.

Role	Privileges	Notes
SuperUser	System Administrator of the Red Hat Virtualization environment.	Has full permissions across all objects and levels, can manage all objects across all data centers.
ClusterAdmin	Cluster Administrator.	Possesses administrative permissions for all objects underneath a specific cluster.
DataCenterAdmin	Data Center Administrator.	Possesses administrative permissions for all objects underneath a specific data center except for storage.

Role	Privileges	Notes
TemplateAdmin	Administrator of a virtual machine template.	Can create, delete, and configure the storage domains and network details of templates, and move templates between domains.
StorageAdmin	Storage Administrator.	Can create, delete, configure, and manage an assigned storage domain.
HostAdmin	Host Administrator.	Can attach, remove, configure, and manage a specific host.
NetworkAdmin	Network Administrator.	Can configure and manage the network of a particular data center or cluster. A network administrator of a data center or cluster inherits network permissions for virtual pools within the cluster.
VmPoolAdmin	System Administrator of a virtual pool.	Can create, delete, and configure a virtual pool; assign and remove virtual pool users; and perform basic operations on a virtual machine in the pool.
GlusterAdmin	Gluster Storage Administrator.	Can create, delete, configure, and manage Gluster storage volumes.
VmImporterExporter	Import and export Administrator of a virtual machine.	Can import and export virtual machines. Able to view all virtual machines and templates exported by other users.

Field Name	Description
Name	The name of the scheduling policy. This is the name used to refer to the scheduling policy in the Red Hat Virtualization Manager.
Description	A description of the scheduling policy. This field is recommended but not mandatory.
Filter Modules	A set of filters for controlling the hosts on which a virtual machine in a cluster can run. Enabling a filter will filter out hosts that do not meet the conditions specified by that filter, as outlined below: `CpuPinning`: Hosts which do not satisfy the CPU pinning definition. `Migration`: Prevent migration to the same host. `PinToHost`: Hosts other than the host to which the virtual machine is pinned. `CPU-Level`: Hosts that do not meet the CPU topology of the virtual machine. `CPU`: Hosts with fewer CPUs than the number assigned to the virtual machine. `Memory`: Hosts that do not have sufficient memory to run the virtual machine. `VmAffinityGroups`: Hosts that do not meet the conditions specified for a virtual machine that is a member of an affinity group. For example, that virtual machines in an affinity group must run on the same host or on separate hosts. `VmToHostsAffinityGroups`: Group of hosts that do not meet the conditions specified for a virtual machine that is a member of an affinity group. For example, that virtual machines in an affinity group must run on one of the hosts in a group or on a separate host that is excluded from the group. `InClusterUpgrade`: Hosts which run an earlier operating system than the virtual machine currently runs on. `HostDevice`: Hosts that do not support host devices required by the virtual machine. `HA`: Forces the Manager virtual machine in a self-hosted engine environment to run only on hosts with a positive high availability score. `Emulated-Machine`: Hosts which do not have proper emulated machine support. `Network`: Hosts on which networks required by the network interface controller of a virtual machine are not installed, or on which the cluster's display network is not installed. `HostedEnginesSpares`: Reserves space for the Manager virtual machine on a specified number of self-hosted engine nodes. `Label`: Hosts that do not have the required labels. `Compatibility-Version`: Runs virtual machines only on hosts with the correct compatibility version support. `CPUOverloaded`: Hosts that are CPU overloaded.
Weights Modules	A set of weightings for controlling the relative priority of factors considered when determining the hosts in a cluster on which a virtual machine can run. `InClusterUpgrade`: Weight hosts in accordance with their operating system version. The weight penalizes hosts with earlier operating systems more than hosts with the same operating system, giving priority to hosts with later operating systems. `OptimalForHaReservation`: Weights hosts in accordance with their high availability score. `None`: Weights hosts in accordance with the even distribution module. `OptimalForEvenGuestDistribution`: Weights hosts in accordance with the number of virtual machines running on those hosts. `VmAffinityGroups`: Weights hosts in accordance with the affinity groups defined for virtual machines. This weight module determines how likely virtual machines in an affinity group are to run on the same host or on separate hosts in accordance with the parameters of that affinity group. `VmToHostsAffinityGroups`: Weights hosts in accordance with the affinity groups defined for virtual machines. This weight module determines how likely virtual machines in an affinity group are to run on one of the hosts in a group or on a separate host that is excluded from the group. `OptimalForCPUPowerSaving`: Weights hosts in accordance with their CPU usage, giving priority to hosts with higher CPU usage. `OptimalForEvenCpuDistribution`: Weights hosts in accordance with their CPU usage, giving priority to hosts with lower CPU usage. `HA`: Weights hosts in accordance with their high availability score. `PreferredHosts`: Preferred hosts are prioritized during virtual machine setup. `OptimalForMemoryPowerSaving`: Weights hosts in accordance with their memory usage, giving priority to hosts with lower available memory. `OptimalForMemoryEvenDistribution`: Weights hosts in accordance with their memory usage, giving priority to hosts with higher available memory.
Load Balancer	This drop-down menu allows you to select a load balancing module to apply. Load balancing modules determine the logic used to migrate virtual machines from hosts experiencing high usage to hosts experiencing lower usage.
Properties	This drop-down menu allows you to add or remove properties for load balancing modules, and is only available when you have selected a load balancing module for the scheduling policy. No properties are defined by default, and the properties that are available are specific to the load balancing module that is selected. Use the + and - buttons to add or remove additional properties to or from the load balancing module.

Icon	Status
	None of that resource added to Red Hat Virtualization.
	Shows the number of a resource with a warning status. Clicking on the icon navigates to the appropriate tab with the search limited to that resource with a warning status. The search is limited differently for each resource: Data Centers: The search is limited to data centers that are not operational or non-responsive. Hosts: The search is limited to hosts that are unassigned, in maintenance mode, installing, rebooting, preparing for maintenance, pending approval, or connecting. Storage Domains: The search is limited to storage domains that are uninitialized, unattached, inactive, in maintenance mode, preparing for maintenance, detaching, or activating. Gluster Volumes: The search is limited to gluster volumes that are powering up, paused, migrating, waiting, suspended, or powering down. Virtual Machines: The search is limited to virtual machines that are powering up, paused, migrating, waiting, suspended, or powering down. Events: The search is limited to events with the severity of warning.
	Shows the number of a resource with an up status. Clicking on the icon navigates to the appropriate tab with the search limited to resources that are up.
	Shows the number of a resource with a down status. Clicking on the icon navigates to the appropriate tab with the search limited to resources with a down status. The search is limited differently for each resource: Data Centers: The search is limited to data centers that are uninitialized, in maintenance mode, or with a down status. Hosts: The search is limited to hosts that are non-responsive, have an error, have an installation error, non-operational, initializing, or down. Storage Domains: The search is limited to storage domains that are detached or inactive. Gluster Volumes: The search is limited to Gluster volumes that are detached or inactive. Virtual Machines: The search is limited to virtual machines that are down, not responding, or rebooting.
	Shows the number of events with an alert status. Clicking on the icon navigates to the Events tab with the search limited to events with the severity of alert.
	Shows the number of events with an error status. Clicking on the icon navigates to the Events tab with the search limited to events with the severity of error.

Field Name	Description
Data Center	The data center to which the virtual machine network QoS policy is to be added. This field is configured automatically according to the selected data center.
Name	A name to represent the virtual machine network QoS policy within the Manager.
Inbound	The settings to be applied to inbound traffic. Select or clear the Inbound check box to enable or disable these settings. Average: The average speed of inbound traffic. Peak: The speed of inbound traffic during peak times. Burst: The speed of inbound traffic during bursts.
Outbound	The settings to be applied to outbound traffic. Select or clear the Outbound check box to enable or disable these settings. Average: The average speed of outbound traffic. Peak: The speed of outbound traffic during peak times. Burst: The speed of outbound traffic during bursts.

Field Name	Description
Data Center	The data center to which the host network QoS policy is to be added. This field is configured automatically according to the selected data center.
QoS Name	A name to represent the host network QoS policy within the Manager.
Description	A description of the host network QoS policy.
Outbound	The settings to be applied to outbound traffic. Weighted Share: Signifies how much of the logical link's capacity a specific network should be allocated, relative to the other networks attached to the same logical link. The exact share depends on the sum of shares of all networks on that link. By default this is a number in the range 1-100. Rate Limit [Mbps]: The maximum bandwidth to be used by a network. Committed Rate [Mbps]: The minimum bandwidth required by a network. The Committed Rate requested is not guaranteed and will vary depending on the network infrastructure and the Committed Rate requested by other networks on the same logical link.

Field	Description/Action
Name	The name of the data center. This text field has a 40-character limit and must be a unique name with any combination of uppercase and lowercase letters, numbers, hyphens, and underscores.
Description	The description of the data center. This field is recommended but not mandatory.
Type	The storage type. Choose one of the following: Shared Local Different types of storage domains (iSCSI, NFS, FC, POSIX, and Gluster) can be added to the same data center. Local and shared domains, however, cannot be mixed. You can change the storage type after the data center is initialized. See Section 4.5.6, “Changing the Data Center Storage Type”.
Compatibility Version	The version of Red Hat Virtualization. Choose one of the following: 3.6 4.0 4.1 After upgrading the Red Hat Virtualization Manager, the hosts, clusters and data centers may still be in the earlier version. Ensure that you have upgraded all the hosts, then the clusters, before you upgrade the Compatibility Level of the data center.
Quota Mode	Quota is a resource limitation tool provided with Red Hat Virtualization. Choose one of: Disabled: Select if you do not want to implement Quota Audit: Select if you want to edit the Quota settings Enforced: Select to implement Quota

Role	Privileges	Notes
DataCenterAdmin	Data Center Administrator	Can use, create, delete, manage all physical and virtual resources within a specific data center except for storage, including clusters, hosts, templates and virtual machines.
NetworkAdmin	Network Administrator	Can configure and manage the network of a particular data center. A network administrator of a data center inherits network permissions for virtual machines within the data center as well.

Field	Description/Action
Data Center	The data center that will contain the cluster. The data center must be created before adding a cluster.
Name	The name of the cluster. This text field has a 40-character limit and must be a unique name with any combination of uppercase and lowercase letters, numbers, hyphens, and underscores.
Description / Comment	The description of the cluster or additional notes. These fields are recommended but not mandatory.
Management Network	The logical network which will be assigned the management network role. The default is ovirtmgmt. On existing clusters, the management network can only be changed via the Manage Networks button in the Logical Networks tab in the details pane.
CPU Architecture	The CPU architecture of the cluster. Different CPU types are available depending on which CPU architecture is selected. undefined: All CPU types are available. x86_64: All Intel and AMD CPU types are available. ppc64: Only IBM POWER 8 is available.
CPU Type	The CPU type of the cluster. See CPU Requirements in the Planning and Prerequisites Guide for a list of supported CPU types. All hosts in a cluster must run either Intel, AMD, or IBM POWER 8 CPU type; this cannot be changed after creation without significant disruption. The CPU type should be set to the oldest CPU model in the cluster. Only features present in all models can be used. For both Intel and AMD CPU types, the listed CPU models are in logical order from the oldest to the newest.
Compatibility Version	The version of Red Hat Virtualization. Choose one of: 3.6 4.0 You will not be able to select a version earlier than the version specified for the data center.
Enable Virt Service	If this radio button is selected, hosts in this cluster will be used to run virtual machines.
Enable Gluster Service	If this radio button is selected, hosts in this cluster will be used as Red Hat Gluster Storage Server nodes, and not for running virtual machines.
Import existing gluster configuration	This check box is only available if the Enable Gluster Service radio button is selected. This option allows you to import an existing Gluster-enabled cluster and all its attached hosts to Red Hat Virtualization Manager. The following options are required for each host in the cluster that is being imported: Address: Enter the IP or fully qualified domain name of the Gluster host server. Fingerprint: Red Hat Virtualization Manager fetches the host's fingerprint, to ensure you are connecting with the correct host. Root Password: Enter the root password required for communicating with the host.
Enable to set VM maintenance reason	If this check box is selected, an optional reason field will appear when a virtual machine in the cluster is shut down from the Manager. This allows you to provide an explanation for the maintenance, which will appear in the logs and when the virtual machine is powered on again.
Enable to set Host maintenance reason	If this check box is selected, an optional reason field will appear when a host in the cluster is moved into maintenance mode from the Manager. This allows you to provide an explanation for the maintenance, which will appear in the logs and when the host is activated again.
Additional Random Number Generator source	If the check box is selected, all hosts in the cluster have the additional random number generator device available. This enables passthrough of entropy from the random number generator device to virtual machines.

Field	Description/Action
Memory Optimization	None - Disable memory overcommit: Disables memory page sharing. For Server Load - Allow scheduling of 150% of physical memory: Sets the memory page sharing threshold to 150% of the system memory on each host. For Desktop Load - Allow scheduling of 200% of physical memory: Sets the memory page sharing threshold to 200% of the system memory on each host.
CPU Threads	Selecting the Count Threads As Cores check box allows hosts to run virtual machines with a total number of processor cores greater than the number of cores in the host. The exposed host threads would be treated as cores which can be utilized by virtual machines. For example, a 24-core system with 2 threads per core (48 threads total) can run virtual machines with up to 48 cores each, and the algorithms to calculate host CPU load would compare load against twice as many potential utilized cores.
Memory Balloon	Selecting the Enable Memory Balloon Optimization check box enables memory overcommitment on virtual machines running on the hosts in this cluster. When this option is set, the Memory Overcommit Manager (MoM) will start ballooning where and when possible, with a limitation of the guaranteed memory size of every virtual machine. To have a balloon running, the virtual machine needs to have a balloon device with relevant drivers. Each virtual machine includes a balloon device unless specifically removed. Each host in this cluster receives a balloon policy update when its status changes to `Up`. If necessary, you can manually update the balloon policy on a host without having to change the status. See Section 5.2.5, “Updating the MoM Policy on Hosts in a Cluster”. It is important to understand that in some scenarios ballooning may collide with KSM. In such cases MoM will try to adjust the balloon size to minimize collisions. Additionally, in some scenarios ballooning may cause sub-optimal performance for a virtual machine. Administrators are advised to use ballooning optimization with caution.
KSM control	Selecting the Enable KSM check box enables MoM to run Kernel Same-page Merging (KSM) when necessary and when it can yield a memory saving benefit that outweighs its CPU cost.

Policy	Description
Legacy	Legacy behavior of 3.6 version. Overrides in `vdsm.conf` are still applied. The guest agent hook mechanism is disabled.
Minimal downtime	A policy that lets virtual machines migrate in typical situations. Virtual machines should not experience any significant downtime. The migration will be aborted if the virtual machine migration does not converge after a long time (dependent on QEMU iterations, with a maximum of 500 milliseconds). The guest agent hook mechanism is enabled.
Post-copy migration	This is a Technology Preview feature. Virtual machines should not experience any significant downtime similar to the minimal downtime policy. The migration will switch to post-copy if the virtual machine migration does not converge after a long time. The disadvantage of this policy is that in the post-copy phase, the virtual machine may slow down significantly as the missing parts of memory are transferred between the hosts. If anything goes wrong during the post-copy phase, such as a network failure between the hosts, then the running virtual machine instance will be lost. It is therefore not possible to abort a migration during the post-copy phase. The guest agent hook mechanism is enabled.
Suspend workload if needed	A policy that lets virtual machines migrate in most situations, including virtual machines running heavy workloads. Virtual machines may experience a more significant downtime. The migration may still be aborted for extreme workloads. The guest agent hook mechanism is enabled.

Policy	Description
Auto	Bandwidth is copied from the Rate Limit [Mbps] setting in the data center Host Network QoS. If the rate limit has not been defined, it is computed as a minimum of link speeds of sending and receiving network interfaces. If rate limit has not been set, and link speeds are not available, it is determined by local VDSM setting on sending host.
Hypervisor default	Bandwidth is controlled by local VDSM setting on sending Host.
Custom	Defined by user (in Mbps). This value is divided by the number of concurrent migrations (default is 2, to account for ingoing and outgoing migration). Therefore, the user-defined bandwidth must be large enough to accommodate all concurrent migrations. For example, if the `Custom` bandwidth is defined as 600 Mbps, a virtual machine migration's maximum bandwidth is actually 300 Mbps.

Field	Description/Action
Migrate Virtual Machines	Migrates all virtual machines in order of their defined priority.
Migrate only Highly Available Virtual Machines	Migrates only highly available virtual machines to prevent overloading other hosts.
Do Not Migrate Virtual Machines	Prevents virtual machines from being migrated.

Table 1.6. Predefined Instance Types
Name	Memory	vCPUs
Tiny	512 MB	1
Small	2 GB	1
Medium	4 GB	2
Large	8 GB	2
XLarge	16 GB	4

Table 6.7. Bonding Scenarios and Their Results
Bonding Scenario	Result
NIC + NIC	The Create New Bond window is displayed, and you can configure a new bond device. If the network interfaces carry incompatible logical networks, the bonding operation fails until you detach incompatible logical networks from the devices forming your new bond.
NIC + Bond	The NIC is added to the bond device. Logical networks carried by the NIC and the bond are all added to the resultant bond device if they are compatible. If the bond devices carry incompatible logical networks, the bonding operation fails until you detach incompatible logical networks from the devices forming your new bond.
Bond + Bond	If the bond devices are not attached to logical networks, or are attached to compatible logical networks, a new bond device is created. It contains all of the network interfaces, and carries all logical networks, of the component bond devices. The Create New Bond window is displayed, allowing you to configure your new bond. If the bond devices carry incompatible logical networks, the bonding operation fails until you detach incompatible logical networks from the devices forming your new bond.

Table 7.3. Edit fence agent Settings
Field Name	Description
Address	The address to access your host's power management device. Either a resolvable hostname or an IP address.
User Name	User account with which to access the power management device. You can set up a user on the device, or use the default user.
Password	Password for the user accessing the power management device.
Type	The type of power management device in your host. Choose one of the following: apc - APC MasterSwitch network power switch. Not for use with APC 5.x power switch devices. apc_snmp - Use with APC 5.x power switch devices. bladecenter - IBM Bladecenter Remote Supervisor Adapter. cisco_ucs - Cisco Unified Computing System. drac5 - Dell Remote Access Controller for Dell computers. drac7 - Dell Remote Access Controller for Dell computers. eps - ePowerSwitch 8M+ network power switch. hpblade - HP BladeSystem. ilo, ilo2, ilo3, ilo4 - HP Integrated Lights-Out. ilo_ssh - HP Integrated Lights-Out devices over SSH. ipmilan - Intelligent Platform Management Interface and Sun Integrated Lights Out Management devices. rsa - IBM Remote Supervisor Adapter. rsb - Fujitsu-Siemens RSB management interface. wti - WTI Network Power Switch. For more information about power management devices, see Power Management in the Technical Reference.
Port	The port number used by the power management device to communicate with the host.
Slot	The number used to identify the blade of the power management device.
Service Profile	The service profile name used to identify the blade of the power management device. This field appears instead of Slot when the device type is `cisco_ucs`.
Options	Power management device specific options. Enter these as 'key=value'. See the documentation of your host's power management device for the options available. For Red Hat Enterprise Linux 7 hosts, if you are using cisco_ucs as the power management device, you also need to append `ssl_insecure=1` to the Options field.
Secure	Select this check box to allow the power management device to connect securely to the host. This can be done via ssh, ssl, or other authentication protocols depending on the power management agent.

Property	Description
Auto Converge migrations	Allows you to set whether auto-convergence is used during live migration of virtual machines. Large virtual machines with high workloads can dirty memory more quickly than the transfer rate achieved during live migration, and prevent the migration from converging. Auto-convergence capabilities in QEMU allow you to force convergence of virtual machine migrations. QEMU automatically detects a lack of convergence and triggers a throttle-down of the vCPUs on the virtual machine. Auto-convergence is disabled globally by default. Select Inherit from global setting to use the auto-convergence setting that is set at the global level. This option is selected by default. Select Auto Converge to override the global setting and allow auto-convergence for the virtual machine. Select Don't Auto Converge to override the global setting and prevent auto-convergence for the virtual machine.
Enable migration compression	The option allows you to set whether migration compression is used during live migration of the virtual machine. This feature uses Xor Binary Zero Run-Length-Encoding to reduce virtual machine downtime and total live migration time for virtual machines running memory write-intensive workloads or for any application with a sparse memory update pattern. Migration compression is disabled globally by default. Select Inherit from global setting to use the compression setting that is set at the global level. This option is selected by default. Select Compress to override the global setting and allow compression for the virtual machine. Select Don't compress to override the global setting and prevent compression for the virtual machine.

Field	Description/Action
Select Policy	Select a policy from the drop-down list. none: Set the policy value to none to have no load or power sharing between hosts for already-running virtual machines. This is the default mode. When a virtual machine is started, the memory and CPU processing load is spread evenly across all hosts in the cluster. Additional virtual machines attached to a host will not start if that host has reached the defined CpuOverCommitDurationMinutes, HighUtilization, or MaxFreeMemoryForOverUtilized. evenly_distributed: Distributes the memory and CPU processing load evenly across all hosts in the cluster. Additional virtual machines attached to a host will not start if that host has reached the defined CpuOverCommitDurationMinutes, HighUtilization, or MaxFreeMemoryForOverUtilized. cluster_maintenance: Limits activity in a cluster during maintenance tasks. No new virtual machines may be started, except highly available virtual machines. If host failure occurs, highly available virtual machines will restart properly and any virtual machine can migrate. power_saving: Distributes the memory and CPU processing load across a subset of available hosts to reduce power consumption on underutilized hosts. Hosts with a CPU load below the low utilization value for longer than the defined time interval will migrate all virtual machines to other hosts so that it can be powered down. Additional virtual machines attached to a host will not start if that host has reached the defined high utilization value. vm_evenly_distributed: Distributes virtual machines evenly between hosts based on a count of the virtual machines. The cluster is considered unbalanced if any host is running more virtual machines than the HighVmCount and there is at least one host with a virtual machine count that falls outside of the MigrationThreshold.
Properties	The following properties appear depending on the selected policy, and can be edited if necessary: HighVmCount: Sets the minimum number of virtual machines that must be running per host to enable load balancing. The default value is 10 running virtual machines on one host. Load balancing is only enabled when there is at least one host in the cluster that has at least HighVmCount running virtual machines. MigrationThreshold: Defines a buffer before virtual machines are migrated from the host. It is the maximum inclusive difference in virtual machine count between the most highly-utilized host and the least-utilized host. The cluster is balanced when every host in the cluster has a virtual machine count that falls inside the migration threshold. The default value is 5. SpmVmGrace: Defines the number of slots for virtual machines to be reserved on SPM hosts. The SPM host will have a lower load than other hosts, so this variable defines how many fewer virtual machines than other hosts it can run. The default value is 5. CpuOverCommitDurationMinutes: Sets the time (in minutes) that a host can run a CPU load outside of the defined utilization values before the scheduling policy takes action. The defined time interval protects against temporary spikes in CPU load activating scheduling policies and instigating unnecessary virtual machine migration. Maximum two characters. The default value is 2. HighUtilization: Expressed as a percentage. If the host runs with CPU usage at or above the high utilization value for the defined time interval, the Red Hat Virtualization Manager migrates virtual machines to other hosts in the cluster until the host's CPU load is below the maximum service threshold. The default value is 80. LowUtilization: Expressed as a percentage. If the host runs with CPU usage below the low utilization value for the defined time interval, the Red Hat Virtualization Manager will migrate virtual machines to other hosts in the cluster. The Manager will power down the original host machine, and restart it again when load balancing requires or there are not enough free hosts in the cluster. The default value is 20. ScaleDown: Reduces the impact of the HA Reservation weight function, by dividing a host's score by the specified amount. This is an optional property that can be added to any policy, including none. HostsInReserve: Specifies a number of hosts to keep running even though there are no running virtual machines on them. This is an optional property that can be added to the power_saving policy. EnableAutomaticHostPowerManagement: Enables automatic power management for all hosts in the cluster. This is an optional property that can be added to the power_saving policy. The default value is true. MaxFreeMemoryForOverUtilized: Sets the minimum free memory required in MB for the minimum service level. If the host's available memory runs at, or below this value, the Red Hat Virtualization Manager migrates virtual machines to other hosts in the cluster while the host's available memory is below the minimum service threshold. Setting both MaxFreeMemoryForOverUtilized and MinFreeMemoryForUnderUtilized to 0 MB disables memory based balancing. If MaxFreeMemoryForOverUtilized is set, MinFreeMemoryForUnderUtilized must also be set to avoid unexpected behavior. This is an optional property that can be added to the power_saving and evenly_distributed policies. MinFreeMemoryForUnderUtilized: Sets the minimum free memory required in MB before the host is considered underutilized. If the host's available memory runs above this value, the Red Hat Virtualization Manager migrates virtual machines to other hosts in the cluster and will automatically power down the host machine, and restart it again when load balancing requires or there are not enough free hosts in the cluster. Setting both MaxFreeMemoryForOverUtilized and MinFreeMemoryForUnderUtilized to 0MB disables memory based balancing. If MinFreeMemoryForUnderUtilized is set, MaxFreeMemoryForOverUtilized must also be set to avoid unexpected behavior. This is an optional property that can be added to the power_saving and evenly_distributed policies. HeSparesCount: Sets the number of additional self-hosted engine nodes that must reserve enough free memory to start the Manager virtual machine if it migrates or shuts down. Other virtual machines are prevented from starting on a self-hosted engine node if doing so would not leave enough free memory for the Manager virtual machine. This is an optional property that can be added to the power_saving, vm_evenly_distributed, and evenly_distributed policies. The default value is 0.
Scheduler Optimization	Optimize scheduling for host weighing/ordering. Optimize for Utilization: Includes weight modules in scheduling to allow best selection. Optimize for Speed: Skips host weighting in cases where there are more than ten pending requests.
Enable Trusted Service	Enable integration with an OpenAttestation server. Before this can be enabled, use the `engine-config` tool to enter the OpenAttestation server's details. For more information, see Section 10.4, “Trusted Compute Pools”.
Enable HA Reservation	Enable the Manager to monitor cluster capacity for highly available virtual machines. The Manager ensures that appropriate capacity exists within a cluster for virtual machines designated as highly available to migrate in the event that their existing host fails unexpectedly.
Provide custom serial number policy	This check box allows you to specify a serial number policy for the virtual machines in the cluster. Select one of the following options: Host ID: Sets the host's UUID as the virtual machine's serial number. Vm ID: Sets the virtual machine's UUID as its serial number. Custom serial number: Allows you to specify a custom serial number.

Field	Description/Action
Define SPICE Proxy for Cluster	Select this check box to enable overriding the SPICE proxy defined in global configuration. This feature is useful in a case where the user (who is, for example, connecting via the User Portal) is outside of the network where the hypervisors reside.
Overridden SPICE proxy address	The proxy by which the SPICE client will connect to virtual machines. The address must be in the following format: protocol://[host]:[port]

Field	Description/Action
Enable fencing	Enables fencing on the cluster. Fencing is enabled by default, but can be disabled if required; for example, if temporary network issues are occurring or expected, administrators can disable fencing until diagnostics or maintenance activities are completed. Note that if fencing is disabled, highly available virtual machines running on non-responsive hosts will not be restarted elsewhere.
Skip fencing if host has live lease on storage	If this check box is selected, any hosts in the cluster that are Non Responsive and still connected to storage will not be fenced.
Skip fencing on cluster connectivity issues	If this check box is selected, fencing will be temporarily disabled if the percentage of hosts in the cluster that are experiencing connectivity issues is greater than or equal to the defined Threshold. The Threshold value is selected from the drop-down list; available values are 25, 50, 75, and 100.
Skip fencing if gluster bricks are up	This option is only available when Red Hat Gluster Storage functionality is enabled. If this check box is selected, fencing is skipped if bricks are running and can be reached from other peers. See Chapter 2. Configure High Availability using Fencing Policies and Appendix A. Fencing Policies for Red Hat Gluster Storage in Maintaining Red Hat Hyperconverged Infrastructure for more information.
Skip fencing if gluster quorum not met	This option is only available when Red Hat Gluster Storage functionality is enabled. If this check box is selected, fencing is skipped if bricks are running and shutting down the host will cause loss of quorum. See Chapter 2. Configure High Availability using Fencing Policies and Appendix A. Fencing Policies for Red Hat Gluster Storage in Maintaining Red Hat Hyperconverged Infrastructure for more information.

Field	Description
Use a common password	Tick this check box to use the same password for all hosts belonging to the cluster. Enter the password in the Password field, then click the Apply button to set the password on all hosts.
Name	Enter the name of the host.
Hostname/IP	This field is automatically populated with the fully qualified domain name or IP of the host you provided in the New Cluster window.
Root Password	Enter a password in this field to use a different root password for each host. This field overrides the common password provided for all hosts in the cluster.
Fingerprint	The host fingerprint is displayed to ensure you are connecting with the correct host. This field is automatically populated with the fingerprint of the host you provided in the New Cluster window.

Role	Privileges	Notes
ClusterAdmin	Cluster Administrator	Can use, create, delete, manage all physical and virtual resources in a specific cluster, including hosts, templates and virtual machines. Can configure network properties within the cluster such as designating display networks, or marking a network as required or non-required. However, a ClusterAdmin does not have permissions to attach or detach networks from a cluster, to do so NetworkAdmin permissions are required.
NetworkAdmin	Network Administrator	Can configure and manage the network of a particular cluster. A network administrator of a cluster inherits network permissions for virtual machines within the cluster as well.

Field Name	Description
Name	The name of the logical network. This text field must be a unique name with any combination of uppercase and lowercase letters, numbers, hyphens, and underscores. The logical network name is limited to 15 characters for Manager version 4.1.5 and earlier.
Description	The description of the logical network. This text field has a 40-character limit.
Comment	A field for adding plain text, human-readable comments regarding the logical network.
Create on external provider	Allows you to create the logical network to an OpenStack Networking instance that has been added to the Manager as an external provider. External Provider - Allows you to select the external provider on which the logical network will be created.
Enable VLAN tagging	VLAN tagging is a security feature that gives all network traffic carried on the logical network a special characteristic. VLAN-tagged traffic cannot be read by interfaces that do not also have that characteristic. Use of VLANs on logical networks also allows a single network interface to be associated with multiple, differently VLAN-tagged logical networks. Enter a numeric value in the text entry field if VLAN tagging is enabled.
VM Network	Select this option if only virtual machines use this network. If the network is used for traffic that does not involve virtual machines, such as storage communications, do not select this check box.
MTU	Choose either Default, which sets the maximum transmission unit (MTU) to the value given in the parenthesis (), or Custom to set a custom MTU for the logical network. You can use this to match the MTU supported by your new logical network to the MTU supported by the hardware it interfaces with. Enter a numeric value in the text entry field if Custom is selected.
Network Label	Allows you to specify a new label for the network or select from existing labels already attached to host network interfaces. If you select an existing label, the logical network will be automatically assigned to all host network interfaces with that label.

Field	Description/Action
Assign	Assigns the logical network to all hosts in the cluster.
Required	A Network marked "required" must remain operational in order for the hosts associated with it to function properly. If a required network ceases to function, any hosts associated with it become non-operational.
VM Network	A logical network marked "VM Network" carries network traffic relevant to the virtual machine network.
Display Network	A logical network marked "Display Network" carries network traffic relevant to SPICE and to the virtual network controller.
Migration Network	A logical network marked "Migration Network" carries virtual machine and storage migration traffic.

Field Name	Description
Network	A drop-down list of the available networks to apply the vNIC profile to.
Name	The name of the vNIC profile. This must be a unique name with any combination of uppercase and lowercase letters, numbers, hyphens, and underscores between 1 and 50 characters.
Description	The description of the vNIC profile. This field is recommended but not mandatory.
QoS	A drop-down list of the available Network Quality of Service policies to apply to the vNIC profile. QoS policies regulate inbound and outbound network traffic of the vNIC.
Network Filter	A drop-down list of the available network filters to apply to the vNIC profile. Network filters improve network security by filtering the type of packets that can be sent to and from virtual machines. The default filter is `vdsm-no-mac-spoofing`, which is a combination of `no-mac-spoofing` and `no-arp-mac-spoofing`. For more information on the network filters provided by libvirt, see the Pre-existing network filters section of the Red Hat Enterprise Linux Virtualization Deployment and Administration Guide. <No Network Filter> should be used for virtual machine VLANs and bonds. On trusted virtual machines, choosing not to use a network filter can improve performance.
Passthrough	A check box to toggle the passthrough property. Passthrough allows a vNIC to connect directly to a virtual function of a host NIC. The passthrough property cannot be edited if the vNIC profile is attached to a virtual machine. QoS, network filters, and port mirroring are disabled in the vNIC profile if passthrough is enabled.
Migratable	A check box to toggle whether or not vNICs using this profile can be migrated. Migration is enabled by default on regular vNIC profiles; the check box is selected and cannot be changed. When the Passthrough check box is selected, Migratable becomes available and can be deselected, if required, to disable migration of passthrough vNICs.
Port Mirroring	A check box to toggle port mirroring. Port mirroring copies layer 3 network traffic on the logical network to a virtual interface on a virtual machine. It it not selected by default. For further details, see Port Mirroring in the Technical Reference.
Device Custom Properties	A drop-down menu to select available custom properties to apply to the vNIC profile. Use the + and - buttons to add and remove properties respectively.
Allow all users to use this Profile	A check box to toggle the availability of the profile to all users in the environment. It is selected by default.

Role	Privileges	Notes
NetworkAdmin	Network Administrator for data center, cluster, host, virtual machine, or template. The user who creates a network is automatically assigned NetworkAdmin permissions on the created network.	Can configure and manage the network of a particular data center, cluster, host, virtual machine, or template. A network administrator of a data center or cluster inherits network permissions for virtual pools within the cluster. To configure port mirroring on a virtual machine network, apply the NetworkAdmin role on the network and the UserVmManager role on the virtual machine.
VnicProfileUser	Logical network and network interface user for virtual machine and template.	Can attach or detach network interfaces from specific logical networks.

Administration Guide

Administration Tasks in Red Hat Virtualization

Red Hat Virtualization Documentation Team

Part I. Administering and Maintaining the Red Hat Virtualization Environment

Chapter 1. Global Configuration

1.1. Roles

1.1.1. Creating a New Role

1.1.2. Editing or Copying a Role

1.1.3. User Role and Authorization Examples

1.2. System Permissions

1.2.1. User Properties

1.2.2. User and Administrator Roles

1.2.3. User Roles Explained

1.2.4. Administrator Roles Explained

1.3. Scheduling Policies

1.3.1. Creating a Scheduling Policy

1.3.2. Explanation of Settings in the New Scheduling Policy and Edit Scheduling Policy Window

1.4. Instance Types

1.4.1. Creating Instance Types

1.4.2. Editing Instance Types

1.4.3. Removing Instance Types

1.5. MAC Address Pools

1.5.1. Creating MAC Address Pools

1.5.2. Editing MAC Address Pools

1.5.3. Editing MAC Address Pool Permissions

1.5.4. Removing MAC Address Pools

Chapter 2. Dashboard

2.1. Prerequisites

2.2. Global Inventory

2.3. Global Utilization

2.3.1. Top Utilized Resources

2.4. Cluster Utilization

2.4.1. CPU

2.4.2. Memory

2.5. Storage Utilization

Part II. Administering the Resources

Chapter 3. Quality of Service

3.1. Storage Quality of Service

3.1.1. Creating a Storage Quality of Service Entry

3.1.2. Removing a Storage Quality of Service Entry

3.2. Virtual Machine Network Quality of Service

3.2.1. Creating a Virtual Machine Network Quality of Service Entry

3.2.2. Settings in the New Virtual Machine Network QoS and Edit Virtual Machine Network QoS Windows Explained

3.2.3. Removing a Virtual Machine Network Quality of Service Entry

3.3. Host Network Quality of Service

3.3.1. Creating a Host Network Quality of Service Entry

3.3.2. Settings in the New Host Network Quality of Service and Edit Host Network Quality of Service Windows Explained

3.3.3. Removing a Host Network Quality of Service Entry

3.4. CPU Quality of Service

3.4.1. Creating a CPU Quality of Service Entry

3.4.2. Removing a CPU Quality of Service Entry

Chapter 4. Data Centers

4.1. Introduction to Data Centers

4.2. The Storage Pool Manager

4.3. SPM Priority

4.4. Using the Events Tab to Identify Problem Objects in Data Centers

4.5. Data Center Tasks

4.5.1. Creating a New Data Center

4.5.2. Explanation of Settings in the New Data Center and Edit Data Center Windows

4.5.3. Re-Initializing a Data Center: Recovery Procedure

4.5.4. Removing a Data Center

4.5.5. Force Removing a Data Center

4.5.6. Changing the Data Center Storage Type

4.5.7. Changing the Data Center Compatibility Version

4.6. Data Centers and Storage Domains

4.6.1. Attaching an Existing Data Domain to a Data Center

4.6.2. Attaching an Existing ISO domain to a Data Center

4.6.3. Attaching an Existing Export Domain to a Data Center

4.6.4. Detaching a Storage Domain from a Data Center

4.7. Data Centers and Permissions

4.7.1. Managing System Permissions for a Data Center

4.7.2. Data Center Administrator Roles Explained

4.7.3. Assigning an Administrator or User Role to a Resource

4.7.4. Removing an Administrator or User Role from a Resource

Chapter 5. Clusters

5.1. Introduction to Clusters

5.2. Cluster Tasks

5.2.1. Creating a New Cluster

5.2.2. Explanation of Settings and Controls in the New Cluster and Edit Cluster Windows

5.2.2.1. General Cluster Settings Explained

Field Name	Description
Host Cluster	The cluster and data center to which the host belongs.
Use Foreman/Satellite	Select or clear this check box to view or hide options for adding hosts provided by Satellite host providers. The following options are also available: Discovered Hosts Discovered Hosts - A drop-down list that is populated with the name of Satellite hosts discovered by the engine. Host Groups -A drop-down list of host groups available. Compute Resources - A drop-down list of hypervisors to provide compute resources. Provisioned Hosts Providers Hosts - A drop-down list that is populated with the name of hosts provided by the selected external provider. The entries in this list are filtered in accordance with any search queries that have been input in the Provider search filter. Provider search filter - A text field that allows you to search for hosts provided by the selected external provider. This option is provider-specific; see provider documentation for details on forming search queries for specific providers. Leave this field blank to view all available hosts.
Name	The name of the cluster. This text field has a 40-character limit and must be a unique name with any combination of uppercase and lowercase letters, numbers, hyphens, and underscores.
Comment	A field for adding plain text, human-readable comments regarding the host.
Affinity Labels	Add or remove a selected Affinity Label.
Address	The IP address, or resolvable hostname of the host.
Password	The password of the host's root user. This can only be given when you add the host; it cannot be edited afterwards.
SSH PublicKey	Copy the contents in the text box to the `/root/.known_hosts` file on the host to use the Manager's ssh key instead of using a password to authenticate with the host.
Automatically configure host firewall	When adding a new host, the Manager can open the required ports on the host's firewall. This is enabled by default. This is an Advanced Parameter.
SSH Fingerprint	You can fetch the host's SSH fingerprint, and compare it with the fingerprint you expect the host to return, ensuring that they match. This is an Advanced Parameter.

Field Name	Description
Enable Power Management	Enables power management on the host. Select this check box to enable the rest of the fields in the Power Management tab.
Kdump integration	Prevents the host from fencing while performing a kernel crash dump, so that the crash dump is not interrupted. In Red Hat Enterprise Linux 7.1 and later, kdump is available by default. If kdump is available on the host, but its configuration is not valid (the kdump service cannot be started), enabling Kdump integration will cause the host (re)installation to fail. If this is the case, see Section 7.6.4, “fence_kdump Advanced Configuration”.
Disable policy control of power management	Power management is controlled by the Scheduling Policy of the host's cluster. If power management is enabled and the defined low utilization value is reached, the Manager will power down the host machine, and restart it again when load balancing requires or there are not enough free hosts in the cluster. Select this check box to disable policy control.
Agents by Sequential Order	Lists the host's fence agents. Fence agents can be sequential, concurrent, or a mix of both. If fence agents are used sequentially, the primary agent is used first to stop or start a host, and if it fails, the secondary agent is used. If fence agents are used concurrently, both fence agents have to respond to the Stop command for the host to be stopped; if one agent responds to the Start command, the host will go up. Fence agents are sequential by default. Use the up and down buttons to change the sequence in which the fence agents are used. To make two fence agents concurrent, select one fence agent from the Concurrent with drop-down list next to the other fence agent. Additional fence agents can be added to the group of concurrent fence agents by selecting the group from the Concurrent with drop-down list next to the additional fence agent.
Add Fence Agent	Click the plus (+) button to add a new fence agent. The Edit fence agent window opens. See the table below for more information on the fields in this window.
Power Management Proxy Preference	By default, specifies that the Manager will search for a fencing proxy within the same cluster as the host, and if no fencing proxy is found, the Manager will search in the same dc (data center). Use the up and down buttons to change the sequence in which these resources are used. This field is available under Advanced Parameters.

Field Name	Description
Override display address	Select this check box to override the display addresses of the host. This feature is useful in a case where the hosts are defined by internal IP and are behind a NAT firewall. When a user connects to a virtual machine from outside of the internal network, instead of returning the private address of the host on which the virtual machine is running, the machine returns a public IP or FQDN (which is resolved in the external network to the public IP).
Display address	The display address specified here will be used for all virtual machines running on this host. The address must be in the format of a fully qualified domain name or IP.

Field Name	Description
Hostdev Passthrough & SR-IOV	Enables the IOMMU flag in the kernel to allow a host device to be used by a virtual machine as if the device is a device attached directly to the virtual machine itself. The host hardware and firmware must also support IOMMU. The virtualization extension and IOMMU extension must be enabled on the hardware. See Configuring a Host for PCI Passthrough in the Installation Guide. IBM POWER8 has IOMMU enabled by default.
Nested Virtualization	Enables the vmx or svm flag to allow you to run virtual machines within virtual machines. This option is only intended for evaluation purposes and not supported for production purposes. The `vdsm-hook-nestedvt` hook must be installed on the host.
Unsafe Interrupts	If IOMMU is enabled but the passthrough fails because the hardware does not support interrupt remapping, you can consider enabling this option. Note that you should only enable this option if the virtual machines on the host are trusted; having the option enabled potentially exposes the host to MSI attacks from the virtual machines. This option is only intended to be used as a workaround when using uncertified hardware for evaluation purposes.
PCI Reallocation	If your SR-IOV NIC is unable to allocate virtual functions because of memory issues, consider enabling this option. The host hardware and firmware must also support PCI reallocation. This option is only intended to be used as a workaround when using uncertified hardware for evaluation purposes.
Kernel command line	This field allows you to append more kernel parameters to the default parameters.

Variable	Description	Default	Note
LISTENER_ADDRESS	Defines the IP address to receive fence_kdump messages on.	0.0.0.0	If the value of this parameter is changed, it must match the value of `FenceKdumpDestinationAddress` in `engine-config`.
LISTENER_PORT	Defines the port to receive fence_kdump messages on.	7410	If the value of this parameter is changed, it must match the value of `FenceKdumpDestinationPort` in `engine-config`.
HEARTBEAT_INTERVAL	Defines the interval in seconds of the listener's heartbeat updates.	30	If the value of this parameter is changed, it must be half the size or smaller than the value of `FenceKdumpListenerTimeout` in `engine-config`.
SESSION_SYNC_INTERVAL	Defines the interval in seconds to synchronize the listener's host kdumping sessions in memory to the database.	5	If the value of this parameter is changed, it must be half the size or smaller than the value of `KdumpStartedTimeout` in `engine-config`.
REOPEN_DB_CONNECTION_INTERVAL	Defines the interval in seconds to reopen the database connection which was previously unavailable.	30	-
KDUMP_FINISHED_TIMEOUT	Defines the maximum timeout in seconds after the last received message from kdumping hosts after which the host kdump flow is marked as FINISHED.	60	If the value of this parameter is changed, it must be double the size or higher than the value of `FenceKdumpMessageInterval` in `engine-config`.

Variable	Description	Default	Note
FenceKdumpDestinationAddress	Defines the hostname(s) or IP address(es) to send fence_kdump messages to. If empty, the Manager's FQDN is used.	Empty string (Manager FQDN is used)	If the value of this parameter is changed, it must match the value of `LISTENER_ADDRESS` in the fence_kdump listener configuration file, and all hosts with Kdump integration enabled must be reinstalled.
FenceKdumpDestinationPort	Defines the port to send fence_kdump messages to.	7410	If the value of this parameter is changed, it must match the value of `LISTENER_PORT` in the fence_kdump listener configuration file, and all hosts with Kdump integration enabled must be reinstalled.
FenceKdumpMessageInterval	Defines the interval in seconds between messages sent by fence_kdump.	5	If the value of this parameter is changed, it must be half the size or smaller than the value of `KDUMP_FINISHED_TIMEOUT` in the fence_kdump listener configuration file, and all hosts with Kdump integration enabled must be reinstalled.
FenceKdumpListenerTimeout	Defines the maximum timeout in seconds since the last heartbeat to consider the fence_kdump listener alive.	90	If the value of this parameter is changed, it must be double the size or higher than the value of `HEARTBEAT_INTERVAL` in the fence_kdump listener configuration file.
KdumpStartedTimeout	Defines the maximum timeout in seconds to wait until the first message from the kdumping host is received (to detect that host kdump flow has started).	30	If the value of this parameter is changed, it must be double the size or higher than the value of `SESSION_SYNC_INTERVAL` in the fence_kdump listener configuration file, and `FenceKdumpMessageInterval`.

Role	Privileges	Notes
StorageAdmin	Storage Administrator	Can create, delete, configure and manage a specific storage domain.
GlusterAdmin	Gluster Storage Administrator	Can create, delete, configure and manage Gluster storage volumes.

Term	Definition
Brick	A brick is the GlusterFS basic unit of storage, represented by an export directory on a server in the trusted storage pool. A Brick is expressed by combining a server with an export directory in the following format: `SERVER:EXPORT` For example: `myhostname:/exports/myexportdir/`
Block Storage	Block special files or block devices correspond to devices through which the system moves data in the form of blocks. These device nodes often represent addressable devices such as hard disks, CD-ROM drives, or memory-regions. Red Hat Gluster Storage supports XFS file system with extended attributes.
Cluster	A trusted pool of linked computers, working together closely thus in many respects forming a single computer. In Red Hat Gluster Storage terminology a cluster is called a trusted storage pool.
Client	The machine that mounts the volume (this may also be a server).
Distributed File System	A file system that allows multiple clients to concurrently access data spread across multiple servers/bricks in a trusted storage pool. Data sharing among multiple locations is fundamental to all distributed file systems.
Geo-Replication	Geo-replication provides a continuous, asynchronous, and incremental replication service from site to another over Local Area Networks (LAN), Wide Area Network (WAN), and across the Internet.
glusterd	The Gluster management daemon that needs to run on all servers in the trusted storage pool.
Metadata	Metadata is data providing information about one or more other pieces of data.
N-way Replication	Local synchronous data replication typically deployed across campus or Amazon Web Services Availability Zones.
Namespace	Namespace is an abstract container or environment created to hold a logical grouping of unique identifiers or symbols. Each Red Hat Gluster Storage trusted storage pool exposes a single namespace as a POSIX mount point that contains every file in the trusted storage pool.
POSIX	Portable Operating System Interface (for Unix) is the name of a family of related standards specified by the IEEE to define the application programming interface (API), along with shell and utilities interfaces for software compatible with variants of the UNIX operating system. Red Hat Gluster Storage exports a fully POSIX compatible file system.
RAID	Redundant Array of Inexpensive Disks (RAID) is a technology that provides increased storage reliability through redundancy, combining multiple low-cost, less-reliable disk drives components into a logical unit where all drives in the array are interdependent.
RRDNS	Round Robin Domain Name Service (RRDNS) is a method to distribute load across application servers. RRDNS is implemented by creating multiple A records with the same name and different IP addresses in the zone file of a DNS server.
Server	The machine (virtual or bare-metal) which hosts the actual file system in which data will be stored.
Scale-Up Storage	Increases the capacity of the storage device, but only in a single dimension. An example might be adding additional disk capacity to a single computer in a trusted storage pool.
Scale-Out Storage	Increases the capability of a storage device in multiple dimensions. For example adding a server to a trusted storage pool increases CPU, disk capacity, and throughput for the trusted storage pool.
Subvolume	A subvolume is a brick after being processed by at least one translator.
Translator	A translator connects to one or more subvolumes, does something with them, and offers a subvolume connection.
Trusted Storage Pool	A storage pool is a trusted network of storage servers. When you start the first server, the storage pool consists of that server alone.
User Space	Applications running in user space do not directly interact with hardware, instead using the kernel to moderate access. User Space applications are generally more portable than applications in kernel space. Gluster is a user space application.
Virtual File System (VFS)	VFS is a kernel software layer that handles all system calls related to the standard Linux file system. It provides a common interface to several kinds of file systems.
Volume File	The volume file is a configuration file used by GlusterFS process. The volume file will usually be located at: `/var/lib/glusterd/vols/VOLNAME`.
Volume	A volume is a logical collection of bricks. Most of the Gluster management operations happen on the volume.

Field Name	Description
Volume Type	Displays the type of volume. This field cannot be changed; it was set when you created the volume.
Server	The server where the bricks are hosted.
Brick Directory	The brick directory or mountpoint.

Field Name	Description
Template	The template and template sub version on which the virtual machine pool is based. If you create a pool based on the `latest` sub version of a template, all virtual machines in the pool, when rebooted, will automatically receive the latest template version. For more information on configuring templates for virtual machines see Virtual Machine General Settings Explained and Explanation of Settings in the New Template and Edit Template Windows in the Virtual Machine Management Guide.
Description	A meaningful description of the virtual machine pool.
Comment	A field for adding plain text human-readable comments regarding the virtual machine pool.
Prestarted VMs	Allows you to specify the number of virtual machines in the virtual machine pool that will be started before they are taken and kept in that state to be taken by users. The value of this field must be between `0` and the total number of virtual machines in the virtual machine pool.
Number of VMs/Increase number of VMs in pool by	Allows you to specify the number of virtual machines to be created and made available in the virtual machine pool. In the edit window it allows you to increase the number of virtual machines in the virtual machine pool by the specified number. By default, the maximum number of virtual machines you can create in a pool is 1000. This value can be configured using the `MaxVmsInPool` key of the `engine-config` command.
Maximum number of VMs per user	Allows you to specify the maximum number of virtual machines a single user can take from the virtual machine pool at any one time. The value of this field must be between `1` and `32,767`.
Delete Protection	Allows you to prevent the virtual machines in the pool from being deleted.