2.1. Deploying the Controller


If you need to change certificates used in deployment (e.g., replace self-signed ones with those from a trusted CA) or change controller hostname, rerun the vzapi-installer controller command with the new parameters. To change the controller hostname while keeping the same self-signed certificates, use the --force-cert-gen parameter.

To deploy the controller, do the following on the host chosen to be the controller:

  1. (CentOS 7 only) Disable SELinux. To do this, set SELINUX=disabled in /etc/sysconfig/selinux file and reboot the system.

  2. (CentOS 7 only) Import the key Virtuozzo PowerPanel packages are signed with:

    # rpm --import https://docs.virtuozzo.com/keys/VIRTUOZZO_GPG_KEY
  3. Install the pp-release package. It will add the repository with PowerPanel packages.

    # yum install http://repo.virtuozzo.com/pp/releases/2.0.4/x86_64/os/Packages/p/pp-release-2.0.4-3.vl7.noarch.rpm
  4. Install the vzapi-installer package. It will provide the Ansible playbooks necessary to deploy PowerPanel and the vzapi-installer script that automates said deployment.

    # yum install vzapi-installer
  5. Launch the deployment script. A self-signed certificate is generated and used by default, however, you are recommended to use your own certificate, private key, and certificate authority (CA) files. If you have one or more intermediate certificates, you can specify them as well to indicate a chain of trust. Every intermediate certificate will be handled by openssl verify as untrusted. The deployment script will automatically concatenate the certificates and use the resulting file during installation. The original CA file will added to httpd configs.

    • If you have an SSL certificate and key from a third-party trusted CA, run the deployment script as follows:

      # vzapi-installer controller --ask-passwd --private-ip <IP_address> --ssl-ca-file <path_to_file> --ssl-cert-file <path_to_file> --ssl-key-file <path_to_file>
    • If you have your own CA file that you used to generate an SSL key and a certificate that requires intermediate certificates for resolution, run the deployment script as follows:

      # vzapi-installer controller --ask-passwd --private-ip <IP_address> --ssl-ca-file <path_to_file> --ssl-cert-file <path_to_file> --ssl-key-file <path_to_file> --ssl-intermediate-cert <path_to_file> [--ssl-intermediate-cert <path_to_file> ...]
    • If you want to deploy with a generated self-signed certificate, run the deployment script as follows:

      # vzapi-installer controller --ask-passwd --private-ip <IP_address>

    The --private-ip <IP_address> is the required parameter that sets the IP address of the network interface that the controller will use to communicate with compute nodes. Controller services used for internal communication will listen only on this network interface. This can be useful if you have a private network for the controller and compute nodes and do not want controller services to be accessible from other networks.

    During setup, you will be asked to provide the administrator’s password that will be required to log in to PowerPanel in the admin mode. If you need to specify the password in the command line, you can replace --ask-passwd with -p <admin_passwd>.


    Once set, the administrator’s password is stored in the file /var/lib/vzapi-installer/group_vars/all alongside with automatically generated passwords for other services used by PowerPanel.

    If you have a firewall enabled, the deploy script will create rules to open the required ports (see Appendix A: Controller and Compute Ports).

    When deployment is completed successfully, you will see a recap from Ansible and information on how to access Virtuozzo PowerPanel web interface. For example:

    PLAY RECAP *********************************************************************
    ctrl.example.com         : ok=57   changed=49   unreachable=0    failed=0
    Controller has been deployed successfully!
    Virtuozzo PowerPanel web UI can be accessed at https://ctrl.example.com
    with this username/password: admin/password
  6. If you used a self-signed certificate generated during deployment, import its file /var/lib/vzapi/vzapi_rootCA.crt into the browser in which you will open Virtuozzo PowerPanel web interface.

If you later need to redeploy or update the controller without changing the admininstrator’s password, skip password-related options and run

# vzapi-installer controller


By default, each user is allowed to create 3 backups of each of their VEs. Any changes to this backup limit are applied only to VEs added to the Virtuozzo PowerPanel infrastructure after the change. If you need to change the default backup limit from the start, do so before deploying the compute nodes. For instructions, see Setting the Backup Limit.