Orchestrator and multi-tenant

I use Orchestrator in a multi-tenant environment. What I am trying to do is:

Set up a master Orchestrator instance where I can centralize workflow execution.

Deploy slave instances in the different tenant environments, which I can call with the Multi-Node plugin.

The problem is that the environments are separate and accessible only via a VPN tunnel.

How should I configure the master Orchestrator and the slaves to connect via VPN?

Should I:

1. use a "VPN connection plugin", if there is one, to establish a connection via VPN?
2. use the HTTP-REST plugin and give the two vCOs a public IP address and a publicly exposed web interface, if that can be done safely, perhaps by placing the slave vCO in the DMZ?

3. another way?

Thanks for the input!

If you have an always-on VPN connection to the remote/slave instances, then just open the firewall ports to allow the master to connect to the remote/slave instance.

Ports are listed on pages 38 and 39:

http://pubs.VMware.com/vSphere-55/topic/com.VMware.ICbase/PDF/vCenter-Orchestrator-552-install-config-Guide.PDF

Multi-Node plugin documentation:

http://pubs.VMware.com/Orchestrator-plugins/topic/com.VMware.ICbase/PDF/using-multi-node-plugin-10-Guide.PDF

From what I can tell, you need the following ports open between the master (source) and the remote/slave (destination):

  • TCP 8230 - the main port for communicating with the Orchestrator server (JNDI lookup port).
  • TCP 8250 - SSL (see the Multi-Node plugin documentation, "Enable Orchestrator for remote workflow execution").
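As an added example that is not part of the thread: a small Python checker, run from the master over the VPN, that confirms the two ports listed above are actually reachable on a slave before you start debugging the Multi-Node plugin. The port numbers are the ones the answer cites; the slave hostname in the `__main__` section is a placeholder, and `local_listener` only exists so the check can be exercised offline.

```python
import socket
from contextlib import closing

# Added example (not from the thread): verify, from the master, that the ports
# the Multi-Node plugin needs on a slave are reachable across the VPN.
# Port numbers are taken from the answer above.
REQUIRED_PORTS = {
    8230: "lookup / JNDI",
    8250: "messaging (SSL)",
}


def tcp_reachable(host, port, timeout=3.0):
    """True if a TCP handshake to host:port completes within timeout."""
    try:
        with closing(socket.create_connection((host, port), timeout=timeout)):
            return True
    except OSError:  # refused, filtered (timeout), no route, or name lookup failure
        return False


def check_slave(host, ports=REQUIRED_PORTS, timeout=3.0):
    """Map each required port to True/False, so you can see exactly which
    firewall rule is missing instead of a generic 'cannot connect' in vRO."""
    return {port: tcp_reachable(host, port, timeout) for port in ports}


def missing_ports(host, ports=REQUIRED_PORTS, timeout=3.0):
    """Ports that still need a firewall rule (or a VPN route) from master to slave."""
    return sorted(p for p, ok in check_slave(host, ports, timeout).items() if not ok)


def local_listener(port=0):
    """Helper for offline testing only: a throw-away TCP listener on 127.0.0.1."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", port))
    srv.listen(1)
    return srv


if __name__ == "__main__":
    # Placeholder slave address (assumption); replace with the remote vCO's VPN-side IP.
    slave = "vco-slave.tenant-a.example"
    for port, ok in check_slave(slave).items():
        state = "open" if ok else "BLOCKED"
        print(f"{slave}:{port} ({REQUIRED_PORTS[port]}): {state}")
```

Run it from the master with the VPN up; every port reported as BLOCKED needs a rule on the tenant-side firewall (or a route through the tunnel) before the Multi-Node plugin can register that slave.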

Tags: VMware

Similar Questions

  • See multi-tenant

    I'm sure there must be a discussion on this that I'm not finding, but here's what I'm looking for:

    Currently, View (5 or 6) can belong only to a single domain.

    vCloud multi-tenant implementations are OK with having more than one domain (or subdomain) within the tenant space, but as far as I can see, View ONLY supports folders with different permissions and roles within each domain (or at a higher level). It is possible to configure a trust between the domains for authentication, but that places a burden on the 'original' domain if you want to configure domain-based roles.

    Has anyone seen or heard any information pointing to it becoming a true multi-domain or multi-tenant solution outside of embedding View in a vCloud cell?

    Thank you

    Roger

    You're right, Horizon View is not intended to be used in an environment where you need real multi-tenancy. There are ways to get it to work this way, but they generally require a lot of manual steps and you could end up in unsupported configurations.

    Fortunately, there's a solution to this: it's called VMware DaaS (formerly Desktone), and it is built for multi-tenancy from the ground up.

    Linjo

  • Question of design on unique constraints while moving to multi-tenant

    Hi all

    Please see the definition of this simple table:
    CREATE TABLE emp 
        ( 
         id INTEGER  NOT NULL , 
         name VARCHAR2 (30 CHAR)  NOT NULL , 
         birthdate DATE  NOT NULL , 
         username VARCHAR2 (10 CHAR) ,
         CONSTRAINT PK_emp PRIMARY KEY ( id ) ,
         CONSTRAINT UC_emp_username UNIQUE ( username )
        );
    In this schema, each user can (optionally; NULL is allowed) have a username. A username can only be used once. An application that uses this kind of table is not multi-tenant capable.

    Now, if I run the application for several tenants, I add a tenant_id column like this:
    CREATE TABLE emp 
        ( 
         id INTEGER  NOT NULL , 
         name VARCHAR2 (30 CHAR)  NOT NULL , 
         birthdate DATE  NOT NULL , 
         username VARCHAR2 (10 CHAR) ,
         tenant_id INTEGER  NOT NULL ,
         CONSTRAINT PK_emp PRIMARY KEY ( id ) ,
         CONSTRAINT UC_emp_tenant_username UNIQUE ( tenant_id, username )
        );
    I have almost achieved my goal:
    Again, a user can (optionally; NULL is allowed) have a username. A username cannot be used more than once PER TENANT (see the changed UC). Of course, each tenant must be provided with an account named 'administrator', so the UC must include the tenant_id. But here is what does not work:

    As soon as I add a 2nd employee for a tenant and this employee doesn't have a login (and therefore no username), the UC rejects the addition of this user.
    That was no problem in the 1st case, because the UC covered a single column, and a row in the base table with a NULL value in that column is simply not included in the index.
    In the 2nd case, every row of the base table is included in the UC index, because the tenant_id column is NOT NULL, so the combination {tenant_id: 1, username: NULL} can exist only once. This means that almost all employees must have a username.

    What is the solution here?
    Dropping the UC is not a solution.
    Is it really necessary to move the username column to a new table, as in the following? It just doesn't feel right to introduce a relationship table for a 1:1 relationship.
    CREATE TABLE emp 
        ( 
         id INTEGER  NOT NULL , 
         name VARCHAR2 (30 CHAR)  NOT NULL , 
         birthdate DATE  NOT NULL , 
         tenant_id INTEGER  NOT NULL ,
         CONSTRAINT PK_emp PRIMARY KEY ( id )
        ) ;
    
    CREATE TABLE username 
        ( 
         id INTEGER  NOT NULL , 
         emp_id INTEGER  NOT NULL , 
         username VARCHAR2 (30 CHAR)  NOT NULL , 
         tenant_id INTEGER  NOT NULL ,
         CONSTRAINT PK_username PRIMARY KEY ( id ) ,
         CONSTRAINT UC_username_emp UNIQUE ( emp_id ) ,
         CONSTRAINT UC_username_username_tenant UNIQUE ( username , tenant_id ) ,
         CONSTRAINT FK_username_emp FOREIGN KEY ( emp_id ) REFERENCES emp ( id ) 
        ) 
    ;
    Any ideas or links to books are greatly appreciated.

    Thank you
    Blama

    Hi, Lawrence.

    Sorry, I'm not sure I understand the problem. It would help if you posted some INSERT statements that should be allowed, and some that must fail because they violate the uniqueness rule. Or at least post a business scenario that you might need to model. For example: "Tenant 1 has 3 employees: 11, 12 and 13. Employee 11 has username "FFL". 12 has no username. 13 should be able to choose any username except "FFL", or have none (just like 12). Tenant 2 has 2 employees..."

    You can create a unique function-based index. For example, if the username is optional:

    -- Both expressions are NULL when username is NULL, so such rows get no index entry.
    CREATE UNIQUE INDEX emp_name_unique ON
    emp ( NVL2 (username, tenant_id, NULL)
        , username
        );
    

    If username is NULL, then both expressions in the index will be NULL and no index entry will be made. So there can be any number of rows with the same tenant_id but no username, but only one row for each (tenant_id, username) combination when there is a username.

    Laurent wrote:
    ... Is it really necessary to move the username column to a new table, as in the following? It just doesn't feel right to introduce a relationship table for a 1:1 relationship.

    Good instinct; it's unusual (but not necessarily bad) to have a one-to-one relationship between tables, but do you actually have one? When you say things like

    ... A username cannot be used more than once per TENANT ...

    or

    ... As soon as I add a 2nd employee for a tenant ...

    it sounds like you have a one-to-many relationship, or maybe a many-to-many relationship, or maybe even two relationships, neither of which is one-to-one.

    Published by: Frank Kulash, October 26, 2012 09:15
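An added example, not part of Frank's or Blama's posts: the scenario Frank asked for as INSERT statements, run against the function-based-index approach. It uses SQLite via Python's standard library instead of Oracle, so the NVL2() expression becomes an equivalent CASE expression. One caveat: SQLite treats NULLs as distinct in a UNIQUE constraint, so the plain UNIQUE (tenant_id, username) would not reproduce the original problem there; the expression index below enforces the intended rule on both databases. Names, dates and employee numbers are constructed sample data.

```python
import sqlite3

# Added example (not from the thread). SQLite stands in for Oracle; the
# NVL2(username, tenant_id, NULL) from the answer is written as a CASE here.
SCHEMA = """
CREATE TABLE emp (
    id        INTEGER NOT NULL,
    name      TEXT    NOT NULL,
    birthdate TEXT    NOT NULL,
    username  TEXT,
    tenant_id INTEGER NOT NULL,
    CONSTRAINT PK_emp PRIMARY KEY (id)
);
-- Unique per tenant only when a username is present: both expressions are
-- NULL for rows without a username, so those rows never collide with each other.
CREATE UNIQUE INDEX emp_tenant_username_unique ON emp (
    CASE WHEN username IS NULL THEN NULL ELSE tenant_id END,
    username
);
"""


def new_db():
    """Fresh in-memory database with the emp table and the expression index."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def add_employee(conn, emp_id, name, tenant_id, username=None):
    """Insert one employee; True if accepted, False if the per-tenant
    username rule (the unique index) rejects the row."""
    try:
        conn.execute(
            "INSERT INTO emp (id, name, birthdate, username, tenant_id) "
            "VALUES (?, ?, '1980-01-01', ?, ?)",
            (emp_id, name, username, tenant_id),
        )
        return True
    except sqlite3.IntegrityError:
        return False


def run_scenario():
    """Frank's scenario with constructed data; returns the accept/reject outcome
    of each INSERT in order."""
    conn = new_db()
    return [
        add_employee(conn, 11, "Ann", 1, "FFL"),            # tenant 1, first username
        add_employee(conn, 12, "Bob", 1),                   # tenant 1, no username
        add_employee(conn, 13, "Cid", 1),                   # 2nd tenant-1 row without username: allowed
        add_employee(conn, 14, "Dan", 1, "FFL"),            # duplicate within tenant 1: rejected
        add_employee(conn, 21, "Eve", 2, "FFL"),            # same username, other tenant: allowed
        add_employee(conn, 22, "Fay", 2, "administrator"),  # each tenant gets its own admin
        add_employee(conn, 15, "Gus", 1, "administrator"),
    ]
```

Only the fourth INSERT fails, which is exactly the rule Blama described: any number of employees per tenant without a username, one row per (tenant, username) when there is one, and 'administrator' available to every tenant.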

  • Orchestrator and vCD

    If Orchestrator is currently your orchestration and integration platform and you want to implement vCD, how do Orchestrator and vCD relate? Is Orchestrator the tool to use for integration if you use vCD as the portal providing the web front end for virtual machines?

    Technically, you can integrate with the vCD API using REST, the SDK, Orchestrator and PowerCLI.

    For southbound integration (blocking tasks, notifications, extensibility API), any client interfacing with RabbitMQ would work, but the mechanism for this integration is available in this package: vCloud Director 5.1/5.5 Blocking Tasks and Notifications using AMQP package.

  • How to set up a multi-lingual and multi-currency site

    I've been reading this article:

    How to set up a multi-lingual and multi-currency site

    I want to know, if I have 3 or more domains:

    • www.yourcompany.pt - Portugal
    • us.yourcompany.com - United States
    • uk.yourcompany.com - United Kingdom
    • www.yourcompany.com - China
    • www.yourcompany.fr - France

    do I have to create 5 versions of the site in five different languages?

    Do I also have to create five different versions of a product for the corresponding five languages?

    Hello

    Please take a look at the following site,

    Tutorials

    Let me know if you have any question.

  • Multi-tenant IOS firewall and same-security subinterfaces on 9.0

    Hi all

    I'm so used to pre-8.3 and am having great difficulty getting an environment working properly, so I'm now going to leverage the Cisco

    We set up a network with clients behind a pair of 5510s. All of these clients will have their own dedicated subinterface in their own VLAN. Out of the box, I had 'same-security-traffic permit inter-interface' enabled and all networks could communicate with each other. I certainly don't want that, so I disabled this command and now each client network is unable to communicate with the others, as expected.

    The problem now lies with customers that have 2 separate VLANs (say a staging and a prod environment) which need to communicate. Is it feasible if they have the same security level and 'same-security-traffic permit inter-interface' is disabled? Do I just need to create an ACL for the networks to talk? Is there a better way to do this with 'same-security-traffic permit inter-interface' enabled?

    Pre-8.3, I had 'same-security-traffic permit inter-interface' enabled, but traffic could not reach the other interface unless I created a NAT exemption and ACLs. Do I still need to create a NAT exemption?

    Hello

    The basic problem you run into with the different software levels is the 'nat-control' setting, which exists in 8.2 (and earlier) but does not exist in 8.3 (and later) ASA software.

    In 8.2 and earlier software, with 'nat-control' enabled, a connection was required to have a NAT configuration in order to pass traffic through the ASA. Coupled with the 'security-level', this gave you more ways to control traffic without resorting to ACLs.

    However, in 8.3 and later software 'nat-control' no longer exists, and whether or not a connection has a NAT configuration applied, the ASA still allows the connection (provided the other ASA controls allow it), so basically you won't need NAT configurations between your local interfaces. The most common NAT configurations will be between your local interfaces and the 'outside' ASA interface.

    If you try to control traffic between interfaces with the global configuration commands you mention, you will end up 'juggling' the 'security-level' configurations constantly so that the correct rules get applied to the traffic.

    This question comes up on these forums every now and then, and I almost always suggest the same approach, which is to set up an ACL on EACH interface of the ASA.

    • Remember to leave 'same-security-traffic permit inter-interface' in the ASA configuration. This is because even if you have interface ACLs allowing the traffic, if the interfaces are for some reason left with identical security levels, the ACLs alone would not be enough to allow the traffic.
    • Configure an ACL on each interface.
    • Initially, to configure the ACLs, create an 'object-group' that will contain EACH network behind your local firewall interfaces (except the 'outside', of course).
    • Use this 'object-group' at THE start of each interface ACL to BLOCK ALL traffic from behind this interface to these networks.
    • After that, allow or block the different outbound/Internet-bound traffic as usual.
    • If 2 (or more) networks behind different interfaces need to communicate with each other, add a 'permit' statement at the start of each ACL. The already existing 'deny' with the 'object-group' will ensure that other traffic between the local networks is blocked.

    A very simple example you might want to consider:

    Networks:

    • LAN1: 10.10.10.0/24
    • LAN2: 10.10.20.0/24
    • DMZ1: 192.168.100.0/24
    • DMZ2: 192.168.200.0/24

    same-security-traffic permit inter-interface

    interface GigabitEthernet0/0
     description box

    interface GigabitEthernet0/0.10
     vlan 10
     nameif LAN1
     security-level 100
     ip address 10.10.10.1 255.255.255.0

    interface GigabitEthernet0/0.20
     vlan 20
     nameif LAN2
     security-level 100
     ip address 10.10.20.1 255.255.255.0

    interface GigabitEthernet0/0.100
     vlan 100
     nameif DMZ1
     security-level 100
     ip address 192.168.100.1 255.255.255.0

    interface GigabitEthernet0/0.200
     vlan 200
     nameif DMZ2
     security-level 100
     ip address 192.168.200.1 255.255.255.0

    object-group network BLOCK-LOCAL-NETWORKS
     network-object 10.10.10.0 255.255.255.0
     network-object 10.10.20.0 255.255.255.0
     network-object 192.168.100.0 255.255.255.0
     network-object 192.168.200.0 255.255.255.0

    access-list LAN1-IN remark Allow HTTP/HTTPS to the DMZ1 server
    access-list LAN1-IN permit tcp 10.10.10.0 255.255.255.0 host 192.168.100.100 eq www
    access-list LAN1-IN permit tcp 10.10.10.0 255.255.255.0 host 192.168.100.100 eq https
    access-list LAN1-IN remark Block traffic to the other local networks
    access-list LAN1-IN deny ip any object-group BLOCK-LOCAL-NETWORKS
    access-list LAN1-IN remark Allow everything else (Internet-bound) out
    access-list LAN1-IN permit ip 10.10.10.0 255.255.255.0 any

    access-group LAN1-IN in interface LAN1

    And of course all the other ACLs would follow the same model in one form or another. You wouldn't really have to worry about traffic being allowed between interfaces; rather, most of the work would probably be adding 'permit' statements at the top of each ACL when required for inter-interface communication. But I guess the number of these additions would stay at a manageable level for the FW admins.

    Naturally, in bigger environments you would probably get a high-end ASA, virtualize it and separate each customer environment into its own security context, where you would avoid this situation altogether. Naturally, the biggest points against this solution are usually cost and the fact that virtualizing the ASA (multiple context mode) disables some essential operational capabilities of the ASA, the most important of which is probably client VPN connections (L2L VPN is supported in multiple context mode in 9.x software).

    Hope this helps

    Don't forget to mark the reply as the answer if it answered your question, and/or rate useful responses.

    Ask more if needed.

    -Jouni
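An added example, not part of Jouni's post: a minimal first-match evaluator for ACL entries in the shape his configuration uses, to show concretely why the per-tenant 'permit' exceptions must sit above the object-group 'deny' and what the implicit deny at the end does. It models only the syntax in the example (ip/tcp/udp, any, host, network+mask, object-group, eq port) and is not an ASA emulator; the LAN1-IN text and the object-group contents are copied from the configuration above, and the test addresses are constructed.

```python
import ipaddress

# Added example (not from the thread): first-match evaluation of an ASA-style
# ACL to show why entry order matters.  Only the syntax used in Jouni's
# example is understood.

PORT_NAMES = {"www": 80, "https": 443}

# Contents of object-group BLOCK-LOCAL-NETWORKS from the configuration above.
GROUPS = {
    "BLOCK-LOCAL-NETWORKS": [
        ipaddress.ip_network(n)
        for n in ("10.10.10.0/24", "10.10.20.0/24", "192.168.100.0/24", "192.168.200.0/24")
    ],
}

# The LAN1-IN ACL from the configuration above, in the same order.
LAN1_IN = """
access-list LAN1-IN remark Allow HTTP/HTTPS to the DMZ1 server
access-list LAN1-IN permit tcp 10.10.10.0 255.255.255.0 host 192.168.100.100 eq www
access-list LAN1-IN permit tcp 10.10.10.0 255.255.255.0 host 192.168.100.100 eq https
access-list LAN1-IN remark Block traffic to the other local networks
access-list LAN1-IN deny ip any object-group BLOCK-LOCAL-NETWORKS
access-list LAN1-IN remark Allow everything else (Internet-bound) out
access-list LAN1-IN permit ip 10.10.10.0 255.255.255.0 any
"""


def _take_addr(tokens, i):
    """Consume one address spec starting at tokens[i]; return (spec, next index)."""
    if tokens[i] == "any":
        return "any", i + 1
    return f"{tokens[i]} {tokens[i + 1]}", i + 2  # host X | object-group NAME | net mask


def _addr_matches(spec, addr, groups):
    if spec == "any":
        return True
    kind, value = spec.split()
    if kind == "host":
        return addr == ipaddress.ip_address(value)
    if kind == "object-group":
        return any(addr in net for net in groups[value])
    return addr in ipaddress.ip_network(f"{kind}/{value}", strict=False)


def parse_acl(text):
    """Return the ACEs of one ACL as (action, proto, src, dst, port) tuples,
    in the order they appear, which is the order the ASA evaluates them."""
    aces = []
    for line in text.strip().splitlines():
        t = line.split()
        if not t or t[0] != "access-list" or t[2] == "remark":
            continue
        i = 3 if t[2] == "extended" else 2
        action, proto = t[i], t[i + 1]
        src, i = _take_addr(t, i + 2)
        dst, i = _take_addr(t, i)
        port = None
        if i < len(t) and t[i] == "eq":
            port = int(PORT_NAMES.get(t[i + 1], t[i + 1]))
        aces.append((action, proto, src, dst, port))
    return aces


def evaluate(aces, src, dst, proto="tcp", port=None, groups=GROUPS):
    """First matching ACE wins; no match means the implicit deny at the end."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, aproto, asrc, adst, aport in aces:
        if aproto != "ip" and aproto != proto:
            continue
        if not (_addr_matches(asrc, s, groups) and _addr_matches(adst, d, groups)):
            continue
        if aport is not None and aport != port:
            continue
        return action
    return "deny"


def misordered(aces):
    """Same ACEs with the object-group deny moved to the top: the exceptions
    below it become dead entries, the mistake the answer's ordering avoids."""
    deny = [a for a in aces if a[0] == "deny"]
    rest = [a for a in aces if a[0] != "deny"]
    return deny + rest
```

With the ACL as written, LAN1 hosts reach the DMZ1 web server on 80/443 and the Internet, but nothing else on the local networks; moving the object-group deny above the exceptions silently kills the DMZ1 access, which is why new inter-tenant permits go at the top of each ACL.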

  • Multi-tenant and different charactersets

    Is it possible to have PDBs with different character sets in a CDB?

    No, this is not possible. All PDBs have the same character set as the CDB:

    https://docs.Oracle.com/database/121/NLSPG/ch2charset.htm#NLSPG1035

  • Media player and multi disk sets

    Any suggestions on how to manage multi-disc sets? I can't find a column for "Disc #". I do see Custom 1 and Custom 2; is it possible to assign one of those as the disc #?

    Thank you

    Unfortunately, the WMP library does not support the disc number tag (or 'Set' in the Advanced Tag Editor) very well. To work around the problem, you can give each disc a different Album title, for example Greatest Hits CD1 and Greatest Hits CD2. Tim Baets
    http://www.BM-productions.TK

  • TWAIN not available and multi-page unavailable

    I have a Fujitsu fi-6150 scanner that I can connect to RemoteScan using the WIA driver but not the TWAIN driver. Not necessarily a big deal, but I don't have the ability to select multiple pages under WIA. The only way I can get around this is to apply multi-page.

    My questions are:
    (1) Why is TWAIN not available when the TWAIN driver is loaded?
    (2) Why is the multi-page option disabled and how can I get around this? Is there an INI setting that I can change?

    Thank you.

    Hello

    Usually if RemoteScan is unable to 'see' a TWAIN driver locally, it's because the TWAIN driver has not been installed or is not working; you can always test it locally in a TWAIN-compatible scanning application such as a Microsoft Office application. You would want to talk to Fujitsu about problems with the scanner driver itself.

    RemoteScan inherits the functionality of the scanner driver being used, so you will want to check the WIA driver locally (by running a scan in Microsoft Paint, which is WIA-only) to ensure it has no problems with multi-page scans. If you are able to do multi-page scans locally with this driver and are having problems with RemoteScan for some reason, you would want to call our support team at 406-721-0276.

    Thank you

  • Pro vs Ultimate: is the ONLY difference between Win7 Pro and Win7 Ultimate BitLocker and multi-language support?

    I have Vista Ultimate and want to upgrade. It looks to me like Vista Ultimate should be upgraded to Win7 Pro if you're not using or needing BitLocker or multi-language support. I can only find the simplified feature comparison and it makes me worried that I might make a mistake. Ultimate in Vista has features like support for live wallpapers. Will that be a feature included in the Windows 7 Pro version, or do I need to stay on the Ultimate path?

    In short: does Windows 7 Professional have ALL but 2 of the features that Windows 7 Ultimate offers separately?

    It's a combination of things. BitLocker provides data protection on internal and external disks; DirectAccess provides transparent connectivity to your corporate network (requires Windows Server 2008 R2); BranchCache reduces the time office workers wait to open files on the network (requires Windows Server 2008 R2); AppLocker prevents unauthorized software from running. In addition, the features that were formerly available in Windows Vista Ultimate, DreamScene and the Ultimate Extras, are no longer part of Windows 7. Also, you can't keep these features when upgrading from Windows Vista Ultimate to Windows 7; they will be removed. Andre Da Costa http://adacosta.spaces.live.com http://www.activewin.com

  • First film edited with Premiere - proxy, audio questions and multi-cam

    I have several questions that I have not found answered in the videos and forums, at least not for my situation. I'm finishing reviewing the footage now, adding comments in Prelude, and will begin editing soon. Please excuse the long post.

    Background:

    I'm working on my first film, a documentary. Most of my footage is 10-11 interviews, about an hour each. The majority is 4K from a Panasonic GH4, but some of the footage is 1080 from an Olympus OM-D E-M5 II.

    I recorded the sound using a lav and a shotgun microphone, each going into its own channel on a Tascam DR-70D, an external audio recorder, with a line going into the camera for reference. The audio and video files (at least one, since the GH4 produces several) will have a slate tone at the head, created by the audio recorder. The recorder captured 24-bit audio; the camera captured 16-bit audio. The recorder also duplicated two other channels 12 dB lower in case of audio peaks.

    I will be editing on a Mac laptop: 2013 MacBook Pro, OS 10.11.5, 2.9 GHz Intel Core i7, 16 GB 1600 MHz DDR3 memory, NVIDIA GeForce GT 650M 1024 MB graphics card. I think I need to create proxies for my 4K footage.

    All footage is stored on my external G-Drive. The interviews are separated and located in folders for each interviewee.

    The final project will be 1080, not 4K.

    Questions:

    Naming - being a hybrid, the GH4 breaks an hour-long interview into several separate files. Should I change the names of all the files, or keep them in named folders in Premiere Pro? If I should change them, should I do it before ingesting?

    First, synchronizing audio and video: since I have one audio file and several video files, do I synchronize each video file individually, or assemble them somehow and then synchronize? If each of these excerpts from the interview is stitched together, wouldn't that make editing easier?

    When creating proxies for the video files, do I also create proxies for the separate audio files? Once synchronized, will the high-resolution versions of the video and audio be output at the end?

    Multicamera - in one case, I have an interview shot with two 1080 cameras. But for the rest, I shot with one camera in 4K, so I intend to use a cropped (zoomed) section of the interview when an important statement is made, simulating a two-camera setup. Given that I have to create a multi-camera sequence after I ingest the proxy files, will toggling proxy files on and off for the hi-res files be a problem?

    B-roll is added later, once the interviews are roughly edited. It will be some (non-4K) footage and photos. Make proxies of these too, or does Premiere care about having all files proxied versus a mixture?

    Finally, I have never edited a video longer than 10 minutes. This film could be 40 minutes or up to 90. Anything I need to know to make the editing smoother? I am a beginner!

    Thank you for bearing with me and thanks in advance for any ideas!

    -SK

    1. Leave the file names alone. Do your organization with folders (hard drive) and bins (project).

    2. Manual multi-camera method

    3. The audio files are small and will not need proxies. Export will always use the original media.

    4. Possibly. My first attempt was a disaster that froze the machine so badly I had to do a hard reset. However, you need not go back to the original sequence to make your cut-ins. Proxy media will do fine. Simply place a copy of the clips at 50% scale on V1 and a second copy at 100% scale on V2 when creating the source multicam sequence... This will let you see the full and then the cropped versions while multicam editing.

    5. Photos don't need proxies. If the B-roll is edited, make proxies for those. PP doesn't care a whit about keeping all the footage the same.

    6. $2,000 custom PC vs $4,000 Mac Pro - YouTube

  • Integration Orchestrator and VIPR

    Looking at integration between vRO and ViPR and I have a few questions:

    I use vRealize Automation, so that pretty much defines vRO as the orchestration engine in terms of sizing the virtual machines and vCloud. When should I take the EMC storage-related aspects I need to orchestrate and use vRO for them directly, and when should I stand up ViPR and have vRO make calls to ViPR?

    Hello

    I think both strategies are valid and possible. I would contact EMC for the ViPR plugin and information on its roadmap.

    If the plugin provides out-of-the-box workflows for the tasks you want to automate, that will probably allow you to create your solution with much less effort.

    Also, if EMC maintains the ViPR plugin in the future, you will not have to worry much about back-end storage system updates, because ViPR and the ViPR plugin (hopefully) abstract the version details and keep the plugin compatible.

    On the other side, if you now (and for the foreseeable future) only have a few small (aka easy to implement) automation tasks on the storage system that you need for your overall VM provisioning / lifecycle process, then adding ViPR is perhaps overkill (and introduces more complexity in the overall architecture than necessary).

    So as usual, the answer is: it depends on :-)

    I hope this helps!

    Joerg

  • Orchestrator and Hytrust

    When I use HyTrust with vCenter, HyTrust logs based on the user actually connected to vCenter. But when I use 'Share a unique session' in Orchestrator, then my service account is what vCenter logs as performing the actions, and the user who set up the workflow is known only to Orchestrator, not to vCenter or HyTrust. It must be this way in Orchestrator so that the regular scheduled workflows that manage the infrastructure are not dependent on one employee's AD account. However, that impacts my logging and controls around vCenter, because now the logging for those scheduled workflows is in vRO and not vCenter, and the information about which user tried to run the workflow is known only to Orchestrator. vCenter only sees the service account trying to do something.

    In a cloud computing infrastructure, more automation and vCenter actions happen through vRO rather than directly in vCenter. How does the previous scheme of logging and authorization in vCenter with HyTrust map to a new model where I am driving tasks through Orchestrator and using 'Share a unique session'?

    Hello

    I see two possible solutions:

    1. Go to HyTrust and convince them to integrate with vRO. As vRO clearly records each execution of a workflow, with the corresponding user, it would be simple enough to analyze / audit this.

    2. Use two vRO servers, one configured with a shared session for scheduled tasks and a separate one for manually started workflows, using the per-user session setting (with all its disadvantages :-/).

    Indeed, analysing at the vRO level seems to be the "cleanest" approach.

    Kind regards

    Joerg

  • Importing data in a multi-tenant environment

    I need a solution for a multitenant environment where customers can send large amounts of data by post on a physical storage device, and we can import it into the data center. How can I design my infrastructure for this? Should I create an intermediate storage solution, where I can plug in a USB device and copy it to a special datastore that has special security and containment, and then selectively allow it to transfer to selected areas only? The problem is that if the customer has to give us a virtual machine to import with 4 TB of data, there is no good way to upload it where we would have real network controls set up to analyze the data and ensure what can be done, as over the VPN connection.

    However, if a storage device is brought into the data center and we do not know what is on it, it could potentially have anything on it. So what does a good design to enable this look like, when I determine what this client USB storage device will connect to and where the entry point for the data into our environment is?

    Hello

    You could, but above all you'd want to inspect the data before it is loaded, just to be sure. You have your 'ingestion trust zone' and 'transfer trust zone', then 'tenant'. This way your ingestion device (USB over IP, whatever) cannot directly touch the tenant. I put what I consider each zone to be in parentheses.

    Ingestion: (red, untrusted, outside)

    USB over IP with a target ingestion VM with a tenant data VMDK.

    You can check for malware here if you wish, but since this virtual machine is connected to USB I'd just assume it is compromised and accept that.

    After the transfer, disconnect the tenant data VMDK.

    Transfer: (orange: inspect, trusted, DMZ)

    Mount the 'tenant data VMDK' on the transfer VM.

    Perform all your AV audits, etc. Clean the data as needed.

    Also listen on the network for 'call home' traffic, etc.

    Make sure the transfer zone is intact and clean.

    When you are SURE there are no problems:

    Then transfer the data to the tenant box directly if it is small enough, or unmount the tenant data VMDK.

    Tenant zone (green, trusted, internal)

    Mount the tenant data VMDK on the VM that requires it.

    Connect the application.

    Best regards
    Edward L. Haletky
    VMware communities user moderator, VMware vExpert 2009-2015

    Author of the books 'VMware ESX and ESXi in the Enterprise: Planning Server Virtualization Deployment', Copyright 2011 Pearson Education, and 'VMware vSphere and Virtual Infrastructure Security: Securing the Virtual Environment', Copyright 2009 Pearson Education.

    Virtualization and Cloud Security Analyst: The Virtualization Practice, LLC - vSphere Upgrade Saga - Virtualization Security Round Table Podcast

  • Orchestrator and plugin development

    I need Orchestrator to talk to a number of third-party systems for which no plugin has been developed yet. It's all part of a single VM provisioning process. Should I create a plugin for each system for which no plugin exists, or should I create a giant 'VM provisioning' plugin that can talk to multiple systems?

    It depends; both options have advantages and disadvantages.

    I would go for a plugin-per-system approach because it is more flexible (for example, if a new system appears in the future, you will only need to write a plugin for it and add it to the picture instead of updating the giant fits-them-all plugin).

    You can also consider using the existing Dynamic Types plugin. Initially, you could do rapid prototyping with it and later, when you become more familiar/feel more comfortable with a 3rd-party system's API, implement a 'proper' plugin for it.
