KVM安装部署

kvm简单介绍

KVM，是Keyboard Video Mouse的缩写，KVM 通过直接连接键盘、视频和鼠标 (KVM) 端口，能够访问和控制计算机。KVM 技术无需目标服务器修改软件。这就意味着可以在BIOS环境下，随时访问目标计算机。KVM 提供真正的主板级别访问，并支持多平台服务器和串行设备。KVM 技术已经从最初的基础SOHO办公型，发展成为企业 IT 基础机房设施管理系统。可以从kvm 客户端管理软件轻松的直接访问位于多个远程位置的服务器和设备。KVM over IP 解决方案具备完善的多地点故障转移功能、符合新服务器管理标准 (IPMI) 的直接界面，以及将本地存储媒体映射至远程位置的功能。
KVM 是实现拦截虚机的 I/O 请求的原理：
现代 CPU 本身实现了对特殊指令的截获和重定向的硬件支持，甚至新硬件会提供额外的资源来帮助软件实现对关键硬件资源的虚拟化从而提高性能。以 X86 平台为例，支持虚拟化技术的 CPU 带有特别优化过的指令集来控制虚拟化过程。通过这些指令集，VMM 很容易将客户机置于一种受限制的模式下运行，一旦客户机试图访问物理资源，硬件会暂停客户机运行，将控制权交回给 VMM 处理。VMM 还可以利用硬件的虚级化增强机制，将客户机在受限模式下对一些特定资源的访问，完全由硬件重定向到 VMM 指定的虚拟资源，整个过程不需要暂停客户机的运行和 VMM 的参与。由于虚拟化硬件提供全新的架构，支持操作系统直接在上面运行，无需进行二进制转换，减少了相关的性能开销，极大简化了VMM的设计，使得VMM性能更加强大。从 2005 年开始，Intel 在其处理器产品线中推广 Intel Virtualization Technology 即 IntelVT 技术。
KVM：
首先初始化内部的数据结构；
做好准备后，KVM 模块检测当前的 CPU，然后打开 CPU 控制及存取 CR4 的虚拟化模式开关，并通过执行 VMXON 指令将宿主操作系统置于虚拟化模式的根模式；
最后，KVM 模块创建特殊设备文件 /dev/kvm 并等待来自用户空间的指令。
KVM 的功能列表
KVM 所支持的功能包括：

支持 CPU 和 memory 超分（Overcommit）
支持半虚拟化 I/O （virtio）
支持热插拔 （cpu，块设备、网络设备等）
支持对称多处理（Symmetric Multi-Processing，缩写为 SMP ）
支持实时迁移（Live Migration）
支持 PCI 设备直接分配和 单根 I/O 虚拟化 （SR-IOV）
支持 内核同页合并 （KSM ）
支持 NUMA （Non-Uniform Memory Access，非一致存储访问结构 ）
3. KVM 工具集合
libvirt：操作和管理KVM虚机的虚拟化 API，使用 C 语言编写，可以由 Python,Ruby, Perl, PHP, Java 等语言调用。可以操作包括 KVM，vmware，XEN，Hyper-v, LXC 等在内的多种 Hypervisor。
Virsh：基于 libvirt 的 命令行工具 （CLI）
Virt-Manager：基于 libvirt 的 GUI 工具
virt-v2v：虚机格式迁移工具
virt-* 工具：包括 Virt-install （创建KVM虚机的命令行工具）， Virt-viewer （连接到虚机屏幕的工具），Virt-clone（虚机克隆工具），virt-top 等
sVirt：安全工具
KVM安装
环境：centos 7.7-1908
外网:10.0.0.41
内网: 172.16.1.41
1、关闭防火墙与selinux

[root@ c7-41 ~]# systemctl stop firewalld
[root@ c7-41 ~]# systemctl disable firewalld
[root@ c7-41 ~]# setenforce 0
[root@ c7-41 ~]# sed -i 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config

2、安装依赖

[root@ c7-41 ~]# yum -y install epel-release vim wget net-tools unzip zip gcc gcc-c++

3、配置环境、修改网站访问并发量

[root@ c7-41 ~]# vim /etc/security/limits.conf   ###在末尾添加
* soft nofile 65535
* hard nofile 65535 
[root@ c7-41 ~]# cat /etc/security/limits.conf |grep -w '*' | grep -v '^#'
* soft nofile 65535
* hard nofile 65535

[root@ c7-41 ~]# vim /etc/pam.d/login        ###在末尾添加
session    required     /lib/security/pam_limits.so

[root@ c7-41 ~]# vim /etc/profile                   ###在末尾添加
ulimit -n 65535
[root@ c7-41 ~]# source /etc/profile          ###生效
[root@ c7-41 ~]# ulimit -n
65535
###星号代表全局， soft为软件，hard为硬件，nofile为这里指可打开文件数。

4、验证CPU是否支持KVM；如果结果中有vmx（Intel）或svm(AMD)字样，就说明CPU的支持的
关闭虚拟机设置

[root@ c7-41 ~]# egrep -o 'vmx|svm' /proc/cpuinfo
vmx

5、kvm安装

[root@ c7-41 ~]# yum -y install qemu-kvm qemu-kvm-tools qemu-img virt-manager libvirt libvirt-python libvirt-client virt-install virt-viewer bridge-utils libguestfs-tools

6、启动服务，验证安装结果

[root@ c7-41 ~]# systemctl start libvirtd
[root@ c7-41 ~]# systemctl enable libvirtd
[root@ c7-41 ~]# systemctl status libvirtd
[root@ c7-41 ~]# lsmod|grep kvm
kvm_intel             188644  0
kvm                   621480  1 kvm_intel
irqbypass              13503  1 kvm
[root@ c7-41 ~]# virsh -c qemu:///system list
 Id    Name                           State
----------------------------------------------------
[root@ c7-41 ~]# ln -s /usr/libexec/qemu-kvm /usr/bin/qemu-kvm
[root@ c7-41 ~]# ll /usr/bin/qemu-kvm
lrwxrwxrwx 1 root root 21 May  5 11:16 /usr/bin/qemu-kvm -> /usr/libexec/qemu-kvm

kvm web管理界面安装
kvm 的 web 管理界面是由 webvirtmgr 程序提供的
1.安装依赖

[root@ c7-41 ~]# yum -y install git python-pip libvirt-python libxml2-python python-websockify supervisor nginx python-devel
##升级pip
[root@ c7-41 ~]# pip install --upgrade pip -i https://pypi.tuna.tsinghua.edu.cn/simple   
Collecting pip
  Downloading https://pypi.tuna.tsinghua.edu.cn/packages/54/2e/df11ea7e23e7e761d484ed3740285a34e38548cf2bad2bed3dd5768ec8b9/pip-20.1-py2.py3-none-any.whl (1.5MB)
    100% |████████████████████████████████| 1.5MB 256kB/s
Installing collected packages: pip
  Found existing installation: pip 8.1.2
    Uninstalling pip-8.1.2:
      Successfully uninstalled pip-8.1.2
Successfully installed pip-20.1

pip 20.0.2文档 https://pip.pypa.io/en/stable/user_guide/#config-file
pip是一个很好用的第三方库安装方式，但是默认的源没法连接，就算有时候可以成功率也很低，所以换成国内镜像源比较方便。
将pip源更换到国内镜像

用pip管理工具安装库文件时，默认使用国外的源文件，因此在国内的下载速度会比较慢，可能只有50KB/s。幸好，国内的一些顶级科研机构已经给我们准备好了各种镜像，下载速度可达2MB/s。

临时方法

阿里云 https://mirrors.aliyun.com/pypi/simple/
中国科技大学 https://pypi.mirrors.ustc.edu.cn/simple/
豆瓣(douban) https://pypi.douban.com/simple/ 
清华大学 https://pypi.tuna.tsinghua.edu.cn/simple/
中国科学技术大学 http://pypi.mirrors.ustc.edu.cn/simple/
华中理工大学：http://pypi.hustunique.com/
山东理工大学：http://pypi.sdutlinux.org/

从github上下载webvirtmgr代码

[root@ c7-41 ~]# cd /usr/local/src/
[root@ c7-41 src]# git clone git://github.com/retspen/webvirtmgr.git

检查sqlite3是否安装

[root@ c7-41 webvirtmgr]# python
Python 2.7.5 (default, Aug  7 2019, 00:51:29)
[GCC 4.8.5 20150623 (Red Hat 4.8.5-39)] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import sqlite3
>>> exit()

8、初始化帐号信息

[root@ c7-41 webvirtmgr]# python manage.py syncdb
WARNING:root:No local_settings file found.
Creating tables ...
Creating table auth_permission
Creating table auth_group_permissions
Creating table auth_group
Creating table auth_user_groups
Creating table auth_user_user_permissions
Creating table auth_user
Creating table django_content_type
Creating table django_session
Creating table django_site
Creating table servers_compute
Creating table instance_instance
Creating table create_flavor

You just installed Django's auth system, which means you don't have any superusers defined.
Would you like to create one now? (yes/no): yes  ##是否创建超级管理员帐号
Username (leave blank to use 'root'):  ##回车默认为root
Email address: 1279087939@qq.com  ##设置超级管理员邮箱
Password: 123456       ##设置超级管理员密码
Password (again):123456
Superuser created successfully.
Installing custom SQL ...
Installing indexes ...
Installed 6 object(s) from 1 fixture(s)

拷贝web网页至指定目录

[root@ c7-41 webvirtmgr]# mkdir /var/www
[root@ c7-41 webvirtmgr]# cp -r /usr/local/src/webvirtmgr/ /var/www/
[root@ c7-41 webvirtmgr]# chown -R nginx.nginx /var/www/webvirtmgr/

生成密钥
首次生成直接回车，不是则Overwrite (y/n)? y 选择覆盖
一路回车

[root@ c7-41 webvirtmgr]# ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):  
Created directory '/root/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:FBWgwlyptDF8dem65poTlImt5c1Qm63bf9Mp2WDJGSs root@c7-41
The key's randomart image is:
+---[RSA 2048]----+
|   .  .o+o+o     |
|   o=.o..o.      |
|   .+O.+.=       |
|    +.B.o o  .   |
|     = +So  . =  |
|    . o =  E B   |
|       . +  o +..|
|      ..+ .  ooo.|
|      o=.  ..... |
+----[SHA256]-----+

由于这里webvirtmgr和kvm服务部署在同一台机器，所以这里本地信任。如果kvm部署在其他机器，则需要更换ip

[root@ c7-41 webvirtmgr]# ssh-copy-id 10.0.0.41
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub"
The authenticity of host '10.0.0.41 (10.0.0.41)' can't be established.
ECDSA key fingerprint is SHA256:AxAn8ho/KqTHrRuTeSOokFBDmQK36JAdH49GlnnjoOg.
ECDSA key fingerprint is MD5:57:79:69:72:65:46:7e:04:7d:f5:55:0e:c6:44:65:70.
Are you sure you want to continue connecting (yes/no)? yes     ##yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@10.0.0.41's password:        ##123456

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh '10.0.0.41'"
and check to make sure that only the key(s) you wanted were added.

端口转发，查看

[root@ c7-41 ~]# ssh 10.0.0.41 -L localhost:8000:localhost:8000 -L localhost:6080:localhost:60
Last login: Tue May  5 11:50:04 2020 from 10.0.0.1
[root@ c7-41 ~]# ss -antl
State       Recv-Q Send-Q          Local Address:Port                         Peer Address:Port
LISTEN      0      100                 127.0.0.1:25                                      *:*
LISTEN      0      128                 127.0.0.1:6010                                    *:*
LISTEN      0      128                 127.0.0.1:6080                                    *:*
LISTEN      0      128                 127.0.0.1:8000                                    *:*
LISTEN      0      128                         *:111                                     *:*
LISTEN      0      5               192.168.122.1:53                                      *:*
LISTEN      0      128                         *:22                                      *:*
LISTEN      0      100                     [::1]:25                                   [::]:*
LISTEN      0      128                     [::1]:6010                                 [::]:*
LISTEN      0      128                     [::1]:6080                                 [::]:*
LISTEN      0      128                     [::1]:8000                                 [::]:*
LISTEN      0      128                      [::]:111                                  [::]:*
LISTEN      0      128                      [::]:22                                   [::]:*

配置nginx

[root@ c7-41 ~]# vim /etc/nginx/nginx.conf
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;

include /usr/share/nginx/modules/*.conf;

events {
    worker_connections 1024;
}

http {
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile            on;
    tcp_nopush          on;
    tcp_nodelay         on;
    keepalive_timeout   65;
    types_hash_max_size 2048;

    include             /etc/nginx/mime.types;
    default_type        application/octet-stream;

    include /etc/nginx/conf.d/*.conf;

    server {
        listen       80;
        server_name  localhost;

        include /etc/nginx/default.d/*.conf;

        location / {
                root html;
                index index.html index.htm;
        }

        error_page 404 /404.html;
            location = /40x.html {
        }

        error_page 500 502 503 504 /50x.html;
            location = /50x.html {
        }
    }
}

添加webvirtmgr.conf

[root@ c7-41 ~]# vim /etc/nginx/conf.d/webvirtmgr.conf
server {
listen 80 default_server;

server_name $hostname;
#access_log /var/log/nginx/webvirtmgr_access_log;

location /static/ {
    root /var/www/webvirtmgr/webvirtmgr;
    expires max;
   }

location / {
     proxy_pass http://127.0.0.1:8000;
     proxy_set_header X-Real-IP $remote_addr;
     proxy_set_header X-Forwarded-for $proxy_add_x_forwarded_for;
     proxy_set_header Host $host:$server_port;
     proxy_set_header X-Forwarded-Proto $remote_addr;
     proxy_connect_timeout 600;
     proxy_read_timeout 600;
     proxy_send_timeout 600;
     client_max_body_size 1024M;
   }
}

确保bind绑定的是本机的8000端口

[root@ c7-41 ~]# vim /var/www/webvirtmgr/conf/gunicorn.conf.py
bind = '127.0.0.1:8000'
backlog = 2048

启动nginx

[root@ c7-41 ~]# systemctl start nginx

设置supervisor

[root@ c7-41 ~]# vim /etc/supervisord.conf
##在末尾添加
[program:webvirtmgr]
command=/usr/bin/python2 /var/www/webvirtmgr/manage.py run_gunicorn -c /var/www/webvirtmgr/conf/gunicorn.conf.py
directory=/var/www/webvirtmgr
autostart=true
autorestart=true
logfile=/var/log/supervisor/webvirtmgr.log
log_stderr=true
user=nginx

[program:webvirtmgr-console]
command=/usr/bin/python2 /var/www/webvirtmgr/console/webvirtmgr-console
directory=/var/www/webvirtmgr
autostart=true
autorestart=true
stdout_logfile=/var/log/supervisor/webvirtmgr-console.log
redirect_stderr=true
user=nginx

启动supervisor并设置开机自动启动

[root@ c7-41 ~]# systemctl start supervisord
[root@ c7-41 ~]# systemctl enable supervisord
[root@ c7-41 ~]# systemctl status supervisord

配置nginx用户
未创建nginx用户，所以用su命令赋予它交互式登录的权限

[root@ c7-41 ~]# su - nginx -s /bin/bash
[nginx@ c7-41 ~]$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/var/lib/nginx/.ssh/id_rsa):
Created directory '/var/lib/nginx/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /var/lib/nginx/.ssh/id_rsa.
Your public key has been saved in /var/lib/nginx/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:yx8WDwCmUpIpg+jPDa5/6qPbxr58GIyVBb6sd40tC4A nginx@c7-41
The key's randomart image is:
+---[RSA 2048]----+
|o .+o o          |
|= +o + .         |
|.o..+   .        |
|...=.    .       |
|E.Boo   S o      |
| .o* .+. . +     |
| .ooo+ oo o .    |
| .+=ooo  o .     |
| oBO*.    .      |
+----[SHA256]-----+

[nginx@ c7-41 ~]$ touch ~/.ssh/config && echo -e "StrictHostKeyChecking=no\nUserKnownHostsFile=/dev/null" >>~/.ssh/config
[nginx@ c7-41 ~]$ chmod 0600 ~/.ssh/config
[nginx@ c7-41 ~]$ ssh-copy-id root@10.0.0.41
/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/var/lib/nginx/.ssh/id_rsa.pub"
/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
Warning: Permanently added '10.0.0.41' (ECDSA) to the list of known hosts.
root@10.0.0.41's password:123456

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh 'root@10.0.0.41'"
and check to make sure that only the key(s) you wanted were added.


[nginx@ c7-41 ~]$ exit
logout

[root@ c7-41 ~]# vim /etc/polkit-1/localauthority/50-local.d/50-libvirt-remote-access.pkla
[Remote libvirt SSH access]
Identity=unix-user:root
Action=org.libvirt.unix.manage
ResultAny=yes
ResultInactive=yes
ResultActive=yes
[root@ c7-41 ~]# chown -R root.root /etc/polkit-1/localauthority/50-local.d/50-libvirt-remote-access.pkla
[root@ c7-41 ~]# systemctl restart supervisord
[root@ c7-41 ~]#  systemctl restart libvirtd

kvm web界面管理
浏览器访问：http://10.0.0.41
通过远程连接软件上传ISO镜像文件至存储目录/var/lib/libvirt/images/

[root@ c7-41 ~]# cd /var/lib/libvirt/images
[root@ c7-41 images]# ll
total 4554752
-rw-r--r-- 1 root root 4664066048 May  8 15:03 CentOS-7-x86_64-DVD-1908.iso

在web界面查看ISO镜像文件是否存在
实例管理
实例（虚拟机的创建）
设置在web上访问虚拟机的密码
虚拟机安装
正常的虚拟机安装过程