KVM virtualization
1. Introduction to virtualization
Virtualization is a technique for abstracting and isolating computing resources (servers, storage devices, networks, and so on). It partitions physical resources into multiple logically independent virtual resources, so that several applications or users can share and use them.
Virtualization involves two main roles:
- Hypervisor: the core component of virtualization. It manages and controls the physical resources and provides the runtime environment for virtual machines, partitioning the physical resources into multiple virtual machines and giving each one its own independent execution space.
- Virtual machine (VM): an independent virtual environment created by virtualization, containing virtual computing resources (CPU, memory, disk, network, and so on). Each virtual machine can run a complete operating system and its applications, just like a standalone physical computer.
The advantages of virtualization include:
- Higher resource utilization: physical resources are partitioned into multiple virtual machines that several applications or users share, which raises utilization and reduces hardware cost.
- Flexibility and scalability: virtual machines are easy to create, delete and resize, allowing more flexible allocation and management of resources to meet the needs of different applications.
- Isolation and security: different applications or users are isolated in independent virtual environments, reducing interference and risk between them and improving the security and stability of the system.
- Fault isolation and fault tolerance: virtual machines can be migrated to other physical servers. When a physical server fails, its virtual machines can quickly be restored on another available server, keeping the applications available.
Depending on how the hypervisor is implemented and where it sits, virtualization is divided into two types:
- Full virtualization
- Paravirtualization
Full virtualization
Full virtualization: the operating system and applications running in the virtual machine (VM) need no modification and run directly in the VM. The hypervisor emulates the hardware environment and presents the VM with a complete virtual environment. The VM accesses virtual hardware resources such as CPU, memory, disk and network without needing to know the details of the physical hardware. Full virtualization can support a wide range of operating systems, but because the hardware environment has to be emulated, its performance is comparatively lower.
Paravirtualization
Paravirtualization: the operating system running in the virtual machine must be modified so that it can communicate with the virtualization layer. The VM calls special APIs to access the resources provided by the virtualization layer instead of accessing virtual hardware directly. Paravirtualization can deliver higher performance because the hardware environment does not have to be emulated, but since it requires changes to the operating system it only supports specific operating systems.
In theory:
Full virtualization is usually specially optimized for the hardware's virtualization features and therefore performs better than paravirtualization;
Paravirtualization, being based on an ordinary operating system, is more flexible, for example in supporting nested virtual machines. Nesting means running KVM inside a KVM virtual machine.
2. Introduction to KVM
KVM (Kernel-based Virtual Machine) is an open-source virtualization technology: a full virtualization solution implemented in the Linux kernel. KVM allows multiple virtual machines to run on the same physical server, each with its own independent operating system and applications.
The main features of KVM include:
- Full virtualization support: KVM supports full virtualization and can emulate virtual hardware, giving each VM a complete virtual environment.
- Hardware support: KVM builds on the Linux kernel's hardware support and uses the virtualization extensions of modern processors for better performance and reliability.
- Security: KVM gives each virtual machine its own isolated security environment.
- Management tools: KVM comes with a complete set of management tools for conveniently creating, deleting and managing virtual machines.
- Open source: KVM is open-source software that can be used and modified freely and integrated with other open-source software.
KVM's use cases include:
- Server virtualization: KVM runs multiple virtual machines on one physical server, improving resource utilization and flexibility.
- Cloud computing: KVM can serve as the infrastructure of a cloud computing platform, providing virtualized resources to cloud users.
- Development and testing: KVM provides isolated development and test environments; running multiple VMs on the same physical machine improves development and testing efficiency.
3. KVM deployment
Environment
| System type | IP | Hostname |
|---|---|---|
| RHEL7 | 192.168.37.140 | kvm |
| RHEL7 | 192.168.37.150 | c7 |
The following is performed on the kvm host
//Disable the firewall and SELinux
[root@kvm ~]# systemctl stop firewalld
[root@kvm ~]# systemctl disable firewalld
Removed /etc/systemd/system/multi-user.target.wants/firewalld.service.
Removed /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.
[root@kvm ~]# setenforce 0
[root@kvm ~]# sed -ri 's/^(SELINUX=).*/\1disabled/g' /etc/selinux/config
//Install base packages (used later; they are not hard dependencies of the software)
[root@kvm ~]# yum -y install epel-release vim wget net-tools unzip zip gcc gcc-c++
//Verify that the CPU supports KVM; if the output contains vmx (Intel) or svm (AMD), the CPU supports it
[root@kvm ~]# egrep -o 'vmx|svm' /proc/cpuinfo
svm
svm
svm
svm
svm
svm
svm
svm
//Install KVM
[root@kvm ~]# yum -y install qemu-kvm qemu-kvm-common qemu-img virt-manager libvirt python3-libvirt libvirt-client virt-install virt-viewer bridge-utils libguestfs-tools
//The virtual machines' network is normally on the same segment as the company's other servers, so the KVM server's NIC is configured in bridge mode; the KVM virtual machines then sit on the same segment as the other internal servers through that bridge
[root@kvm ~]# cd /etc/sysconfig/network-scripts/
[root@kvm network-scripts]# ls
ifcfg-br0 ifcfg-ens160
[root@kvm network-scripts]# cat ifcfg-br0
TYPE=Bridge
PROXY_METHOD=none
BROWSER_ONLY=no
BOOTPROTO=none
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_FAILURE_FATAL=no
IPV6_ADDR_GEN_MODE=eui64
NAME=br0
UUID=8e23c9e1-8371-4c51-bb1d-ae42a769f4e6
DEVICE=br0
ONBOOT=yes
IPADDR=192.168.37.140
PREFIX=24
GATEWAY=192.168.37.2
DNS1=8.8.8.8
[root@localhost network-scripts]# cat ifcfg-ens160
TYPE=Ethernet
PROXY_METHOD=none
BROWSER_ONLY=no
BOOTPROTO=none
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_FAILURE_FATAL=no
IPV6_ADDR_GEN_MODE=eui64
NAME=ens160
DEVICE=ens160
ONBOOT=yes
BRIDGE=br0
//Restart the network service, or reboot the machine
//Verify the installation
[root@kvm ~]# lsmod|grep kvm
kvm_amd 147456 0
ccp 110592 1 kvm_amd
kvm 962560 1 kvm_amd
irqbypass 16384 1 kvm
[root@kvm ~]# virsh --version
6.0.0
[root@kvm ~]# virt-install --version
2.2.1
//Create a symlink
[root@kvm ~]# ln -s /usr/libexec/qemu-kvm /usr/bin/qemu-kvm
[root@kvm ~]# which qemu-kvm
/usr/bin/qemu-kvm
[root@kvm ~]# ll /usr/bin/qemu-kvm
lrwxrwxrwx. 1 root root 21 Oct 11 16:02 /usr/bin/qemu-kvm -> /usr/libexec/qemu-kvm
//Show bridge information
[root@kvm ~]# brctl show
bridge name     bridge id               STP enabled     interfaces
br0             8000.000c29486121       no              ens160
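As an added example (not part of the original page), the verification steps above can be gathered into one pre-flight script: it looks for the vmx/svm CPU flag the way the egrep check does, confirms that the kvm core module and the kvm_intel or kvm_amd vendor module are loaded, and confirms that the bridge actually holds the physical interface. The function names and the sample /proc/cpuinfo, lsmod and brctl output used for offline testing are all constructed for this example; with --live it reads the real system instead.

```shell
#!/bin/sh
# Added pre-flight check for a KVM host; example code, not from the original
# page. Each check reads from a file so it can be exercised offline against
# constructed sample output; on a live host the real /proc/cpuinfo and the
# captured output of `lsmod` and `brctl show` are used.

# Print "vmx" (Intel) or "svm" (AMD) if the CPU flags list a virtualization
# extension; return 1 if neither is present.
virt_extension() {
    # $1: path to a /proc/cpuinfo-style file
    ext=$(grep -o -E 'vmx|svm' "$1" | sort -u | head -n 1)
    [ -n "$ext" ] || return 1
    printf '%s\n' "$ext"
}

# Return 0 only if both the kvm core module and a vendor module
# (kvm_intel or kvm_amd) appear in lsmod output.
kvm_modules_loaded() {
    # $1: path to a file holding `lsmod` output
    grep -q -E '^kvm[[:space:]]' "$1" && grep -q -E '^kvm_(intel|amd)[[:space:]]' "$1"
}

# Return 0 if bridge $2 has interface $3 enslaved according to the
# `brctl show` output in file $1. brctl prints additional ports of the same
# bridge on continuation lines that hold only the port name.
bridge_has_iface() {
    awk -v br="$2" -v nic="$3" '
        NR == 1 { next }                                   # header line
        NF >= 4 { cur = $1; if (cur == br && $NF == nic) found = 1; next }
        NF == 3 { cur = $1; next }                         # bridge with no ports
        NF == 1 { if (cur == br && $1 == nic) found = 1 }  # continuation line
        END { exit found ? 0 : 1 }' "$1"
}

# Write constructed sample files (modelled on the outputs shown in this
# tutorial) into a temporary directory and print its path.
make_samples() {
    dir=$(mktemp -d)
    cat > "$dir/cpuinfo" <<'EOF'
processor : 0
flags     : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov svm nx
processor : 1
flags     : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov svm nx
EOF
    cat > "$dir/cpuinfo-novirt" <<'EOF'
processor : 0
flags     : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov nx
EOF
    cat > "$dir/lsmod" <<'EOF'
Module                  Size  Used by
kvm_amd               147456  0
ccp                   110592  1 kvm_amd
kvm                   962560  1 kvm_amd
irqbypass              16384  1 kvm
EOF
    cat > "$dir/brctl" <<'EOF'
bridge name     bridge id               STP enabled     interfaces
br0             8000.000c29486121       no              ens160
                                                        ens192
virbr0          8000.525400aabbcc       yes             virbr0-nic
EOF
    printf '%s\n' "$dir"
}

# Run all checks against the live system (invoked with --live).
kvm_host_check() {
    tmp=$(mktemp -d)
    lsmod > "$tmp/lsmod" && brctl show > "$tmp/brctl" || return 1
    ext=$(virt_extension /proc/cpuinfo) || { echo "no vmx/svm flag in /proc/cpuinfo"; return 1; }
    echo "CPU virtualization extension: $ext"
    kvm_modules_loaded "$tmp/lsmod" || { echo "kvm modules not loaded"; return 1; }
    bridge_has_iface "$tmp/brctl" br0 ens160 || { echo "br0 does not contain ens160"; return 1; }
    rm -rf "$tmp"
    echo "KVM host checks passed"
}

if [ "${1:-}" = "--live" ]; then kvm_host_check; fi
```

Each check is a function that returns a status, so the script can be sourced and single checks reused; the bridge and interface names are the ones from the tutorial and are passed as arguments rather than hard-coded.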
4. Installing the KVM web management interface
The KVM web management interface is provided by the webvirtmgr program.
Run the following on the centos7 host
//Install dependencies
[root@localhost ~]# yum -y install git python-pip libvirt-python libxml2-python python-websockify supervisor nginx python-devel
//Download the webvirtmgr code from GitHub
[root@localhost src]# git clone git://github.com/retspen/webvirtmgr.git
[root@localhost src]# ls
webvirtmgr-master
//Install webvirtmgr
[root@localhost webvirtmgr]# pip install -r requirements.txt
WARNING: Running pip install with root privileges is generally not a good idea. Try `pip3 install --user` instead.
Collecting django==1.5.5 (from -r requirements.txt (line 1))
....
//Check that sqlite3 is installed
[root@localhost webvirtmgr]# python3
Python 3.6.8 (default, Jun 20 2023, 11:53:23)
[GCC 4.8.5 20150623 (Red Hat 4.8.5-44)] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import sqlite3
>>> exit()
//Initialize the account
[root@localhost webvirtmgr]# python manage.py syncdb
WARNING:root:No local_settings file found.
Creating tables ...
Creating table auth_permission
Creating table auth_group_permissions
Creating table auth_group
Creating table auth_user_groups
Creating table auth_user_user_permissions
Creating table auth_user
Creating table django_content_type
Creating table django_session
Creating table django_site
Creating table servers_compute
Creating table instance_instance
Creating table create_flavor
You just installed Django's auth system, which means you don't have any superusers defined.
Would you like to create one now? (yes/no): yes
Username (leave blank to use 'root'): root
Email address: 2453139969@qq.com
Password:
Password (again):
Superuser created successfully.
Installing custom SQL ...
Installing indexes ...
Installed 6 object(s) from 1 fixture(s)
//Copy the web application to the target directory
[root@localhost webvirtmgr]# mkdir /var/www
[root@localhost webvirtmgr]# cp -r /usr/local/src/webvirtmgr /var/www
[root@localhost webvirtmgr]# cd
[root@localhost ~]# chown -R nginx.nginx /usr/local/src/webvirtmgr
//Generate an SSH key pair
[root@localhost ~]# ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Created directory '/root/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:jfFwUTHdVZb7BHrJL0+CZYT+nH8fTBP55khFdLhZB50 root@localhost.localdomain
The key's randomart image is:
+---[RSA 2048]----+
| ..++.*%|
| ...=EB|
| o .. + O+|
| B o Oo+|
| S o B.*+|
| ..O+=|
| .O.|
| =|
| +|
+----[SHA256]-----+
[root@localhost ~]# ssh-copy-id 192.168.37.140
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub"
The authenticity of host '192.168.37.140 (192.168.37.140)' can't be established.
ECDSA key fingerprint is SHA256:yb7KxGiUjTlqeKtT6q2HX9AAqxG+otziJlWWj1VYLJ0.
ECDSA key fingerprint is MD5:06:82:c6:21:58:d6:0f:fb:4d:0d:bf:97:67:e2:79:87.
Are you sure you want to continue connecting (yes/no)? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@192.168.37.140's password:
Permission denied, please try again.
root@192.168.37.140's password:
Number of key(s) added: 1
Now try logging into the machine, with: "ssh '192.168.37.140'"
and check to make sure that only the key(s) you wanted were added.
//Configure port forwarding
[root@localhost ~]# ssh 192.168.37.140 -L localhost:8000:localhost:8000 -L localhost:6080:localhost:6080
Last login: Wed Oct 11 16:46:47 2023 from 192.168.37.150
[root@kvm ~]# ss -antl
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0 128 127.0.0.1:6080 0.0.0.0:*
LISTEN 0 128 127.0.0.1:8000 0.0.0.0:*
LISTEN 0 128 0.0.0.0:111 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 [::1]:6080 [::]:*
LISTEN 0 128 [::1]:8000 [::]:*
LISTEN 0 128 [::]:111 [::]:*
LISTEN 0 128 [::]:22 [::]:*
//Configure nginx
[root@localhost ~]# vim /etc/nginx/nginx.conf
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;
include /usr/share/nginx/modules/*.conf;
events {
    worker_connections 1024;
}
http {
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
    access_log /var/log/nginx/access.log main;
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;
    include /etc/nginx/mime.types;
    default_type application/octet-stream;
    include /etc/nginx/conf.d/*.conf;
    server {
        listen 80;
        server_name localhost;
        include /etc/nginx/default.d/*.conf;
        location / {
            root html;
            index index.html index.htm;
        }
        error_page 404 /404.html;
        location = /40x.html {
        }
        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
        }
    }
}
[root@localhost ~]# vim /etc/nginx/conf.d/webvirtmgr.conf
server {
    listen 80 default_server;
    server_name $hostname;
    #access_log /var/log/nginx/webvirtmgr_access_log;
    location /static/ {
        root /var/www/webvirtmgr/webvirtmgr;
        expires max;
    }
    location / {
        proxy_pass http://127.0.0.1:8000;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $host:$server_port;
        # X-Forwarded-Proto carries the request scheme (http/https), not the client address
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_connect_timeout 600;
        proxy_read_timeout 600;
        proxy_send_timeout 600;
        client_max_body_size 1024M;
    }
}
//Make sure bind points at port 8000 on this host
[root@localhost ~]# vim /var/www/webvirtmgr/conf/gunicorn.conf.py
..... (lines above omitted)
bind = '0.0.0.0:8000'  # make sure this binds port 8000 on this host: it is the upstream port that the nginx configuration proxies to
backlog = 2048
..... (lines below omitted)
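The nginx configuration above proxies only to 127.0.0.1:8000, so gunicorn does not need to be reachable on 0.0.0.0; with the firewall disabled, a bind on all interfaces leaves port 8000 (and the console's 6080, if bound the same way) reachable directly from the network, bypassing nginx. The following added example, which is not from the page or from webvirtmgr, parses ss -antl output of the form shown earlier to flag non-loopback listeners on those ports, reads the bind setting out of gunicorn.conf.py, and rewrites it to the loopback address. The function names and the sample ss and gunicorn.conf.py content are constructed for this example.

```shell
#!/bin/sh
# Added example, not part of the original page or of webvirtmgr. nginx in this
# setup proxies to 127.0.0.1:8000, so gunicorn only needs the loopback address;
# bind = '0.0.0.0:8000' also makes the application reachable directly on every
# interface. The helpers below audit the listening sockets and the gunicorn bind
# setting and switch the bind to loopback.

# Print the value of the `bind = '...'` line in gunicorn.conf.py ($1).
gunicorn_bind() {
    sed -n "s/^bind *= *['\"]\([^'\"]*\)['\"].*/\1/p" "$1"
}

# Return 0 if a host:port bind address is loopback-only.
bind_is_loopback() {
    case "$1" in
        127.*|localhost:*|"[::1]:"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Rewrite a 0.0.0.0 bind in gunicorn.conf.py ($1) to 127.0.0.1, keeping the port.
set_loopback_bind() {
    tmp=$(mktemp)
    sed "s/^\(bind *= *['\"]\)0\.0\.0\.0:/\1127.0.0.1:/" "$1" > "$tmp" && mv "$tmp" "$1"
}

# From `ss -antl` output in file $1, print LISTEN sockets on the given ports
# ($2...) whose local address is not loopback, i.e. reachable from the network.
exposed_listeners() {
    file=$1; shift
    awk -v ports="$*" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
        $1 == "LISTEN" {
            addr = $4                           # "Local Address:Port" column
            i = match(addr, /:[0-9]+$/)         # split at the last colon
            port = substr(addr, i + 1)
            host = substr(addr, 1, i - 1)
            if (!(port in want)) next
            if (host ~ /^127\./ || host == "[::1]") next
            print addr
        }' "$file"
}

# Constructed sample files modelled on the outputs shown in this tutorial,
# with gunicorn bound to all interfaces as in the page's gunicorn.conf.py.
make_samples() {
    dir=$(mktemp -d)
    cat > "$dir/gunicorn.conf.py" <<'EOF'
import multiprocessing
bind = '0.0.0.0:8000'
backlog = 2048
EOF
    cat > "$dir/ss" <<'EOF'
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    127.0.0.1:6080     0.0.0.0:*
LISTEN 0      128    0.0.0.0:8000       0.0.0.0:*
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      128    [::1]:6080         [::]:*
LISTEN 0      128    [::]:8000          [::]:*
EOF
    printf '%s\n' "$dir"
}

# Live audit of this host (run with --live [path-to-gunicorn.conf.py]):
# report exposed sockets and move the gunicorn bind to loopback.
audit_webvirtmgr_host() {
    conf=${1:-/var/www/webvirtmgr/conf/gunicorn.conf.py}
    tmp=$(mktemp)
    ss -antl > "$tmp"
    exposed_listeners "$tmp" 8000 6080 | sed 's/^/exposed listener: /'
    if ! bind_is_loopback "$(gunicorn_bind "$conf")"; then
        set_loopback_bind "$conf" && echo "bind changed to $(gunicorn_bind "$conf"); restart the supervisor program"
    fi
    rm -f "$tmp"
}

if [ "${1:-}" = "--live" ]; then audit_webvirtmgr_host "${2:-}"; fi
```

After changing the bind, restart the webvirtmgr program under supervisor so gunicorn picks up the new address; nginx keeps working unchanged because it already talks to 127.0.0.1:8000.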
//Configure supervisor
[root@localhost ~]# vim /etc/supervisord.conf
..... (existing content above omitted; append the following at the end of the file)
[program:webvirtmgr]
command=/usr/bin/python2 /var/www/webvirtmgr/manage.py run_gunicorn -c /var/www/webvirtmgr/conf/gunicorn.conf.py
directory=/var/www/webvirtmgr
autostart=true
autorestart=true
stdout_logfile=/var/log/supervisor/webvirtmgr.log
redirect_stderr=true
user=nginx
[program:webvirtmgr-console]
command=/usr/bin/python2 /var/www/webvirtmgr/console/webvirtmgr-console
directory=/var/www/webvirtmgr
autostart=true
autorestart=true
stdout_logfile=/var/log/supervisor/webvirtmgr-console.log
redirect_stderr=true
user=nginx
//Set up the nginx user
[root@localhost ~]# su - nginx -s /bin/bash
-bash-4.2$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/var/lib/nginx/.ssh/id_rsa):
Created directory '/var/lib/nginx/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /var/lib/nginx/.ssh/id_rsa.
Your public key has been saved in /var/lib/nginx/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:/U9Zq0COVI7QZpGQP440GrklloFlNHB9+v9wro1YA7U nginx@localhost.localdomain
The key's randomart image is:
+---[RSA 2048]----+
| .=*..o.. |
| .o..o.o. |
| +.++ o |
| * =++= . |
| . B S+oE .|
| o ..o=. o.|
| ..*..o. |
| o.Oo. |
| . oo=. |
+----[SHA256]-----+
-bash-4.2$ touch ~/.ssh/config && echo -e "StrictHostKeyChecking=no\nUserKnownHostsFile=/dev/null" >> ~/.ssh/config
-bash-4.2$ chmod 0600 ~/.ssh/config
-bash-4.2$ ssh-copy-id root@192.168.37.140
/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/var/lib/nginx/.ssh/id_rsa.pub"
/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
Warning: Permanently added '192.168.37.140' (ECDSA) to the list of known hosts.
root@192.168.37.140's password:
Number of key(s) added: 1
Now try logging into the machine, with: "ssh 'root@192.168.37.140'"
and check to make sure that only the key(s) you wanted were added.
-bash-4.2$ exit
logout
[root@localhost ~]# vim /etc/polkit-1/localauthority/50-local.d/50-libvirt-remote-access.pkla
[Remote libvirt SSH access]
Identity=unix-user:root
Action=org.libvirt.unix.manage
ResultAny=yes
ResultInactive=yes
ResultActive=yes
[root@localhost ~]# chown -R root.root /etc/polkit-1/localauthority/50-local.d/50-libvirt-remote-access.pkla
[root@localhost ~]# systemctl restart nginx
//Run this command on the kvm host
[root@kvm ~]# systemctl restart libvirtd
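ssh-copy-id writes the nginx user's key into root's authorized_keys on the KVM host with no options, so that key is accepted from any client address. As an added example (not from the page or from webvirtmgr), the helpers below build an authorized_keys entry restricted with OpenSSH's from= option to the webvirtmgr host (192.168.37.150 in the environment table), install it idempotently, and list entries in an authorized_keys file that carry no restriction at all. The function names, the key material and the sample authorized_keys content are constructed placeholders.

```shell
#!/bin/sh
# Added example, not part of the original page or of webvirtmgr. ssh-copy-id
# installs the nginx user's key into root's authorized_keys on the KVM host
# with no options, so the key is accepted from any client address. These
# helpers build an entry restricted with OpenSSH's from= option to the
# webvirtmgr host, install it idempotently, and list keys that carry no
# restriction. The key material below is a constructed placeholder.

# Print an authorized_keys line for the public key in file $1, restricted to
# the client address pattern(s) in $2 (comma-separated, as sshd's from= expects).
restricted_key_line() {
    key=$(head -n 1 "$1")
    printf 'from="%s" %s\n' "$2" "$key"
}

# Append the restricted entry for key file $1 (pattern $2) to authorized_keys
# file $3 unless that key material is already present.
install_restricted_key() {
    keymat=$(awk '{ print $2 }' "$1")
    if [ -f "$3" ] && grep -q -F "$keymat" "$3"; then
        return 0
    fi
    restricted_key_line "$1" "$2" >> "$3"
    chmod 600 "$3"
}

# List the comment field of every entry in authorized_keys file $1 that has no
# options at all (the line starts directly with the key type).
unrestricted_keys() {
    grep -E '^(sk-)?(ssh-(rsa|ed25519|dss)|ecdsa-sha2-nistp[0-9]+)(@openssh\.com)?[[:space:]]' "$1" \
        | awk '{ print ($3 != "" ? $3 : "(no comment)") }'
}

# Constructed sample key and authorized_keys file for offline use.
make_samples() {
    dir=$(mktemp -d)
    printf '%s\n' 'ssh-rsa AAAAB3NzaC1yc2EXAMPLEKEY nginx@localhost.localdomain' > "$dir/id_rsa.pub"
    cat > "$dir/authorized_keys" <<'EOF'
# restricted to the management network
from="192.168.37.0/24" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5SAMPLEOPS ops@bastion
ssh-rsa AAAAB3NzaC1yc2ESAMPLEADMIN admin@laptop
EOF
    printf '%s\n' "$dir"
}

# Live use on the KVM host (as root, after copying the nginx user's
# /var/lib/nginx/.ssh/id_rsa.pub over):
#   sh <this script> --live /tmp/nginx_id_rsa.pub 192.168.37.150
if [ "${1:-}" = "--live" ]; then
    install_restricted_key "$2" "$3" /root/.ssh/authorized_keys
    echo "unrestricted keys in /root/.ssh/authorized_keys:"
    unrestricted_keys /root/.ssh/authorized_keys
fi
```

The from= pattern is matched by sshd against the connecting client's address, so the webvirtmgr host keeps its libvirt-over-SSH access while the same key presented from elsewhere is refused; unrestricted_keys gives a quick audit of what else in root's authorized_keys still has no such limit.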
5. Managing KVM through the web interface
Enter the administrator password set when running python manage.py syncdb
Select the same IP as the kvm host here
Click here
Upload the image to the specified directory
Refresh
Install Linux
The VM can reach the external network
Try an SSH connection
Connection succeeded