KVM虚拟化

1. 虚拟化介绍

虚拟化是云计算的基础。简单的说，虚拟化使得在一台物理的服务器上可以跑多台虚拟机，虚拟机共享物理机的 CPU、内存、IO 硬件资源，但逻辑上虚拟机之间是相互隔离的。

物理机我们一般称为宿主机（Host），宿主机上面的虚拟机称为客户机（Guest）。

根据 Hypervisor 的实现方式和所处的位置，虚拟化又分为两种：

• 全虚拟化
• 半虚拟化

全虚拟化：
Hypervisor 直接安装在物理机上，多个虚拟机在 Hypervisor 上运行。Hypervisor 实现方式一般是一个特殊定制的 Linux 系统。Xen 和 VMWare 的 ESXi 都属于这个类型

半虚拟化：

理论上讲：

2. kvm介绍

那 IO 的虚拟化，比如存储和网络设备则是由 Linux 内核与Qemu来实现。

作为一个 Hypervisor，KVM 本身只关注虚拟机调度和内存管理这两个方面。IO 外设的任务交给 Linux 内核和 Qemu。

大家在网上看 KVM 相关文章的时候肯定经常会看到 Libvirt 这个东西。

Libvirt 就是 KVM 的管理工具。

其实，Libvirt 除了能管理 KVM 这种 Hypervisor，还能管理 Xen，VirtualBox 等。

Libvirt 包含 3 个东西：后台 daemon 程序 libvirtd、API 库和命令行工具 virsh

• libvirtd是服务程序，接收和处理 API 请求；
• API 库使得其他人可以开发基于 Libvirt 的高级工具，比如 virt-manager，这是个图形化的 KVM 管理工具；
• virsh 是我们经常要用的 KVM 命令行工具

3. kvm部署

环境说明：

IP：192.168.157.99

3.1 kvm安装

部署前请确保你的CPU虚拟化功能已开启。分为两种情况：

• 虚拟机要关机设置CPU虚拟化
• 物理机要在BIOS里开启CPU虚拟化

//关闭防火墙与selinux

 [root@mp ~]# systemctl stop firewalld [root@mp ~]# systemctl disable firewalld Removed symlink /etc/systemd/system/multi-user.target.wants/firewalld.service. Removed symlink /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service. [root@mp ~]# setenforce 0 [root@mp ~]# sed -ri 's/^(SELINUX=).*/\1disabled/g' /etc/selinux/config //这一步十分重要！！！ 

//配置网络源

 [root@mp yum.repos.d]# curl -o /etc/yum.repos.d/CentOS7-Base-163.repo http://mirrors.163.com/.help/CentOS7-Base-163.repo [root@mp ~]# sed -i 's/\$releasever/7/g' /etc/yum.repos.d/CentOS7-Base-163.repo [root@mp ~]# sed -i 's/^enabled=.*/enabled=1/g' /etc/yum.repos.d/CentOS7-Base-163.repo [root@mp ~]# yum -y install epel-release vim wget net-tools unzip zip gcc gcc-c++ 安装过程略..... 

//验证CPU是否支持KVM；如果结果中有vmx（Intel）或svm(AMD)字样，就说明CPU的支持的

 [root@mp ~]# egrep -o 'vmx|svm' /proc/cpuinfo vmx vmx vmx vmx 

//kvm安装

 [root@mp ~]# yum -y install qemu-kvm qemu-kvm-tools qemu-img virt-manager libvirt libvirt-python libvirt-client virt-install virt-viewer bridge-utils libguestfs-tools //安装过程省略...... 

//因为虚拟机中网络，我们一般都是和公司的其他服务器是同一个网段，所以我们需要把 KVM服务器的网卡配置成桥接模式。这样的话KVM的虚拟机就可以通过该桥接网卡和公司内部 其他服务器处于同一网段

//此处我的网卡是ens32，所以用br0来桥接ens32网卡

 //对应修改或者添加以下内容即可 [root@mp ~]# vim /etc/sysconfig/network-scripts/ifcfg-br0 TYPE=Bridge DEVICE=br0 NM_CONTROLLED=no BOOTPROTO=static NAME=br0 ONBOOT=yes IPADDR=192.168.157.99 NETMASK=255.255.255.0 GATEWAY=192.168.157.2 DNS1=8.8.8.8 //保留以下内容即可 [root@mp ~]# vim /etc/sysconfig/network-scripts/ifcfg-ens32 TYPE=Ethernet BOOTPROTO=static NAME=ens33 DEVICE=ens33 ONBOOT=yes BRIDGE=br0 NM_CONTROLLED=no [root@mp ~]# systemctl restart network [root@mp ~]# ip a 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo valid_lft forever preferred_lft forever inet6 ::1/128 scope host valid_lft forever preferred_lft forever 2: ens32: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master br0 state UP qlen 1000 link/ether 00:0c:29:93:a6:6c brd ff:ff:ff:ff:ff:ff inet6 fe80::20c:29ff:fe93:a66c/64 scope link valid_lft forever preferred_lft forever 3: ens35: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000 link/ether 00:0c:29:93:a6:76 brd ff:ff:ff:ff:ff:ff 4: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000 link/ether 00:0c:29:93:a6:6c brd ff:ff:ff:ff:ff:ff inet 192.168.157.99/24 brd 192.168.157.255 scope global br0 valid_lft forever preferred_lft forever inet6 fe80::20c:29ff:fe93:a66c/64 scope link valid_lft forever preferred_lft forever 

//启动服务

 [root@mp ~]# systemctl start libvirtd [root@mp ~]# systemctl enable libvirtd 

//验证安装结果

 [root@mp ~]# lsmod|grep kvm kvm_intel  0 kvm  1 kvm_intel irqbypass 13503 1 kvm 

//测试并验证安装结果

 [root@mp ~]# virsh -c qemu:///system list Id 名称 状态 ---------------------------------------------------- [root@mp ~]# virsh --version 4.5.0 [root@mp ~]# virt-install --version 1.5.0 [root@mp ~]# ln -s /usr/libexec/qemu-kvm /usr/bin/qemu-kvm [root@mp ~]# ll /usr/bin/qemu-kvm lrwxrwxrwx. 1 root root 21 3月 14 14:17 /usr/bin/qemu-kvm -> /usr/libexec/qemu-kvm [root@mp ~]# lsmod |grep kvm kvm_intel  0 kvm  1 kvm_intel irqbypass 13503 1 kvm 

//查看网桥信息

 [root@mp ~]# brctl show bridge name bridge id STP enabled interfaces br0 8000.000c2993a66c no ens32 virbr0 8000.df26a yes virbr0-nic 

3.2 kvm web管理界面安装

kvm 的 web 管理界面是由 webvirtmgr 程序提供的。

//安装依赖包

 [root@mp ~]# yum -y install git python-pip libvirt-python libxml2-python python-websockify supervisor nginx python-devel 

//升级pip

 [root@mp ~]# pip install --upgrade pip //过程省略...... 

//从github上下载webvirtmgr代码

 [root@mp ~]# cd /usr/local/src/ [root@mp src]# git clone git://github.com/retspen/webvirtmgr.git 正克隆到 'webvirtmgr'... remote: Enumerating objects: 5614, done. remote: Total 5614 (delta 0), reused 0 (delta 0), pack-reused 561 接收对象中: 100% (5614/5614), 2.98 MiB | 1011.00 KiB/s, done. 处理 delta 中: 100% (3602/3602), done. 

//安装webvirtmgr

 [root@mp src]# cd webvirtmgr/ [root@mp webvirtmgr]# pip install -r requirements.txt DEPRECATION: Python 2.7 will reach the end of its life on January 1st, 2020. Please upgrade your Python as Python 2.7 won't be maintained after that date. A future version of pip will drop support for Python 2.7. //安装过程省略...... 

//检查sqlite3是否安装

 [root@mp webvirtmgr]# python Python 2.7.5 (default, Oct 30 2018, 23:45:53) [GCC 4.8.5  (Red Hat 4.8.5-36)] on linux2 Type "help", "copyright", "credits" or "license" for more information. >>> import sqlite3 >>> exit() 

//初始化帐号信息

 [root@kvm webvirtmgr]# python manage.py syncdb WARNING:root:No local_settings file found. Creating tables ... Creating table auth_permission Creating table auth_group_permissions Creating table auth_group Creating table auth_user_groups Creating table auth_user_user_permissions Creating table auth_user Creating table django_content_type Creating table django_session Creating table django_site Creating table servers_compute Creating table instance_instance Creating table create_flavor You just installed Django's auth system, which means you don't have any superusers defined. Would you like to create one now? (yes/no): yes //问你是否创建超级管理员帐号 Username (leave blank to use 'root'): //指定超级管理员帐号用户名，默认留空为root Email address: bebejo@126.com //设置超级管理员邮箱 Password:1 //设置超级管理员密码 Password (again):1 //再次输入超级管理员密码 Superuser created successfully. Installing custom SQL ... Installing indexes ... Installed 6 object(s) from 1 fixture(s) 

//拷贝web网页至指定目录

 [root@mp webvirtmgr]# mkdir /var/www [root@mp webvirtmgr]# cp -r /usr/local/src/webvirtmgr/ /var/www/ [root@mp webvirtmgr]# chown -R nginx.nginx /var/www/webvirtmgr/ 

//生成密钥

 //全部保持默认，回车即可 [root@mp ~]# ssh-keygen -t rsa Generating public/private rsa key pair. Enter file in which to save the key (/root/.ssh/id_rsa): Created directory '/root/.ssh'. Enter passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saved in /root/.ssh/id_rsa. Your public key has been saved in /root/.ssh/id_rsa.pub. The key fingerprint is: SHA256:3/LDSmdcrWbrJxAXtt9HJD13UKlz4lTbYrCqzUNVkWQ root@mp The key's randomart image is: +---[RSA 2048]----+ | .E*o| | ..*+=| | =o=*| | +==+o| | S oo+=+o| | .oo.o .+| | =+.=.+ .| | ..+=oo...| | .o.ooo | +----[SHA256]-----+ 

//由于这里webvirtmgr和kvm服务部署在同一台机器，所以这里本地信任。如果kvm部署在其他机器，那么这个是它的ip

 [root@mp ~]# ssh-copy-id 192.168.157.99 /usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub" The authenticity of host '192.168.157.99 (192.168.157.99)' can't be established. ECDSA key fingerprint is SHA256:I20VCudXLSb+D75FPy0SjjexuAhmPkhN8hO4DZFjaT8. ECDSA key fingerprint is MD5:f2:04:78:0f:b3:30:ae:12:66:05:85:97:e6:ab:80:15. Are you sure you want to continue connecting (yes/no)? yes /usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed /usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys root@192.168.157.99's password: Number of key(s) added: 1 Now try logging into the machine, with: "ssh '192.168.157.99'" and check to make sure that only the key(s) you wanted were added. 

//端口转发

 [root@mp ~]# ssh 192.168.157.99 -L localhost:8000:localhost:8000 -L localhost:6080:localhost:60 Last login: Fri Mar 15 02:23:10 2019 from 192.168.157.1 [root@mp ~]# ss -antl State Recv-Q Send-Q Local Address:Port Peer Address:Port LISTEN 0 128 *:111 *:* LISTEN 0 5 192.168.122.1:53 *:* LISTEN 0 128 *:22 *:* LISTEN 0 100 127.0.0.1:25 *:* LISTEN 0 128 127.0.0.1:6080 *:* LISTEN 0 128 127.0.0.1:8000 *:* LISTEN 0 128 :::111 :::* LISTEN 0 128 :::22 :::* LISTEN 0 100 ::1:25 :::* LISTEN 0 128 ::1:6080 :::* LISTEN 0 128 ::1:8000 :::* 

//配置nginx

 [root@mp ~]# vim /etc/nginx/nginx.conf [root@kvm ~]# vim /etc/nginx/nginx.conf user nginx; worker_processes auto; error_log /var/log/nginx/error.log; pid /run/nginx.pid; include /usr/share/nginx/modules/*.conf; events { worker_connections 1024; } http { log_format main '$remote_addr - $remote_user [$time_local] "$request" ' '$status $body_bytes_sent "$http_referer" ' '"$http_user_agent" "$http_x_forwarded_for"'; access_log /var/log/nginx/access.log main; sendfile on; tcp_nopush on; tcp_nodelay on; keepalive_timeout 65; types_hash_max_size 2048; include /etc/nginx/mime.types; default_type application/octet-stream; include /etc/nginx/conf.d/*.conf; server { listen 80; server_name localhost; include /etc/nginx/default.d/*.conf; location / { root html; index index.html index.htm; } error_page 404 /404.html; location = /40x.html { } error_page 500 502 503 504 /50x.html; location = /50x.html { } } } 

 [root@mp ~]# vim /etc/nginx/conf.d/webvirtmgr.conf server { 
    listen 80 default_server; server_name $hostname; #access_log /var/log/nginx/webvirtmgr_access_log; location /static/ { 
    root /var/www/webvirtmgr/webvirtmgr; expires max; } location / { 
    proxy_pass http://127.0.0.1:8000; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-for $proxy_add_x_forwarded_for; proxy_set_header Host $host:$server_port; proxy_set_header X-Forwarded-Proto $remote_addr; proxy_connect_timeout 600; proxy_read_timeout 600; proxy_send_timeout 600; client_max_body_size 1024M; } } 

//确保bind绑定的是本机的8000端口

 [root@mp ~]# vim /var/www/webvirtmgr/conf/gunicorn.conf.py .....此处省略N行 bind = '0.0.0.0:8000' //确保此处绑定的是本机的8000端口，这个在nginx配置中定义了，被代理的端口 backlog = 2048 .....此处省略N行 

//重启nginx

 [root@mp ~]# systemctl start nginx [root@mp ~]# ss -antl State Recv-Q Send-Q Local Address:Port Peer Address:Port LISTEN 0 128 *:111 *:* LISTEN 0 128 *:80 *:* LISTEN 0 5 192.168.122.1:53 *:* LISTEN 0 128 *:22 *:* LISTEN 0 100 127.0.0.1:25 *:* LISTEN 0 128 127.0.0.1:6080 *:* LISTEN 0 128 127.0.0.1:8000 *:* LISTEN 0 128 :::111 :::* LISTEN 0 128 :::22 :::* LISTEN 0 100 ::1:25 :::* LISTEN 0 128 ::1:6080 :::* LISTEN 0 128 ::1:8000 :::* 

//设置supervisor

 [root@mp ~]# vim /etc/supervisord.conf //.....此处省略上面的内容，在文件最后加上以下内容 [program:webvirtmgr] command=/usr/bin/python2 /var/www/webvirtmgr/manage.py run_gunicorn -c /var/www/webvirtmgr/conf/gunicorn.conf.py directory=/var/www/webvirtmgr autostart=true autorestart=true logfile=/var/log/supervisor/webvirtmgr.log log_stderr=true user=nginx [program:webvirtmgr-console] command=/usr/bin/python2 /var/www/webvirtmgr/console/webvirtmgr-console directory=/var/www/webvirtmgr autostart=true autorestart=true stdout_logfile=/var/log/supervisor/webvirtmgr-console.log redirect_stderr=true user=nginx 

//启动supervisor并设置开机自动启动

 [root@mp ~]# systemctl start supervisord [root@mp ~]# systemctl enable supervisord Created symlink from /etc/systemd/system/multi-user.target.wants/supervisord.service to /usr/lib/systemd/system/supervisord.service. [root@mp ~]# systemctl status supervisord ● supervisord.service - Process Monitoring and Control Daemon Loaded: loaded (/usr/lib/systemd/system/supervisord.service; enabled; vendor preset: disabled) Active: active (running) since 五 2019-03-15 03:06:19 CST; 20s ago Main PID: 3326 (supervisord) CGroup: /system.slice/supervisord.service └─3326 /usr/bin/python /usr/bin/supervisord -c /etc/supervisor... 3月 15 03:06:18 mp systemd[1]: Starting Process Monitoring and Control..... 3月 15 03:06:19 mp systemd[1]: Started Process Monitoring and Control ...n. Hint: Some lines were ellipsized, use -l to show in full. [root@mp ~]# ss -antl State Recv-Q Send-Q Local Address:Port Peer Address:Port LISTEN 0 128 *:111 *:* LISTEN 0 128 *:80 *:* LISTEN 0 5 192.168.122.1:53 *:* LISTEN 0 128 *:22 *:* LISTEN 0 100 127.0.0.1:25 *:* LISTEN 0 128 127.0.0.1:6080 *:* LISTEN 0 128 127.0.0.1:8000 *:* LISTEN 0 128 :::111 :::* LISTEN 0 128 :::22 :::* LISTEN 0 100 ::1:25 :::* LISTEN 0 128 ::1:6080 :::* LISTEN 0 128 ::1:8000 :::* 

//配置nginx用户

 //未创建nginx用户，所以用su命令赋予它交互式登录的权限 [root@mp ~]# su - nginx -s /bin/bash -bash-4.2$ ssh-keygen -t rsa //全部保持默认，回车即可，密码除外。 Generating public/private rsa key pair. Enter file in which to save the key (/var/lib/nginx/.ssh/id_rsa): Created directory '/var/lib/nginx/.ssh'. Enter passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saved in /var/lib/nginx/.ssh/id_rsa. Your public key has been saved in /var/lib/nginx/.ssh/id_rsa.pub. The key fingerprint is: SHA256:86tvVfX2z7hqCHz/rqVUKMQPReWO26hNWlpZaZOTOgg nginx@mp The key's randomart image is: +---[RSA 2048]----+ | .o.. | | . . . .| | + ...| | . o +.+o| | .E . +.@..| | o+.o.X o.| | oo+@ oo.| | o@o+. o| | .+*.==+. | +----[SHA256]-----+ -bash-4.2$ touch ~/.ssh/config && echo -e "StrictHostKeyChecking=no\nUserKnownHostsFile=/dev/null" >> ~/.ssh/config -bash-4.2$ chmod 0600 ~/.ssh/config -bash-4.2$ ssh-copy-id root@192.168.157.99 /bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/var/lib/nginx/.ssh/id_rsa.pub" /bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed /bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys Warning: Permanently added '192.168.157.99' (ECDSA) to the list of known hosts. root@192.168.157.99's password: Number of key(s) added: 1 Now try logging into the machine, with: "ssh 'root@192.168.157.99'" and check to make sure that only the key(s) you wanted were added. -bash-4.2$ exit 登出 [root@mp ~]# vim /etc/polkit-1/localauthority/50-local.d/50-libvirt-remote-access.pkla [Remote libvirt SSH access] Identity=unix-user:root Action=org.libvirt.unix.manage ResultAny=yes ResultInactive=yes ResultActive=yes [root@mp ~]# chown -R root.root /etc/polkit-1/localauthority/50-local.d/50-libvirt-remote-access.pkla [root@mp ~]# systemctl restart nginx [root@mp ~]# systemctl restart libvirtd 

3.3 kvm web界面管理

通过ip地址在浏览器上访问kvm，例如我这里就是：http://192.168.157.99

此处的用户为：root
密码为：执行python manage syncdb时设置的超级管理员密码

此处的Label要与下面的FQDN / IP一致！

点击上方的IP地址，不是点击Host：192.168.157.99

3.3.2 kvm存储管理

//创建存储

点击New Storage

进入存储
点击default

池路径 /var/lib/libvirt/images：磁盘镜像ISO文件存储的位置

//通过远程连接软件上传ISO镜像文件至存储目录/var/lib/libvirt/images/

[root@mp ~]# cd /var/lib/libvirt/images/ [root@mp images]# ll 总用量  -rw-r--r-- 1 root root  3月 15 03:50 rhel-server-7.4-x86_64-dvd.iso 

//在web界面查看ISO镜像文件是否存在

//创建系统安装镜像

//添加成功如下图

3.3.3 kvm网络管理

点击New Network

3.3.4 实例管理

实例（虚拟机的创建）

//虚拟机插入光盘

//设置在web上访问虚拟机的密码

//启动虚拟机

//虚拟机安装

此步骤为虚拟机的安装步骤，不再阐述

4. 所遇问题

4.1 故障一

第一次通过web访问kvm时可能会一直访问不了，一直转圈，而命令行界面一直报错(too many open files)

 永久生效方法： 修改/etc/security/limits.conf，在文件底部添加： * soft nofile  * hard nofile  星号代表全局， soft为软件，hard为硬件，nofile为这里指可打开文件数。 另外，要使limits.conf文件配置生效，必须要确保 pam_limits.so 文件被加入到启动文件中。 查看 /etc/pam.d/login 文件中有： session required /lib/security/pam_limits.so 

4.2 故障二

 [root@mp ~]# ll /etc/rc.local lrwxrwxrwx. 1 root root 13 Aug 6 2018 /etc/rc.local -> rc.d/rc.local [root@mp ~]# ll /etc/rc.d/rc.local -rw-r--r-- 1 root root 513 Mar 11 22:35 /etc/rc.d/rc.local [root@mp ~]# chmod +x /etc/rc.d/rc.local [root@mp ~]# ll /etc/rc.d/rc.local -rwxr-xr-x 1 root root 513 Mar 11 22:35 /etc/rc.d/rc.local [root@mp ~]# vim /etc/rc.d/rc.local ......此处省略N行 # that this script will be executed during boot. touch /var/lock/subsys/local nohup novnc_server 172.16.12.128:5920 & [root@mp ~]# . /etc/rc.d/rc.local