kvm部署

简介
KVM，是Keyboard Video Mouse的缩写，KVM 通过直接连接键盘、视频或鼠标 (KVM)端口，能够访问和控制计算机。KVM技术无需目标服务器修改软件。这就意味着可以在BIOS环境下，随时访问目标计算机。KVM 提供真正的主板级别访问，并支持多平台服务器和串行设备。KVM 技术已经从最初的基础SOHO办公型，发展成为企业 IT 基础机房设施管理系统。可以从kvm 客户端管理软件轻松的直接访问位于多个远程位置的服务器和设备。KVM over IP 解决方案具备完善的多地点故障转移功能、符合新服务器管理标准 (IPMI) 的直接界面，以及将本地存储媒体映射至远程位置的功能。

KVM代表着键盘、鼠标和显示器，即利用一组键盘、显示器或鼠标实现对多台设备的控制，在远程调度监控方面发挥着重要作用。KVM技术可以向远程终端发送调度信息网中的各项数据资料，为下一级调度机构提供方便，这样即便下级调度机构没有建立调度数据网，也能够实现信息的共享。

多计算机切换器KVM）以多主机切换技术为依据，借助一组键盘或鼠标和显示器完成多台服务器之间的切换，进而节省空间，降低成本，使得管理更为简易方便，以提升工作效率。该技术具有很多优点，应用十分广泛。首先，在整个机房管理中，改变了传统的一对一的控制方式，而采用了一对多的管理方式，有利于节省空间、提高工作效率；其次，主机系统的安全性能得到了很大提升，而且具备了长距离的传输能力，在与远程用户相连接时，安全性能得到良好的保证；在服务器较多的情况下，通过数字交换机与其他服务器相连，并能与远程相连，可同时对本地和远程进行控制。在一些大型系统的解决方案中，可使用具有模拟交换机矩阵功能的大型模块系统，能够满足终端用户同时对上百台甚至更多服务器的访问，进而实现从中心点通过KVM系统对各地的服务器进行有效控制。此外，该技术也可以在家庭中用，为普通用户提供了很多方便。

kVM 全称是 Kernel-based Virtual Machine。也就是说 KVM 是基于 Linux 内核实现的。
KVM有一个内核模块叫 kvm.ko，只用于管理虚拟 CPU 和内存。

那 IO 的虚拟化，比如存储和网络设备则是由 Linux 内核与Qemu来实现。

作为一个 Hypervisor，KVM 本身只关注虚拟机调度和内存管理这两个方面。IO 外设的任务交给 Linux 内核和 Qemu。

大家在网上看 KVM 相关文章的时候肯定经常会看到 Libvirt 这个东西。

Libvirt 就是 KVM 的管理工具。

其实，Libvirt 除了能管理 KVM 这种 Hypervisor，还能管理 Xen，VirtualBox 等。

Libvirt 包含 3 个东西：后台 daemon 程序 libvirtd、API 库和命令行工具 virsh

libvirtd是服务程序，接收和处理 API 请求；
API 库使得其他人可以开发基于 Libvirt 的高级工具，比如 virt-manager，这是个图形化的 KVM 管理工具；
virsh 是我们经常要用的 KVM 命令行工具

KVM的种类
按网络环境可分为：基于IP（KVM O IP)和非IP；
按设备环境可分为：机械和电子（手动和自动）；
按安装方式可分为：台式和机架式；
按工作模式可分为：模拟KVM和数字KVM；
按应用范围可分为：高、中、低三类

虚拟化介绍
虚拟化是云计算的基础。简单的说，虚拟化使得在一台物理的服务器上可以跑多台虚拟机，虚拟机共享物理机的 CPU、内存、IO 硬件资源，但逻辑上虚拟机之间是相互隔离的。

物理机我们一般称为宿主机（Host），宿主机上面的虚拟机称为客户机（Guest）。

那么 Host 是如何将自己的硬件资源虚拟化，并提供给 Guest 使用的呢？
这个主要是通过一个叫做 Hypervisor 的程序实现的。

根据 Hypervisor 的实现方式和所处的位置，虚拟化又分为两种：

全虚拟化
半虚拟化

全虚拟化：
Hypervisor 直接安装在物理机上，多个虚拟机在 Hypervisor 上运行。Hypervisor 实现方式一般是一个特殊定制的 Linux 系统。Xen 和 VMWare 的 ESXi 都属于这个类型

半虚拟化：
物理机上首先安装常规的操作系统，比如 Redhat、Ubuntu 和 Windows。Hypervisor 作为 OS 上的一个程序模块运行，并对管理虚拟机进行管理。KVM、VirtualBox 和 VMWare Workstation 都属于这个类型

理论上讲：
全虚拟化一般对硬件虚拟化功能进行了特别优化，性能上比半虚拟化要高；
半虚拟化因为基于普通的操作系统，会比较灵活，比如支持虚拟机嵌套。嵌套意味着可以在KVM虚拟机中再运行KVM

部署
安装KVM
安装之前先确保你的虚拟机开启了虚拟化，这里如果有三个选项就都勾选

首先关闭防火墙和selinux
[root@localhost ~]# systemctl disable --now firewalld
[root@localhost ~]# tail -6 /etc/selinux/config 
SELINUX=disabled  //将enabled改为disabled
# SELINUXTYPE= can take one of these three values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. only selected processes are protected. 
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted

配置网络仓库
[root@localhost ~]# curl -o /etc/yum.repos.d/CentOS-base.repo https://mirrors.aliyun.com/repo/Centos-7.repo

安装依赖包及相关命令
[root@localhost ~]# yum -y install epel-release vim wget net-tools unzip zip gcc gcc-c++

验证CPU是否支持KVM，如果出现vmx（Intel）或svm（AMD）的字样说明可以
[root@localhost ~]# egrep -o 'vmx|svm' /proc/cpuinfo
svm
svm
svm
svm

安装KVM
[root@localhost ~]# yum -y install qemu-kvm qemu-kvm-tools qemu-img virt-manager libvirt libvirt-python libvirt-client virt-install virt-viewer bridge-utils libguestfs-tools

因为我们要和公司的其他服务器是同一个网段，所以要把kvm的服务器的网卡配置成桥接模式。这样的话KVM的虚拟机就可以通过该桥接网卡和公司内部的其他服务器保持在同一个网段

[root@localhost network-scripts]# cp ifcfg-ens160 ifcfg-br0
[root@localhost network-scripts]# pwd
/etc/sysconfig/network-scripts

[root@localhost network-scripts]# cat ifcfg-ens33 
TYPE=Ethernet
BOOTPROTO="static"
DEFROUTE="yes"
NAME="ens33"
DEVICE="ens33"
onBOOT="yes"
BRIDGE=br0

[root@localhost network-scripts]# cat ifcfg-br0 
TYPE=Bridge
BOOTPROTO="static"
DEFROUTE="yes"
NAME=br0
DEVICE=br0
onBOOT="yes"
IPADDR=192.168.182.131
PREFIX=24
GATEWAY=192.168.182.2
DNS1=192.168.182.2

重启网卡并查看
[root@localhost network-scripts]# systemctl restart network
[root@localhost network-scripts]# ip a
1: lo:  mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: ens33:  mtu 1500 qdisc pfifo_fast master br0 state UP group default qlen 1000
    link/ether 00:0c:29:51:74:74 brd ff:ff:ff:ff:ff:ff
3: virbr0:  mtu 1500 qdisc noqueue state DOWN group default qlen 1000
    link/ether 52:54:00:c2:d0:f1 brd ff:ff:ff:ff:ff:ff
    inet 192.168.122.1/24 brd 192.168.122.255 scope global virbr0
       valid_lft forever preferred_lft forever
4: virbr0-nic:  mtu 1500 qdisc pfifo_fast master virbr0 state DOWN group default qlen 1000
    link/ether 52:54:00:c2:d0:f1 brd ff:ff:ff:ff:ff:ff
5: br0:  mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 00:0c:29:51:74:74 brd ff:ff:ff:ff:ff:ff
    inet 192.168.182.131/24 brd 192.168.182.255 scope global noprefixroute br0
       valid_lft forever preferred_lft forever
    inet6 fe80::b85e:1fff:fea1:87e4/64 scope link 
       valid_lft forever preferred_lft forever

启动服务并设置开机自启

[root@localhost ~]# systemctl enable --now libvirtd

验证安装结果


[root@localhost ~]# lsmod | grep kvm
kvm_amd              2176426  0 
kvm                   578518  1 kvm_amd
irqbypass              13503  1 kvm

测试并验证安装结果


[root@localhost ~]# virsh -c qemu:///system list
 Id   名称   状态
-------------------

[root@localhost ~]# virsh --version
4.5.0
[root@localhost ~]# virt-install --version
1.5.0

[root@localhost ~]# ln -s /usr/libexec/qemu-kvm /usr/bin/qemu-kvm
[root@localhost ~]# ll /usr/bin/qemu-kvm 
lrwxrwxrwx 1 root root 21 10月 20 20:38 /usr/bin/qemu-kvm -> /usr/libexec/qemu-kvm

查看网桥信息


[root@localhost ~]# brctl show
bridge name     bridge id               STP enabled     interfaces
br0             8000.000c29517474       no              ens33
virbr0          8000.525400c2d0f1       yes             virbr0-nic

kvm web管理界面安装

安装依赖包
[root@localhost ~]# yum -y install git python-pip libvirt-python libxml2-python python-websockify supervisor nginx python-devel

从GitHub上下载webvirtmgr
[root@localhost src]# pwd
/usr/local/src
[root@localhost src]# git clone git://github.com/retspen/webvirtmgr.git
正克隆到 'webvirtmgr'...
remote: Enumerating objects: 5614, done.
remote: Total 5614 (delta 0), reused 0 (delta 0), pack-reused 5614
接收对象中: 100% (5614/5614), 2.97 MiB | 621.00 KiB/s, done.
处理 delta 中: 100% (3606/3606), done.

升级pip
[root@localhost webvirtmgr]# pip install --upgrade pip
安装webvirtmgr
[root@localhost webvirtmgr]# pwd
/usr/local/src/webvirtmgr
[root@localhost webvirtmgr]# pip install -r requirements.txt


检查sqlite3是否安装
[root@localhost webvirtmgr]# python
Python 2.7.5 (default, Nov 16 2020, 22:23:17) 
[GCC 4.8.5 20150623 (Red Hat 4.8.5-44)] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import sqlite3
>>> exit()

初始化账号信息
[root@localhost webvirtmgr]# python manage.py syncdb
WARNING:root:No local_settings file found.
Creating tables ...
Creating table auth_permission
Creating table auth_group_permissions
Creating table auth_group
Creating table auth_user_groups
Creating table auth_user_user_permissions
Creating table auth_user
Creating table django_content_type
Creating table django_session
Creating table django_site
Creating table servers_compute
Creating table instance_instance
Creating table create_flavor

You just installed Django's auth system, which means you don't have any superusers defined.
Would you like to create one now? (yes/no): yes  //询问是否创建超级管理员
Username (leave blank to use 'root'):   //指定超级管理员帐号用户名，默认留空为root
Email address: 1@2.com  //设置超级管理员邮箱，在生产环境中填真实的邮箱
Password:   //设置超级管理员的密码
Password (again):   //再次输入密码
Superuser created successfully.
Installing custom SQL ...
Installing indexes ...
Installed 6 object(s) from 1 fixture(s)

拷贝web网页至指定目录

[root@localhost src]# pwd
/usr/local/src
[root@localhost webvirtmgr]# mkdir /var/www
[root@localhost webvirtmgr]# cp -r /usr/local/src/webvirtmgr /var/www/

[root@localhost webvirtmgr]# chown -R nginx.nginx /var/www/webvirtmgr/
生成密钥


[root@localhost webvirtmgr]# ssh-keygen -t rsa 
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): 
Created directory '/root/.ssh'.
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:SKFqmwFsKaY/5t7Wi1W6Hw5O5fJKy8aahtLmw/TuF88 root@localhost.localdomain
The key's randomart image is:
+---[RSA 2048]----+
|      .          |
|. .  . .         |
|o=  . .          |
|=. . . .         |
|. +   . S        |
| o.+  .=         |
| +*o oB+o        |
|.o*o+O=BE.       |
| =+*B+B++        |
+----[SHA256]-----+

由于webvirtmgr和kvm服务器部署在同一台机器，所以这里本地信任。如果kvm部署在其他他机器，那么这个是它的IP
[root@localhost webvirtmgr]# ssh-copy-id 192.168.182.131
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub"
The authenticity of host '192.168.182.131 (192.168.182.131)' can't be established.
ECDSA key fingerprint is SHA256:ySNiHWvgyBVXhGzIaWZjmgiNpd+6/FCeTygVqo0xLYw.
ECDSA key fingerprint is MD5:a8:fe:d4:cb:a6:a7:e8:90:3e:a4:ce:55:ce:5a:99:36.
Are you sure you want to continue connecting (yes/no)? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@192.168.182.131's password: 

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh '192.168.182.131'"
and check to make sure that only the key(s) you wanted were added.

配置端口转发

[root@localhost webvirtmgr]# ssh 192.168.182.131 -L localhost:8000:localhost:8000 -L localhost:6080:localhost:60
Last login: Wed Oct 20 20:14:34 2021 from 192.168.182.1

[root@localhost ~]# ss -anlt
State       Recv-Q Send-Q Local Address:Port               Peer Address:Port              
LISTEN      0      128    127.0.0.1:6080                  *:*                  
LISTEN      0      128    127.0.0.1:8000                  *:*                  
LISTEN      0      128       *:111                   *:*                  
LISTEN      0      5      192.168.122.1:53                    *:*                  
LISTEN      0      128       *:22                    *:*                  
LISTEN      0      100    127.0.0.1:25                    *:*                  
LISTEN      0      128     ::1:6080                 :::*                  
LISTEN      0      128     ::1:8000                 :::*                  
LISTEN      0      128      :::111                  :::*                  
LISTEN      0      128      :::22                   :::*                  
LISTEN      0      100     ::1:25                   :::*
配置nginx


[root@localhost nginx]# pwd
/etc/nginx

先备份
[root@localhost nginx]# cp nginx.conf{,-bak}
再重新编写配置
[root@localhost nginx]# > nginx.conf

[root@localhost nginx]# vim nginx.conf
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;

include /usr/share/nginx/modules/*.conf;

events {
    worker_connections 1024;
}

http {
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile            on;
    tcp_nopush          on;
    tcp_nodelay         on;
    keepalive_timeout   65;
    types_hash_max_size 2048;

    include             /etc/nginx/mime.types;
    default_type        application/octet-stream;

    include /etc/nginx/conf.d/*.conf;

    server {
        listen       80;
        server_name  localhost;

        include /etc/nginx/default.d/*.conf;

        location / {
            root html;
            index index.html index.htm;
        }

        error_page 404 /404.html;
            location = /40x.html {
        }

        error_page 500 502 503 504 /50x.html;
            location = /50x.html {
        }
    }
}

[root@localhost ~]# vim /etc/nginx/conf.d/webvirtmgr.conf
server {
    listen 80 default_server;

    server_name $hostname;
    #access_log /var/log/nginx/webvirtmgr_access_log;

    location /static/ {
        root /var/www/webvirtmgr/webvirtmgr;
        expires max;
    }

    location / {
        proxy_pass http://127.0.0.1:8000;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-for $proxy_add_x_forwarded_for;
        proxy_set_header Host $host:$server_port;
        proxy_set_header X-Forwarded-Proto $remote_addr;
        proxy_connect_timeout 600;
        proxy_read_timeout 600;
        proxy_send_timeout 600;
        client_max_body_size 1024M;
    }
}

确保bind绑定的是本机的8080端口

[root@localhost ~]# vim /var/www/webvirtmgr/conf/gunicorn.conf.py
bind = '0.0.0.0:8000'  //确保此处绑定的是本机的8000端口，这个在nginx配置中定义了，被代理的端口
backlog = 2048
重启nginx并设置开机自启

[root@localhost ~]# systemctl restart nginx.service 
[root@localhost ~]# systemctl enable --now nginx.service 
Created symlink from /etc/systemd/system/multi-user.target.wants/nginx.service to /usr/lib/systemd/system/nginx.service.

[root@localhost ~]# ps -ef | grep nginx
root     124251      1  0 21:58 ?        00:00:00 nginx: master process /usr/sbin/nginx
nginx    124252 124251  0 21:58 ?        00:00:00 nginx: worker process
nginx    124253 124251  0 21:58 ?        00:00:00 nginx: worker process
root     126363  95533  0 21:58 pts/4    00:00:00 grep --color=auto nginx
设置supervisor


在此文件的最后添加一下内容
[root@localhost ~]# vim /etc/supervisord.conf
[program:webvirtmgr]
command=/usr/bin/python2 /var/www/webvirtmgr/manage.py run_gunicorn -c /var/www/webvirtmgr/conf/gunicorn.conf.py
directory=/var/www/webvirtmgr
autostart=true
autorestart=true
logfile=/var/log/supervisor/webvirtmgr.log
log_stderr=true
user=nginx

[program:webvirtmgr-console]
command=/usr/bin/python2 /var/www/webvirtmgr/console/webvirtmgr-console
directory=/var/www/webvirtmgr
autostart=true
autorestart=true
stdout_logfile=/var/log/supervisor/webvirtmgr-console.log
redirect_stderr=true
user=nginx

启动supervisor并设置开机自启


[root@localhost ~]# systemctl enable --now supervisord.service 
Created symlink from /etc/systemd/system/multi-user.target.wants/supervisord.service to /usr/lib/systemd/system/supervisord.service.

[root@localhost ~]# ss -anlt
State       Recv-Q Send-Q Local Address:Port               Peer Address:Port              
LISTEN      0      128    127.0.0.1:6080                  *:*                  
LISTEN      0      128    127.0.0.1:8000                  *:*                  
LISTEN      0      128       *:111                   *:*                  
LISTEN      0      128       *:80                    *:*                  
LISTEN      0      5      192.168.122.1:53                    *:*                  
LISTEN      0      128       *:22                    *:*                  
LISTEN      0      100    127.0.0.1:25                    *:*                  
LISTEN      0      128     ::1:6080                 :::*                  
LISTEN      0      128     ::1:8000                 :::*                  
LISTEN      0      128      :::111                  :::*                  
LISTEN      0      128      :::22                   :::*                  
LISTEN      0      100     ::1:25                   :::*

配置nginx用户

[root@localhost ~]# su - nginx -s /bin/bash 
-bash-4.2$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/var/lib/nginx/.ssh/id_rsa): 
Created directory '/var/lib/nginx/.ssh'.
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /var/lib/nginx/.ssh/id_rsa.
Your public key has been saved in /var/lib/nginx/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:IByl1v++59cdCXgDChk0TrjDUfdGBfesawAdBegTwG4 nginx@localhost.localdomain
The key's randomart image is:
+---[RSA 2048]----+
|    ..*B+..==+   |
|   . *o+oo+.o o  |
|    * *.o.o+o  o |
|   . = E +o. +.  |
|      o S ....o .|
|         .  . .o |
|          .  o .o|
|         .  o . o|
|          o+..   |
+----[SHA256]-----+

-bash-4.2$ touch ~/.ssh/config && echo -e "StrictHostKeyChecking=nonUserKnownHostsFile=/dev/null" >> ~/.ssh/config
-bash-4.2$ chmod 0600 ~/.ssh/config

-bash-4.2$ ssh-copy-id root@192.168.182.131
/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/var/lib/nginx/.ssh/id_rsa.pub"
/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
Warning: Permanently added '192.168.182.131' (ECDSA) to the list of known hosts.
root@192.168.182.131's password: 

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh 'root@192.168.182.131'"
and check to make sure that only the key(s) you wanted were added.

-bash-4.2$ exit

[root@localhost ~]# vim /etc/polkit-1/localauthority/50-local.d/50-libvirt-remote-access.pkla
[Remote libvirt SSH access]
Identity=unix-user:root
Action=org.libvirt.unix.manage
ResultAny=yes
ResultInactive=yes
ResultActive=yes

[root@localhost ~]# chown -R root.root /etc/polkit-1/localauthority/50-local.d/50-libvirt-remote-access.pkla
[root@localhost ~]# systemctl restart libvirtd
[root@localhost ~]# systemctl restart nginx.service
第一次通过web访问kvm时可能会一直访问不了，一直转圈，而命令行界面一直报错(too many open files)
此时需要对nginx进行配置

[root@localhost ~]# vim /etc/nginx/nginx.conf
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;
worker_rlimit_nofile 655350;  //添加此行配置
[root@localhost ~]# systemctl restart nginx.service
然后再对系统参数进行设置


在最后添加下面两行
[root@localhost ~]# vim /etc/security/limits.conf
* soft nofile 655350
* hard nofile 655350