July 2014 archive
Summary: The lowest layer is the messaging layer, corosync/openais, which handles communication between the nodes of the cluster. Above it is the Resource Allocation Layer, which contains the following components. CRM, the Cluster Resource Manager, is the overall manager: every operation on a resource goes through it, and every machine runs one CRM. CIB, the Cluster Information Base, is managed by the CRM and is an in-memory XM...
Summary: How to do SSH Tunneling (Port Forwarding). In this post we will see how ssh works, what SSH tunneling is, why ssh tunnels are important and how to s...
Summary: SSH Tunneling Explained. Recently I wanted to set up a remote desktop sharing session from my home PC to my laptop. While going through the setup guide I ...
Summary: Three KVM virtual machines. First we need a pacemaker environment, which takes three machines; if that many physical machines are not available, KVM virtual machines will do. Create a bridge: ovs-vsctl add-br ubuntu_br; ifconfig ubuntu_br 192.168.100.1/24. Set up NAT on the host and enable IP forwarding: # sysctl -p (output: net.ipv4.ip_forward =...
Summary: http://blog.163.com/pcj_2008/blog/static/9824487201231113825369/ Suppose the requirement is to reach a machine on the company intranet from home. SSH tunneling can do the forwarding. Tunnels come in two kinds, forward and reverse: if the data flows in the same direction as the ssh connection (from ssh client -> ss...
Summary: Let us analyze, step by step, how a service on the internal network is reached from the outside. First, how DNS and the load balancer work. A client wants to access our system and sends an HTTPS request to https://nova.mycompany.com. The client's local resolver checks its local cache for the name nova.mycompany.com; if it is not found, it sends a recursive query to the local DNS server. The local DNS server checks its cache, ...
Summary: Infrastructure. Topology. Switching path: L3 routing at the aggregation layer, L2 switching at the access layer. An L3 switch combines three functions: RP, the route processor, handles routing protocols; SP, the switch processor, handles L2 protocols; ASIC, application-specific integrated...
Summary: Types of load balancer. DNS round-robin is a very common way of spreading traffic; the configuration looks like this: the name server has a zone file with several A records for the same name: www.example.com IN A 192.0.2.80 and www.example.com IN A 192.0.2.50. When a client asks for www.example.com, all the IPs are returned, but the order ...
Summary: Security involves the following concepts: Threat, Vulnerability, Attack. Regarding threats, the common ones are: DoS (Denial of Service), breach of confidential information, data theft or alteration, unauthorized use of ...
Summary: The figure shows a basic data center architecture. The top layer is the Internet Edge, also called the Edge Router or Border Router, which connects the data center to the Internet. It connects to several network providers for redundant, reliable connectivity; advertises routes outward via BGP so the outside can reach internal IPs; provides routing inward via iBGP so the inside can reach external IPs; enforces perimeter security controls so the outside cannot reach the inside at will; and controls internal access to the outside ...
Summary: LVM, the Logical Volume Manager. Volume management creates a layer of abstraction over physical storage, allowing you to create logical storage volumes. Logical volumes provide the following advantages ove...
Summary: Since the KVM stack is Libvirt -> qemu -> KVM, there are two ways to do live migration: qemu + KVM's own way, and libvirt's way (which is of course built on top of qemu + KVM). The qemu + KVM way uses the monitor. KVM Migration: KVM currently supports savevm/loadvm and offl...
Summary: After OpenStack is set up, the first thing to do before creating an instance is to create a network; a classic sequence is: TENANT_NAME="openstack" TENANT_NETWORK_NAME="openstack-net" TENANT_SUBNET_NAME="${TENANT_NETWORK_NAME}-subnet" TENANT_ROUTER_NAME="openstack-rout...
Summary: When managing a VM Guest on the VM Host Server itself, it is possible to access the complete file system of the VM Host Server in order to attach or create virtual hard disks or to attach existing ima...
Summary: https://www.berrange.com/posts/2010/05/05/provisioning-kvm-virtual-machines-on-iscsi-the-hard-way-part-1-of-2/ The previous articles showed how to prov...
Summary: Virtio. So-called "full virtualization" is a nice feature because it allows you to run any operating system virtualized. However, it's slow because the ...
Summary: Setting up libvirt for TLS (Encryption & Authentication). Setting up your virtualisation infrastructure for Transport Layer Security (TLS) isn't very di...
Summary: Running your own dnsmasq with libvirtd. On Linux host servers, libvirtd uses dnsmasq to service the virtual networks, such as the default network. A new...
Summary: [libvirt] FYI: a short guide to libvirt & network filtering iptables/ebtables use. Firewall / network filtering in libvirt ...
Summary: How the virtual networks used by guests work. Networking using libvirt is generally fairly simple, and in this section you'll learn the concepts you nee...
Summary: Many of the management problems in virtualization are caused by the annoyingly popular & desirable host migration feature! I previously talked about P...
Summary: Virtual Machine Lifecycle. This page describes the basics of the virtual machine lifecycle. Its aim is to provide fundamental information to create, run...
Summary: libvirt is a library that provides a common API for managing popular virtualization solutions, among them KVM and Xen. Creating an image with virt-install: qemu-img create -f qcow2 /tmp/centos5.8.img 10G; virt-insta...
Summary: http://rhythm-zju.blog.163.com/blog/static/310042008015115718637/ Building a CA. Building the CA directory structure. To build a CA following OpenSSL's default configuration, the corresponding directory structure has to be created in the file system. The relevant configuration is usually located in /usr/ssl/openssl....
Summary: How To Setup a CA. Original Version by Ian Alderman. Updated by Zach Miller. Introduction. You can set up a Certificate Authority (CA) in multiple different w...
Summary: First assume we are a CA, and a root CA at that: Cliu8CA. Generate a private key for the CA: openssl genrsa -out caprivate.key 1024. A passphrase can of course be added: openssl genrsa -des3 -passout pass:hello -out caprivatepass.key 1024. The CA has a certificate that holds the CA's pub...
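The entry above starts the root-CA workflow by hand. The script below is an added example, not code from the original post: it carries that workflow through to issuing one server certificate and verifying it, with two independent CAs to show that a certificate only chains to the CA that signed it. It assumes openssl(1) 1.0.2 or newer is on PATH; the CA name Cliu8CA, the server name nova.mycompany.com and the scratch directories are illustrative. Keys are 2048-bit rather than the post's 1024, which is below today's minimum.

```shell
#!/bin/sh
# Added example (not from the original post): scripted root CA + one leaf cert.
# Assumptions: openssl >= 1.0.2; names and paths are illustrative only.
set -eu

# build_ca DIR: create a self-signed root CA in DIR as ca.key and ca.crt.
build_ca() {
  dir="$1"
  mkdir -p "$dir"
  # The post's -des3/-passout form would protect the key with a passphrase;
  # it is left unencrypted here so the script runs non-interactively.
  openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
  # Minimal config: an empty DN section (the DN comes from -subj) plus the
  # extensions that make this certificate usable as a CA.
  cat > "$dir/ca.cnf" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  # -x509 turns the request into a self-signed certificate: the CA's public
  # key, signed with the CA's own private key.
  openssl req -x509 -new -sha256 -days 365 -config "$dir/ca.cnf" \
    -key "$dir/ca.key" -subj "/CN=Cliu8CA" -out "$dir/ca.crt"
}

# issue_cert DIR NAME: key and CSR for NAME, signed by the CA in DIR.
issue_cert() {
  dir="$1"; name="$2"
  openssl genrsa -out "$dir/$name.key" 2048 2>/dev/null
  openssl req -new -sha256 -key "$dir/$name.key" -subj "/CN=$name" \
    -out "$dir/$name.csr"
  # End-entity extensions: not a CA, and the name in subjectAltName, which is
  # what current clients match on (a CN alone is no longer enough).
  printf 'basicConstraints = CA:FALSE\nsubjectAltName = DNS:%s\n' "$name" \
    > "$dir/$name.ext"
  # The CA signs the CSR; -CAcreateserial keeps a serial counter next to ca.crt.
  openssl x509 -req -sha256 -days 90 -in "$dir/$name.csr" \
    -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
    -extfile "$dir/$name.ext" -out "$dir/$name.crt" 2>/dev/null
}

# verify_cert CAFILE CERT: 0 if CERT chains to CAFILE, non-zero otherwise.
verify_cert() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# verify_host CAFILE CERT HOST: as above, and HOST must match the certificate.
verify_host() {
  openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
}

# demo: two unrelated CAs; a certificate from one must fail against the other.
demo() {
  work="$(mktemp -d)"
  build_ca "$work/ca1"
  build_ca "$work/ca2"
  issue_cert "$work/ca1" nova.mycompany.com
  verify_host "$work/ca1/ca.crt" "$work/ca1/nova.mycompany.com.crt" nova.mycompany.com \
    && echo "ca1: chain and hostname OK"
  verify_cert "$work/ca2/ca.crt" "$work/ca1/nova.mycompany.com.crt" \
    || echo "ca2: rejected, different issuer"
  rm -rf "$work"
}
demo
```

The unencrypted CA key and the ad-hoc serial file are acceptable only for a throwaway demo; a CA that will actually be trusted keeps its key passphrase-protected (the -des3 form in the entry above) or in an HSM, and uses the directory layout and index database that the following entries on setting up a CA describe. The -verify_hostname check is the part a TLS client performs in addition to chain validation, which is why the leaf carries a subjectAltName.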
Summary: Overcommits. KVM allows for both memory and disk space overcommit. However, hard errors resulting from exceeding available resources will result in guest failures. CPU overcommit is also supported bu...
Summary: A virtual NIC is defined with -net nic: # qemu-system-x86_64 -enable-kvm -name ubuntutest -m 2048 -hda ubuntutest.img -vnc :19 -net nic. If we run info network in the monitor we see the following. Sometimes what we see is VLAN 0; this VLAN has nothing to do with 802.1Q, it is simply a virtual ...
Summary: KVM itself does not provide paravirtualization; that is done through virtio. The benefits of virtio drivers are lower overhead and higher performance. Memory Ballooning (virtio_balloon): memory ballooning can adjust the guest's memory size dynamically. If the -m parameter is given, adjusting to a size larger than it has no effect, ...
Summary: In OpenStack, when we start a virtual machine we see a very complex set of parameters: qemu-system-x86_64 -enable-kvm -name instance-00000024 -S -machine pc-i440fx-trusty,accel=kvm,usb=off -cpu SandyBridge,+erms,+smep,+fsgsbase,+pdpe1gb,+rdrand,+f16c...
Summary: Processors have evolved to improve performance for virtualized environments, but what about I/O aspects? Discover one such I/O performance enhancement...
Summary: The libvirt library is a Linux API over the virtualization capabilities of Linux that supports a variety of hypervisors, including Xen and KVM, as wel...
Summary: The Linux kernel supports a variety of virtualization schemes, and that's likely to grow as virtualization advances and new schemes are discovered (fo...
Summary: The 2.6.33 Linux® kernel has introduced a useful new service called the Distributed Replicated Block Device (DRBD). This service mirrors an entire blo...
Summary: Linux is the Swiss Army knife of file systems, and it also offers a wide variety of storage technologies for both desktops and servers. Beyond the fil...
Summary: This article introduces the device mapper mechanism of the Linux kernel with reference to concrete code. Device mapper is a framework provided by the Linux 2.6 kernel for mapping logical devices onto physical devices; with it, users can conveniently define and implement storage-management policies to suit their needs. The currently popular Linux logical ...
Summary: Once OpenStack is set up, networks are usually created the way the documentation shows: Scenario 1: one tenant, two networks, one router; Scenario 2: two tenants, two networks, two routers. But neutron claims to be software-defined networking, so can more complex topologies be created? I created the three networks above, each running one host; networks 1 and 2 are ...
Summary: File injection code. In principle file injection is fairly simple: the nova boot command has a --file parameter that injects a file into the image: nova boot --flavor 2 --image d96b0e41-8264-41de-8dbb-6b31ce9bfbfc --...
Summary: guestmount. root# guestmount -a ubuntutest1.img -m /dev/sda1 ubuntutestp1; root# cd ubuntutestp1/; root:/home/cliu8/images/ubuntutestp1# ls (output: a b c d hello lost+found world); root:/home/cliu8/images/ubuntutest...
Summary: Adding a drive: guestfs_add_drive_opts. add-drive filename [readonly:true|false] [format:..] [iface:..] [name:..] [label:..] [protocol:..] [server:..]. This function adds a disk image called filename to the han...
Summary: To edit an image, run: guestfish -a ubuntutest.img. This opens a command-line tool with a > prompt; at it, run the command run: > run. Now look at the processes with ps: root# ps aux | grep guest (output: root 11697 0.0 0.0 96216 4604 pts/0 S+ 02:14 0:00 guestfish -a ubuntutest.img; root 11832 7.0 ...
Summary: Method 1: mount it as a loop device (see http://smilejay.com/2012/08/mount-an-image-file/). Method 1: find where the partition starts and use the offset parameter of the mount command to skip the unneeded leading bytes, which yields the real partition. The concrete steps: 1. query the image with "fdisk -lu my.img"; 2. compute where the partition inside the image starts (the offset), using...
Summary: A network block device is a virtual block device that an NBD server exports over TCP/IP so it can be accessed remotely. The NBD server is usually qemu-nbd, which can also serve a Unix socket: qemu-nbd -t -k /home/cliu8/images/ubuntutest-nbd ubuntutest.img. Open another window and connect to that Unix socket: qemu-system-x86_64 -e...
Summary: External Snapshot management. Symptom: As of at least libvirt 1.1.1, external snapshot support is incomplete. For example, with 1.0.5 or later, an externa...
Summary: First create a bootable volume: curl -i http://16.158.166.197:8776/v1/c24c59846a7f44538d958e7548cc74a3/volumes -X POST -H "X-Auth-Project-Id: openstack" -H "Use...
Summary: http://tropicaldevel.wordpress.com/2013/07/15/quality-of-service-in-openstack/ In this post I will be exploring the current state of quality of service (QoS) in OpenStack. I will be looking at both wh...
Summary: http://rwmj.wordpress.com/2010/07/17/virtio-balloon/ After someone asked me a question about "balloons" (in the virtualization sense) today, I noticed ...
Summary: Earlier we covered QEMU's qcow2 internal and external snapshots; both are features of the virtual machine's file format, i.e. file-level snapshots. Snapshots can also be taken at the file-system level (many file systems support them, e.g. OCFS2) or at the block level (e.g. LVM supports snapshots). In this section we analyze how the various kinds of snapshot are implemented in OpenStack. In OpenStack, starting an instance roughly...
Summary: First we boot a machine and attach a volume at boot time. Create an empty cinder volume: root:~# cinder create --display-name emptyvolume11g 11 (output: +---------------------+--------------------------------------+ | Property | Value | +------------...
Summary: Linux target framework (tgt) aims to simplify various SCSI target driver (iSCSI, Fibre Channel, SRP, etc) creation and maintenance. The key goals are ...
Summary: Configure a storage server with iSCSI. Storage on the network is called the iSCSI Target; a client that connects to the iSCSI Target is called the iSCSI Initiator....
Summary: This guide explains how you can set up an iSCSI target and an iSCSI initiator (client), both running Ubuntu 10.04. The iSCSI protocol is a storage are...
Summary: I was trying to understand what kind of image nova image-create creates. It's not entirely obvious from its help output, which says: Creates a new image by taking a snapshot of a running server. But ...
Summary: AppArmor https://help.ubuntu.com/14.04/serverguide/apparmor.html AppArmor is a Linux security module that implements name-based mandatory access control. AppArmor confines individual programs to a set of listed files and to POSIX 1003.1e draft capabilities. It is installed and loaded by default. It uses per-program profiles to determine which files the program needs...
Summary: Introduction to AppArmor http://ubuntuforums.org/showthread.php?t=1008906 Contents: Post 1 Introduction (This is it). Post 2 AppArmor on Ubuntu. Post 3 Anatomy of a Profile. Post 4 Generating Profi...
Summary: RAW. raw is the default format; it is simple and easy to convert to other formats. Sparse files need file-system support. Create an image: # qemu-img create -f raw flat.img 10G (output: Formatting 'flat.img', fmt=raw size=10737418240). If we ls we see: ls -lh flat.img (output: -rw-r--r-- 1 root root 1...
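The entry above notes that a raw image is sparse only if the file system supports it. The script below is an added example, not code from the original post: it reproduces what qemu-img create -f raw does to a file (set its length without allocating blocks), shows the apparent-versus-allocated check a practitioner uses to tell a sparse image from a fully written one, and shows how a hole-unaware copy silently turns a 10 GB image that occupies nothing into one that occupies the full 10 GB. It assumes GNU coreutils (truncate, stat -c) on a Linux file system with hole support such as ext4, xfs or tmpfs; the file names and the 10 MB size are illustrative.

```shell
#!/bin/sh
# Added example (not from the original post): sparse raw images.
# Assumptions: GNU coreutils; a file system that supports holes.
set -eu

# make_raw_image FILE SIZE_MB: the effect of "qemu-img create -f raw FILE SIZE"
# on a hole-capable file system: set the length, allocate no blocks.
make_raw_image() {
  truncate -s "${2}M" "$1"
}

# apparent_bytes FILE: the size that ls -l and qemu-img info report.
apparent_bytes() {
  stat -c %s "$1"
}

# allocated_bytes FILE: blocks actually backed on disk, i.e. what du counts.
allocated_bytes() {
  echo $(( $(stat -c %b "$1") * $(stat -c %B "$1") ))
}

# is_sparse FILE: true if the file occupies less than its apparent size.
is_sparse() {
  [ "$(allocated_bytes "$1")" -lt "$(apparent_bytes "$1")" ]
}

# fill_copy SRC DST: a byte-for-byte copy with dd and no conv=sparse. Every
# zero in a hole is read and written, so the copy is fully allocated. The same
# thing happens when an image is streamed through a pipe or over the network by
# a tool that does not detect holes.
fill_copy() {
  dd if="$1" of="$2" bs=1M 2>/dev/null
}

demo() {
  work="$(mktemp -d)"
  make_raw_image "$work/flat.img" 10
  printf 'flat.img:      apparent=%s allocated=%s\n' \
    "$(apparent_bytes "$work/flat.img")" "$(allocated_bytes "$work/flat.img")"
  fill_copy "$work/flat.img" "$work/flat-copy.img"
  printf 'flat-copy.img: apparent=%s allocated=%s\n' \
    "$(apparent_bytes "$work/flat-copy.img")" "$(allocated_bytes "$work/flat-copy.img")"
  rm -rf "$work"
}
demo
```

When moving raw images, use a hole-aware tool (cp --sparse=always, rsync --sparse, or qemu-img convert, which writes only non-zero clusters) and compare allocated size before and after; a copy that is suddenly the full virtual size is the symptom described above, and on a thin-provisioned datastore it can exhaust space that the guests were never actually using.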
Summary: KVM/QEMU hypervisor driver. Project Links. Deployment pre-requisites. Connections to QEMU driver. Driver security architecture. Driver instances. POSIX users/grou...