Deploying WebVirtMgr + NGINX on CentOS 7

Author: Xu FC

WebVirtMgr is used as a web management tool for KVM.

For KVM deployment, see: Installing a KVM + Openvswitch Environment on CentOS 7

Install the tools


  • Run yum install epel-release
  • Install the following tools
yum -y install git python-pip libvirt-python libxml2-python python-websockify supervisor nginx
yum -y install gcc python-devel
pip install numpy

Install WebVirtMgr


  • Install WebVirtMgr under the /var/www/ directory
git clone https://github.com/retspen/webvirtmgr.git
cd webvirtmgr
pip install -r requirements.txt
  • Set up the Django environment
./manage.py syncdb
./manage.py collectstatic
./manage.py createsuperuser

Configure Nginx


  • Add webvirtmgr.conf under the /etc/nginx/conf.d directory
server {
    listen 80 default_server;

    server_name $hostname;
    #access_log /var/log/nginx/webvirtmgr_access_log; 

    location /static/ {
        root /var/www/webvirtmgr/webvirtmgr; # or /srv instead of /var
        expires max;
    }

    location / {
        proxy_pass http://127.0.0.1:8000;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-for $proxy_add_x_forwarded_for;
        proxy_set_header Host $host:$server_port;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_connect_timeout 600;
        proxy_read_timeout 600;
        proxy_send_timeout 600;
        client_max_body_size 1024M; # Set higher depending on your needs 
    }
}
  • Modify the default configuration /etc/nginx/nginx.conf
# For more information on configuration, see:
#   * Official English Documentation: http://nginx.org/en/docs/
#   * Official Russian Documentation: http://nginx.org/ru/docs/

user root; # If this is not a public cloud, change user to root; otherwise you will spend a lot of time resolving permission problems.
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;

# Load dynamic modules. See /usr/share/nginx/README.dynamic.
include /usr/share/nginx/modules/*.conf;

events {
    worker_connections 1024;
}

http {
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile            on;
    tcp_nopush          on;
    tcp_nodelay         on;
    keepalive_timeout   65;
    types_hash_max_size 2048;

    include             /etc/nginx/mime.types;
    default_type        application/octet-stream;

    # Load modular configuration files from the /etc/nginx/conf.d directory.
    # See http://nginx.org/en/docs/ngx_core_module.html#include
    # for more information.
    include /etc/nginx/conf.d/*.conf;

# Comment out every server block in this file; take care not to comment out the final } by mistake
#    server {
#        listen       80 default_server;
#        listen       [::]:80 default_server;
#        server_name  _;
#        root         /usr/share/nginx/html;
#
#        # Load configuration files for the default server block.
#        include /etc/nginx/default.d/*.conf;
#
#        location / {
#        }
#
#        error_page 404 /404.html;
#            location = /40x.html {
#        }
#
#        error_page 500 502 503 504 /50x.html;
#            location = /50x.html {
#        }
#    }

# Settings for a TLS enabled server.
#
#    server {
#        listen       443 ssl http2 default_server;
#        listen       [::]:443 ssl http2 default_server;
#        server_name  _;
#        root         /usr/share/nginx/html;
#
#        ssl_certificate "/etc/pki/nginx/server.crt";
#        ssl_certificate_key "/etc/pki/nginx/private/server.key";
#        ssl_session_cache shared:SSL:1m;
#        ssl_session_timeout  10m;
#        ssl_ciphers HIGH:!aNULL:!MD5;
#        ssl_prefer_server_ciphers on;
#
#        # Load configuration files for the default server block.
#        include /etc/nginx/default.d/*.conf;
#
#        location / {
#        }
#
#        error_page 404 /404.html;
#            location = /40x.html {
#        }
#
#        error_page 500 502 503 504 /50x.html;
#            location = /50x.html {
#        }
#    }

}
  • Restart Nginx and enable it at boot: systemctl restart nginx && systemctl enable nginx

  • Modify the SELinux policy: /usr/sbin/setsebool httpd_can_network_connect true

Configure Supervisor


  • Set the owner of /var/www/webvirtmgr to root: chown -R root:root /var/www/webvirtmgr
[root@localhost www]# ls -l
total 4
drwxr-xr-x 21 root root 4096 Jul 18 07:01 webvirtmgr

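Setting user to root makes the permission setup easier; otherwise you will spend a lot of time debugging permission problems. On a public cloud, do not set user to root, because that introduces a security risk.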

  • Add the file /etc/supervisord.d/webvirtmgr.ini
[program:webvirtmgr]
command=/usr/bin/python /var/www/webvirtmgr/manage.py run_gunicorn -c /var/www/webvirtmgr/conf/gunicorn.conf.py
directory=/var/www/webvirtmgr
autostart=true
autorestart=true
logfile=/var/log/supervisor/webvirtmgr.log
log_stderr=true
user=root

[program:webvirtmgr-console]
command=/usr/bin/python /var/www/webvirtmgr/console/webvirtmgr-console
directory=/var/www/webvirtmgr
autostart=true
autorestart=true
stdout_logfile=/var/log/supervisor/webvirtmgr-console.log
redirect_stderr=true
user=root
  • Open ports 80 (web access) and 6080 (console VNC) on the firewall
firewall-cmd --zone=public --add-port=80/tcp --permanent 
firewall-cmd --zone=public --add-port=6080/tcp --permanent 
firewall-cmd --reload

[root@localhost www]# firewall-cmd --zone=public --list-ports
80/tcp 6080/tcp
  • Restart supervisor and enable it at boot: systemctl restart supervisord && systemctl enable supervisord
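
The nginx.conf above sets user root and both supervisor programs set user=root, which the note above names as a security risk on a public cloud. The following is an added example, not part of the original post: it reads the two files and lists the account each component is configured to run as. The sample files are constructed from the configuration shown here.

```bash
#!/usr/bin/env bash
# Added example, not from the original post: list the accounts that the nginx
# workers and each supervisor program are configured to run as.

# Prints "nginx workers: <user>" from the top-level "user" directive.
nginx_worker_user() {
    awk '
    /^[ \t]*#/ { next }                      # skip commented-out directives
    $1 == "user" { u = $2; sub(/;.*$/, "", u); print "nginx workers: " u; found = 1; exit }
    END { if (!found) print "nginx workers: (build default)" }
    ' "$1"
}

# Prints "<program>: <user>" for every [program:x] section of a supervisor ini.
# A section without user= inherits the account supervisord itself runs as.
supervisor_program_users() {
    awk '
    function emit() { if (prog != "") print prog ": " (user == "" ? "(inherited)" : user) }
    /^[ \t]*[;#]/ { next }                   # skip comments
    /^\[/ {                                  # new section: report the previous one
        emit(); prog = ""; user = ""
        if ($0 ~ /^\[program:/) { prog = $0; sub(/^\[program:/, "", prog); sub(/\].*$/, "", prog) }
        next
    }
    prog != "" && /^[ \t]*user[ \t]*=/ {
        user = $0; sub(/^[^=]*=[ \t]*/, "", user); sub(/[ \t\r]+$/, "", user)
    }
    END { emit() }
    ' "$1"
}

# Exit status 0 when either file explicitly sets an account to root.
runs_as_root() {
    { nginx_worker_user "$1"; supervisor_program_users "$2"; } | grep -q ': root$'
}

# Constructed samples, reduced to the lines that matter from the files above.
nginx_sample=$(mktemp); ini_sample=$(mktemp)
printf 'user root;\nworker_processes auto;\n' > "$nginx_sample"
printf '[program:webvirtmgr]\nuser=root\n\n[program:webvirtmgr-console]\nuser=root\n' > "$ini_sample"

nginx_worker_user "$nginx_sample"
supervisor_program_users "$ini_sample"
```

On the deployed host, pass /etc/nginx/nginx.conf and /etc/supervisord.d/webvirtmgr.ini instead of the sample files.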

Configure SSH Authorization


  • Log in as root: su root

  • Generate an SSH key: ssh-keygen

  • Modify the SSH configuration file

touch ~/.ssh/config && echo -e "StrictHostKeyChecking=no\nUserKnownHostsFile=/dev/null" >> ~/.ssh/config
chmod 0600 ~/.ssh/config
  • Copy the public key from the WebVirtMgr server to the KVM server; if both are installed on the same machine, use the machine's own IP address: ssh-copy-id -p 22 root@kvm-host

  • Add the file /etc/polkit-1/localauthority/50-local.d/50-libvirt-remote-access.pkla

[Remote libvirt SSH access]
Identity=unix-user:root
Action=org.libvirt.unix.manage
ResultAny=yes
ResultInactive=yes
ResultActive=yes
  • Restart libvirtd: systemctl restart libvirtd
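
On a fresh ~/.ssh/config, the two options appended in the SSH configuration step sit outside any Host block, so they apply to every host root connects to over SSH and not only to the KVM server. The following is an added example, not part of the original post: it parses an ssh_config file and reports the scope of each setting that turns host key verification off. The host name kvm-host and the file name known_hosts_kvm in the second sample are placeholders.

```bash
#!/usr/bin/env bash
# Added example, not from the original post: list where an ssh_config file
# disables host key verification, and for which hosts.

# Prints "<scope>: <Keyword> <value>" per finding; scope "*" means every host.
audit_ssh_hostkey() {
    awk '
    BEGIN { scope = "*" }                        # lines before any Host block are global
    {
        line = $0
        sub(/^[ \t]+/, "", line); sub(/[ \t\r]+$/, "", line)
        if (line == "" || line ~ /^#/) next
        if (!match(line, /^[A-Za-z]+/)) next
        key = tolower(substr(line, 1, RLENGTH))  # keywords are case-insensitive
        val = substr(line, RLENGTH + 1)
        sub(/^[ \t]*=?[ \t]*/, "", val)          # "Key value" and "Key=value" are both valid
        gsub(/"/, "", val)
        if (key == "host" || key == "match") { scope = val; next }
        if (key == "stricthostkeychecking" && tolower(val) ~ /^(no|off)$/)
            print scope ": StrictHostKeyChecking " val
        if (key == "userknownhostsfile" && val == "/dev/null")
            print scope ": UserKnownHostsFile " val
    }' "$1"
}

# Exit status 0 when verification is disabled for all hosts, 1 otherwise.
hostkey_check_disabled_globally() {
    audit_ssh_hostkey "$1" | grep -q '^\*: '
}

# Constructed sample 1: what the echo command writes into an empty config.
as_written=$(mktemp)
printf 'StrictHostKeyChecking=no\nUserKnownHostsFile=/dev/null\n' > "$as_written"

# Constructed sample 2: verification left on, with a dedicated known_hosts
# file for the KVM host (kvm-host and the file name are placeholders).
pinned=$(mktemp)
printf 'Host kvm-host\n    StrictHostKeyChecking yes\n    UserKnownHostsFile ~/.ssh/known_hosts_kvm\n' > "$pinned"

echo "as written:"; audit_ssh_hostkey "$as_written"
echo "pinned:";     audit_ssh_hostkey "$pinned"
```

If ~/.ssh/config already contains Host blocks, the appended lines fall under the last block, and the scope column shows that block's pattern.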

Web access


  • Visit: http://your-webvirtmgr-host


  • Add a KVM host connection


    [Screenshots: adding a KVM host connection (1) and (2); KVM host connection added successfully]
  • Activate the connection


    [Screenshots: click the connection to activate it; click Infrastructure to check the activation status]

For creating virtual machines, see: Deploying Virtual Machines in a WebVirtMgr + KVM Environment
