Journey to the West where there is such a return, true and false Monkey King, virtual machines, and this thing almost, virtualization software installed on a physical machine, will simulate the main CPU, memory, network, hard disk, making the virtual machine feel in the use of a separate device, but the use of real time, of course, the use of physical devices. VM is a liar, half-truths, silly you could not tell.
Virtual machine, and the emergence of cloud computing technology on this basis.
What is Zen virtual network technology to achieve?
1, the virtual machine must have a network card. For qemu-kvm, this is achieved by a method TUN on Linux / TAP technology.
2, the virtual machine is a software ran on the physical machine. This software can be like other applications open files, open a called TUN / TAP's Char Dev (character device file). After opening this character device file on the physical machine will be able to see a virtual TAP card.
3, a virtual machine inside a virtual network card, so that the virtual machine inside the application think they really have a network card. Thus, all network packets are sent to here.
4, of course, network virtualization software package will go to here. It will be converted into a network packet file stream, write a character device, like writing a file the same. Kernel TUN / TAP device driver will receive this character file write stream to the virtual network adapter TUN / TAP driver. The driver file will again turn into a stream of network packets, to the TCP / IP protocol stack, eventually sent from the virtual TAP card, to become the standard network packets.
Bridging and NAT (shared with interoperability problems)
Before some time, followed by a video lesson Mu home network using a virtual machine, the basic functions are achieved, but for the understanding of the network, is not in place, so this is determined to write the topic of computer networks write in earnest, convenient to you and me.
Their own virtual machine communication theory can later create virtual bridge, created out of the virtual NICs two virtual machines, are connected to the virtual bridge brctl addifbr0 tap0, so the two virtual machines configured with the same subnet segment, two virtual machines will be able to communicate with each other up.
brctl addbr br0
The so-called bridge, the principle is to bridge the virtual and physical machines on a LAN segment to communicate. This is like the old Beijing courtyard, there uncle, aunt, uncle, they all belong to a family hierarchy, are in the same courtyard. Bridge generally applicable to small-scale network.
The so-called NAT, like the Devon club comic actor, too Guo Degang apprentice, so divided Yunhe Miracle, Dragon universal eight subjects, each subject belonging to a network segment, and Zhang Helun Section different Yue Yunpeng, a bit like NAT network structure.
Use NAT mode, you log on to a virtual machine inside view the IP address, you will find the virtual machine network is a virtual machine, physical machine network is a physical machine, two are not the same. To access the virtual machine when the physical machine, you need to be the address of the physical address of the NAT machine.
It also built a DHCP server in your notebook computer, assign an IP address to a virtual machine on a laptop dynamics. Because the network self-contained virtual machine, the need for IP management. Before I built a virtual machine, willy-nilly, in short, is a variety of settings, NAT IP is also always changing, with a very unhappy, then we do not know Zezheng, we do not dare to ask.
isolation
There is a command vconfig, you can create a virtual network card eth0 with VLAN-based physical network cards, all away from this virtual network adapter package, all with the VLAN, if so, interoperability across physical machines and isolation can be achieved by this card.
Because different users bridge barrier, can not communicate with each other, once the bridge, since the VLAN different, nor forwards the packets to another bridge. Further, out of the physical machine, but also with the VLANID. Whenever physical switch also supports VLAN and reach another physical machine, VLAN ID still, it only forwards the packets to the network adapter and bridges same VLAN, so machine across physical, different VLAN do not communicate with each other .
VLAN ID only 4096, there is still much room for improvement.
ACL and Security Group Policy
World War II, US imperialism Why the Pacific to fight the Japanese seem to cope, by means of enrichment sea and air superiority, the Japanese firm to keep the land, the US military fighter frustration of the Japanese soldiers are very hard hit was routed.
So how cloud network to ensure safety?
Only need to open ports, while others will not and will shut down the port. This time, as long as you pass a good guardian of the security measures only entrance to it. Methods used often by ACL (Access Control List, Access Control List) to control IP and port.
Set up these rules, only the specified IP segment can access the specified open interfaces, even if there is a flawed process in the background there, they will be shielded by hackers to enter. On the cloud platform, a collection of these rules often referred to as security groups.
Here is the key: when a network packet enters a machine that they will do anything?
First win the MAC header to see, is not mine. If so, then scored IP head. After obtaining the target IP, to begin routing decision. Before routing decision, the node we called PREROUTING. If you find my IP, package it should be me, it is sent to the top of the transport layer, this node is called INPUT. If you find that IP is not mine, it is necessary forwards, this node is called FORWARD. If after my upper processed is completed, will generally return a processing result, this process results will be sent out, this node is called OUTPUT, either FORWARD or OUTPUT, have
occurred after the routing decision, the last node is POSTROUTING .
Network cloud traffic lights
Smooth traffic city traffic, the traffic light is mainly to protect people and vehicles, network QoS (Quality of Service), in order to protect the majority of the quality of service users in the cloud.
- Classless queuing discipline, which is a not the network packet classification technology.
Will create a lot of FIFO queue, TCP Session calculates the hash value assigned to a queue by hash value. At the other end of the queue, the network packet will be taken from the respective transmission queues by polling policy. This will not have a Session occupy all traffic.
Of course, if the hash Session two is the same, will share a queue, it may also affect each other. hash function will change often, so that session will not always affect each other.
- Token bucket rule, all network packets queued for transmission, but not to the head of the team will be able to send, but need to get a token to send.
At the end of writing, reviewing for several days, but this part of the virtual machine is not so easy to understand, and some have the opportunity to update the content sequel to it, you are welcome to come, with a dream is a juvenile.
