Using QubesOS to work with Windows 7

There are not many articles on Habré devoted to the Qubes operating system, and the ones I have seen do not describe much practical experience of using it. Below the cut, I hope to correct this using the example of using Qubes as a means of protecting (against) the Windows environment and, at the same time, to estimate the number of Russian-speaking users of the system.


Why Qubes?

The story of the end of technical support for Windows 7 and growing user anxiety led to the need to organize work with this OS, taking into account the following requirements:

  • ensure the use of fully activated Windows 7 with the ability for the user to install updates and various applications (including via the Internet);
  • implement complete or selective exclusion of network interaction based on conditions (autonomous operation and traffic filtering modes);
  • provide the ability to selectively connect removable media and devices.

This set of restrictions implies a clearly prepared user, since independent administration is allowed, and the restrictions are aimed not at blocking his potential actions but at excluding possible errors or the effects of malicious software. That is, there is no insider threat in the model.

In our search for a solution, we quickly abandoned the idea of implementing the restrictions using built-in or additional Windows tools, since it is very difficult to effectively restrict a user with administrator rights while leaving him the ability to install applications.

The next solution was isolation using virtualization. Well-known desktop virtualization tools (for example, virtualbox) are poorly suited to solving security problems, and the listed restrictions would have to be implemented by the user by constantly switching or adjusting the properties of the guest virtual machine (hereinafter referred to as VM), which increases the risk of errors.

At the same time, we had experience using Qubes as a user's desktop system, but had doubts about the stability of working with guest Windows. It was decided to check the current version of Qubes, since the stated restrictions fit very well into the paradigm of this system, especially the implementation of virtual machine templates and visual integration. Next, I will try to talk briefly about the ideas and tools of Qubes, using the example of solving the problem.

Types of Xen virtualization

Qubes is based on the Xen hypervisor, which minimizes the functions of managing processor resources, memory and virtual machines. All other work with devices is concentrated in dom0, which is based on the Linux kernel (Qubes uses the Fedora distribution for dom0).


Xen supports several types of virtualization (I will give examples for the Intel architecture, although Xen supports others):

  • paravirtualization (PV) - a virtualization mode without the use of hardware support, reminiscent of container virtualization, which can be used for systems with an adapted kernel (dom0 operates in this mode);
  • full virtualization (HVM) - in this mode, hardware support is used for processor resources, and all other equipment is emulated using QEMU. This is the most universal way to run various operating systems;
  • paravirtualization of hardware (PVH - ParaVirtualized Hardware) - a virtualization mode using hardware support in which, to work with hardware, the guest system kernel uses drivers adapted to the capabilities of the hypervisor (for example, shared memory), eliminating the need for QEMU emulation and increasing I/O performance. The Linux kernel starting from 4.11 can work in this mode.


Starting with Qubes 4.0, for security reasons, the use of paravirtualization mode is abandoned (including because of known vulnerabilities in the Intel architecture, which are partially mitigated by the use of full virtualization); PVH mode is used by default.

When using emulation (HVM mode), QEMU is launched in an isolated VM called a stubdomain, thereby reducing the risk of exploitation of potential errors in the implementation (the QEMU project contains a lot of code, including code kept for compatibility).
In our case, this mode has to be used for Windows.

Service virtual machines

In the Qubes security architecture, one of the key capabilities of the hypervisor is the transfer of PCI devices to the guest environment. Hardware isolation allows you to isolate the host part of the system from external attacks. Xen supports this for PV and HVM modes; in the second case it requires support for IOMMU (Intel VT-d) - hardware memory management for virtualized devices.

This creates several system virtual machines:

  • sys-net, to which network devices are transferred and which is used as a bridge for other VMs, for example, those that implement the functions of a firewall or a VPN client;
  • sys-usb, to which USB and other peripheral device controllers are transferred;
  • sys-firewall, which does not use devices, but works as a firewall for connected VMs.

To work with USB devices, proxy services are used, which provide, among other things:

  • for the HID (human interface device) device class, sending commands to dom0;
  • for removable media, redirection of device volumes to other VMs (except for dom0);
  • redirection of a USB device directly (using USBIP and the integration tools).

In such a configuration, a successful attack through the network stack or connected devices can lead to the compromise of only the running service VM, and not the entire system. And after the service VM is restarted, it will be loaded in its original state.

VM integration tools

There are several ways to interact with the desktop of a virtual machine - installing applications in the guest system or emulating video using virtualization tools. Guest applications can be various universal remote access tools (RDP, VNC, Spice, etc.) or tools adapted to a specific hypervisor (such tools are usually called guest utilities). A mixed option can also be used, when the hypervisor emulates I/O for the guest system and externally provides the ability to use a protocol that combines I/O, for example, Spice. At the same time, remote access tools usually optimize the image, since they involve working over a network, which does not have a positive effect on image quality.

Qubes provides its own tools for VM integration. First of all, this is the graphics subsystem - windows from different VMs are displayed on a single desktop, each with its own color frame. In general, the integration tools are based on the capabilities of the hypervisor - shared memory (Xen grant table), notification tools (Xen event channel), the shared storage xenstore and the vchan communication protocol. With their help, the basic components qrexec and qubes-rpc are implemented, as well as application services - audio or USB redirection, transferring files or clipboard contents, executing commands and launching applications. It is possible to set policies that allow you to limit the services available on a VM. The figure below is an example of the procedure for initializing the interaction of two VMs.


Thus, work in a VM is carried out without using a network, which allows full use of autonomous VMs to avoid information leaks. For example, this is how separation of cryptographic operations (PGP/SSH) is implemented, when private keys are used in isolated VMs and do not go beyond them.
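The service policies mentioned above decide, per qrexec service, which VM may call which. As an added example (not code from the article or from the Qubes project), the following simplified Python model of the R4.0 policy format evaluates a constructed qubes.Filecopy policy and flags rules that an earlier line makes unreachable. The VM names are hypothetical, and only literal names and $anyvm are modelled.

```python
# Simplified model of the Qubes R4.0 qrexec policy format (assumption: only
# literal VM names and $anyvm are handled; dom0, tags and types are omitted).
# Each rule is "source target action"; the first match wins, no match = deny.

# Constructed policy for qubes.Filecopy; all VM names are hypothetical.
FILECOPY_POLICY = """
# the template is used for administration only: no file exchange at all
win7-template  $anyvm         deny
$anyvm         win7-template  deny
# the offline Windows VM may hand documents to one archive VM only
win7-offline   vault-docs     allow
win7-offline   $anyvm         deny
# everything else requires confirmation in dom0
$anyvm         $anyvm         ask
"""

def parse_policy(text):
    """Return a list of (source, target, action) tuples."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        # an action may carry parameters after a comma; only the verb is kept
        action = fields[2].split(",")[0] if len(fields) == 3 else None
        if action not in ("allow", "deny", "ask"):
            raise ValueError(f"line {lineno}: malformed rule {raw!r}")
        rules.append((fields[0], fields[1], action))
    return rules

def covers(pattern, name):
    return pattern == "$anyvm" or pattern == name

def evaluate(rules, source, target):
    """Decision for one call: first matching rule, default deny."""
    for src, dst, action in rules:
        if covers(src, source) and covers(dst, target):
            return action
    return "deny"

def shadowed(rules):
    """Rules that can never fire because an earlier rule already covers them."""
    return [r for i, r in enumerate(rules)
            if any(covers(s, r[0]) and covers(d, r[1]) for s, d, _ in rules[:i])]

if __name__ == "__main__":
    rules = parse_policy(FILECOPY_POLICY)
    for src, dst in [("win7-offline", "vault-docs"), ("win7-offline", "work"),
                     ("work", "win7-template"), ("work", "personal")]:
        print(f"{src} -> {dst}: {evaluate(rules, src, dst)}")
    print("shadowed:", shadowed(rules))
```

Because the first match wins, an `allow` placed after a broader `deny` for the same source never takes effect; `shadowed()` reports such lines so they can be reordered.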

Templates, application and one-time VMs

All user work in Qubes is done in virtual machines. The main host system is used to manage and visualize them. The OS is installed along with a basic set of template-based virtual machines (TemplateVM). This template is a Linux VM based on the Fedora or Debian distribution, with the integration tools installed and configured, and with dedicated system and user partitions. Installation and updating of software is carried out by the standard package manager (dnf or apt) from configured repositories with mandatory digital signature verification (GnuPG). The purpose of such VMs is to ensure trust in the application VMs launched on their basis.

At startup, an application VM (AppVM) uses a snapshot of the system partition of the corresponding template VM, and on completion deletes this snapshot without saving changes. The data required by the user is stored in a user partition unique to each application VM, which is mounted in the home directory.


Using disposable VMs (disposableVM) can be useful from a security point of view. Such a VM is created from a template at the time of startup and is launched for one purpose - to execute one application, finishing its work after the application is closed. Disposable VMs can be used to open suspicious files whose contents could lead to exploitation of vulnerabilities in a specific application. The ability to run a one-time VM is integrated into the file manager (Nautilus) and the email client (Thunderbird).

A Windows VM can also be used to create a template and a one-time VM by moving the user profile to a separate partition. In our version, such a template will be used by the user for administration tasks and application installation. Based on the template, several application VMs will be created - with limited access to the network (standard sys-firewall capabilities) and without access to the network at all (a virtual network device is not created). All changes and applications installed in the template will be available for work in these VMs, and even if implanted (backdoor) programs are introduced, they will not have the network access needed for a compromise.

The fight for Windows

The features described above are the basis of Qubes and work quite stably; the difficulties begin with Windows. To integrate Windows, you must use the Qubes Windows Tools (QWT) set of guest tools, which includes drivers for working with Xen, the qvideo driver and a set of utilities for information exchange (file transfer, clipboard). The installation and configuration process is documented in detail on the project website, so we will share our experience of applying it.

The main difficulty is essentially the lack of support for the developed tools. The key developers (QWT) appear to be unavailable, and the Windows integration project is waiting for a lead developer. Therefore, first of all, it was necessary to assess its performance and form an understanding of whether it could be supported independently, if necessary. The most difficult part to develop and debug is the graphics driver, which emulates the video adapter and display in order to generate an image in shared memory, allowing you to display the entire desktop or an application window directly in a window of the host system. While analyzing the driver's operation, we adapted the code for building in a Linux environment and worked out a debugging scheme between two Windows guest systems. At the crossbuild stage, we made several changes that simplified things for us, mainly in terms of "silent" installation of the utilities, and also eliminated the annoying degradation of performance when working in a VM for a long time. We presented the results of the work in separate repositories, thereby briefly inspiring the lead Qubes developer.

The most critical stage in terms of guest system stability is the startup of Windows; here you can see the familiar blue screen (or not even see it). For most of the identified errors, there were various workarounds - eliminating the Xen block device drivers, disabling VM memory balancing, fixing network settings, and minimizing the number of cores. Our build of the guest tools installs and runs on fully updated Windows 7 and Windows 10 (except for qvideo).

When moving from a real environment to a virtual one, a problem arises with activating Windows if pre-installed OEM versions are used. Such systems use activation based on licenses specified in the device's UEFI. To handle activation correctly, it is necessary to pass one of the entire ACPI sections of the host system (the SLIC table) to the guest system and slightly edit the others, registering the manufacturer. Xen allows you to customize the ACPI content of additional tables, but without modifying the main ones. A patch from the similar OpenXT project, adapted for Qubes, helped with the solution. The fixes seemed useful not only to us and were carried over to the main Qubes repository and the Libvirt library.

The obvious disadvantages of the Windows integration tools include the lack of support for audio and USB devices, and the difficulty of working with media, since there is no hardware support for the GPU. But the above does not prevent the use of the VM for working with office documents, nor does it prevent the launch of specific corporate applications.

The requirement to switch to an operating mode without a network or with a limited network after creating the Windows VM template was fulfilled by creating the appropriate configurations of application VMs, and the ability to selectively connect removable media was also solved by standard OS tools - when connected, they are available in the system VM sys-usb, from where they can be forwarded to the required VM. The user's desktop looks something like this.


The final version of the system was positively (as far as such a comprehensive solution allows) accepted by users, and the standard tools of the system made it possible to extend the application to the user's mobile workstation with access via VPN.

Instead of a conclusion

Virtualization in general allows you to reduce the risks of using Windows systems left without support - it does not force compatibility with new hardware, it allows you to exclude or control access to the system over the network or through connected devices, and it allows you to implement a one-time launch environment.

Based on the idea of isolation through virtualization, Qubes OS helps you use these and other mechanisms for security. From the outside, many people see Qubes primarily as a desire for anonymity, but it is a useful system both for engineers, who often juggle projects, infrastructures and the secrets needed to access them, and for security researchers. Separation of applications and data, and formalization of their interaction, are the initial steps of threat analysis and security system design. This separation helps to structure information and reduce the likelihood of errors due to the human factor - haste, fatigue, etc.

Currently, the main emphasis in development is on extending the functionality of Linux environments. Version 4.1 is being prepared for release; it will be based on Fedora 31 and include current versions of the key components Xen and Libvirt. It is worth noting that Qubes is created by information security professionals who always promptly release updates if new threats or errors are identified.

Afterword

One of the experimental capabilities we are developing allows us to create VMs with support for guest access to the GPU based on Intel GVT-g technology, which allows us to use the capabilities of the graphics adapter and significantly expand the scope of the system. At the time of writing, this functionality works for test builds of Qubes 4.1, and is available on github.

Source: www.habr.com
