Using QubesOS to work with Windows 7

There are not many articles on Habré devoted to the Qubes operating system, and those I have seen say little about the experience of actually using it. Below the cut, I hope to correct this using the example of Qubes as a means of protecting (against) the Windows environment and, at the same time, to estimate the number of Russian-speaking users of the system.


Why Qubes?

The end of technical support for Windows 7 and growing user anxiety led to the need to organize work with this OS, taking the following requirements into account:

  • ensure the use of a fully activated Windows 7, with the ability for the user to install updates and various applications (including via the Internet);
  • implement complete or selective exclusion of network interactions based on conditions (autonomous operation and traffic filtering modes);
  • provide the ability to selectively connect removable media and devices.

This set of restrictions presupposes a clearly prepared user, since independent administration is allowed, and the restrictions are not about blocking his potential actions but about excluding possible errors or destructive software effects. That is, there is no internal offender in the model.

In our search for a solution, we quickly abandoned the idea of implementing the restrictions with built-in or additional Windows tools, since it is difficult to effectively restrict a user with administrator rights while leaving him the ability to install applications.

The next solution was isolation using virtualization. Well-known desktop virtualization tools (for example, VirtualBox) are poorly suited to solving security problems, and the listed restrictions would have to be implemented by the user by constantly switching or adjusting the properties of the guest virtual machine (hereinafter referred to as VM), which increases the risk of errors.

At the same time, we had experience using Qubes as a user's desktop system, but had doubts about the stability of working with guest Windows. It was decided to test the current version of Qubes, since the stated restrictions fit very well into the paradigm of this system, especially the implementation of virtual machine templates and visual integration. Next, I will try to talk briefly about the ideas and tools of Qubes, using the example of solving this problem.

Types of Xen virtualization

Qubes is based on the Xen hypervisor, which limits its own functions to managing processor resources, memory and virtual machines. All other work with devices is concentrated in dom0, which is based on the Linux kernel (Qubes uses the Fedora distribution for dom0).


Xen supports several types of virtualization (I will give examples for the Intel architecture, although Xen supports others):

  • paravirtualization (PV) - a virtualization mode without the use of hardware support, reminiscent of container virtualization; it can be used for systems with an adapted kernel (dom0 operates in this mode);
  • full virtualization (HVM) - in this mode, hardware support is used for processor resources, and all other equipment is emulated using QEMU. This is the most universal way to run various operating systems;
  • paravirtualization of hardware (PVH - ParaVirtualized Hardware) - a virtualization mode using hardware support in which, to work with hardware, the guest system kernel uses drivers adapted to the capabilities of the hypervisor (for example, shared memory), eliminating the need for QEMU emulation and increasing I/O performance. The Linux kernel starting from 4.11 can work in this mode.


Starting with Qubes 4.0, for security reasons, the use of paravirtualization mode is abandoned (including because of known vulnerabilities in the Intel architecture, which are partially mitigated by the use of full virtualization); PVH mode is used by default.

When using emulation (HVM mode), QEMU is launched in an isolated VM called a stubdomain, thereby reducing the risk of exploiting potential bugs in the implementation (the QEMU project contains a lot of code, including code kept for compatibility).
In our case, this mode should be used for Windows.

Service virtual machines

In the Qubes security architecture, one of the key capabilities of the hypervisor is the passthrough of PCI devices to the guest environment. Hardware exclusion lets you isolate the host part of the system from external attacks. Xen supports this for PV and HVM modes; in the second case it requires support for IOMMU (Intel VT-d) - hardware memory management for virtualized devices.

This creates several system virtual machines:

  • sys-net, to which network devices are passed and which is used as a bridge for other VMs, for example, those that implement the functions of a firewall or a VPN client;
  • sys-usb, to which USB and other peripheral device controllers are passed;
  • sys-firewall, which does not use devices, but works as a firewall for connected VMs.

To work with USB devices, proxy services are used, which provide, among other things:

  • for the HID (human interface device) device class, sending commands to dom0;
  • for removable media, redirection of device volumes to other VMs (except dom0);
  • redirection of a USB device directly (using USBIP and the integration tools).

In such a configuration, a successful attack through the network stack or connected devices can lead to the compromise of only the running service VM, and not the system as a whole. And after the service VM is restarted, it is loaded in its original state.

VM integration tools

There are several ways to interact with the desktop of a virtual machine - installing applications in the guest system or emulating video using virtualization tools. Guest applications can be various universal remote access tools (RDP, VNC, Spice, etc.) or tools adapted to a specific hypervisor (such tools are usually called guest utilities). A mixed option can also be used, where the hypervisor emulates I/O for the guest system and externally provides the ability to use a protocol that combines I/O, such as Spice. At the same time, remote access tools usually optimize the image, since they are designed to work over a network, which does not have a positive effect on image quality.

Qubes provides its own tools for VM integration. First of all, this is the graphics subsystem - windows from different VMs are displayed on a single desktop, each with its own colored frame. In general, the integration tools are based on the capabilities of the hypervisor - shared memory (Xen grant table), notification tools (Xen event channel), the shared storage xenstore and the vchan communication protocol. With their help, the basic components qrexec and qubes-rpc and the application services are implemented - audio or USB redirection, transfer of files or clipboard contents, execution of commands and launching of applications. It is possible to set policies that restrict the services available on a VM. The figure below is an example of the procedure for initializing the interaction of two VMs.


Thus, work in the VM is carried out without using a network, which allows full use of autonomous VMs to avoid information leakage. For example, this is how the separation of cryptographic operations (PGP/SSH) is implemented: private keys are used in isolated VMs and never leave them.
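A simplified model of how a qrexec policy restricts which services one VM may call on another, as an added example (not code from the original article or from the Qubes project). It assumes the Qubes 4.0-style rule format `source target action`, with the first matching line deciding and anything unmatched denied; the VM names `work`, `gpg-vault` and `win7-offline` are hypothetical.

```python
# Simplified model of qrexec policy evaluation (added example, not Qubes code).
# Assumed rule format, one per line: "<source> <target> <allow|deny|ask>".
# "@anyvm" matches any VM; the first matching line decides; no match means deny.

# Constructed policy; the VM names are hypothetical.
POLICY = {
    "qubes.Filecopy": """
        win7-offline  @anyvm        deny   # nothing leaves the offline Windows VM
        @anyvm        win7-offline  ask    # copying into it needs confirmation
        @anyvm        @anyvm        ask
    """,
    "qubes.Gpg": """
        work          gpg-vault     allow  # only 'work' may use the key VM
        @anyvm        @anyvm        deny
    """,
}
ACTIONS = {"allow", "deny", "ask"}


def parse_rules(text):
    """Parse policy text into (source, target, action) tuples."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) != 3 or fields[2] not in ACTIONS:
            raise ValueError(f"line {lineno}: malformed rule {line!r}")
        rules.append(tuple(fields))
    return rules


def matches(pattern, vm):
    return pattern in ("@anyvm", vm)


def evaluate(policy, service, source, target):
    """Return the action for one call; a service without policy is denied."""
    for src, dst, action in parse_rules(policy.get(service, "")):
        if matches(src, source) and matches(dst, target):
            return action
    return "deny"


if __name__ == "__main__":
    for src, dst in [("work", "gpg-vault"), ("win7-offline", "gpg-vault")]:
        print("qubes.Gpg", src, dst, "->", evaluate(POLICY, "qubes.Gpg", src, dst))
```

Because the first match wins, the specific `win7-offline` deny line must stay above the general `@anyvm @anyvm ask` line; swapping them would let the offline VM request file copies.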

Templates, application VMs and one-time VMs

All user work in Qubes is done in virtual machines. The main host system is used to control and visualize them. The OS is installed along with a basic set of template-based virtual machines (TemplateVM). This template is a Linux VM based on the Fedora or Debian distribution, with the integration tools installed and configured, and with dedicated system and user partitions. Software is installed and updated by a standard package manager (dnf or apt) from configured repositories with mandatory digital signature verification (GnuPG). The purpose of such VMs is to ensure trust in the application VMs launched on their basis.

At startup, an application VM (AppVM) uses a snapshot of the system partition of the corresponding VM template, and on shutdown deletes this snapshot without saving changes. The data the user needs is stored in a user partition unique to each application VM, which is mounted in the home directory.


Using disposable VMs (disposableVM) can be useful from a security point of view. Such a VM is created from a template at the time of startup and is launched for one purpose - to run one application, shutting down after it is closed. Disposable VMs can be used to open suspicious files whose contents could lead to the exploitation of vulnerabilities in a specific application. The ability to run a one-time VM is integrated into the file manager (Nautilus) and the email client (Thunderbird).

A Windows VM can also be used to create a template and a one-time VM by moving the user profile to a separate partition. In our version, such a template will be used by the user for administration tasks and application installation. Based on the template, several application VMs will be created - with limited access to the network (standard sys-firewall capabilities) and with no access to the network at all (no virtual network device is created). All changes and applications installed in the template will be available in these VMs, and even if backdoor (implant) programs are introduced, they will have no network access with which to complete a compromise.

The fight for Windows

The features described above are the basis of Qubes and work quite stably; the difficulties begin with Windows. To integrate Windows, you must use the guest tool set Qubes Windows Tools (QWT), which includes drivers for working with Xen, the qvideo driver and a set of utilities for information exchange (file transfer, clipboard). The installation and configuration process is documented in detail on the project website, so we will share our experience of applying it.

The main difficulty is essentially the lack of support for the developed tools. The key developers (QWT) appear to be unavailable, and the Windows integration project is waiting for a lead developer. Therefore, first of all, it was necessary to assess how well it works and to form an understanding of whether we could support it ourselves if necessary. The hardest part to develop and debug is the graphics driver, which emulates the video adapter and display in order to generate an image in shared memory, allowing the entire desktop or an application window to be displayed directly in a window of the host system. While analyzing how the driver works, we adapted the code to build in a Linux environment and worked out a debugging scheme between two Windows guest systems. At the crossbuild stage, we made several changes that simplified things for us, mainly regarding "silent" installation of the utilities, and also eliminated the annoying degradation of performance when working in a VM for a long time. We published the results of the work in a separate repository, thereby briefly inspiring the lead Qubes developer.

The most critical stage in terms of guest system stability is Windows startup; here you may see the familiar blue screen (or not even see it). For most of the identified errors there were various workarounds - removing the Xen block device drivers, disabling VM memory balancing, fixing the network settings, and minimizing the number of cores. Our build of the guest tools installs and runs on fully updated Windows 7 and Windows 10 (except for qvideo).

When moving from a real environment to a virtual one, a problem arises with activating Windows if pre-installed OEM versions are used. Such systems use activation based on licenses specified in the device's UEFI. For activation to be processed correctly, one entire ACPI section of the host system (the SLIC table) has to be passed through to the guest system and the others slightly edited to register the manufacturer. Xen lets you customize the ACPI content with additional tables, but without modifying the main ones. A patch from the similar OpenXT project, adapted for Qubes, helped with the solution. The fixes turned out to be useful not only to us and were passed on to the main Qubes repository and the Libvirt library.

The obvious disadvantages of the Windows integration tools include the lack of support for audio and USB devices, and the difficulty of working with media, since there is no hardware GPU support. But none of this prevents using the VM for work with office documents, nor does it prevent launching specific corporate applications.

The requirement to switch to an operating mode without a network or with a limited network after creating the Windows VM template was met by creating the appropriate configurations of application VMs, and the ability to selectively connect removable media was also solved with standard OS tools - when connected, they are available in the system VM sys-usb, from where they can be "forwarded" to the required VM. The user's desktop looks something like this.


The final version of the system was positively received by users (as far as such a comprehensive solution allows), and the standard tools of the system made it possible to extend the application to the user's workplace with access via VPN.

Instead of a conclusion

Virtualization in general lets you reduce the risks of using Windows systems left without support - it does not force compatibility with new hardware, it lets you exclude or control access to the system over the network or through connected devices, and it lets you implement a one-time launch environment.

Based on the idea of isolation through virtualization, Qubes OS helps you use these and other security mechanisms. From the outside, many people see Qubes primarily as a desire for anonymity, but it is a useful system both for engineers, who often juggle projects, infrastructures and the secrets needed to access them, and for security researchers. Separating applications and data and formalizing their interaction are the first steps of threat analysis and security system design. This separation helps to structure information and reduces the likelihood of errors caused by the human factor - haste, fatigue, etc.

Currently, the main emphasis in development is on expanding the functionality of Linux environments. Version 4.1 is being prepared for release; it will be based on Fedora 31 and include current versions of the key components Xen and Libvirt. It is worth noting that Qubes is created by information security professionals who always promptly release updates when new threats or errors are identified.

Afterword

One of the experimental capabilities we are developing lets us create VMs with support for guest access to the GPU based on Intel GVT-g technology, which makes it possible to use the capabilities of the graphics adapter and significantly expands the scope of the system. At the time of writing, this functionality works for test builds of Qubes 4.1 and is available on github.

Source: www.habr.com
