lscpu | grep -i VirtualizationVT-xfor IntelAMD-Vifor AMD
zgrep CONFIG_KVM /proc/config.gzy= Yes (always installed)m= Loadable module
sudo pacman -S qemu-full qemu-img libvirt virt-install virt-manager virt-viewer \
edk2-ovmf swtpm guestfs-tools libosinfo
yay -S tunedqemu-full- user-space KVM emulator, manages communication between hosts and VMsqemu-img- provides create, convert, modify, and snapshot, offline disk imageslibvirt- an open-source API, daemon, and tool for managing platform virtualizationvirt-install- CLI tool to create guest VMsvirt-manager- GUI tool to create and manage guest VMsvirt-viewer- GUI console to connect to running VMsedk2-ovmf- enables UEFI support for VMsswtpm- TPM (Trusted Platform Module) emulator for VMsguestfs-tools- provides a set of extended CLI tools for managing VMslibosinfo- a library for managing OS information for virtualization.tuned- system tuning service for linux allows us to optimise the hypervisor for speed.
Go to the Fedora People repository and download virtio-win.iso.
Save it anywhere on disk, and attach it to a CD-ROM it when creating Windows VM.
The default location on Debian/RedHat based is `/usr/share/virtio-win/
- Here is the documentation detailing the difference between monolithic and modular daemons.
- Choose between option 1 and 2 and then do a
reboot.
for drv in qemu interface network nodedev nwfilter secret storage; do
sudo systemctl enable virt${drv}d.service;
sudo systemctl enable virt${drv}d{,-ro,-admin}.socket;
done- loop through virtualization systemd services necessary for the libvirt modular daemon.
sudo systemctl enable libvirtd.servicesudo virt-host-validate qemuIf you receive warnings, proceed to their respective sections. Re-run the above command to check your changes.
WARN (IOMMU appears to be disabled in the kernel. Add intel_iommu=on to kernel cmdline arguments)
- Open your GRUB config
sudo vim /etc/default/grub- Add the following kernel module entries
# /etc/default/grub
GRUB_CMDLINE_LINUX="... intel_iommu=on iommu=pt"
- Regenerate your
grub.cfgfile
sudo grub-mkconfig -o /boot/grub/grub.cfg
sudo rebootFor AMU CPUs with SEV feature, you might receive this warning:
WARN (AMD Secure Encrypted Virtualization appears to be disabled in kernel. Add kvm_amd.sev=1 to the kernel cmdline arguments)
If you are in Intel you may ignore the warning below, as this only affects AMD CPUs.
WARN (Unknown if this platform has Secure Guest support).
You may refer to this bug report:
Or this libvirt documentation:
echo "options kvm_amd sev=1" >> /etc/modprobe.d/amd-sev.conf
sudo reboot- Open your GRUB config and add kernel modules
sudo vim /etc/default/grub# /etc/default/grub
GRUB_CMDLINE_LINUX="... mem_encrypt=on kvm_amd.sev=1"
- Regenerate your
grub.cfgfile
sudo grub-mkconfig -o /boot/grub/grub.cfg
sudo reboot- Enable TuneD daemon
sudo systemctl enable --now tuned.service- Check active TuneD profile
tuned-adm activeCurrent active profile: balanced
balanced- generic profile not specialised for KVM, we will change this.
- List all TuneD profiles
tuned-adm list- Set profile to
virtual-host
sudo tuned-adm profile virtual-host- Verify that TuneD profile
tuned-adm activeCurrent active profile: virtual-host
sudo tuned-adm verifyVerification succeeded, current system settings match the preset profile. See TuneD log file ('/var/log/tuned/tuned/log') for details.
- By default all virtual machines will connect to the built-in default NAT network.
- To make VMs accessible via the LAN you must create a network bridge.
- Keep in mind that network bridges won't work with hosts running on Wireless NICs.
- All configuration steps below is done using
NetworkManager. If you use a different program to manage networking use that instead.
Default NAT network XML dump:
<network>
<uuid>...</uuid>
<forward mode='nat'>
<nat>
<port start='1024' end='65535'/>
</nat>
</forward>
<bridge name='virbr0' stp='on' delay='0'/>
<mac address='AB:CD:EF:AB:CD:EF'/>
<ip address='10.1.1.1' netmask='255.255.255.0'>
<dhcp>
<range start="10.1.1.2" end="10.1.1.254"/>
</dhcp>
</ip>
</network>The rules below is my personal config for my laptop machine. Which works nicely with the autogenerated libvirt network rules.
#!/usr/bin/nft -f
flush ruleset;
define qemu_iface = "virbr0";
table inet filter {
chain input {
type filter hook input priority filter; policy drop;
ct state established,related accept;
iifname "lo" accept comment "allow loopback";
iifname $qemu_iface accept comment "allow qemu";
tcp dport http accept comment "allow sending http";
tcp dport https accept comment "allow sending https";
udp dport 67 udp sport 68 accept comment "allow sending dhcp";
tcp dport ssh accept comment "allow ssh";
counter drop;
}
chain forward {
type filter hook forward priority filter; policy drop;
ct state established,related accept;
iifname $qemu_iface accept comment "forward qemu input";
oifname $qemu_iface accept comment "forward qemu output";
counter drop;
}
}
table ip nat {
chain postrouting {
type nat hook postrouting priority srcnat; policy accept;
ip saddr 10.1.1.0/24 masquerade;
}
}
- find the interface name of your ethernet connection.
sudo nmcli device status| DEVICE | TYPE | STATE | CONNECTION |
|---|---|---|---|
| enp2s0 | ethernet | connected | Wired connection 1 |
| lo | loopback | connected (externally) | lo |
| virbr0 | bridge | connected (externally) | virbr0 |
- create a bridge interface using
nmcli
sudo nmcli connection add type bridge con-name bridge0 ifname bridge0- connect the ethernet interface to the bridge
sudo nmcli connection add type ethernet slave-type bridge con-name 'Bridge connection 1' \
ifname enp2s0 master bridge0- active the newly created connection
sudo nmcli connection up bridge 0- enable
connection.autoconnect-slavesparameter.
sudo nmcli connection modify bridge0 connection.autoconnect-slaves 1- reactivate the bridge and verify connection.
sudo nmcli connection up bridge0
sudo nmcli device status| DEVICE | TYPE | STATE | CONNECTION |
|---|---|---|---|
| bridge0 | bridge | connected | bridge0 |
| lo | loopback | connected (externally) | lo |
| virbr0 | bridge | connected (externally) | virbr0 |
| enp2s0 | ethernet | connected | Bridge connection 1 |
- create an XML file called
nwbridge.xml.
vim nwbridge.xml- post the following XML
<network>
<name>nwbridge</name>
<forward mode="bridge" />
<bridge name="bridge0" />
</network>- define the bridge network
sudo virsh net-define nwbridge.xmlNetwork nwbridge defined from nwbridge.xml
- start the bridge network
sudo virsh net-start nwbridge- auto-start bridge network on boot
sudo virsh net-autostart nwbridge- delete
nwbridge.xmlfile
rm nwbridge.xml- verify that
nwbridgenetwork exists.
sudo virsh net-list --all| Name | State | Autostart | Persistent |
|---|---|---|---|
| default | active | yes | yes |
| nwbridge | active | yes | yes |
If you want to revert the changes to your network, do the following:
sudo virsh net-destroy nwbridge
sudo virsh net-undefine nwbridge
sudo nmcli connection up 'Wired connection 1'
sudo nmcli connection del bridge0
sudo nmcli connection del 'Bridge connection 1'libvirt as two methods for connecting to the KVM Hypervisor.
In session mode, a regular user is connected to a per-user instance. Allowing each user to manage their own pool of virtual machines. This is also the default mode.
The advantage of this mode is, permissions are not an issue. As no root access is required.
The disadvantage is this mode uses QEMU User Networking (SLIRP). This is a user-space IP stack, which yields overhead resulting in poor networking performance.
And if you want to implement an option that requires root privileges. You will be unable to do so.
In the system mode you are granted access to all system resources.
- check current mode
sudo virsh uriqemu:///session
- add the current user to the
libvirtgroup
sudo usermod -aG libvirt $USER- set env variable with the default uri and check
echo 'export LIBVIRT_DEFAULT_URI="qemu:///system"' >> ~/.bashrc
sudo virsh uri- check permissions on the images directory
sudo getfacl /var/lib/libvirt/imagesgetfacl: Removing leading '/' from absolute path names
# file : var/lib/libvirt/images/
# owner: root
# group: root
user::rwx
group::--x
other::--x- recursively remove existing ACL permissions
sudo setfacl -R -b /var/lib/libvirt/images/- recursively grant permission to the current user
sudo setfacl -R -m u:${USER}:rwX /var/lib/libvirt/images/- uppercase
Xstates that execution permission only applied to child folders and not child files.
- enable special permissions default ACL
sudo setfacl -m d:u:${USER}:rwx /var/lib/libvirt/images/- if this step is omitted, new dirs or files created within the images directory will not have this ACL set.
- verify your ACL permissions within the images directory.
sudo getfacl /var/lib/libvirt/images/getfacl: Removing leading '/' from absolute path names
# file : var/lib/libvirt/images/
# owner: root
# group: root
user::rwx
user:tatum:rwx
group::--x
mask::rwx
other::--x
default:user::rwx
default:user:tatum:rwx
default:group::--x
default:mask::rwx
default:other::--x
@tatumroaquin I'm getting error
error: target not found: qemu-arch-extra. Looks like that package doesn't exists?