KVM (for Kernel-based Virtual Machine) is a full virtualization solution for Linux on x86 hardware containing virtualization extensions (Intel VT or AMD-V). It consists of a loadable kernel module, kvm.ko, that provides the core virtualization infrastructure and a processor specific module, kvm-intel.ko or kvm-amd.ko. KVM also requires a modified QEMU although work is underway to get the required changes upstream.
Using KVM, one can run multiple virtual machines running unmodified Linux or Windows images. Each virtual machine has private virtualized hardware: a network card, disk, graphics adapter, etc.
The kernel component of KVM is included in mainline Linux, as of 2.6.20.
KVM is open source software.
Install
To install and run KVM on Debian, follow these steps:
# If you change this file, run 'update-grub' afterwards to update# /boot/grub/grub.cfg.GRUB_DEFAULT=0GRUB_TIMEOUT=5GRUB_DISTRIBUTOR=`lsb_release-i-s2>/dev/null||echoDebian`GRUB_CMDLINE_LINUX_DEFAULT="quiet elevator=deadline"GRUB_CMDLINE_LINUX=""# Uncomment to enable BadRAM filtering, modify to suit your needs# This works with Linux (no patch required) and with any kernel that obtains# the memory map information from GRUB (GNU Mach, kernel of FreeBSD ...)#GRUB_BADRAM="0x01234567,0xfefefefe,0x89abcdef,0xefefefef"# Uncomment to disable graphical terminal (grub-pc only)#GRUB_TERMINAL=console# The resolution used on graphical terminal# note that you can use only modes which your graphic card supports via VBE# you can see them in real GRUB with the command `vbeinfo'#GRUB_GFXMODE=640x480# Uncomment if you don't want GRUB to pass "root=UUID=xxx" parameter to Linux#GRUB_DISABLE_LINUX_UUID=true# Uncomment to disable generation of recovery mode menu entries#GRUB_DISABLE_LINUX_RECOVERY="true"# Uncomment to get a beep at grub start#GRUB_INIT_TUNE="480 440 1"
Then, we will enable KSM. Kernel Samepage Merging (KSM) is a feature of the Linux kernel introduced in the 2.6.32 kernel. KSM allows for an application to register with the kernel to have its pages merged with other processes that also register to have their pages merged. For KVM, the KSM mechanism allows for guest virtual machines to share pages with each other. In an environment where many of the guest operating systems are similar, this can result in significant memory savings.
#!/bin/sh -e## rc.local## This script is executed at the end of each multiuser runlevel.# Make sure that the script will "exit 0" on success or any other# value on error.## In order to enable or disable this script just change the execution# bits.## By default this script does nothing.# KSMecho1>/sys/kernel/mm/ksm/run
exit0
The installation of kvm created a new system group named kvm in /etc/group. You need to add the user accounts that will run kvm to this group (replace username with the user account name to add):
Need LVM acknoledges but is faster and simpler to backup (LVM Snapshot)
Create Disks image
Create a virtual disk image (10 gigabytes in the example, but it is a sparse file and will only take as much space as is actually used, which is 0 at first, as can be seen with the du command: du vdisk.qcow, while ls -l vdisk.qcow shows the sparse file size):
# This file describes the network interfaces available on your system# and how to activate them. For more information, see interfaces(5).# The loopback network interfaceautolobr0br1
ifaceloinetloopback
# DMZifacebr0inetstatic
address192.168.10.1
netmask255.255.255.0
gateway192.168.10.254
network192.168.10.0
broadcast192.168.10.255
bridge_portseth0
bridge_fd9bridge_hello2bridge_maxage12bridge_stpoff
# Internalifacebr1inetstatic
address192.168.0.1
netmask255.255.255.0
gateway192.168.0.254
network192.168.0.0
broadcast192.168.0.255
bridge_portseth1
bridge_fd9bridge_hello2bridge_maxage12bridge_stpoff
# This file describes the network interfaces available on your system# and how to activate them. For more information, see interfaces(5).# The loopback network interfaceautolo
ifaceloinetloopback
# The primary network interfaceallow-hotplugeth0
autoeth0
ifaceeth0inetmanual
autoeth0.110
ifaceeth0.110inetmanual
vlan_raw_deviceeth0
# The bridged interfaceautovmbr0
ifacevmbr0inetstatic
address192.168.100.1
netmask255.255.255.0
network192.168.100.0
broadcast192.168.100.255
gateway192.168.100.254
# dns-* options are implemented by the resolvconf package, if installeddns-nameservers192.168.100.254
dns-searchdeimos.fr
bridge_portseth0
bridge_fd9bridge_hello2bridge_maxage12bridge_stpoff
autovmbr0.110
ifacevmbr0.110inetstatic
address192.168.110.1
netmask255.255.255.0
bridge_portseth0.190
bridge_stpoff
bridge_maxwait0bridge_fd0
Nat configuration
Nat is the default configuration. But you may need to do some adjustements. Add the forwarding to sysctl:
You may need to configure iptables for example if you're on a dedicated box where the provider doesn't allow bridge configuration. Here is a working iptables configuration to permit incoming connexions to Nated guests:
#!/bin/bash# Made by Pierre Mavro / Deimosfr# This script will Nat you KVM/containers hosts# and help you to get access from outside#-------------------------------------------------------------------------# Essentials#-------------------------------------------------------------------------IPTABLES='/sbin/iptables'modprobenf_conntrack_ftp
#-------------------------------------------------------------------------# Physical and virtual interfaces definitions#-------------------------------------------------------------------------# Interfaceswan1_if="eth0"wan2_if="eth0:0"kvm_if="virbr0"#-------------------------------------------------------------------------# Networks definitions#-------------------------------------------------------------------------# Networkswan1_ip="x.x.x.x"wan2_ip="x.x.x.x"vms_net="192.168.122.0/24"# Dedibox internals IPsweb_ip="192.168.122.10"mail_ip="192.168.122.20"#-------------------------------------------------------------------------# Global Rules input / output / forward#-------------------------------------------------------------------------# Flushing tables$IPTABLES-F
$IPTABLES-X
$IPTABLES-tnat-F
# Define default policy$IPTABLES-PINPUTDROP
$IPTABLES-POUTPUTACCEPT
$IPTABLES-PFORWARDACCEPT
## Loopback accepte${IPTABLES}-AFORWARD-ilo-olo-jACCEPT
${IPTABLES}-AINPUT-ilo-jACCEPT
${IPTABLES}-AOUTPUT-olo-jACCEPT
# Allow KVM DHCP/dnsmasq${IPTABLES}-AINPUT-i$kvm_if-pudp--dport67-jACCEPT
${IPTABLES}-AINPUT-i$kvm_if-pudp--dport69-jACCEPT
$IPTABLES-AINPUT-jACCEPT-d$vms_net$IPTABLES-AINPUT-jACCEPT-mstate--stateESTABLISHED,RELATED
#-------------------------------------------------------------------------# Allow masquerading for KVM VMs#-------------------------------------------------------------------------# Activating masquerade to get Internet from KVM VMs$IPTABLES-tnat-APOSTROUTING-o$wan1_if-s$vms_net-jMASQUERADE
#-------------------------------------------------------------------------# Allow ports on KVM host#-------------------------------------------------------------------------# Allow ICMP$IPTABLES-AINPUT-jACCEPT-picmp
# SSH access$IPTABLES-AINPUT-jACCEPT-ptcp--dport22# HTTPS access$IPTABLES-AINPUT-jACCEPT-ptcp--dport443#-------------------------------------------------------------------------# Redirections for incoming connections (wan1)#-------------------------------------------------------------------------# HTTP access$IPTABLES-tnat-APREROUTING-ptcp--dport80-d$wan1_ip-jDNAT--to-destination$web_ip:80
# HTTP access$IPTABLES-tnat-APREROUTING-ptcp--dport443-d$wan1_ip-jDNAT--to-destination$web_ip:443
# Mail for mailsrv$IPTABLES-tnat-APREROUTING-ptcp--dport25-d$wan1_ip-jDNAT--to-destination$mail_ip:25
#-------------------------------------------------------------------------# Reload fail2ban#-------------------------------------------------------------------------/etc/init.d/fail2banreload
Create a VM
New method (with libvirt)
If you want to create a VM with disk image and bridged configuration:
To make a clean installation of a Guest KVM, you can create a script for each VM you want to create. here is a script exemple to launch a KVM using VNC for display instead of X11 display:
#!/bin/shclear
# Var Definition# Name of your KVMHOSTNAME="Client 1"# Path to your virtual hard drive imageHDD="-hda /mnt/vms/lenny/disk0.qcow2"# Path to your CD-Rom# note: you can use an isoCDROM="-cdrom /dev/cdrom"# Boot Sequence# note: "c": HDD, "d": CD-Rom, "a": FloppyBOOT="-boot c"# TAP Device Creation# note: don't forget to change "ifname" if you are using mutliples KVM's!# This is for "bridged mode". if you wan't to use the "user mode", remove the "TAP" variableTAP="-net tap,vlan=0,ifname=tap0,script=/etc/kvm/kvm-ifup"# Virtual Network Card parameters# note: default model is a "ne2k_pci" (rtl8029) and works on Windows XP and Vista# "rtl8139" has better performances and is detected as a 100Mb Adapter# "pcnet" or "ai82551" are better for BSD'sNIC="-net nic,model=rtl8139,vlan=0"# Amount of memory (in Megabyte)MEM="-m 384"# Miscelaneous options# note: "-k fr": if using VNC, it corrects the keyboard problem# "-usbdevice" tablet: correct the problem of mouse desynchronisation# "-no-acpi": if you are installing a Windows based guest or a BSDMISC="-k fr -localtime -no-acpi -usbdevice tablet"# VNC Mode# note: "-vnc <ip>:<display>": allows clients to connect to specified display only ON (not "from") the specified IP AddressVNC="-vnc 192.168.0.80:1"# Starting the KVM# Cheapy Design by Hostin!! ;-pecho-e"\n\n################################"echo"##### Starting KVM with... #####"echo"################################"echo-e"\n Hard Disk: \"$HDD\" "echo" CD-Rom: \"$CDROM\" "echo" Boot Sequence: \"$BOOT\" "echo" TAP Device: \"$TAP\" "echo" Virtual Network Card: \"$NIC\" "echo" Memory size: \"$MEM\" "echo" Miscelaneous: \"$MISC\" "echo" VNC Mode: \"$VNC\" "echo-e"\n################################"echo-e"\n\n######################################################################"echo"Kernel-based Virtual Machine: $HOSTNAME - Running"echo"######################################################################"echo-e"\n\nLoading kvm-intel kernel module..."modprobekvm-intel
execkvm$HDD$CDROM$BOOT$TAP$NIC$MEM$MISC$VNC
: the name of the snapshot (not as a file, but as it will be displayed on virsh)
: a description of that snapshot
vda: select the name of the VM device to backup
: set the full path of the snapshot file (where it should be stored)
Once that command launched, the base VM disk (not the snapshot) becomes read only and the snapshot is read/write. You could copy the base for the backup if you want.
When finished (look at iotop status), you can remove the base image and keep the snapshot.
blockcommit
The blockcommit, is my favorite way to create backups. The actual problem is on Debian 7, this is not present as virsh require a version upper or equal to 0.10.2 and it's only available on Debian unstable for the moment. Anyway, if you've got this version, here is how to do it.
You can see there are 7 cores (called processor). In fact there are 4 cores with 2 thread each on this CPU. That's why there are 4 cores id and 8 detected cores.
So here is the list of the cores with their attached core:
core id 0: processors 0 and 4
core id 1: processors 1 and 5
core id 2: processors 2 and 6
core id 3: processors 3 and 7
Now, if I want on a VM a dedicated CPU with it's additional thread, I would prefer do 2 virtual CPU (vpcu) and bind the good core on it. So first, look at the current configuration:
You can see there is only 1 vcpu. And all the cores of the CPU are used (count the number of 'y' in CPU Affinity, here 8). If we want the best performances, we need to add as many vcpu as we want of cores on a VM, you will see the advantage later... So let's add some cores:
So here for example, we set 4 vcpus. That mean the VM will see 4 cores! Now, we're going to bind processor 0 and 4 on both vcpu! Why? Because if an application doesn't know how to multithread, it will use all the cores! And if applications knows how to use multi cores, they will use it like that. So in any case, you will have good performances :-).
So now I added 4 virtuals CPU (0 and 1) and added 2 cores (2 and 3) with their associated thread (6 and 7).
In Debian 6 version, it will be done on the fly, but won't be set definitely in the configuration. That's why you'll need to add those parameters (cpuset) in the XML of your VM:
You may have a couple of VM based on disk image like qcow2 and my want to convert them into LVM partition. Fortunatly, there is a solution! First convert into your qcow into raw format:
If you need to transfer from one server to another a VM based on LVM, there is an easy way solution. You need to first stop the Virtual Machine to have consistency datas, then you can transfer them:
Do not forget to transfer xml file configuration of the VM and adapt LVM disks name if needed. Then "virsh define" the new xml file.
Graphically access to VMs without Virt Manager
If you want to access thought your VMs without installing any manager, you can. First you have to be sure when you created your VM, you entered the --vnc option or when you launch it, you use this option.
If if it's not hte case and you're using libvirt, please add it to your wished VM:
Now this is done, you need to change the default listening address of VNC on libvirt. By default, it's listening on 127.0.0.1. This is the most secure choice. However, you may have a secured LAN and wished to open it to anybody. Open so the qemu.conf and modify it to bind on you secure server IP address:
If you need as well to activate secure VNC connections, please activate TLS in the same config file.
Then restart or reload libvirt-bin.
Suspend guests VMs on host shutdown
If your desktop hosts several VMs, it could be interesting to auto suspend them when you restart your computer for example. There is a service for that to make it easy. Simply edit libvirt-guests file configuration:
# URIs to check for running guests# example: URIS='default xen:/// vbox+tcp://host/system lxc:///'URIS=qemu:///system
# action taken on host boot# - start all guests which were running on shutdown are started on boot# regardless on their autostart settings# - ignore libvirt-guests init script won't start any guest on boot, however,# guests marked as autostart will still be automatically started by# libvirtdON_BOOT=ignore
# Number of seconds to wait between each guest start. Set to 0 to allow# parallel startup.START_DELAY=0# action taken on host shutdown# - suspend all running guests are suspended using virsh managedsave# - shutdown all running guests are asked to shutdown. Please be careful with# this settings since there is no way to distinguish between a# guest which is stuck or ignores shutdown requests and a guest# which just needs a long time to shutdown. When setting# ON_SHUTDOWN=shutdown, you must also set SHUTDOWN_TIMEOUT to a# value suitable for your guests.ON_SHUTDOWN=suspend# If set to non-zero, shutdown will suspend guests concurrently. Number of# guests on shutdown at any time will not exceed number set in this variable.PARALLEL_SHUTDOWN=3# Number of seconds we're willing to wait for a guest to shut down. If parallel# shutdown is enabled, this timeout applies as a timeout for shutting down all# guests on a single URI defined in the variable URIS. If this is 0, then there# is no time out (use with caution, as guests might not respond to a shutdown# request). The default value is 300 seconds (5 minutes).SHUTDOWN_TIMEOUT=600# If non-zero, try to bypass the file system cache when saving and# restoring guests, even though this may give slower operation for# some file systems.#BYPASS_CACHE=0
warning: could not open /dev/net/tun: no virtual network emulation
This happen when you want to charge the tun device and you don't have permissions. Simply run your kvm command with sudo.
Solaris reboot all the time on grub menu
Run through the installer as usual
On completion and reboot, the VM will perpetually reboot. "Stop" the VM.
Start it up again, and immediately open a vnc console and select the Safe Boot from the options screen
When prompted if you want to try and recover the boot block, say yes
You should now have a Bourne terminal with your existing filesystem mounted on /a
Run /a/usr/bin/bash (my preferred shell)
export TERM=xterm
vi /a/boot/grub/menu.1st (editing the bootloader on your mounted filesystem), to add "kernel/unix" to the kernel options for the non-safe-mode boot. Ex:
