{"slug": "qemu-kvm-installation-for-arch-linux", "title": "QEMU-KVM Installation for Arch Linux", "summary": "This article provides a step-by-step guide for installing and configuring QEMU-KVM virtualization on Arch Linux. It details the installation of necessary packages, enabling systemd services, and validating the setup with `virt-host-validate`. The guide also covers enabling nested virtualization, configuring IOMMU and AMD SEV support, and optimizing performance using the TuneD service with the `virtual-host` profile.", "body_md": "lscpu | grep -i Virtualization\n- VT-x for Intel\n- AMD-Vi for AMD\nzgrep CONFIG_KVM /proc/config.gz\n- y = Yes (always installed)\n- m = Loadable module\nsudo pacman -S qemu-full qemu-img libvirt virt-install virt-manager virt-viewer \\\nedk2-ovmf dnsmasq swtpm guestfs-tools libosinfo tuned\n- qemu-full - user-space KVM emulator, manages communication between hosts and VMs\n- qemu-img - creates, converts, modifies, and snapshots offline disk images\n- libvirt - an open-source API, daemon, and tool for managing platform virtualization\n- virt-install - CLI tool to create guest VMs\n- virt-manager - GUI tool to create and manage guest VMs\n- virt-viewer - GUI console to connect to running VMs\n- edk2-ovmf - enables UEFI support for VMs\n- dnsmasq - lightweight DNS forwarder and DHCP server\n- swtpm - TPM (Trusted Platform Module) emulator for VMs\n- guestfs-tools - provides a set of extended CLI tools for managing VMs\n- libosinfo - a library for managing OS information for virtualization\n- tuned - system tuning service for Linux that allows us to optimise the hypervisor for speed\nGo to the Fedora People repository and download virtio-win.iso.\nSave it anywhere on disk, and attach it to a CD-ROM when creating a Windows VM.\nThe default location on Debian/RedHat-based systems is /usr/share/virtio-win/\n- Here is the documentation detailing the difference between monolithic and modular daemons.\n- Choose between option 1 and 2 and then do a reboot.\nfor drv in qemu 
interface network nodedev nwfilter secret storage; do\nsudo systemctl enable virt${drv}d.service;\nsudo systemctl enable virt${drv}d{,-ro,-admin}.socket;\ndone\n- loop through virtualization systemd services necessary for the libvirt modular daemon.\nsudo systemctl enable libvirtd.service\nsudo virt-host-validate qemu\nIf you receive warnings, proceed to their respective sections. Re-run the above command to check your changes.\nIntel:\nsudo modprobe -r kvm_intel\nsudo modprobe kvm_intel nested=1\nAMD:\nsudo modprobe -r kvm_amd\nsudo modprobe kvm_amd nested=1\nIntel:\necho \"options kvm_intel nested=1\" | sudo tee /etc/modprobe.d/kvm-intel.conf\nAMD:\necho \"options kvm_amd nested=1\" | sudo tee /etc/modprobe.d/kvm-amd.conf\nWARN (IOMMU appears to be disabled in the kernel. Add intel_iommu=on to kernel cmdline arguments)\n- Open your GRUB config\nsudo vim /etc/default/grub\n- Add the following kernel command-line parameters\n# /etc/default/grub\nGRUB_CMDLINE_LINUX=\"... intel_iommu=on iommu=pt\"\n- Regenerate your grub.cfg file\nsudo grub-mkconfig -o /boot/grub/grub.cfg\nsudo reboot\nFor AMD CPUs with the SEV feature, you might receive this warning:\nWARN (AMD Secure Encrypted Virtualization appears to be disabled in kernel. Add kvm_amd.sev=1 to the kernel cmdline arguments)\nIf you are on Intel, you may ignore the warning below, as this only affects AMD CPUs.\nWARN (Unknown if this platform has Secure Guest support).\nYou may refer to this bug report:\nOr this libvirt documentation:\necho \"options kvm_amd sev=1\" | sudo tee /etc/modprobe.d/amd-sev.conf\nsudo reboot\n- Open your GRUB config\nsudo vim /etc/default/grub\n- Add the following kernel command-line parameters\n# /etc/default/grub\nGRUB_CMDLINE_LINUX=\"... 
mem_encrypt=on kvm_amd.sev=1\"\n- Regenerate your grub.cfg file\nsudo grub-mkconfig -o /boot/grub/grub.cfg\nsudo reboot\n- Enable TuneD daemon\nsudo systemctl enable --now tuned.service\n- Check active TuneD profile\ntuned-adm active\nCurrent active profile: balanced\n- balanced - generic profile not specialised for KVM, we will change this.\n- List all TuneD profiles\ntuned-adm list\n- Set profile to virtual-host\nsudo tuned-adm profile virtual-host\n- Verify the TuneD profile\ntuned-adm active\nCurrent active profile: virtual-host\nsudo tuned-adm verify\nVerification succeeded, current system settings match the preset profile. See TuneD log file ('/var/log/tuned/tuned/log') for details.\n- By default all virtual machines will connect to the built-in default NAT network.\n- To make VMs accessible via the LAN you must create a network bridge.\n- Keep in mind that network bridges won't work with hosts running on Wireless NICs.\n- All configuration steps below are done using NetworkManager. If you use a different program to manage networking, use that instead.\nDefault NAT network XML dump:\n<network>\n<uuid>...</uuid>\n<forward mode='nat'>\n<nat>\n<port start='1024' end='65535'/>\n</nat>\n</forward>\n<bridge name='virbr0' stp='on' delay='0'/>\n<mac address='AB:CD:EF:AB:CD:EF'/>\n<ip address='10.1.1.1' netmask='255.255.255.0'>\n<dhcp>\n<range start=\"10.1.1.2\" end=\"10.1.1.254\"/>\n</dhcp>\n</ip>\n</network>\nThe rules below are my personal config for my laptop machine. 
It works nicely with the autogenerated libvirt network rules.\n#!/usr/bin/nft -f\nflush ruleset;\ndefine qemu_iface = \"virbr0\";\ntable inet filter {\nchain input {\ntype filter hook input priority filter; policy drop;\nct state established,related accept;\niifname \"lo\" accept comment \"allow loopback\";\niifname $qemu_iface accept comment \"allow qemu\";\ntcp dport http accept comment \"allow sending http\";\ntcp dport https accept comment \"allow sending https\";\nudp dport 67 udp sport 68 accept comment \"allow sending dhcp\";\ntcp dport ssh accept comment \"allow ssh\";\ncounter drop;\n}\nchain forward {\ntype filter hook forward priority filter; policy drop;\nct state established,related accept;\niifname $qemu_iface accept comment \"forward qemu input\";\noifname $qemu_iface accept comment \"forward qemu output\";\ncounter drop;\n}\n}\ntable ip nat {\nchain postrouting {\ntype nat hook postrouting priority srcnat; policy accept;\nip saddr 10.1.1.0/24 masquerade;\n}\n}\n- find the interface name of your ethernet connection.\nsudo nmcli device status\n- create a bridge interface using nmcli\nsudo nmcli connection add type bridge con-name bridge0 ifname bridge0\n- connect the ethernet interface to the bridge\nsudo nmcli connection add type ethernet slave-type bridge con-name 'Bridge connection 1' \\\nifname enp2s0 master bridge0\n- activate the newly created connection\nsudo nmcli connection up bridge0\n- enable the connection.autoconnect-slaves parameter.\nsudo nmcli connection modify bridge0 connection.autoconnect-slaves 1\n- reactivate the bridge and verify connection.\nsudo nmcli connection up bridge0\nsudo nmcli device status\n- create an XML file called nwbridge.xml.\nvim nwbridge.xml\n- paste the following XML\n<network>\n<name>nwbridge</name>\n<forward mode=\"bridge\" />\n<bridge name=\"bridge0\" />\n</network>\n- define the bridge network\nsudo virsh net-define nwbridge.xml\nNetwork nwbridge defined from nwbridge.xml\n- start the bridge 
network\nsudo virsh net-start nwbridge\n- auto-start bridge network on boot\nsudo virsh net-autostart nwbridge\n- delete the nwbridge.xml file\nrm nwbridge.xml\n- verify that the nwbridge network exists.\nsudo virsh net-list --all\nIf you want to revert the changes to your network, do the following:\nsudo virsh net-destroy nwbridge\nsudo virsh net-undefine nwbridge\nsudo nmcli connection up 'Wired connection 1'\nsudo nmcli connection del bridge0\nsudo nmcli connection del 'Bridge connection 1'\nLibvirt has two methods for connecting to the KVM Hypervisor, Session and System.\nIn session mode, a regular user is connected to a per-user instance, allowing each user to manage their own pool of virtual machines. This is also the default mode.\nThe advantage of this mode is that permissions are not an issue, as no root access is required.\nThe disadvantage is that this mode uses QEMU User Networking (SLIRP). This is a user-space IP stack, which adds overhead and results in poor networking performance.\nAnd if you want to implement an option that requires root privileges, 
you will be unable to do so.\nIn the system mode you are granted access to all system resources.\n- check current mode\nsudo virsh uri\nqemu:///session\n- add the current user to the libvirt group\nsudo usermod -aG libvirt $USER\n- set env variable with the default uri and check\necho 'export LIBVIRT_DEFAULT_URI=\"qemu:///system\"' >> ~/.bashrc\nsudo virsh uri\n- check permissions on the images directory\nsudo getfacl /var/lib/libvirt/images\ngetfacl: Removing leading '/' from absolute path names\n# file : var/lib/libvirt/images/\n# owner: root\n# group: root\nuser::rwx\ngroup::--x\nother::--x\n- recursively remove existing ACL permissions\nsudo setfacl -R -b /var/lib/libvirt/images/\n- recursively grant permission to the current user\nsudo setfacl -R -m \"u:${USER}:rwX\" /var/lib/libvirt/images/\n- uppercase X states that execute permission is only applied to child folders and not child files.\n- enable special permissions default ACL\nsudo setfacl -m \"d:u:${USER}:rwx\" /var/lib/libvirt/images/\n- if this step is omitted, new dirs or files created within the images directory will not have this ACL set.\n- verify your ACL permissions within the images directory.\nsudo getfacl /var/lib/libvirt/images/\ngetfacl: Removing leading '/' from absolute path names\n# file : var/lib/libvirt/images/\n# owner: root\n# group: root\nuser::rwx\nuser:tatum:rwx\ngroup::--x\nmask::rwx\nother::--x\ndefault:user::rwx\ndefault:user:tatum:rwx\ndefault:group::--x\ndefault:mask::rwx\ndefault:other::--x", "url": "https://wpnews.pro/news/qemu-kvm-installation-for-arch-linux", "canonical_source": "https://gist.github.com/tatumroaquin/c6464e1ccaef40fd098a4f31db61ab22", "published_at": "2021-12-03 06:38:21+00:00", "updated_at": "2026-05-23 21:05:21.555360+00:00", "lang": "en", "topics": ["open-source", "developer-tools", "cloud-computing", "enterprise-software", "hardware"], "entities": ["QEMU", "KVM", "Arch Linux", "libvirt", "virt-manager", "Fedora People", "Windows"], "alternates": 
{"html": "https://wpnews.pro/news/qemu-kvm-installation-for-arch-linux", "markdown": "https://wpnews.pro/news/qemu-kvm-installation-for-arch-linux.md", "text": "https://wpnews.pro/news/qemu-kvm-installation-for-arch-linux.txt", "jsonld": "https://wpnews.pro/news/qemu-kvm-installation-for-arch-linux.jsonld"}}