QEMU-KVM Installation for Arch Linux

This article provides a step-by-step guide for installing and configuring QEMU-KVM virtualization on Arch Linux. It details the installation of necessary packages, enabling systemd services, and validating the setup with `virt-host-validate`. The guide also covers enabling nested virtualization, configuring IOMMU and AMD SEV support, and optimizing performance using the TuneD service with the `virtual-host` profile.

lscpu | grep -i Virtualization VT-x for IntelAMD-Vi for AMD zgrep CONFIG KVM /proc/config.gz y = Yes always installed m = Loadable module sudo pacman -S qemu-full qemu-img libvirt virt-install virt-manager virt-viewer \ edk2-ovmf dnsmasq swtpm guestfs-tools libosinfo tuned qemu-full - user-space KVM emulator, manages communication between hosts and VMsqemu-img - provides create, convert, modify, and snapshot, offline disk imageslibvirt - an open-source API, daemon, and tool for managing platform virtualizationvirt-install - CLI tool to create guest VMsvirt-manager - GUI tool to create and manage guest VMsvirt-viewer - GUI console to connect to running VMsedk2-ovmf - enables UEFI support for VMsdnsmasq - lightweight DNS forwarder and DHCP serverswtpm - TPM Trusted Platform Module emulator for VMsguestfs-tools - provides a set of extended CLI tools for managing VMslibosinfo - a library for managing OS information for virtualization.tuned - system tuning service for linux allows us to optimise the hypervisor for speed. Go to the Fedora People repository and download virtio-win.iso . Save it anywhere on disk, and attach it to a CD-ROM it when creating Windows VM. The default location on Debian/RedHat based is /usr/share/virtio-win/ - Here is the documentation detailing the difference between monolithic and modular daemons. - Choose between option 1 and 2 and then do a reboot . for drv in qemu interface network nodedev nwfilter secret storage; do sudo systemctl enable virt${drv}d.service; sudo systemctl enable virt${drv}d{,-ro,-admin}.socket; done - loop through virtualization systemd services necessary for the libvirt modular daemon. sudo systemctl enable libvirtd.service sudo virt-host-validate qemu If you receive warnings, proceed to their respective sections. Re-run the above command to check your changes. Intel: sudo modprobe -r kvm intel sudo modprobe kvm intel nested=1 AMD: sudo modprobe -r kvm amd sudo modprobe kvm amd nested=1 Intel: echo "options kvm intel nested=1" | sudo tee /etc/modprobe.d/kvm-intel.conf AMD: echo "options kvm amd nested=1" | sudo tee /etc/modprobe.d/kvm-amd.conf WARN IOMMU appears to be disabled in the kernel. Add intel iommu=on to kernel cmdline arguments - Open your GRUB config sudo vim /etc/default/grub - Add the following kernel module entries /etc/default/grub GRUB CMDLINE LINUX="... intel iommu=on iommu=pt" - Regenerate your grub.cfg file sudo grub-mkconfig -o /boot/grub/grub.cfg sudo reboot For AMU CPUs with SEV feature, you might receive this warning: WARN AMD Secure Encrypted Virtualization appears to be disabled in kernel. Add kvm amd.sev=1 to the kernel cmdline arguments If you are in Intel you may ignore the warning below, as this only affects AMD CPUs. WARN Unknown if this platform has Secure Guest support . You may refer to this bug report: Or this libvirt documentation: echo "options kvm amd sev=1" | sudo tee /etc/modprobe.d/amd-sev.conf sudo reboot - Open your GRUB config sudo vim /etc/default/grub - Add the following kernel module entries /etc/default/grub GRUB CMDLINE LINUX="... mem encrypt=on kvm amd.sev=1" - Regenerate your grub.cfg file sudo grub-mkconfig -o /boot/grub/grub.cfg sudo reboot - Enable TuneD daemon sudo systemctl enable --now tuned.service - Check active TuneD profile tuned-adm active Current active profile: balanced balanced - generic profile not specialised for KVM, we will change this. - List all TuneD profiles tuned-adm list - Set profile to virtual-host sudo tuned-adm profile virtual-host - Verify that TuneD profile tuned-adm active Current active profile: virtual-host sudo tuned-adm verify Verification succeeded, current system settings match the preset profile. See TuneD log file '/var/log/tuned/tuned/log' for details. - By default all virtual machines will connect to the built-in default NAT network. - To make VMs accessible via the LAN you must create a network bridge. - Keep in mind that network bridges won't work with hosts running on Wireless NICs. - All configuration steps below is done using NetworkManager . If you use a different program to manage networking use that instead. Default NAT network XML dump: <network <uuid ...</uuid <forward mode='nat' <nat <port start='1024' end='65535'/ </nat </forward <bridge name='virbr0' stp='on' delay='0'/ <mac address='AB:CD:EF:AB:CD:EF'/ <ip address='10.1.1.1' netmask='255.255.255.0' <dhcp <range start="10.1.1.2" end="10.1.1.254"/ </dhcp </ip </network The rules below is my personal config for my laptop machine. Which works nicely with the autogenerated libvirt network rules. /usr/bin/nft -f flush ruleset; define qemu iface = "virbr0"; table inet filter { chain input { type filter hook input priority filter; policy drop; ct state established,related accept; iifname "lo" accept comment "allow loopback"; iifname $qemu iface accept comment "allow qemu"; tcp dport http accept comment "allow sending http"; tcp dport https accept comment "allow sending https"; udp dport 67 udp sport 68 accept comment "allow sending dhcp"; tcp dport ssh accept comment "allow ssh"; counter drop; } chain forward { type filter hook forward priority filter; policy drop; ct state established,related accept; iifname $qemu iface accept comment "forward qemu input"; oifname $qemu iface accept comment "forward qemu output"; counter drop; } } table ip nat { chain postrouting { type nat hook postrouting priority srcnat; policy accept; ip saddr 10.1.1.0/24 masquerade; } } - find the interface name of your ethernet connection. sudo nmcli device status - create a bridge interface using nmcli sudo nmcli connection add type bridge con-name bridge0 ifname bridge0 - connect the ethernet interface to the bridge sudo nmcli connection add type ethernet slave-type bridge con-name 'Bridge connection 1' \ ifname enp2s0 master bridge0 - activate the newly created connection sudo nmcli connection up bridge0 - enable connection.autoconnect-slaves parameter. sudo nmcli connection modify bridge0 connection.autoconnect-slaves 1 - reactivate the bridge and verify connection. sudo nmcli connection up bridge0 sudo nmcli device status - create an XML file called nwbridge.xml . vim nwbridge.xml - post the following XML <network <name nwbridge</name <forward mode="bridge" / <bridge name="bridge0" / </network - define the bridge network sudo virsh net-define nwbridge.xml Network nwbridge defined from nwbridge.xml - start the bridge network sudo virsh net-start nwbridge - auto-start bridge network on boot sudo virsh net-autostart nwbridge - delete nwbridge.xml file rm nwbridge.xml - verify that nwbridge network exists. sudo virsh net-list --all If you want to revert the changes to your network, do the following: sudo virsh net-destroy nwbridge sudo virsh net-undefine nwbridge sudo nmcli connection up 'Wired connection 1' sudo nmcli connection del bridge0 sudo nmcli connection del 'Bridge connection 1' Libvirt has two methods for connecting to the KVM Hypervisor, Session and System. In session mode, a regular user is connected to a per-user instance. Allowing each user to manage their own pool of virtual machines. This is also the default mode. The advantage of this mode is, permissions are not an issue. As no root access is required. The disadvantage is this mode uses QEMU User Networking SLIRP . This is a user-space IP stack, which yields overhead resulting in poor networking performance. And if you want to implement an option that requires root privileges. You will be unable to do so. In the system mode you are granted access to all system resources. - check current mode sudo virsh uri qemu:///session - add the current user to the libvirt group sudo usermod -aG libvirt $USER - set env variable with the default uri and check echo 'export LIBVIRT DEFAULT URI="qemu:///system"' ~/.bashrc sudo virsh uri - check permissions on the images directory sudo getfacl /var/lib/libvirt/images getfacl: Removing leading '/' from absolute path names file : var/lib/libvirt/images/ owner: root group: root user::rwx group::--x other::--x - recursively remove existing ACL permissions sudo setfacl -R -b /var/lib/libvirt/images/ - recursively grant permission to the current user sudo setfacl -R -m "u:${USER}:rwX" /var/lib/libvirt/images/ - uppercase X states that execution permission only applied to child folders and not child files. - enable special permissions default ACL sudo setfacl -m "d:u:${USER}:rwx" /var/lib/libvirt/images/ - if this step is omitted, new dirs or files created within the images directory will not have this ACL set. - verify your ACL permissions within the images directory. sudo getfacl /var/lib/libvirt/images/ getfacl: Removing leading '/' from absolute path names file : var/lib/libvirt/images/ owner: root group: root user::rwx user:tatum:rwx group::--x mask::rwx other::--x default:user::rwx default:user:tatum:rwx default:group::--x default:mask::rwx default:other::--x