HOWTO:Using Kernel-based Virtual Machine

From EnGardeWiki


Introduction

EnGarde Secure Linux provides kernel support for KVM (Kernel-based Virtual Machine), a tie-in with QEMU which allows virtual machines to run with near-native performance by using the processor's hardware virtualization extensions instead of pure software emulation. The purpose of this document is to provide you, the user, with instructions for setting up an environment that takes advantage of KVM's features.

Prerequisites

You will need:

  • A machine to do your development on. It should be reasonably powerful, since you will probably be running several guest images at once, all sharing the host's CPU and memory. The processor must be an Intel or AMD CPU with hardware virtualization support (Intel VT-x or AMD-V); KVM does not work without it.
  • EnGarde Secure Community 3.0.16 or above

Once you have all the above you may log in as root, transition over to sysadm_r, and switch SELinux to permissive mode:

 [root@engarde ~]# newrole -r sysadm_r
 Authenticating root.
 Password:
 [root@engarde ~]# setenforce 0

KVM can only run in permissive mode. Keep in mind what that means: SELinux still logs policy violations to the audit log, but it no longer blocks them, so neither the QEMU processes nor anything else on the host is confined while you work. Do this on a development machine rather than a production server. setenforce 0 does not survive a reboot, so you will need to repeat it (or change the policy mode in the boot configuration) each time the host restarts.

Installation

Next you must install the following packages:

 [root@engarde ~]# apt-get update
 Get:1 gdsn://updates.guardiandigital.com rapier release [478B]
 Fetched 478B in 0s (6587B/s)
 Get:1 gdsn://updates.guardiandigital.com rapier/core pkglist [162kB]
 Get:2 gdsn://updates.guardiandigital.com rapier/core release [158B]
 Fetched 163kB in 0s (477kB/s)
 Reading Package Lists... Done
 Building Dependency Tree... Done
 [root@engarde ~]# apt-get install kvm
 Reading Package Lists... Done
 Building Dependency Tree... Done
 The following extra packages will be installed:
   alsa-lib
 The following NEW packages will be installed:
   alsa-lib kvm
 0 upgraded, 2 newly installed, 0 removed and 2 not upgraded.
 Need to get 2029kB of archives.
 After unpacking 5835kB of additional disk space will be used.
 Do you want to continue? [Y/n] y
 Get:1 gdsn://updates.guardiandigital.com rapier/core alsa-lib 1.0.14a-1 [934kB]
 Get:2 gdsn://updates.guardiandigital.com rapier/core kvm 33-4 [1095kB]
 Fetched 2029kB in 1s (1672kB/s)
 Committing changes...
 Preparing...                ########################################### [100%]
    1:alsa-lib               ########################################### [ 50%]
    2:kvm                    ########################################### [100%]
 Done.

You can also retrieve the kvm package via the GDSN by logging into the WebTool and downloading the package.

Then run:

 # modprobe kvm

If modprobe reports that the module could not be found, the running kernel has no KVM support; check that you are on EnGarde Secure Community 3.0.16 or later. If the kvm module loads but kvm-intel or kvm-amd refuses to (or /dev/kvm never appears), make sure that virtualization is enabled in your system BIOS; it is frequently switched off by default.

Use your favorite text editor to add the kvm-intel (Intel VT-x) or kvm-amd (AMD-V) module to /etc/modprobe.conf with this line:

 alias char-major-10-232 kvm-intel

Use kvm-amd instead on an AMD processor. The alias ties the character device with major 10 and minor 232 (/dev/kvm) to the module, so it is loaded on first use.

You can run lsmod | grep kvm to check that the kvm module is loaded. The kvm-intel/kvm-amd module will be loaded the first time you start an image.
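As an added example (not part of the original page), here is a small POSIX shell script that automates the checks described above: it reads the CPU flags to decide between kvm-intel and kvm-amd, loads the modules, and confirms that /dev/kvm exists. The function names are my own; the flag names vmx and svm are what the Linux kernel reports for Intel VT-x and AMD-V respectively, and the /sbin paths match the page.

```shell
#!/bin/sh
# Added example, not from the EnGarde wiki: pick the right KVM backend module
# from the CPU flags, load it, and confirm that /dev/kvm is present.

# Print the KVM backend module for a given CPU flag list:
# "vmx" (Intel VT-x) -> kvm-intel, "svm" (AMD-V) -> kvm-amd.
# Returns 1 and prints nothing if the CPU advertises neither.
kvm_module_for_flags() {
    case " $1 " in
        *" vmx "*) echo kvm-intel ;;
        *" svm "*) echo kvm-amd ;;
        *) return 1 ;;
    esac
}

# Extract the flags line of the first CPU from /proc/cpuinfo-style text on stdin.
cpu_flags_from_cpuinfo() {
    sed -n 's/^flags[[:space:]]*:[[:space:]]*//p' | head -n 1
}

# Full check against the running machine. Exits non-zero with a message that
# points at the usual cause (VT-x/AMD-V disabled in the BIOS) on failure.
kvm_check() {
    flags=$(cpu_flags_from_cpuinfo < /proc/cpuinfo)
    mod=$(kvm_module_for_flags "$flags") || {
        echo "CPU reports neither vmx nor svm: enable virtualization in the BIOS" >&2
        return 1
    }
    /sbin/modprobe kvm && /sbin/modprobe "$mod" || {
        echo "modprobe $mod failed: check dmesg and the BIOS setting" >&2
        return 1
    }
    [ -c /dev/kvm ] || { echo "/dev/kvm is missing" >&2; return 1; }
    echo "KVM ready: $mod loaded, /dev/kvm present"
}

# Only touch the live system when explicitly asked: sh kvm-check.sh run
if [ "${1:-}" = run ]; then
    kvm_check
fi
```

Run it as root with `sh kvm-check.sh run`; the helper functions can also be sourced into an interactive shell to test a flag list by hand.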

To make sure KVM works, set up a test image. Type the following commands from root's home directory:

 [root@engarde ~]# mkdir images
 [root@engarde ~]# cd images
 [root@engarde images]# /usr/bin/qemu-img create -f qcow demo.img 4G
 Formating 'demo.img', fmt=qcow, size=4194304 kB
 [root@engarde images]# ls -la
 total 40
 drwxr-xr-x 2 root root  4096 Aug 2 13:20 .
 drwxr-x--- 3 root root  4096 Aug 2 13:20 ..
 -rw-r--r-- 1 root root 16432 Aug 2 13:20 demo.img

You can now run an image! Type the following command to start one up, using the full path to the .iso you wish to boot. In this example, our .iso is the EnGarde Secure Community 3.0.16 iso.

 # /usr/bin/qemu-system -hda /root/images/demo.img -boot d -cdrom \
   /root/iso-images/engarde-community-3.0.16.i686.iso -m 384 \
   -std-vga -vnc 192.168.1.57:0 &
 [1] 1916

Press Enter again after the command to get your prompt back, and note the process ID that is printed (1916 in this case); you will need it to stop the guest later.

With your EnGarde image running in the background, how do you see what is going on? Look again at the -vnc 192.168.1.57:0 option (the trailing & only sends QEMU to the background). It tells QEMU to start a VNC server on that IP address and display number. Be aware that this VNC server has no password: anyone who can reach TCP port 5900 on 192.168.1.57 can watch and drive the guest's console, including its boot loader and installer. On anything other than an isolated lab network, bind it to 127.0.0.1 instead and reach it through an SSH port forward.

Notice that we enter the IP address and an offset number. All VNC connections here start off with the base of 5900. Whatever offset you supply in the -vnc [IP address]:[offset] adds to that port. Since our offset was '0', then the port number would be '5900'. If we had entered '1' as the offset, then the port number we would have to connect to would be '5901', and so forth.

These port numbers (5900, 5901, etc.) are what the VNC client would connect to in order to interact with the image.

Linux users may wish to use vncviewer for their client.

Windows users can download the RealVNC client, which is also available for *nix and Mac OS.

From a client desktop, you can connect to the VNC server via your newly installed vncviewer:

 desktop@desktop:~/kvm-research$ vncviewer 192.168.1.57:5900 &
 [1] 20392
 desktop@desktop:~/kvm-research$ VNC viewer version 3.3.7 - built Mar  8 2007 21:56:52
 Copyright (C) 2002-2003 RealVNC Ltd.
 Copyright (C) 1994-2000 AT&T Laboratories Cambridge.
 ...

Notice the 192.168.1.57:5900. From the client, we supply the IP address (192.168.1.57) and the port number we wish to connect to. The port number will vary depending on the offset on the server side, mentioned previously.

After entering the command you should notice a vncviewer shell popup on your desktop, displaying the EnGarde Secure Linux bootup screen.
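As an added example (not part of the original page), the following POSIX shell helpers show the safer way to reach the console described above: QEMU is started with its VNC server bound to loopback, and the desktop reaches it through an SSH port forward, so the unauthenticated VNC port is never exposed on the LAN. The function names are my own; the image, ISO and server address are the ones used in this page.

```shell
#!/bin/sh
# Added example, not from the EnGarde wiki: keep QEMU's unauthenticated VNC
# console off the LAN by binding it to 127.0.0.1 and tunnelling over SSH.

# Turn a QEMU "-vnc host:display" spec into the TCP port a client must use.
# Display N listens on 5900+N. Returns 1 on a malformed spec.
vnc_port() {
    case $1 in
        *:*) display=${1##*:} ;;
        *) return 1 ;;
    esac
    case $display in
        ''|*[!0-9]*) return 1 ;;
    esac
    echo $((5900 + display))
}

# Print the ssh command the desktop runs to forward a local port to the
# server's loopback-bound VNC display.
# Arguments: server user display [local-port]; local port defaults to 5900+display.
vnc_tunnel_cmd() {
    server=$1; user=$2; display=$3
    remote=$(vnc_port "x:$display") || return 1
    local_port=${4:-$remote}
    echo "ssh -f -N -L ${local_port}:127.0.0.1:${remote} ${user}@${server}"
}

# Server side: the same invocation as the page, but VNC bound to loopback.
# Paths are the page's examples; adjust to your own image and ISO.
start_guest_loopback_vnc() {
    display=$1
    /usr/bin/qemu-system -hda /root/images/demo.img -boot d \
        -cdrom /root/iso-images/engarde-community-3.0.16.i686.iso -m 384 \
        -std-vga -vnc "127.0.0.1:${display}" &
    echo $!
}
```

On the server run `start_guest_loopback_vnc 0`; on the desktop run the command printed by `vnc_tunnel_cmd 192.168.1.57 root 0` and then `vncviewer 127.0.0.1:5900`. The VNC session now rides inside SSH, and only users who can log in to the server with SSH can reach the console.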

Congratulations! You've just started up your very first QEMU image!

Networking in KVM

We will now give the demo image networking capabilities. This will be done via bridging, so we will need to install the bridge-utils package:

 [root@engarde ~]# apt-get install bridge-utils
 Reading Package Lists... Done
 Building Dependency Tree... Done
 The following NEW packages will be installed:
   bridge-utils
 0 upgraded, 1 newly installed, 0 removed and 2 not upgraded.
 Need to get 30.2kB of archives.
 After unpacking 61.3kB of additional disk space will be used.
 Get:1 gdsn://updates.guardiandigital.com rapier release bridge-utils 1.1-1 [30.2kB]
 Fetched 30.2kB in 0s (413kB/s) 
 Committing changes...
 Preparing...                ########################################### [100%]
    1:bridge-utils           ########################################### [100%]
 Done.

This can also be installed through the GDSN by accessing the WebTool.

Create a qemu-ifup script (/etc/qemu-ifup). QEMU runs it as the user who started the guest (root here) with the name of the new tap device as its first argument, so no sudo is needed:

 #!/bin/sh
 # Called by QEMU with the tap device name in $1; attaches it to br0.
 set -e
 echo "Executing /etc/qemu-ifup"
 echo "Bringing up $1 for bridged mode..."
 /sbin/ifconfig "$1" 0.0.0.0 promisc up
 echo "Adding $1 to br0..."
 /usr/sbin/brctl addif br0 "$1"
 sleep 2

...and make sure it can be executed:

 [root@engarde ~]# chmod +x /etc/qemu-ifup 

Make the following changes to /etc/network/interfaces.

 # /etc/network/interfaces -- configuration file for ifup(8), ifdown(8)
 
 # The loopback interface
 iface lo inet loopback
   up route add -net 127.0.0.0 netmask 255.0.0.0 dev lo
 # e1000 this entry was created during the initial
 # configuration (network, broadcast and gateway are optional)
 # Configuration for Intel Corporation 80003ES2LAN Gigabit Ethernet Controller (Copper) using module e1000
 iface eth0 inet static
   address 0.0.0.0          #<--- zero out your server's IP interface
   netmask 255.255.255.0
   network 192.168.1.0
   broadcast 192.168.1.255
   up route add default gw 192.168.1.1
 
 # Configuration for Intel Corporation 80003ES2LAN Gigabit Ethernet Controller (Copper) using module e1000
 iface eth1 inet static
   address 192.168.10.101
   netmask 255.255.255.0
   broadcast 192.168.10.255
 
 auto br0
 iface br0 inet static
   address 192.168.1.57     # <--- formerly eth0's address
   netmask 255.255.255.0
   gateway 192.168.1.1
   bridge_ports eth0        # <--- the interfaces you wish to bridge
   bridge_fd 1
   bridge_hello 1
   bridge_stp off

The key things to remember: zero out the address on eth0 (or whichever interface carried the server's address) and give that address, together with the default gateway, to br0. Once the gateway line is on br0, the old "up route add default gw" line under eth0 is no longer needed and can be dropped.

Modify the /etc/init.d/network file so the script will build the bridge upon boot and anytime we do a /etc/init.d/network restart:

 case "$1" in
    start)
        echo -n "               Configuring network interfaces"
        init_term "STARTING"
        /usr/sbin/brctl addbr br0        #<--- add this line
        /usr/sbin/brctl addif br0 eth0   #<--- add this line
        /sbin/ifup -a > /dev/null 2>&1

...
    stop)
        # leave nfs/smb support here for now, even tho we don't support it
        if sed -n 's/^[^ ]* \([^ ]*\) \([^ ]*\) .*$/\1 \2/p' /proc/mounts | grep -q "^/ nfs$"
        then
            echo "NOT deconfiguring network interfaces: / is an NFS mount"
        elif sed -n 's/^[^ ]* \([^ ]*\) \([^ ]*\) .*$/\1 \2/p' /proc/mounts | grep -q "^/ smb$"
        then
            echo "NOT deconfiguring network interfaces: / is an SMB mount"
        elif sed -n 's/^[^ ]* \([^ ]*\) \([^ ]*\) .*$/\2/p' /proc/mounts | grep -E '^(nfs|smb)$'
        then
            echo "NOT deconfiguring network interfaces: NFS/SMB shares still mounted."
        else
            echo -n "               Deconfiguring network interfaces"
            init_term "STARTING"
            /sbin/ifdown -a > /dev/null 2>&1
            /usr/sbin/brctl delif br0 eth0   #<--- add this line
            /usr/sbin/brctl delbr br0        #<--- add this line

...

Restart networking (WARNING: You will lose your remote connection upon the restart. Just reconnect to the same address at this point.):

 # /etc/init.d/network restart

If you have any firewalls running, you may need to configure them to allow the br0 interface to send and receive traffic. Keep in mind that guest traffic is switched across the bridge at layer 2: the rules that protect the host's own services do not automatically protect the guests, so treat every guest as a separate machine on the LAN and firewall it from inside the guest as well.

Your bridge is now all set up for networking:

 [root@engarde images]# ifconfig
 br0     Link encap:Ethernet  HWaddr 00:30:48:79:29:40  
         inet addr:192.168.1.57  Bcast:192.168.1.255  Mask:255.255.255.0
         UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
         RX packets:9378 errors:0 dropped:0 overruns:0 frame:0
         TX packets:8885 errors:0 dropped:0 overruns:0 carrier:0
         collisions:0 txqueuelen:0 
         RX bytes:619207 (604.6 Kb)  TX bytes:7610474 (7.2 Mb)
  ...

You can now run an image using networking by supplying the following command:

 # /usr/bin/qemu-system -hda /root/images/engarde-3.0-i686.img \
   -boot d -cdrom /root/iso-images/engarde-3.0.16-i686.iso -m 384 -std-vga \ 
   -net nic,vlan=0,macaddr=00:00:00:00:00:00 \
   -net tap,ifname=tap0,script=/etc/qemu-ifup -vnc 192.168.1.57:1 &

Notice several of the switches, specifically the -net ones.

  • -net nic,vlan=0,macaddr=00:00:00:00:00:00 : Keep vlan=0 the same for all your images; QEMU's vlan is only an internal virtual hub number, not an 802.1Q VLAN tag. The all-zero MAC address above is a placeholder and must be replaced. Give every image its own locally administered unicast address (for example 52:54:00:xx:xx:xx); two guests sharing a MAC on br0 will confuse the bridge and steal each other's frames.
  • -net tap,ifname=tap0 : Change tap0 to tap1, tap2, etc. for any further instances. A tap device can only be attached to one QEMU process at a time, so a second instance asking for tap0 while the first is running will not get a network device at all.

Downloading and Using an EnGarde Secure Community Image

You can download QEMU images of EnGarde Secure Community 3.0.16 from the following sites:

These files are in .bz2 formats, so you will need to bunzip2 them in order to get to the image.

Also, be sure to check the md5sums after you download the files to verify that they arrived intact. An MD5 checksum on its own only detects corruption; it vouches for the image's authenticity only if the checksum itself came from a source you trust, not from the same mirror that served the file.

After moving these images to your server and getting your network bridges up, you can demo these images by running the following command:

 # /usr/bin/qemu-system -hda [absolute path to the .img file] \
   -m 384 -std-vga -boot c \ 
   -net nic,vlan=0,macaddr=[mac address here] \
   -net tap,ifname=tap0,script=/etc/qemu-ifup -vnc [server IP]:[offset] &
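As an added example (not part of the original page), the following POSIX shell helpers put the advice from the switch list above and from this launch command into practice: a distinct MAC address and tap device are derived from an instance number, the all-zero placeholder MAC is refused, and the matching qemu command line is assembled with its VNC console bound to loopback by default. The function names are my own; the 52:54:00 prefix is QEMU's conventional locally administered range, chosen so that generated addresses never collide with real hardware on the bridged LAN.

```shell
#!/bin/sh
# Added example, not from the EnGarde wiki: one MAC and one tap device per
# guest, derived from an instance number, plus the qemu command that uses them.

# Locally administered unicast MAC for instance N (1..16777215).
guest_mac() {
    n=$1
    printf '52:54:00:%02x:%02x:%02x' \
        $(( (n >> 16) & 255 )) $(( (n >> 8) & 255 )) $(( n & 255 ))
}

# Reject MACs that must not go on a bridge: malformed, all zeros, or with the
# multicast bit (lowest bit of the first octet) set.
valid_unicast_mac() {
    mac=$1
    hx='[0-9a-fA-F][0-9a-fA-F]'
    case $mac in
        $hx:$hx:$hx:$hx:$hx:$hx) ;;
        *) return 1 ;;
    esac
    [ "$mac" != "00:00:00:00:00:00" ] || return 1
    first=$(( 0x${mac%%:*} ))
    [ $(( first & 1 )) -eq 0 ]
}

# Print the qemu invocation for instance N running IMG: MAC and tapN derived
# from N, VNC on display N bound to VNC_HOST (127.0.0.1 unless overridden).
bridged_guest_cmd() {
    n=$1; img=$2; vnc_host=${3:-127.0.0.1}
    mac=$(guest_mac "$n")
    valid_unicast_mac "$mac" || return 1
    echo "/usr/bin/qemu-system -hda $img -m 384 -std-vga -boot c" \
         "-net nic,vlan=0,macaddr=$mac" \
         "-net tap,ifname=tap$n,script=/etc/qemu-ifup" \
         "-vnc $vnc_host:$n"
}

# Launch the guest in the background and print its PID, as the page does by hand.
start_bridged_guest() {
    cmd=$(bridged_guest_cmd "$@") || return 1
    $cmd &
    echo $!
}
```

`start_bridged_guest 2 /root/images/engarde-3.0-i686.img` brings up a second guest as tap2 with MAC 52:54:00:00:00:02 and its console on 127.0.0.1:5902; pass the server's LAN address as a third argument only if you really want the console reachable from the network.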

Congratulations, you have a running EnGarde Secure Linux image! To connect, follow the directions for connecting via a VNC client to [server IP]:[port number] and you'll be all set.

You can then configure the EnGarde Secure Linux image to your needs (setting its IP address, etc.), log into the WebTool via a browser, set up SSH, and so on. Whenever the image needs to be rebooted or shut down, halt the guest cleanly from inside first and only then kill the QEMU process on the server; killing QEMU while the guest is still running is the equivalent of pulling the power cord and can leave the filesystem inside the qcow image inconsistent. Then start it up again. Enjoy!

Conclusion

KVM / QEMU provides you, the user, with the ability to experiment with various operating systems in a controlled environment. Due to its kernel support, every image you start will be shown as a process on your system, giving you the ability to kill, nice, etc. the process just like you would any other one. You can literally create an image today and copy it to all your friends tomorrow. In fact, we encourage you to try out any new releases of EnGarde Secure Linux by downloading an image today!

Resources
