Outils pour utilisateurs
Panneau latéral
projets:debiankvm
Table des matières
KVMs on Debian
Prerequisites
$ <in>sudo apt-get install qemu-kvm libvirt-bin</in> ... $ <in>adduser shtrom libvirt</in> ...
Networking
A TAP interface will be used for the VM, and bridged with the normal ethernet interface. The new br0 interface is the one which then get, configured, rather than eth0.
- /etc/network/interfaces
... iface eth0 inet manual auto br0 iface br0 inet dhcp pre-up ip tuntap add dev tap0 mode tap user pumpio pre-up ip link set tap0 up bridge_ports all tap0 bridge_stp off bridge_maxwait 0 bridge_fd 0 post-down ip link set tap0 down post-down ip tuntap del dev tap0 mode tap
With a reasonnably configured firewall (DROP policy, and whitelist), this will not work directly. The guest will not be able to get its packets across through the bridge. This is due to the DROP policy of the FORWARD chain. To allow traffic from the guest to the rest of the network, a rule has to be added. For simplicity, everything coming from the guest, on tap0, will be allowed. This should probably be refined later.
$ <in>sudo iptables -p icmp -j ACCEPT</in> $ <in>sudo iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT</in> $ <in>sudo iptables -A FORWARD -m physdev --physdev-in tap0 -j ACCEPT</in> $ <in>sudo iptables -A FORWARD -p udp --sport 67:68 --dport 67:68 -j ACCEPT</in>
Very similarly to normal firewalling, we allow
- cimp traffic,
- established connections,
- new connections from the guest,
- DHCP traffic.
A similary setup is probably needed for IPv6.
We let iptables-persistent take care of restoring these rules automatically
in the future
$ <in>sudo service iptables-persistent save</in>
Image Creation and Installation
$ <in>sudo qemu-img create -f qcow2 vdisk.img 10G</in> $ <in>sudo qemu-system-x86_64 -hda vdisk.img -cdrom debian-6.0.7-amd64-netinst.iso -boot d -m 512 -net nic -net tap,ifname=tap0,script=no,downscript=no --enable-kvm --vnc :0</in>
We can now connect to the instance with VNC, in order to proceed with a rather classic Debian install.
PXE Booting a VM
GRUB comes with a PXE-enabled boot image. Note the difference in the qemu parameters: -tftp / -bootp /usr/lib/grub/i386-pc/pxeboot.img.
$ <in>qemu-img create -f qcow2 openbsd53.img 2G</in> Formatting 'openbsd53.img', fmt=qcow2 size=2147483648 encryption=off cluster_size=65536 $ <in>sudo qemu-system-x86_64 -hda openbsd53.img -tftp / -bootp /usr/lib/grub/i386-pc/pxeboot.img -boot n -m 512 -net nic -net tap,ifname=tap0,script=no,downscript=no --enable-kvm --vnc :0</in>
References
- KVM. Debian Wiki.
- QEMU. Debian Wiki.
- Johnson D . Bundling Debian image for OpenStack. CSS Corp Open Source Services. 28 Nov. 2011. (
s/kvm/quemu/) - OpenStack on Debian GNU/Linux Wheezy. Debian Wiki. 08 May 2013.
- QEmu, PXE Boot. TUDOS-Wiki. 15 July 2011.
.
projets/debiankvm.txt · Dernière modification: 2013-11-15 05:06 (modification externe)
Outils de la page
Sauf mention contraire, le contenu de ce wiki est placé sous les termes de la licence suivante : CC Attribution-Noncommercial-Share Alike 4.0 International
