$ <in>sudo apt-get install qemu-kvm libvirt-bin</in>
...
$ <in>adduser shtrom libvirt</in>
...
A TAP interface will be used for the VM, and bridged with the normal ethernet interface. The new br0 interface is then the one that gets configured, rather than eth0.
...
iface eth0 inet manual

auto br0
iface br0 inet dhcp
    pre-up ip tuntap add dev tap0 mode tap user pumpio
    pre-up ip link set tap0 up
    bridge_ports all tap0
    bridge_stp off
    bridge_maxwait 0
    bridge_fd 0
    post-down ip link set tap0 down
    post-down ip tuntap del dev tap0 mode tap
With a reasonably configured firewall (DROP policy, plus a whitelist), this will not work directly: the guest's packets will not get across the bridge, because bridged traffic also goes through the FORWARD chain and hits its DROP policy. To allow traffic from the guest to the rest of the network, a rule has to be added. For simplicity, everything coming from the guest on tap0 will be allowed. This should probably be refined later.
$ <in>sudo iptables -A FORWARD -p icmp -j ACCEPT</in>
$ <in>sudo iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT</in>
$ <in>sudo iptables -A FORWARD -m physdev --physdev-in tap0 -j ACCEPT</in>
$ <in>sudo iptables -A FORWARD -p udp --sport 67:68 --dport 67:68 -j ACCEPT</in>
Very similarly to normal firewalling, we allow
A similar setup is probably needed for IPv6.
We let iptables-persistent take care of restoring these rules automatically in the future.
$ <in>sudo service iptables-persistent save</in>
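The "allow everything from tap0" rule above is the part the page says should be refined. As an added example (not from the original page), the following script sends guest-originated frames to their own chain and forwards only DHCP requests, outbound ping and an explicit list of TCP destination ports, logging and dropping the rest; the page's FORWARD RELATED,ESTABLISHED and DHCP rules are still needed for the return direction. The chain name GUEST_<tap> and the IPTABLES override variable are this example's own conventions.

```shell
#!/bin/sh
# Added example, not from the original page: replaces the blanket
# "-A FORWARD -m physdev --physdev-in tap0 -j ACCEPT" rule with a per-guest
# chain that forwards only DHCP, outbound ping and listed TCP ports, then
# logs and drops the rest. Set IPTABLES=echo to print the rules instead of
# applying them (dry run); the default applies them with iptables.

IPTABLES="${IPTABLES:-iptables}"

# Bridged frames only traverse the FORWARD chain when br_netfilter hooks
# them into iptables; this sysctl is what the bridge + FORWARD setup needs.
bridge_nf_enabled() {
    f=/proc/sys/net/bridge/bridge-nf-call-iptables
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# Usage: guest_forward_rules <tap-if> [tcp-port ...]
guest_forward_rules() {
    tap="$1"; shift
    chain="GUEST_${tap}"   # chain name is this example's convention
    bridge_nf_enabled || echo "warning: bridge-nf-call-iptables is not 1; bridged frames bypass FORWARD" >&2
    # Create the chain, or flush it so the rules can be reapplied.
    $IPTABLES -N "$chain" 2>/dev/null || $IPTABLES -F "$chain"
    # Send every frame entering the bridge from the guest's TAP port to it
    # (delete a stale jump first so repeated runs do not duplicate it).
    $IPTABLES -D FORWARD -m physdev --physdev-in "$tap" -j "$chain" 2>/dev/null || true
    $IPTABLES -A FORWARD -m physdev --physdev-in "$tap" -j "$chain"
    # Replies to flows already accepted from the other side.
    $IPTABLES -A "$chain" -m state --state RELATED,ESTABLISHED -j ACCEPT
    # DHCP client requests (68 -> 67) and outbound ping only.
    $IPTABLES -A "$chain" -p udp --sport 68 --dport 67 -j ACCEPT
    $IPTABLES -A "$chain" -p icmp --icmp-type echo-request -j ACCEPT
    # One rule per whitelisted TCP destination port.
    for port in "$@"; do
        $IPTABLES -A "$chain" -p tcp --dport "$port" -j ACCEPT
    done
    # Rate-limited log, then drop whatever else the guest sends.
    $IPTABLES -A "$chain" -m limit --limit 5/min -j LOG --log-prefix "${chain} DROP: "
    $IPTABLES -A "$chain" -j DROP
}
```

Run as root with, for instance, `guest_forward_rules tap0 22 80`, then save with iptables-persistent as above.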
$ <in>sudo qemu-img create -f qcow2 vdisk.img 10G</in>
$ <in>sudo qemu-system-x86_64 -hda vdisk.img -cdrom debian-6.0.7-amd64-netinst.iso -boot d -m 512 -net nic -net tap,ifname=tap0,script=no,downscript=no --enable-kvm --vnc :0</in>
We can now connect to the instance with VNC, in order to proceed with a rather classic Debian install.
GRUB comes with a PXE-enabled boot image. Note the difference in the qemu parameters: -tftp / -bootp /usr/lib/grub/i386-pc/pxeboot.img. These two options configure qemu's built-in TFTP/BOOTP server, which belongs to its user-mode network stack.
$ <in>qemu-img create -f qcow2 openbsd53.img 2G</in>
Formatting 'openbsd53.img', fmt=qcow2 size=2147483648 encryption=off cluster_size=65536
$ <in>sudo qemu-system-x86_64 -hda openbsd53.img -tftp / -bootp /usr/lib/grub/i386-pc/pxeboot.img -boot n -m 512 -net nic -net tap,ifname=tap0,script=no,downscript=no --enable-kvm --vnc :0</in>
(s/kvm/qemu/).