
Virtual Machine Infrastructure for HQ

Host

Hardware

Processor: Intel Core i5-3340M CPU @ 2.70GHz x 4 - VT-X & VT-D
Memory: 8GB DDR3
Graphics: Intel Ivybridge Mobile (Intel Corporation 3rd Gen Core processor Graphics Controller (rev 09) (prog-if 00 [VGA controller]))
Storage: Samsung SSD SM84 256GB

-PCI Devices-
RAID bus controller: Intel Corporation 82801 Mobile SATA Controller [RAID mode] (rev 04)
Ethernet controller: Intel Corporation 82579LM Gigabit Network Connection (rev 04)
Network controller: Intel Corporation Centrino Advanced-N 6205 [Taylor Peak] (rev 34)

Software

OS: Arch Linux Kernel 4+
Architecture: 64-bit
Hypervisor: QEMU-KVM

/etc/pacman.conf

#
# /etc/pacman.conf
#
# See the pacman.conf(5) manpage for option and repository directives

#
# GENERAL OPTIONS
#
[options]
# The following paths are commented out with their default values listed.
# If you wish to use different paths, uncomment and update the paths.
#RootDir     = /
#DBPath      = /var/lib/pacman/
#CacheDir    = /var/cache/pacman/pkg/
#LogFile     = /var/log/pacman.log
#GPGDir      = /etc/pacman.d/gnupg/
# never remove these even if a transaction asks for it
HoldPkg     = pacman glibc
#XferCommand = /usr/bin/curl -C - -f %u > %o
#XferCommand = /usr/bin/wget --passive-ftp -c -O %o %u
#CleanMethod = KeepInstalled
#UseDelta    = 0.7
Architecture = auto

# Pacman won't upgrade packages listed in IgnorePkg and members of IgnoreGroup
#IgnorePkg   =
#IgnoreGroup =

#NoUpgrade   =
#NoExtract   =

# Misc options
#UseSyslog

# one combined progress bar for all downloads; refuse to install when the
# target filesystem would run out of space
TotalDownload
CheckSpace
#VerbosePkgLists

# coloured output; ILoveCandy is pacman's Pac-Man style progress bar
Color
ILoveCandy


# By default, pacman accepts packages signed by keys that its local keyring
# trusts (see pacman-key and its man page), as well as unsigned packages.
# (That describes the built-in default; the setting below is stricter:
# Required = every package must carry a trusted signature,
# DatabaseOptional = repository databases may be unsigned. A repository
# section can override this per repo, as [archlinuxfr] does further down.)
SigLevel    = Required DatabaseOptional
LocalFileSigLevel = Optional
#RemoteFileSigLevel = Required

# NOTE: You must run `pacman-key --init` before first using pacman; the local
# keyring can then be populated with the keys of all official Arch Linux
# packagers with `pacman-key --populate archlinux`.

#
# REPOSITORIES
#   - can be defined here or included from another file
#   - pacman will search repositories in the order defined here
#   - local/custom mirrors can be added here or in separate files
#   - repositories listed first will take precedence when packages
#     have identical names, regardless of version number
#   - URLs will have $repo replaced by the name of the current repo
#   - URLs will have $arch replaced by the name of the architecture
#
# Repository entries are of the format:
#       [repo-name]
#       Server = ServerName
#       Include = IncludePath
#
# The header [repo-name] is crucial - it must be present and
# uncommented to enable the repo.
#

# The testing repositories are disabled by default. To enable, uncomment the
# repo name header and Include lines. You can add preferred servers immediately
# after the header, and they will be used before the default mirrors.

#[testing]
#Include = /etc/pacman.d/mirrorlist

# official repositories, all signed; order here is the precedence order
[core]
Include = /etc/pacman.d/mirrorlist

[extra]
Include = /etc/pacman.d/mirrorlist

[community]
Include = /etc/pacman.d/mirrorlist

# NOTE(review): SigLevel = Never switches signature checking off for this one
# repository, and its Server URL is plain http://, so packages from it are
# neither authenticated nor protected in transit — the mirror, or anyone on
# the path, can substitute arbitrary packages. Because it is listed after the
# official repos it only supplies names they do not carry (see the precedence
# note above); remove it once the packages it provides are available from a
# signed repository.
[archlinuxfr]
SigLevel = Never
Server = http://repo.archlinux.fr/$arch

# If you want to run 32 bit applications on your x86_64 system,
# enable the multilib repositories as required here.

#[multilib-testing]
#Include = /etc/pacman.d/mirrorlist

#[multilib]
#Include = /etc/pacman.d/mirrorlist

# An example of a custom package repository.  See the pacman manpage for
# tips on creating your own repositories.
#[custom]
#SigLevel = Optional TrustAll
#Server = file:///home/custompkgs

# force-refresh every package database (-yy) and upgrade the whole system
pacman -Syyu

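pacman -S sudo
# visudo honours $EDITOR; use it to give the wheel group sudo rights
EDITOR=nano visudo
# admin user: home directory, wheel for sudo, bash shell; kvm group for VM use
# (the same group memberships are applied again with usermod further down)
useradd -m -G wheel -s /bin/bash someusername
gpasswd -a someusername kvm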

pacman -S openssh

# /etc/ssh/sshd_config
# (the sshd settings used are not recorded on this page; review them before
#  the host is reachable from the VLANs — see sshd_config(5))
# NOTE(review): "start" alone does not survive a reboot; add
# "systemctl enable sshd.service" if ssh access is meant to be permanent
systemctl start sshd.service

Network

# /etc/resolv.conf
# host resolver; 10.0.0.1 is also the gateway address that appears (commented
# out) in the netctl profile below — presumably the upstream router.
# NOTE(review): dhcpcd, used later on this page, typically rewrites this file
# when it obtains a lease unless told not to.
nameserver 10.0.0.1

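pacman -S iproute2
# create the VLAN sub-interfaces by hand; this is not persistent across a
# reboot (the systemd-networkd files further down make it permanent)
ip link add link eno1 name eno1.100 type vlan id 100
ip link add link eno1 name eno1.200 type vlan id 200
# Note: if 8021q (VLAN) doesn't seem to be working or the module is missing,
# it could be that you updated your kernel and have yet to reboot. Checks:
lspci
lsmod | grep 8021q
modprobe 8021q
modinfo 8021q
systool -v -m 8021q
ls /usr/lib/modules/3.19.3-3-ARCH/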

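# wireless capabilities of the host's wireless controller
iw list | less

# the networkd configuration lives in this directory (files listed below)
nano /etc/systemd/network

# confirm the CPU advertises hardware virtualization (vmx = Intel VT-x, svm = AMD-V)
egrep '(vmx|svm)' /proc/cpuinfo
egrep --color=auto 'vmx|svm|0xc0f' /proc/cpuinfo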

(Old netctl configuration — no longer used; use systemd-networkd instead.) nano /etc/netctl/vlan-static

Description='Virtual LAN 100,200 on interface eno1'
Interface=eno1.100
Connection=vlan
# The variable name is plural, but needs precisely one interface
BindsToInterfaces=eno1
VLANID=100
IP=no
#Address="10.0.0.30/24"
#Gateway="10.0.0.1"
#DNS=("10.0.0.2")
#Hostname="myhost"
#DNSDomain="mydomain.com"
#DNSSearch="mydomain.com"

# NOTE(review): a netctl profile holds one set of variables, so the second
# Interface=/VLANID= below override the ones above — presumably only eno1.200
# would ever be created from this file; one profile per VLAN is needed.
# Kept only as history, superseded by the systemd-networkd files below.
Interface=eno1.200
Connection=vlan
BindsToInterfaces=eno1
VLANID=200
IP=no

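# start the profile now and at boot
netctl enable vlan-static
netctl start vlan-static
# to undo the boot-time enable:
netctl disable vlan-static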

# netctl profile: plain ethernet on eno1 with an IPv4 DHCP lease from dhcpcd
Interface=eno1
Connection=ethernet
Description='HQ basic dhcp ethernet connection'
# keep the lease when the profile is stopped
DHCPReleaseOnStop=no
DHCPClient=dhcpcd
IP=dhcp
# IPv6 variants, left disabled:
#   DHCPv6 lease
#IP6=dhcp
#DHCP6Client=dhclient
#   stateless autoconfiguration
#IP6=stateless

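# start the profile now and at boot
netctl enable ethernet-dhcp
netctl start ethernet-dhcp
# to undo the boot-time enable:
netctl disable ethernet-dhcp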

nano /etc/systemd/network/vlan100.netdev

# VLAN 100 sub-interface; it is attached to its parent by the VLAN= line in
# hqdhcp.network below
[NetDev]
Name=eno1.100
Kind=vlan

[VLAN]
Id=100

nano /etc/systemd/network/zeno1.100.network

# address configuration for the VLAN 100 sub-interface: IPv4 lease via DHCP
[Match]
Name=eno1.100

[Network]
DHCP=v4

nano /etc/systemd/network/vlan200.netdev

# VLAN 200 sub-interface; attached to its parent by hqdhcp.network below.
# NOTE(review): no .network file for eno1.200 appears on this page, so the
# link is created but gets no address configuration from networkd
[NetDev]
Name=eno1.200
Kind=vlan

[VLAN]
Id=200

nano /etc/systemd/network/hqdhcp.network

# parent interface: IPv4 DHCP on the untagged link, plus the two VLAN
# sub-interfaces. VLAN= is a list-type setting, so the repeated key
# accumulates rather than overriding
[Match]
Name=eno1

[Network]
DHCP=v4
VLAN=eno1.100
VLAN=eno1.200

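systemctl enable systemd-networkd
systemctl start systemd-networkd
# status and logs, for when the interfaces do not come up
systemctl status systemd-networkd -l
journalctl -xe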

/etc/polkit-1/rules.d/49-nopasswd_limited.rules

/* Allow members of the libvirt group (not wheel — the upstream example
 * comment this was copied from says wheel, but the rule checks "libvirt")
 * to perform the full-control libvirt action without password
 * authentication, similar to "sudo NOPASSWD:".
 *
 * NOTE(review): this only matters when libvirtd authenticates its
 * read-write socket through polkit; with auth_unix_rw = "none" in the
 * libvirtd.conf listing on this page, group membership alone presumably
 * already grants access and this rule is never consulted.
 */
polkit.addRule(function(action, subject) {
    // only a locally logged-in, active session of a libvirt group member
    if (action.id == "org.libvirt.unix.manage"
            && subject.local
            && subject.active
            && subject.isInGroup("libvirt")) {
        return polkit.Result.YES;
    }
});

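systemctl restart polkit.service
systemctl restart dhcpcd
# obtain a lease on the VLAN 100 sub-interface and check reachability
dhcpcd eno1.100
ping 8.8.8.8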

nano /boot/loader/entries/arch.conf

# systemd-boot entry for the host kernel
title  Arch Linux
linux  /vmlinuz-linux
initrd  /initramfs-linux.img
# intel_iommu=on: enable the IOMMU (VT-d, listed under Hardware) needed for PCI
# passthrough; pci-stub.ids=8086:0082: have pci-stub claim that vendor:device
# at boot before its native driver does — presumably the wireless controller,
# given that iwlwifi is blacklisted further down this page
options root=/dev/sda2 rw intel_iommu=on pci-stub.ids=8086:0082

nano /etc/modprobe.d/modprobe.conf

# nested=1: let guests use VT-x themselves (nested virtualization); verified
# later on this page with systool -m kvm_intel -v | grep nested
options kvm_intel nested=1

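dmesg | grep iwlwifi
# keep the host driver off the wireless card (pci-stub claims it at boot via
# the loader entry, presumably so it can be handed to a VM); the grep guard
# stops repeated runs from appending duplicate blacklist lines
grep -qx 'blacklist iwlwifi' /etc/modprobe.d/blacklist.conf 2>/dev/null \
    || echo "blacklist iwlwifi" >> /etc/modprobe.d/blacklist.conf
modprobe -r iwlwifi
# forced removal, only if the plain one refuses
modprobe -r -f iwlwifi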

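# confirm the kernel saw intel_iommu=on and set up the IOMMU
dmesg | grep intel_iommu=on
dmesg | grep -e DMAR -e IOMMU
# bind the device to pci-stub at runtime (the loader entry does the same at boot);
# the id pair is written as "vendor device"
modprobe pci_stub
lspci -n
echo "8086 0082" > /sys/bus/pci/drivers/pci-stub/new_id
nano /etc/mkinitcpio.conf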

# vim:set ft=sh
# MODULES
# The following modules are loaded before any boot hooks are
# run.  Advanced users may wish to specify all system modules
# in this array.  For instance:
#     MODULES="piix ide_disk reiserfs"
# pci-stub goes into the initramfs so the device named by pci-stub.ids= in the
# loader entry is claimed early; regenerate the image afterwards
# (mkinitcpio -p linux) or this change has no effect
MODULES="pci-stub"

## Virtual Machine

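# confirm the running kernel was built with KVM and virtio support
zgrep CONFIG_KVM /proc/config.gz
zgrep CONFIG_VIRTIO /proc/config.gz
lsmod | grep kvm
lsmod | grep virtio

# reload kvm_intel with nested virtualization on; made permanent by
# /etc/modprobe.d/modprobe.conf containing: options kvm_intel nested=1
modprobe -r kvm_intel
modprobe kvm_intel nested=1
systool -m kvm_intel -v | grep nested

osinfo-query os

groupadd libvirt
gpasswd -a someusername libvirt
pacman -S libvirt qemu
systemctl enable libvirtd
systemctl start libvirtd
# then edit /etc/libvirt/libvirtd.conf (listing further down this page)
pacman -S cpio
usermod -aG libvirt someusername
usermod -aG kvm someusername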

Enabling huge pages

Accuracy note: With systemd, hugetlbfs is mounted on /dev/hugepages by default, but with mode 0755 and root's uid and gid. Merge note: qemu-kvm no longer exists as all of its features have been merged into qemu. After the above issue is cleared, I suggest merging this section into QEMU.

You may also want to enable hugepages to improve the performance of your virtual machine. With an up-to-date Arch Linux and a running KVM you probably already have everything you need. Check whether the directory /dev/hugepages exists. If not, create it. Now we need the right permissions to use this directory.

Add to your /etc/fstab: hugetlbfs /dev/hugepages hugetlbfs mode=1770,gid=78 0 0

Of course the gid must match that of the kvm group. The mode of 1770 allows anyone in the group to create files but not unlink or rename each other's files. Make sure /dev/hugepages is mounted properly:

# umount /dev/hugepages

mount /dev/hugepages

$ mount | grep huge
hugetlbfs on /dev/hugepages type hugetlbfs (rw,relatime,mode=1770,gid=78)

Now you can calculate how many hugepages you need. Check how large your hugepages are: $ grep Hugepagesize /proc/meminfo

Normally that should be 2048 kB ≙ 2 MB. Let's say you want to run your virtual machine with 1024 MB. 1024 / 2 = 512. Add a few extra so we can round this up to 550. Now tell your machine how many hugepages you want:

echo 550 > /proc/sys/vm/nr_hugepages

If you had enough free memory you should see:

$ grep HugePages_Total /proc/meminfo
HugePages_Total: 550

If the number is smaller, close some applications or start your virtual machine with less memory (number_of_pages x 2): $ qemu-system-x86_64 -enable-kvm -m 1024 -mem-path /dev/hugepages -hda <disk_image> [...]

Note the -mem-path parameter. This is what makes QEMU use the hugepages.

Now you can check, while your virtual machine is running, how many pages are used:

$ grep HugePages /proc/meminfo
HugePages_Total: 550
HugePages_Free: 48
HugePages_Rsvd: 6
HugePages_Surp: 0

Now that everything seems to work you can enable hugepages by default if you like. Add to your /etc/sysctl.d/40-hugepage.conf: vm.nr_hugepages = 550

See also:

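# Master libvirt daemon configuration file
#
# For further information consult http://libvirt.org/format.html
#
# NOTE: the tests/daemon-conf regression test script requires
# that each "PARAMETER = VALUE" line in this file have the parameter
# name just after a leading "#".
#
# NOTE(review): this listing is an excerpt ("..." marks elided stretches).
# As configured, libvirtd accepts remote TCP management on every interface
# (listen_tcp = 1, listen_addr = "0.0.0.0") without TLS; the one thing
# standing between the network and full control of this host's VMs was
# auth_tcp = "none", which is changed to "sasl" below. SASL logins are then
# created with saslpasswd2 -a libvirt <user> and the mechanism configured in
# /etc/sasl2/libvirt.conf, as the comment on auth_tcp says.

#################################################################
#
# Network connectivity controls
#

# Flag listening for secure TLS connections on the public TCP/IP port.
# NB, must pass the --listen flag to the libvirtd process for this to
# have any effect.
#
# It is necessary to setup a CA and issue server certificates before
# using this capability.
#
# This is enabled by default, uncomment this to disable it
listen_tls = 0
# Local sockets: the read-write socket is granted by membership of the
# "libvirt" group alone (auth_unix_rw = "none"), so the polkit rule shown
# elsewhere on this page is presumably never consulted for it. The read-only
# socket is world-accessible, which is libvirt's shipped default.
unix_sock_group = "libvirt"
unix_sock_ro_perms = "0777"
unix_sock_rw_perms = "0770"
unix_sock_dir = "/var/run/libvirt"
auth_unix_ro = "none"
auth_unix_rw = "none"

# Listen for unencrypted TCP connections on the public TCP/IP port.
# NB, must pass the --listen flag to the libvirtd process for this to
# have any effect.
#
# Using the TCP socket requires SASL authentication by default. Only
# SASL mechanisms which support data encryption are allowed. This is
# DIGEST_MD5 and GSSAPI (Kerberos5)
#
# This is disabled by default, uncomment this to enable it.
listen_tcp = 1
# Override the port for accepting secure TLS connections
# This can be a port number, or service name
#
#tls_port = "16514"

# Override the port for accepting insecure TCP connections
# This can be a port number, or service name
#
#tcp_port = "16509"


# Override the default configuration which binds to all network
# interfaces. This can be a numeric IPv4/6 address, or hostname
#
# If the libvirtd service is started in parallel with network
# startup (e.g. with systemd), binding to addresses other than
# the wildcards (0.0.0.0/::) might not be available yet.
#
# The wildcard exposes the management port on the VLAN sub-interfaces and
# the wireless side as well; a single management address here would narrow it.
listen_addr = "0.0.0.0"
...
# Change the authentication scheme for TCP sockets.
#
# If you don't enable SASL, then all TCP traffic is cleartext.
# Don't do this outside of a dev/test scenario. For real world
# use, always enable SASL and use the GSSAPI or DIGEST-MD5
# mechanism in /etc/sasl2/libvirt.conf
#
# "none" would let any host able to reach port 16509 define, start and
# stop every VM with no login at all; "sasl" requires a SASL login (and,
# without TLS, a mechanism that brings its own encryption, per the note
# on listen_tcp above).
auth_tcp = "sasl"

# Change the authentication scheme for TLS sockets.
#
# TLS sockets already have encryption provided by the TLS
# layer, and limited authentication is done by certificates
#
# It is possible to make use of any SASL authentication
# mechanism as well, by using 'sasl' for this option
#auth_tls = "none"
...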

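# libvirtd only honours listen_tls/listen_tcp from libvirtd.conf when started
# with --listen; put this line into the file:
#   LIBVIRTD_ARGS="-p /var/run/libvirtd.pid --listen"
nano /etc/conf.d/libvirtd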

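# attach the raw VM image to a loop device and expose its partitions
sudo losetup -f /home/vm/vm1/vm01.raw
sudo kpartx -l /dev/loop0
# the kpartx calls below are the variants that were tried: -a adds the partition
# mappings, -d removes them, -l only lists, -v is verbose, -s waits for the
# device nodes to appear
kpartx -d /dev/loop0
kpartx -av /dev/loop0
kpartx -a -v /dev/loop0
kpartx -a -v -s /dev/loop0
kpartx -l /dev/loop0
# NOTE(review): the image path differs from the first losetup line
# (/home/vm/vm1/ vs /home/vm/vm01/); one of the two is presumably a typo
sudo losetup -f --show /home/vm/vm01/vm01.raw
sudo losetup --list
pacman -S setconf
pacman -S libaio
pacman -S device-mapper
# multipath-tools-git comes from the AUR via yaourt: a user-submitted build
# script that is not signed by Arch packagers — read the PKGBUILD before building
yaourt -S multipath-tools-git
kpartx -l /dev/loop0
pacman -S extlinux
pacman -S syslinux
# the mount of the image's root partition (the kpartx-created /dev/mapper/loop0pN
# device) onto /home/vm/duke/tmp is not shown on this page but must precede these
genfstab -U /home/vm/duke/tmp >> /home/vm/duke/tmp/etc/fstab
extlinux --install /home/vm/duke/tmp/boot

# write the syslinux MBR into the first 440 bytes of the image (conv=notrunc
# leaves the rest of the file intact), then configure the bootloader
dd if=/usr/lib/syslinux/bios/mbr.bin conv=notrunc bs=440 count=1 of=/dev/loop0
nano /home/vm/duke/tmp/boot/extlinux.conf

umount /home/vm/duke/tmp/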

### VM1

Purpose: Router DHCP / DNS / Access Point
OS: Debian 8

Software:

hostapd
dnsmasq
iptables
dhcpcd
wireless-tools
firmware-iwlwifi
wpasupplicant
iw

### VM2

Purpose: Asterisk
OS: CentOS 7

### VM3

Purpose: Database
OS:
