Libvirt setup

Tomas

To take advantage of the full networking features of libvirt, a connection to the system driver is required. There are multiple ways to specify the hypervisor URI when running virsh. The default URI can be changed by setting the environment variable LIBVIRT_DEFAULT_URI=qemu:///system. Alternatively, virsh accepts the --connect (or -c) parameter, which overrides the default URI. It is also possible to connect to different hypervisors, including remote connections [1].

On Fedora, libvirt and the supporting tools are installed via dnf.

$ sudo dnf install @virtualization python-libvirt python-lxml -y

Access

Connecting to the system hypervisor requires root-level access and authentication.

$ LIBVIRT_DEFAULT_URI=qemu:///system virsh uri
==== AUTHENTICATING FOR org.libvirt.unix.manage ====
System policy prevents management of local virtualized systems
Authenticating as: ansible
Password: 

Libvirt supports access control through its polkit driver [2]. The libvirt-daemon package in Fedora ships with a polkit rule that allows members of the libvirt group to manage libvirt.

$ sudo cat /usr/share/polkit-1/rules.d/50-libvirt.rules
// Allow any user in the 'libvirt' group to connect to system libvirtd
// without entering a password.

polkit.addRule(function(action, subject) {
    if (action.id == "org.libvirt.unix.manage" &&
        subject.isInGroup("libvirt")) {
        return polkit.Result.YES;
    }
});

Alternatively, a rule can be set up that mirrors the %wheel ALL=(ALL) NOPASSWD:ALL sudo configuration. Note that, unlike the libvirt rule above, this one does not check action.id, so it answers YES for every polkit action requested by a member of the wheel group, not only libvirt management.

$ sudo cat /usr/share/polkit-1/rules.d/49-nopasswd_global.rules
polkit.addRule(function(action, subject) {
    if (subject.isInGroup("wheel")) {
        return polkit.Result.YES;
    }
});
$ sudo systemctl restart polkit

With polkit set up correctly, libvirt no longer requires password authentication.

$ LIBVIRT_DEFAULT_URI=qemu:///system virsh uri
qemu:///system

The hypervisor runs as the qemu user and will need search access to the home directory. Permissions can be granted using setfacl.

$ setfacl -m u:qemu:rx $HOME

Networking

NetworkManager comes with a dnsmasq plugin; when it is enabled, DNS queries are resolved by a dnsmasq instance running locally. This is useful for resolving hosts on the libvirt network [3].

Set up NetworkManager to use the dnsmasq plugin

$ cat /etc/NetworkManager/conf.d/01-use-dnsmasq.conf
[main]
dns=dnsmasq

Set up the dnsmasq plugin to forward queries for the cosmos.local domain to the libvirt network's own dnsmasq at 192.168.30.1

$ cat /etc/NetworkManager/dnsmasq.d/01-libvirt_dnsmasq.conf
# Add name server for cosmos.local domain
server=/cosmos.local/192.168.30.1

NetworkManager should be restarted via systemctl restart NetworkManager for the changes to take effect.

Set up the libvirt network

$ cat /tmp/network.xml
<network>
  <name>cosmos</name>
  <forward mode='nat'>
    <nat>
      <port start='1024' end='65535'/>
    </nat>
  </forward>
  <bridge name='virbr1'/>
  <domain name='cosmos.local' localOnly='yes'/>
  <ip address='192.168.30.1' netmask='255.255.255.0'>
    <dhcp>
      <range start='192.168.30.2' end='192.168.30.254'/>
    </dhcp>
  </ip>
</network>
$ virsh -c qemu:///system net-define /tmp/network.xml
$ virsh -c qemu:///system net-autostart cosmos
$ virsh -c qemu:///system net-start cosmos
$ virsh -c qemu:///system net-list

Storage

A directory is created to store the virtual machine images, and a storage pool pointing at it is defined in the hypervisor.

$ sudo mkdir -p /storage/images
$ sudo chown 1000:1000 /storage/images

$ cat storage.xml
<pool type='dir'>
  <name>images</name>
  <source>
  </source>
  <target>
    <path>/storage/images</path>
    <permissions>
      <mode>0755</mode>
      <owner>1000</owner>
      <group>1000</group>
    </permissions>
  </target>
</pool>
$ virsh -c qemu:///system pool-define storage.xml
$ virsh -c qemu:///system pool-autostart images
$ virsh -c qemu:///system pool-start images
$ virsh -c qemu:///system pool-list

Creating virtual machines

Create a 30G disk image in the images storage pool, backed by the f32-base image that was built for the base-image article.

$ qemu-img create \
    -f qcow2 \
    -b /storage/images/f32-base.vda.x86_64.qcow2 \
    /storage/images/jupiter.vda.x86_64.qcow2 \
    30G

Set up a static DHCP address on the cosmos network for the jupiter host

$ virsh -c qemu:///system net-update cosmos add-last ip-dhcp-host \
    "<host mac='52:54:00:da:70:35' name='jupiter' ip='192.168.30.2'/>" \
    --live --config --parent-index 0
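Before a reservation is passed to net-update it is worth checking it against the network definition, so that a typo does not hand two guests the same address or name. The following Python script is an added example, not part of the original post: it uses only the standard library, and the embedded network XML is the cosmos definition from above with the jupiter reservation already applied (constructed sample data).

```python
import ipaddress
import re
import xml.etree.ElementTree as ET

# Constructed sample: the cosmos network from this post, with jupiter already reserved.
NETWORK_XML = """<network>
  <name>cosmos</name>
  <forward mode='nat'/>
  <bridge name='virbr1'/>
  <domain name='cosmos.local' localOnly='yes'/>
  <ip address='192.168.30.1' netmask='255.255.255.0'>
    <dhcp>
      <range start='192.168.30.2' end='192.168.30.254'/>
      <host mac='52:54:00:da:70:35' name='jupiter' ip='192.168.30.2'/>
    </dhcp>
  </ip>
</network>"""

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")


def reservation_error(network_xml, mac, name, ip):
    """Return why the reservation is unusable, or None if it can be added."""
    mac = mac.lower()
    if not MAC_RE.match(mac):
        return f"malformed MAC address: {mac}"
    if int(mac[:2], 16) & 1:  # libvirt rejects multicast (group bit set) MACs
        return f"multicast MAC address: {mac}"
    ip_el = ET.fromstring(network_xml).find("ip")
    gateway = ipaddress.ip_address(ip_el.get("address"))
    subnet = ipaddress.ip_network(f"{gateway}/{ip_el.get('netmask')}", strict=False)
    addr = ipaddress.ip_address(ip)
    if addr not in subnet or addr == gateway:
        return f"{ip} is outside {subnet} or is the network's own address"
    # A duplicate MAC or IP makes dnsmasq hand one lease to two guests; a duplicate
    # name makes cosmos.local resolve ambiguously. Refuse all three.
    for host in ip_el.iterfind("dhcp/host"):
        for attr, value in (("mac", mac), ("name", name), ("ip", ip)):
            if host.get(attr, "").lower() == value.lower():
                return f"{attr}={value} already reserved by host {host.get('name')}"
    return None


def dhcp_host_xml(network_xml, mac, name, ip):
    """Build the <host/> element for `virsh net-update ... add-last ip-dhcp-host`."""
    problem = reservation_error(network_xml, mac, name, ip)
    if problem:
        raise ValueError(problem)
    el = ET.Element("host", {"mac": mac.lower(), "name": name, "ip": ip})
    return ET.tostring(el, encoding="unicode")
```

The returned string is what goes in quotes in the net-update command above; dump the live definition with virsh net-dumpxml cosmos to feed the real network XML in instead of the sample.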

Import the jupiter VM

$ virt-install \
    --name jupiter \
    --ram 1024 \
    --os-type linux \
    --os-variant fedora31 \
    --graphics none \
    --network network=cosmos,mac=52:54:00:da:70:35 \
    --disk=/storage/images/jupiter.vda.x86_64.qcow2,bus=virtio,format=qcow2 \
    --import

Now libvirt is set up to allow connections to the system hypervisor by the members of the wheel group.

[1] https://libvirt.org/uri.html
[2] https://libvirt.org/aclpolkit.html
[3] https://fedoramagazine.org/using-the-networkmanagers-dnsmasq-plugin/
