Setting up a Debian KVM virtual machine on a headless server with libvirt
2022 January 18
This guide will refer to the physical machine as the host and the virtual machine installed in the host as the VM.
My host system while preparing this guide is a Debian Testing system without a GUI.
This guide does not use virt-manager, which requires a GUI.
Check CPU compatibility
Note: This step only applies to AMD and Intel CPUs. If you have an ARM, PowerPC, etc. CPU, I don't know how to tell if your CPU supports virtualization or not.
If your CPU doesn't support virtualization, you won't be able to follow this guide. Run this command to check:
user@host:~$ grep --color "svm\|vmx" /proc/cpuinfo
flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ht syscall nx mmxext fxsr_opt pdpe1gb rdtscp lm constant_tsc rep_good acc_power nopl nonstop_tsc cpuid extd_apicid aperfmper f pni pclmulqdq monitor ssse3 cx16 sse4_1 sse4_2 movbe popcnt aes xsave avx f16c lahf_lm cmp_legacy svm extapic cr8_legacy abm sse4a misalignsse 3dnowprefetch o svw ibs skinit wdt topoext perfctr_nb bpext ptsc perfctr_llc cpb hw_pstate ssbd vmmcall bmi1 xsaveopt arat npt lbrv svm_lock nrip_save tsc_scale flushbyasid dec odeassists pausefilter pfthreshold overflow_recov
Assuming your CPU supports virtualization, this should output a list of flags including either svm (on AMD) or vmx (on Intel) which indicates virtualization support. If there's no output, your CPU does not have virtualization support enabled.
If you don't get any output, check your BIOS settings to see if virtualization is just disabled. If your CPU doesn't support it, you won't be able to follow this guide.
Load kernel module
Check if there's a KVM module already loaded:
root@host:~# lsmod | grep --color kvm
kvm_amd 143360 13 kvm 1019904 1 kvm_amd irqbypass 16384 14 kvm ccp 106496 1 kvm_amd
Look for either kvm_amd (if you have an AMD CPU) or kvm_intel (for Intel). If neither shows up, issue the appropriate command to load the one you need:
root@host:~# modprobe kvm_amd
or
root@host:~# modprobe kvm_intel
Dependencies
We need these packages:
- qemu-kvm
- qemu-utils
- libvirt-clients
- libvirt-daemon-system
- virtinst
- dnsmasq
In Debian, qemu-kvm is actually a virtual package. It will instead install the appropriate package based on your CPU, in my case qemu-system-x86.
root@host:~# apt update && apt install --no-install-recommends qemu-kvm qemu-utils libvirt-clients libvirt-daemon-system virtinst dnsmasq
(We're using --no-install-recommends here to avoid pulling in unnecessary graphical packages.)
Make sure libvirtd is running and enabled at start:
root@host:~# systemctl enable --now libvirtd
Download and verify a Debian iso
Go to https://www.debian.org/download to download the newest netinstall iso.
Also download the SHA512SUMS and Signature files to the same directory.
If you don't already have the Debian CD signing key, you can get it from keyring.debian.org:
user@host:~$ gpg --keyserver keyring.debian.org --recv-keys DF9B9C49EAA9298432589D76DA87E80D6294BE9B
gpg: /home/user/.gnupg/trustdb.gpg: trustdb created gpg: key DA87E80D6294BE9B: public key "Debian CD signing key <debian-cd@lists.de bian.org>" imported gpg: Total number processed: 1 gpg: imported: 1
Now, verify that the SHA512 sums were signed properly:
user@host:~$ gpg --verify-files SHA512SUMS.sign
gpg: assuming signed data in 'SHA512SUMS' gpg: Signature made Sat Dec 18 00:00:00 2021 UTC gpg: using RSA key DF9B9C49EAA9298432589D76DA87E80D6294BE9B gpg: Good signature from "Debian CD signing key <debian-cd@lists.debian.org>" [u nknown] gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. Primary key fingerprint: DF9B 9C49 EAA9 2984 3258 9D76 DA87 E80D 6294 BE9B
(Key line bolded for emphasis.)
The warning line says that this key is not certified with a trusted signature because I haven't been able to verify that the key is authentic. Unfortunately, that's not something I can reasonably do.
Now, confirm that the SHA512 hash of the iso you downloaded is correct:
user@host:~$ sha512sum --ignore-missing -c SHA512SUMS
debian-11.2.0-amd64-netinst.iso: OK
It should say the name of the file and that it's OK.
Create the VM
First, create the qcow2 file. The disk storage for the VM will be stored in this file.
root@host:~# qemu-img create -f qcow2 /var/lib/libvirt/images/my-vm-name.qcow2 10G
Replace "my-vm-name" and the size as needed.
Now here's the key step. We're going to create the VM, but we need to ensure that we can access it without needing to launch a GUI.
root@host:~# virt-install \
--name my-vm-name \
--description "Debian VM" \
--ram=1024 \
--vcpus=1 \
--cpu host \
--location /path/to/debian/iso \
--graphics none \
--disk path=/var/lib/libvirt/images/my-vm-name.qcow2,size=10 \
--extra-args 'console=ttyS0,115200n8 serial' \
--network default
The --graphics none and --extra-args 'console=ttyS0,115200n8 serial' enable us to start the Debian installer in the terminal without launching a GUI.
The Debian installer should start. Do the next section before going through the installer.
Assign the VM an IP address
Open a second terminal on the host.
You should have a "default virtual network" by default. To confirm this,
root@host:~# virsh net-list --all
Name State Autostart Persistent -------------------------------------------- default active yes yes
If not, see the Networking page on the Libvirt Wiki.
When your VM is created, it should be assigned a MAC address. To get this MAC address, run
root@host:~# virsh dumpxml my-vm-name | grep "mac address"
<mac address='52:54:00:b0:bc:b4'/>
Find subnet used by libvirt for VMs:
user@host:~$ ip a
[...] 10: virbr0:mtu 1500 qdisc noqueue state UP group default qlen 1000 link/ether 52:54:00:3f:5a:65 brd ff:ff:ff:ff:ff:ff inet 192.168.122.1/24 brd 192.168.122.255 scope global virbr0 valid_lft forever preferred_lft forever [...]
(Look for virbr0 or something similar.) In this example, your VMs will identify the host machine as 192.168.122.1, and you can assign other 192.168.122.x addresses to VMs.
Assign an IP address to the new VM:
root@host:~# virsh net-update default add ip-dhcp-host "<host mac='52:54:00:b0:bc:b4' name='my-vm-name' ip='192.168.122.2' />" --live --config
Install Debian
Now go back to the terminal running the Debian installer and walk through the installation process as normal. You should be able to configure networking, but you might have to manually specify it, for instance:
- IP address: 192.168.122.2/24
- Gateway: 192.168.122.1
- Name server addresses: <whatever DNS server(s) you want to use>
What you install is up to you, but for this guide, you will only need the base system and an SSH server.
When the installer is finished, it should boot into a working Debian system. Make sure to set up ssh so you can connect to this VM easily!
Set up ssh
To ensure you can still connect to the VM after you set it up, make sure to set up ssh.
On the VM, install openssh-server if you didn't already:
root@vm:~# apt install openssh-server
It will generate keys and print their hashes.
Edit your sshd config:
root@vm:~# nano /etc/ssh/sshd_config
Uncomment and set the following two lines:
PubkeyAuthentication yes
PasswordAuthentication no
We want to use public key authentication, rather than password authentication. (Host-based authentication would be acceptable as well, since you should only be connecting from the host machine.)
Restart the ssh service to apply the new changes and ensure it's running:
root@vm:~# systemctl restart ssh
Also ensure ssh is enabled so it runs on startup:
root@vm:~# systemctl enable ssh
On the host device, generate an ssh key if you don't already have one:
user@host:~$ ssh-keygen -t ed25519
Generating public/private ed25519 key pair. Enter file in which to save the key (/home/user/.ssh/id_ed25519): Created directory '/home/user/.ssh'. Enter passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saved in /home/user/.ssh/id_ed25519 Your public key has been saved in /home/user/.ssh/id_ed25519.pub The key fingerprint is: SHA256:+aot/GJT+/1KmKuJB2IJkBhmzbOOYEBRGqZj3oddUZk user@host The key's randomart image is: +--[ED25519 256]--+ |+X=. ...o | |X o+ .E | |++ o . | |+oo.o . . | |o.o+ + S | | . .= . .. o | | . o o .+ . | | *ooo + | | .oB*oo oo. | +----[SHA256]-----+
(I've assumed defaults here, but you can change it if you want.)
Configure ssh on the host.
user@host:~$ nano ~/.ssh/config
Write a config something like this:
Host my-vm-name HostName 192.168.122.2 User username Port 22 IdentityFile ~/.ssh/id_ed25519 PubkeyAuthentication yes ServerAliveInterval 120
Most of this should be clear. Change it as needed. The ServerAliveInterval mitigates an annoying issue where ssh sessions freeze up because one side disconnects without notifying the other.
For security reasons, ssh files must be readable only by the owner. Change the permissions accordingly:
user@host:~$ chmod 600 ~/.ssh/config
Output your public key:
user@host:~$ cat ~/.ssh/id_ed25519.pub
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJy84ATUtHwlyepnXrU1vKsgfSmHRxmA5KOZlQLhhtg4 user@host
You'll need this in a moment.
On the VM, authorize the host's key.
First, create a .ssh folder and an authorized_keys file and set the appropriate permissions:
user@vm:~$ mkdir -p ~/.ssh && chmod 700 ~/.ssh && touch ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys
Now, copy your public key from above into the authorized_keys file:
user@vm:~$ echo "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJy84ATUtHwlyepnXrU1vKsgfSmHRxmA5KOZlQLhhtg4 user@host" >> ~/.ssh/authorized_keys
(Using >> will append the key to the file. Using only one > will overwrite the file. You can have multiple authorized keys, and they should be one per line.)
Now, get the VM's key fingerprint:
user@vm:~$ ssh-keygen -lf <(ssh-keyscan -t ed25519 localhost 2>/dev/null)
256 SHA256:H5WgbU/P3K0m8deOvXTHdAArAPMlfdN1HJVroLNP2b8 localhost (ED25519)
You'll need this in a moment.
On the host, try to ssh into the VM:
user@host:~$ ssh my-vm-name
The authenticity of host '192.168.122.2 (192.168.122.2)' can't be established. ED25519 key fingerprint is SHA256:H5WgbU/P3K0m8deOvXTHdAArAPMlfdN1HJVroLNP2b8. This key is not known by any other names Are you sure you want to continue connecting (yes/no/[fingerprint])?
The first time you connect to a new host, ssh will ask you to verify its fingerprint.
Ensure that the fingerprint matches the one from above and enter yes. Alternatively, you can directly enter the fingerprint from before.
If all went well, you should now be logged into the VM over ssh.
To be extra safe, you should reboot the VM and ensure that you can still ssh in.
Once you've confirmed that you can ssh in even after a reboot, it's safe to disconnect from the terminal where you were originally setting up the VM. Press Ctrl + ] to disconnect.
Basic virsh commands
You can use the virsh utility to manage VMs. Here are some useful commands...
View all VMs:
root@host:~# virsh list --all
Id Name State -------------------------- 12 my-vm-name running
Start a VM:
root@host:~# virsh start my-vm-name
Shutdown a VM:
root@host:~# virsh shutdown my-vm-name
Reboot a VM:
root@host:~# virsh reboot my-vm-name
Force shutdown a VM:
root@host:~# virsh destroy my-vm-name
Delete a VM:
root@host:~# virsh undefine my-vm-name
Edit a VM:
root@host:~# virsh edit my-vm-name
Congratulations! You should now be running a Debian virtual machine which you can ssh into.
This VM will be accessible from the private IP address 192.168.122.2 or whatever you set it as. You can use this to reverse-proxy, etc.
Thanks
These pages were helpful: