yum install centos-release-qemu-ev yum install qemu-kvm-ev libvirt systemctl start libvirtd
FUSEの設定が必要。
yum install qemu-kvm-tools-ev virt-install virt-top virt-dib virt-v2v libguestfs-tools libguestfs-bash-completion libguestfs-rsync libguestfs-xfs perl-XML-XPath
yum install virt-manager virt-viewer
パッケージ名 | 主要なコマンド | 概要 | |
---|---|---|---|
qemu-kvm-ev | qemu-kvm 2.12.0 | 必須 | |
qemu-img-ev | qemu-img | 仮想ディスクイメージの操作 | |
libvirt | libvirt 4.5.0 | 必須 | |
libvirt-client | virsh, virt-host-validate, libvirt-guests.service | 基本ツール | |
qemu-kvm-tools-ev | kvm_stat | ||
virt-install | virt-install | 仮想マシンの作成 | |
virt-top | virt-top | ||
virt-dib | virt-dib | 仮想ディスクイメージの作成 | |
virt-v2v | virt-v2v | 仮想マシンの変換 | |
libguestfs-tools | guestfish, virt-sysprep, virt-df, virt-ls | ゲスト(の中のファイル)を操作するツール | |
libguestfs-rsync | ディスクイメージをrsyncで操作 | ||
libguestfs-xfs | XFSのディスクイメージ操作 | ||
perl-XML-XPath | xpath |
centos-release-qemu-ev
を使用しない場合のQEMUのパッケージ名とバージョン。
パッケージ名 | 主要なコマンド | 概要 | |
---|---|---|---|
qemu-kvm | qemu-kvm 1.5.3 | 必須 | |
qemu-img | qemu-img | 仮想ディスクイメージの操作 | |
qemu-kvm-tools | kvm_stat |
virt-host-validate
全てPASS
、あるいはWARN
であること。
LXC: Checking if device /sys/fs/fuse/connections exists : FAIL (Load the 'fuse' module to enable /proc/ overrides)
と表示された場合。
modprobe fuse
を実行して改善されるか確認。
改善されるなら設定を永続化する。
echo fuse > /etc/modules-load.d/fuse.conf
QEMU: Checking if IOMMU is enabled by kernel : WARN (IOMMU appears to be disabled in kernel. Add intel_iommu=on to kernel cmdline arguments)
と表示された場合。
vi /etc/sysconfig/grub
CPUがIntel製ならGRUB_CMDLINE_LINUX
にintel_iommu=on iommu=pt
を追加。
AMD製ならiommu=pt
を追加。
UEFIブートなら/etc/grub2-efi.cfg
に出力、BIOSブートなら/etc/grub2.cfg
に出力。
grub2-mkconfig -o /etc/grub2-efi.cfg reboot
virt-install
の--os-variant
に設定可能な値。
osinfo-query os
一部抜粋
Short ID | Name | CentOS 7 |
---|---|---|
centos7.0 | CentOS 7 | x |
centos8 | CentOS 8 | x |
debian10 | Debian 10 | x |
freebsd12.1 | FreeBSD 12.1 | x |
rhel7.9 | Red Hat Enterprise Linux 7.9 | x |
rhel8-unknown | Red Hat Enterprise Linux 8 Unknown | x |
[root@kvmhost ~]# virsh net-dumpxml default <network> <name>default</name> <uuid>7ee64691-b5b4-4f7e-affe-df96fe6268bd</uuid> <forward mode='nat'> <nat> <port start='1024' end='65535'/> </nat> </forward> <bridge name='virbr0' stp='on' delay='0'/> <mac address='52:54:00:fb:05:99'/> <ip address='192.168.122.1' netmask='255.255.255.0'> <dhcp> <range start='192.168.122.2' end='192.168.122.254'/> </dhcp> </ip> </network>
[root@kvmhost ~]# nmcli con NAME UUID TYPE DEVICE eth0 e1a84776-5009-44b4-a597-47e8707ec615 ethernet eth0 virbr0 ff8c7f60-bdc3-45d4-8aab-b67d03d431fc bridge virbr0 [root@kvmhost ~]# nmcli -f connection.zone con show eth0 connection.zone: -- [root@kvmhost ~]# nmcli -f connection.zone con show virbr0 connection.zone: -- [root@kvmhost ~]# nmcli dev DEVICE TYPE STATE CONNECTION eth0 ethernet connected eth0 virbr0 bridge connected virbr0 lo loopback unmanaged -- virbr0-nic tun unmanaged -- [root@kvmhost ~]# nmcli dev show virbr0 GENERAL.DEVICE: virbr0 GENERAL.TYPE: bridge GENERAL.HWADDR: 52:54:00:FB:05:99 GENERAL.MTU: 1500 GENERAL.STATE: 100 (connected) GENERAL.CONNECTION: virbr0 GENERAL.CON-PATH: /org/freedesktop/NetworkManager/ActiveConnection/2 IP4.ADDRESS[1]: 192.168.122.1/24 IP4.GATEWAY: -- IP4.ROUTE[1]: dst = 192.168.122.0/24, nh = 0.0.0.0, mt = 0 IP6.GATEWAY: -- [root@kvmhost ~]# nmcli dev show virbr0-nic GENERAL.DEVICE: virbr0-nic GENERAL.TYPE: tun GENERAL.HWADDR: 52:54:00:FB:05:99 GENERAL.MTU: 1500 GENERAL.STATE: 10 (unmanaged) GENERAL.CONNECTION: -- GENERAL.CON-PATH: --
[root@kvmhost ~]# brctl show bridge name bridge id STP enabled interfaces virbr0 8000.525400fb0599 yes virbr0-nic [root@kvmhost ~]# brctl showstp virbr0 virbr0 bridge id 8000.525400fb0599 designated root 8000.525400fb0599 root port 0 path cost 0 max age 20.00 bridge max age 20.00 hello time 2.00 bridge hello time 2.00 forward delay 2.00 bridge forward delay 2.00 ageing time 300.00 hello timer 1.46 tcn timer 0.00 topology change timer 0.00 gc timer 235.90 flags virbr0-nic (1) port id 8001 state disabled designated root 8000.525400fb0599 path cost 100 designated bridge 8000.525400fb0599 message age timer 0.00 designated port 8001 forward delay timer 0.00 designated cost 0 hold timer 0.00 flags [root@kvmhost ~]# ip netns [root@kvmhost ~]# ip -detail link 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 promiscuity 0 addrgenmode eui64 numtxqueues 1 numrxqueues 1 gso_max_size 65536 gso_max_segs 65535 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000 link/ether 00:15:5d:00:24:2a brd ff:ff:ff:ff:ff:ff promiscuity 0 addrgenmode none numtxqueues 64 numrxqueues 64 gso_max_size 62780 gso_max_segs 65535 3: virbr0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN mode DEFAULT group default qlen 1000 link/ether 52:54:00:fb:05:99 brd ff:ff:ff:ff:ff:ff promiscuity 0 bridge forward_delay 200 hello_time 200 max_age 2000 ageing_time 30000 stp_state 1 priority 32768 vlan_filtering 0 vlan_protocol 802.1Q bridge_id 8000.52:54:0:fb:5:99 designated_root 8000.52:54:0:fb:5:99 root_port 0 root_path_cost 0 topology_change 0 topology_change_detected 0 hello_timer 0.34 tcn_timer 0.00 topology_change_timer 0.00 gc_timer 224.78 vlan_default_pvid 1 vlan_stats_enabled 0 group_fwd_mask 0 group_address 01:80:c2:00:00:00 mcast_snooping 1 mcast_router 1 mcast_query_use_ifaddr 0 mcast_querier 0 mcast_hash_elasticity 4 mcast_hash_max 512 mcast_last_member_count 2 mcast_startup_query_count 2 mcast_last_member_interval 100 mcast_membership_interval 26000 mcast_querier_interval 25500 mcast_query_interval 12500 mcast_query_response_interval 1000 mcast_startup_query_interval 3125 mcast_stats_enabled 0 mcast_igmp_version 2 mcast_mld_version 1 nf_call_iptables 0 nf_call_ip6tables 0 nf_call_arptables 0 addrgenmode eui64 numtxqueues 1 numrxqueues 1 gso_max_size 65536 gso_max_segs 65535 4: virbr0-nic: <BROADCAST,MULTICAST> mtu 1500 qdisc pfifo_fast master virbr0 state DOWN mode DEFAULT group default qlen 1000 link/ether 52:54:00:fb:05:99 brd ff:ff:ff:ff:ff:ff promiscuity 1 tun bridge_slave state disabled priority 32 cost 100 hairpin off guard off root_block off fastleave off learning on flood on port_id 0x8001 port_no 0x1 designated_port 32769 designated_cost 0 designated_bridge 8000.52:54:0:fb:5:99 designated_root 8000.52:54:0:fb:5:99 hold_timer 0.00 message_age_timer 0.00 forward_delay_timer 0.00 topology_change_ack 0 config_pending 0 proxy_arp off proxy_arp_wifi off mcast_router 1 mcast_fast_leave off mcast_flood on addrgenmode eui64 numtxqueues 1 numrxqueues 1 gso_max_size 65536 gso_max_segs 65535 [root@kvmhost ~]# ip addr 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo valid_lft forever preferred_lft forever inet6 ::1/128 scope host valid_lft forever preferred_lft forever 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000 link/ether 00:15:5d:00:24:2a brd ff:ff:ff:ff:ff:ff inet 172.31.0.120/24 brd 172.31.0.255 scope global noprefixroute eth0 valid_lft forever preferred_lft forever inet6 fe80::8364:c19b:ca0b:310a/64 scope link noprefixroute valid_lft forever preferred_lft forever 3: virbr0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default qlen 1000 link/ether 52:54:00:fb:05:99 brd ff:ff:ff:ff:ff:ff inet 192.168.122.1/24 brd 192.168.122.255 scope global virbr0 valid_lft forever preferred_lft forever 4: virbr0-nic: <BROADCAST,MULTICAST> mtu 1500 qdisc pfifo_fast master virbr0 state DOWN group default qlen 1000 link/ether 52:54:00:fb:05:99 brd ff:ff:ff:ff:ff:ff [root@kvmhost ~]# ip route default via 172.31.0.1 dev eth0 proto static metric 100 172.31.0.0/24 dev eth0 proto kernel scope link src 172.31.0.120 metric 100 192.168.122.0/24 dev virbr0 proto kernel scope link src 192.168.122.1
[root@kvmhost ~]# ps ax | grep [d]nsmasq 1389 ? S 0:00 /usr/sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default.conf --leasefile-ro --dhcp-script=/usr/libexec/libvirt_leaseshelper 1390 ? S 0:00 /usr/sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default.conf --leasefile-ro --dhcp-script=/usr/libexec/libvirt_leaseshelper [root@kvmhost ~]# cat /var/lib/libvirt/dnsmasq/default.conf ##WARNING: THIS IS AN AUTO-GENERATED FILE. CHANGES TO IT ARE LIKELY TO BE ##OVERWRITTEN AND LOST. Changes to this configuration should be made using: ## virsh net-edit default ## or other application using the libvirt API. ## ## dnsmasq conf file created by libvirt strict-order pid-file=/var/run/libvirt/network/default.pid except-interface=lo bind-dynamic interface=virbr0 dhcp-range=192.168.122.2,192.168.122.254 dhcp-no-override dhcp-authoritative dhcp-lease-max=253 dhcp-hostsfile=/var/lib/libvirt/dnsmasq/default.hostsfile addn-hosts=/var/lib/libvirt/dnsmasq/default.addnhosts [root@kvmhost ~]# cat /var/lib/libvirt/dnsmasq/default.hostsfile [root@kvmhost ~]# cat /var/lib/libvirt/dnsmasq/default.addnhosts
[root@kvmhost ~]# cat /proc/sys/net/ipv4/ip_forward 1 [root@kvmhost ~]# iptables -S -t filter -P INPUT ACCEPT -P FORWARD ACCEPT -P OUTPUT ACCEPT -N FORWARD_IN_ZONES -N FORWARD_IN_ZONES_SOURCE -N FORWARD_OUT_ZONES -N FORWARD_OUT_ZONES_SOURCE -N FORWARD_direct -N FWDI_public -N FWDI_public_allow -N FWDI_public_deny -N FWDI_public_log -N FWDO_public -N FWDO_public_allow -N FWDO_public_deny -N FWDO_public_log -N INPUT_ZONES -N INPUT_ZONES_SOURCE -N INPUT_direct -N IN_public -N IN_public_allow -N IN_public_deny -N IN_public_log -N OUTPUT_direct -A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT -A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT -A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT -A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A INPUT -i lo -j ACCEPT -A INPUT -j INPUT_direct -A INPUT -j INPUT_ZONES_SOURCE -A INPUT -j INPUT_ZONES -A INPUT -m conntrack --ctstate INVALID -j DROP -A INPUT -j REJECT --reject-with icmp-host-prohibited -A FORWARD -d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT -A FORWARD -i virbr0 -o virbr0 -j ACCEPT -A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable -A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A FORWARD -i lo -j ACCEPT -A FORWARD -j FORWARD_direct -A FORWARD -j FORWARD_IN_ZONES_SOURCE -A FORWARD -j FORWARD_IN_ZONES -A FORWARD -j FORWARD_OUT_ZONES_SOURCE -A FORWARD -j FORWARD_OUT_ZONES -A FORWARD -m conntrack --ctstate INVALID -j DROP -A FORWARD -j REJECT --reject-with icmp-host-prohibited -A OUTPUT -o virbr0 -p udp -m udp --dport 68 -j ACCEPT -A OUTPUT -o lo -j ACCEPT -A OUTPUT -j OUTPUT_direct -A FORWARD_IN_ZONES -i eth0 -g FWDI_public -A FORWARD_IN_ZONES -g FWDI_public -A FORWARD_OUT_ZONES -o eth0 -g FWDO_public -A FORWARD_OUT_ZONES -g FWDO_public -A FWDI_public -j FWDI_public_log -A FWDI_public -j FWDI_public_deny -A FWDI_public -j FWDI_public_allow -A FWDI_public -p icmp -j ACCEPT -A FWDO_public -j FWDO_public_log -A FWDO_public -j FWDO_public_deny -A FWDO_public -j FWDO_public_allow -A INPUT_ZONES -i eth0 -g IN_public -A INPUT_ZONES -g IN_public -A IN_public -j IN_public_log -A IN_public -j IN_public_deny -A IN_public -j IN_public_allow -A IN_public -p icmp -j ACCEPT -A IN_public_allow -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW,UNTRACKED -j ACCEPT [root@kvmhost ~]# iptables -S -t nat -P PREROUTING ACCEPT -P INPUT ACCEPT -P OUTPUT ACCEPT -P POSTROUTING ACCEPT -N OUTPUT_direct -N POSTROUTING_ZONES -N POSTROUTING_ZONES_SOURCE -N POSTROUTING_direct -N POST_public -N POST_public_allow -N POST_public_deny -N POST_public_log -N PREROUTING_ZONES -N PREROUTING_ZONES_SOURCE -N PREROUTING_direct -N PRE_public -N PRE_public_allow -N PRE_public_deny -N PRE_public_log -A PREROUTING -j PREROUTING_direct -A PREROUTING -j PREROUTING_ZONES_SOURCE -A PREROUTING -j PREROUTING_ZONES -A OUTPUT -j OUTPUT_direct -A POSTROUTING -s 192.168.122.0/24 -d 224.0.0.0/24 -j RETURN -A POSTROUTING -s 192.168.122.0/24 -d 255.255.255.255/32 -j RETURN -A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535 -A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535 -A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE -A POSTROUTING -j POSTROUTING_direct -A POSTROUTING -j POSTROUTING_ZONES_SOURCE -A POSTROUTING -j POSTROUTING_ZONES -A POSTROUTING_ZONES -o eth0 -g POST_public -A POSTROUTING_ZONES -g POST_public -A POST_public -j POST_public_log -A POST_public -j POST_public_deny -A POST_public -j POST_public_allow -A PREROUTING_ZONES -i eth0 -g PRE_public -A PREROUTING_ZONES -g PRE_public -A PRE_public -j PRE_public_log -A PRE_public -j PRE_public_deny -A PRE_public -j PRE_public_allow [root@kvmhost ~]# iptables -S -t mangle -P PREROUTING ACCEPT -P INPUT ACCEPT -P FORWARD ACCEPT -P OUTPUT ACCEPT -P POSTROUTING ACCEPT -N FORWARD_direct -N INPUT_direct -N OUTPUT_direct -N POSTROUTING_direct -N PREROUTING_ZONES -N PREROUTING_ZONES_SOURCE -N PREROUTING_direct -N PRE_public -N PRE_public_allow -N PRE_public_deny -N PRE_public_log -A PREROUTING -j PREROUTING_direct -A PREROUTING -j PREROUTING_ZONES_SOURCE -A PREROUTING -j PREROUTING_ZONES -A INPUT -j INPUT_direct -A FORWARD -j FORWARD_direct -A OUTPUT -j OUTPUT_direct -A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill -A POSTROUTING -j POSTROUTING_direct -A PREROUTING_ZONES -i eth0 -g PRE_public -A PREROUTING_ZONES -g PRE_public -A PRE_public -j PRE_public_log -A PRE_public -j PRE_public_deny -A PRE_public -j PRE_public_allow [root@kvmhost ~]# iptables -S -t raw -P PREROUTING ACCEPT -P OUTPUT ACCEPT -N OUTPUT_direct -N PREROUTING_ZONES -N PREROUTING_ZONES_SOURCE -N PREROUTING_direct -N PRE_public -N PRE_public_allow -N PRE_public_deny -N PRE_public_log -A PREROUTING -j PREROUTING_direct -A PREROUTING -j PREROUTING_ZONES_SOURCE -A PREROUTING -j PREROUTING_ZONES -A OUTPUT -j OUTPUT_direct -A PREROUTING_ZONES -i eth0 -g PRE_public -A PREROUTING_ZONES -g PRE_public -A PRE_public -j PRE_public_log -A PRE_public -j PRE_public_deny -A PRE_public -j PRE_public_allow [root@kvmhost ~]# iptables -S -t security -P INPUT ACCEPT -P FORWARD ACCEPT -P OUTPUT ACCEPT -N FORWARD_direct -N INPUT_direct -N OUTPUT_direct -A INPUT -j INPUT_direct -A FORWARD -j FORWARD_direct -A OUTPUT -j OUTPUT_direct [root@kvmhost ~]# ebtables-save # Generated by ebtables-save v1.0 *nat :PREROUTING ACCEPT :OUTPUT ACCEPT :POSTROUTING ACCEPT :PREROUTING_direct ACCEPT :POSTROUTING_direct ACCEPT :OUTPUT_direct ACCEPT -A PREROUTING -j PREROUTING_direct -A OUTPUT -j OUTPUT_direct -A POSTROUTING -j POSTROUTING_direct -A PREROUTING_direct -j RETURN -A POSTROUTING_direct -j RETURN -A OUTPUT_direct -j RETURN *broute :BROUTING ACCEPT :BROUTING_direct ACCEPT -A BROUTING -j BROUTING_direct -A BROUTING_direct -j RETURN *filter :INPUT ACCEPT :FORWARD ACCEPT :OUTPUT ACCEPT :INPUT_direct ACCEPT :OUTPUT_direct ACCEPT :FORWARD_direct ACCEPT -A INPUT -j INPUT_direct -A FORWARD -j FORWARD_direct -A OUTPUT -j OUTPUT_direct -A INPUT_direct -j RETURN -A OUTPUT_direct -j RETURN -A FORWARD_direct -j RETURN
[root@kvmhost ~]# firewall-cmd --state running [root@kvmhost ~]# firewall-cmd --get-default-zone public [root@kvmhost ~]# firewall-cmd --get-active-zones public interfaces: eth0 [root@kvmhost ~]# firewall-cmd --info-zone=public public (active) target: default icmp-block-inversion: no interfaces: eth0 sources: services: dhcpv6-client ssh ports: protocols: masquerade: no forward-ports: source-ports: icmp-blocks: rich rules: [root@kvmhost ~]# firewall-cmd --get-zone-of-interface=virbr0 no zone [root@kvmhost ~]# firewall-cmd --get-zone-of-interface=virbr0-nic no zone [root@kvmhost ~]# firewall-cmd --get-zones block dmz drop external home internal public trusted work