Howto setup a kvm user on gentoo

The follow softwarepackages is required:

• iproute2
• brctl
• tunctl
• tightvnc (for example this vncserver)
• subversion ( optinal can be on the workstation )

Other packages should be on default installation.

first create an user whom start the kvm-guests

#useradd kvm


 add the user to the group kvm 

#gpasswd -a kvm kvm


Now i had done some stupid.  Fixme: Wrapper for kvm-disk-user



add kvm-user to the disk-group 

#gpasswd -a kvm disk

Now modify the udev-rules so that while booting all will be done comfortable.

For this i go to directory /etc/udev/rules.d. There i look for tun, kvm and disk.

cd /etc/udev/rules.d
 
grep tun *
  50-udev-default.rules:KERNEL=="tun", NAME="net/%k", MODE="0666", OPTIONS+="ignore_remove"
grep kvm *
grep block.*disk.*MODE *
  50-udev-default.rules:SUBSYSTEM=="block", GROUP="disk", MODE="0640"

Find the line under the option: ‘# network devices’ and add GROUP=”kvm” and set MODE=”660”.

KERNEL=="tun", NAME="net/%k", MODE="0660", GROUP="kvm", OPTIONS+="ignore_remove"

Add a new option: ‘# kvm device’ and add this line, this is required for /dev/kvm.

KERNEL=="kvm", NAME="%k", MODE="0660", Group="kvm"

Only If you used LVM for guest drives then change this rule, because the diskgroup need read and write access on the device.

SUBSYSTEM=="block", GROUP="disk", MODE="0660"

The next step is, to tell the system that the unprivileged kvm-user can create a tap-device and add this to the a bridge. I use the sudo command and edit therefore the file ‘/etc/sudoers’.

• add a new line

kvm All=(All) NOPASSWD: /sbin/brctl, /sbin/ifconfig, /sbin/start-stop-deamon, /usr/bin/tunctl

Fixme: maybe more restrict

My setup include two bridges. One for the local guests and one for a dmz. The dmz-bridge i do add in the system-configuration to build on startup. For local-bridge i use a script, and this do rename the local networkdevice eth1 → reth1 and create a bridge with name eth1 and add the interface reth1 to bridge eth1.

• add to the file ‘/etc/conf.d/net’ this lines (for dmz(bridge))

config_dmz=( "10.0.0.1 netmask 255.255.255.0 broadcast 10.0.0.255" )
brctl_dmz=( "setfd 0" "sethello 0" "stp off" )

Change the IP to your ip-address. Than the kvm-guests in the dmz have in this example a ip in this range: 10.0.0.(1-254)
Then i have a small script, this idea i find on a website but i dont rember from where, so thanks to unkown :).
All kvm stuff i have placed in the directory /etc/kvm.
So the next script for create the local-connectet bridge i have in ‘/etc/kvm/scirpts/bridge_starter’.
For do this on bootup:

• add this line in ‘/etc/conf.d/local.start’

/etc/kvm/scripts/bridge_starter

This is the script bridge_starter.

#!/bin/bash
### bridge_starter
ip=$(which ip)
ifconfig=$(which ifconfig)
brctl=$(which brctl)
 
dev=eth1
dev_old=reth1
ip_dev='ip_address_from_the_local_net_device'  # eg.192.168.0.1

$ip addr flush $dev
$ip link set $dev down
$ip link set $dev name $dev_old 
$ip link set $dev_old up
$brctl addbr $dev
$brctl addif $dev $dev_old
$ip link set $dev up
$ifconfig $dev $ip_dev up

For firewall i use the shorewall and i have do a nat for both bridges.

So as next is to prepare the directory to store the ‘guest.img’. When now the kvm-user is starting the process than he must able to enter the directory and must have to write access to the image.
For example:

#chmod 770 /vmserver
#chgrp kvm /vmserver/guest.img


 Also for storing the pidfile do


 add directory and change group and set permission


#mkdir /var/run/kvm
#chgrp kvm /var/run/kvm
#chmod 770 /var/run/kvm


 

All preparation is done.
I have wrote a script to easy managing kvm-guests.
This script is in beta stage.
It can be find here http://svn.kasten-edv.de/svn/kvm-admin/trunk/.
For using it, iam doing this:

• create a dir for storing and check it out via svn

$mkdir ~/kvm
$cd ~/kvm

svn checkout http://svn.kasten-edv.de/svn/kvm-admin/trunk/ .

• copy it to ‘/etc’ - Directory

$cd ..
$su
#cp -a kvm /etc
#chmod 750 /etc/kvm
#chgrp kvm /etc/kvm

If all done then add or if it already there in ‘/etc/kvm/guestconfig/’ a file example.
Open it and add this:

#################################################################################
#   the config/default.cfg and path_config.cfg has the predefined variables	#
#################################################################################
#verbose = enabled		# give an output what is set, not work in moment
test-only = enabled		# does not execute it but show it
name = example			# the name for ifname when used the tap option and ifname is not set
 
#hda = /vmserver/qemu.img
cdrom = /usr/src/ISOS/debian-40r3-i386-netinst.iso
 
 
## if use the virtio drive the if = virtio must set
#file = file:/dev/sda1, if:virtio, boot:on
file = file:/vmserver/qemu.img, if:scsi, boot:on
#file = file:/vmserver/qemu_1.img, if:ide, index:0, media:disk
#file = file:/vmserver/cd.iso, if:ide, index:1, media:cdrom
 
script = kvm-dmz-ifup   	# default qemu-ifup
mem = 265                	# default 128 MB => size in MB
vnc = 4                 	# would be on to connect to your vnc host:4 than for use
				# vnc-max-client is set to 998
#vlan = 1                 	# default 0, vlan-max is set to 254
#mac = 00:00:00:00:00:01 	#
#nic-model = virtio       	# ne2k_pci is default, with wrong driver wich qemu not supported 
                         	# the kvm-manager will show wich avaible
net-tap = enabled           	# use net option -tap
net-user = disabled	 	# if tun-tap setup fail it will user -net user as defaul
	                 	# -user is not actived in the moment
boot = d                 	# default is c first drive "file" oder "hda"
usb = enabled               	# turn on usb support
usbdevice = tablet       	# is good if you used vnc with dektop on guest
nographic = disabled		# 
pid = enabled		     	# 
ifname = iface_test      	# it is the name for the tap,ifname ;
				# is not set the name will be used
			 	# and if name not set the filename
				# from the guest-config will be used 
language = en-us         	# default is de
smp = 2                  	# default is no smp enabled
localtime = enabled         	# default is False
daemonize = enabled         	# default is enabled
no-fd-bootchk = enabled     	# default is disabled
keymaps = enabled          	# default is disabled, it need the path set in 
				# config/path_config.cfg for keymaps
no-acpi = disabled           	# default is disabled
std-vga = enabled	 	# default is enabled

Now is time to test it.

• #cd /etc/kvm
• #ln -s kvm-admin.py /bin/kvm-admin

#kvm-admin start example
uid=1003(kvm) gid=1003(kvm) Gruppen=1003(kvm),6(disk),85(usb)
[Errno 2] No such file or directory: '/vmserver/qemu.img'
Setting up tun-tap-device, done ....
The follow command would be executing: 
['/usr/local/kvm/72/bin/qemu-system-x86_64', '-cdrom', '/usr/src/ISOS/debian-40r3-i386-netinst.iso', '-net', 'nic,vlan=0,macaddr=A9:B9:C9:D9:E9:F0,model=rtl8139', '-net', 'tap,vlan=0,ifname=iface_test,script=/etc/kvm/scripts/kvm-dmz-ifup', '-vnc', ':4', '-m', '265', '-boot', 'd', '-k', 'en-us', '-pidfile', '/var/run/kvm/example.pid', '-smp', '2', '-L', '/usr/local/kvm/72/share/qemu', '-usb', '-usbdevice', 'tablet', '-name', 'example', '-no-fd-bootchk', '-daemonize', '-std-vga', '-localtime']

Top