In the Linux world, a lot of people have heard of the Xen hypervisor. Recently, a newcomer to the Linux virtualization world has emerged: KVM, or Kernel-based Virtual Machine. More feature rich than other recent newcomer lguest but not quite on par with Xen, KVM was added to the mainline kernel in the 2.6.20 release. One of KVM's more interesting features is the ability to live migrate a guest from one host to another.
Currently, KVM supports full virtualization of guest operating systems, but relies on Intel VT or AMD-V hardware functionality to do so (though a version called KVM-Lite which does not use the hardware virtualisation technology is under development). KVM also has limited paravirtualization function, which currently only supports Linux and Windows guest operating systems. Also a limitation at this stage is kvm's inability to run SMP guests.
KVM is currently primarily developed and supported by Avi Kivity of Qumranet. Qumranet, a stealth-mode start-up, develops kvm as an open source hypervisor. It also has an as-yet-undisclosed virtual computing product under development which uses kvm as its basis. Also under development is a port to FreeBSD and hardware ports to s390, PowerPC and IA64 architectures.
How to check for KVM hardware support
Let's have a look at KVM and create a guest. Firstly, we need to check that your processor has support for Intel VT or AMD-V. You can check for KVM hardware support using the information in /proc/cpuinfo like so:
# egrep '^flags.*(vmx|svm)' /proc/cpuinfo
If you have the required support the egrep will return flags like so:
flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ht syscall nx mmxext fxsr_opt rdtscp lm 3dnowext 3dnow pni cx16 lahf_lm cmp_legacy svm extapic cr8_legacy
flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ht syscall nx mmxext fxsr_opt rdtscp lm 3dnowext 3dnow pni cx16 lahf_lm cmp_legacy svm extapic cr8_legacy
If the svm flag is returned then your processor supports AMD-V or if the vmx flag is returned then your processor supports Intel VT.
Now, before installing KVM, you need to confirm you have all the required prerequisites. These are:
- gcc 3.x
- SDL libraries and headers (on Red Hat the SDL and SDL-devel packages)
- ALSA libraries and headers (on Red Hat the alsa-lib-devel package)
- libuuid (from the e2fsprogs-devel package)
- kernel headers (generally obtained by installing your distribution's kernel-devel or kernel-headers package)
Once you have all the prerequisites, download the current KVM release (39 at the time of writing), unpack it, and change into the resulting directory. You can download the required code to create the kernel module and associated userspace tools at kvm.qumranet.com.
$ tar -xzf kvm-release.tar.gz
$ cd kvm-release
Installing and configuring KVM
Next we need to make and configure KVM. If you have a kernel release of 2.6.20 or later then you can use the following configure command:
$ ./configure --prefix=/usr/local/kvm
If you need to override the gcc compiler because you want to use a version other than 3.x then use this command.
$ ./configure --prefix=/usr/local/kvm --qemu-cc="/usr/bin/gcc" --disable-gcc-check
If you have a custom-built and patched kernel then you should use the --with-patched-kernel configure option.
Now, you need to make and install KVM. You will need to be root, or use sudo, to install KVM.
$ make
# make install
Like lguest, KVM is a loadable kernel module, with a module for Intel and a module for AMD architectures. Depending on what flag was returned when you grep'ed your /proc/cpuinfo file you should load the appropriate module. For Intel VT support, if grep returned the vmx flag, then use the following command:
# /sbin/modprobe kvm-intel
Or for AMD-V support, if the svm flag was returned, then use:
# /sbin/modprobe kvm-amd
You should see some log messages in dmesg, or wherever your distribution sends kernel messages, indicating the module has been loaded successfully. If you've loaded the wrong module for your processor or your processor doesn't support KVM then error messages indicating this will be returned.
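The flag check and the module choice described above can be combined into one step. The following is an added example, not part of the original article or of the KVM distribution; the function name kvm_module_for is hypothetical, and it matches whole flag names rather than substrings as the egrep above does.

```shell
#!/bin/sh
# Added example: choose the KVM module from the CPU flags.
# kvm_module_for [FILE] prints kvm-intel or kvm-amd on success.
# Returns 1 if neither vmx nor svm is present, 2 if FILE is unreadable.
# FILE defaults to /proc/cpuinfo; the function name is hypothetical.
kvm_module_for() {
    cpuinfo="${1:-/proc/cpuinfo}"
    [ -r "$cpuinfo" ] || return 2

    # Take the value of every "flags" line and put one flag per line.
    flags=$(sed -n 's/^flags[[:space:]]*:[[:space:]]*//p' "$cpuinfo" | tr ' ' '\n')

    # grep -x matches the whole line, so only an exact "vmx" or "svm"
    # flag counts, not a longer flag name that merely contains it.
    if printf '%s\n' "$flags" | grep -qx 'vmx'; then
        echo kvm-intel
    elif printf '%s\n' "$flags" | grep -qx 'svm'; then
        echo kvm-amd
    else
        return 1
    fi
}

# Usage (as root):
#   mod=$(kvm_module_for) && /sbin/modprobe "$mod"
```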
Once you have KVM installed and the module loaded you can create a guest. We will need a disk image for the guest. We can use the qemu-img binary that comes with KVM to create an image:
# /usr/local/kvm/bin/qemu-img create -f qcow2 disk.img 5G
Here we've used qemu-img to create an image called disk.img, formatted as qcow2 (QEMU's standard image format) with a size of 5GB.
We can now install a guest operating system on our disk image. Download some appropriate media, for example to install an OpenBSD guest, download the CD iso:
$ wget ftp://ftp.openbsd.org/pub/OpenBSD/4.1/i386/cd41.iso
(All of this section needs to be run in an SDL-enabled environment, i.e. X, to allow the appropriate output to be displayed. You can't run it via an SSH session.)
Then run qemu (or qemu-system-x86_64 for 64-bit) to install the guest like so:
# /usr/local/kvm/bin/qemu-system-x86_64 -hda disk.img -cdrom /home/guest/cd41.iso -boot d -m 128
We've created a guest, using our disk image as the hard disk, and specified the ISO we downloaded as the CD-ROM. We've also used the -m option to specify the RAM available to the guest, in this case 128MB. We would then follow the prompts to install the guest using its installation mechanism.
Once we've installed the guest we can run it again using the same qemu binary:
# /usr/local/kvm/bin/qemu-system-x86_64 disk.img -m 128
This assumes you've got fairly simple bridged networking. If you want to configure more complicated networking or use more advanced features of kvm then I recommend reading the KVM FAQ.
If you are interested in reading more about kvm's live migration feature you can see details at KVM's wiki on migration. You can also get support from the KVM mailing lists and IRC channel.
James Turnbull is an experienced infrastructure architect with a background in Linux/Unix, AS/400, Windows, and storage systems. He has been involved in security consulting, infrastructure security design, SLA and service definition and has an abiding interest in security metrics and measurement.