How to use qemu correctly

I struggle with the qemu example (wiki.ipfire.org - QEMU).

Initial situation:
I installed my IPFire on HW and installed 2 network cards. One NIC for red, one NIC for green. There is currently no orange or blue. VLANs are planned, but not yet implemented.
Now I would like to use the free capacities of the IPFire HW for further services.

The first goal is to run a virtual Linux (Ubuntu) on IPfire that provides services for the green zone.

So I have installed qemu and created a virtual disk:

qemu-img create -f vmdk /var/lib/libvirt/filesystems/ubuntu.vmdk 1200000

I was able to start the VM:
qemu -vnc :1 -hda /var/lib/libvirt/filesystems/ubuntu.vmdk -cdrom /tmp/ubuntu-22.04.3-live-server-amd64.iso -m 2048 -net nic -net user -boot d -usbdevice tablet &

Then install the OS via vnc and reboot without CD:
qemu -vnc :1 -hda /var/lib/libvirt/filesystems/ubuntu_pihole.vmdk -m 1152 -net nic -net user -boot d -usbdevice tablet &

Until here everything is fine. The VM also has internet access; although I don’t know how, it doesn’t seem to have received an address from DHCP:

$ hostname -i
127.0.1.1

But I don’t know how to proceed now. According to the instructions, the way differs depending on whether you have HW-NIC or not. But what is meant by this? A separate NIC for the VM, or in the host?

If that were done, the question would be how I can start the VM automatically. Do I necessarily need the virt-manager for this? If so, don’t I have to install it on my desktop PC to use the UI?

The next step would then be a separate VM that provides services for the internet (i.e. the red interface).

But first things first. First, straighten out the network connection for the first VM.

Can anyone help me what to do now?
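The following script is an added example, not from this thread or the IPFire wiki. It wraps the two qemu invocations above in a small POSIX shell script that switches between the two networking modes the wiki distinguishes: user-mode networking (QEMU's built-in DHCP/NAT stack, which hands the guest 10.0.2.15 and NATs it through the host; this is where the guest's internet access comes from, while `hostname -i` only reads /etc/hosts, which Ubuntu maps to 127.0.1.1, so `ip addr` is the place to look for the real address) and tap networking, where a host tap device is attached to a bridge so the guest appears on that segment. It uses the current `-netdev`/`-device` syntax instead of the legacy `-net nic -net user` pair, and binds VNC to loopback because `-vnc :1` listens on every host interface, red included, with no authentication. The binary name qemu-system-x86_64, the bridge br0, the tap device tap0 and the MAC address are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: builds the qemu command line for the
# Ubuntu guest with either user-mode or tap/bridge networking.
# Assumed names (not from the thread): qemu-system-x86_64, bridge br0,
# tap device tap0, MAC 52:54:00:12:34:56.

QEMU=${QEMU:-qemu-system-x86_64}
DISK=${DISK:-/var/lib/libvirt/filesystems/ubuntu.vmdk}
ISO=${ISO:-/tmp/ubuntu-22.04.3-live-server-amd64.iso}
MEM=${MEM:-2048}
# "-vnc :1" would listen on every host interface (red included) with no
# authentication; bind to loopback and reach it through an SSH tunnel.
VNC_BIND=${VNC_BIND:-127.0.0.1}

# User-mode networking: QEMU's built-in DHCP/NAT stack. The guest gets
# 10.0.2.15 and can reach out through the host, but nothing on green can
# reach the guest unless hostfwd rules are added.
net_args_user() {
    printf '%s' "-netdev user,id=n0 -device virtio-net-pci,netdev=n0"
}

# Tap networking: the guest NIC is a host tap device enslaved to a bridge,
# so the guest sits on the same L2 segment as the bridge (e.g. green).
# script=no/downscript=no keeps qemu from running /etc/qemu-ifup; the tap
# is prepared explicitly by setup_tap below.
net_args_tap() {
    tap=${1:?tap device}
    mac=${2:?mac address}
    printf '%s' "-netdev tap,id=n0,ifname=$tap,script=no,downscript=no -device virtio-net-pci,netdev=n0,mac=$mac"
}

# Print the full command line. $1 = user|tap, $2 = install|run
build_cmd() {
    case ${1:-} in
        user) net=$(net_args_user) ;;
        tap)  net=$(net_args_tap tap0 52:54:00:12:34:56) ;;
        *)    echo "usage: build_cmd user|tap install|run" >&2; return 1 ;;
    esac
    case ${2:-} in
        install) boot="-cdrom $ISO -boot d" ;;   # boot the installer ISO
        run)     boot="-boot c" ;;               # boot the installed disk
        *)       echo "usage: build_cmd user|tap install|run" >&2; return 1 ;;
    esac
    printf '%s\n' "$QEMU -m $MEM -vnc $VNC_BIND:1 -drive file=$DISK,format=vmdk,if=virtio $boot $net -usb -device usb-tablet"
}

# Create the tap device and attach it to an existing bridge.
# Needs root and iproute2; the bridge itself must already exist.
setup_tap() {
    br=${1:?bridge}; tap=${2:?tap device}
    ip link show dev "$br" >/dev/null || return 1
    ip tuntap add dev "$tap" mode tap
    ip link set dev "$tap" master "$br"
    ip link set dev "$tap" up
}

# Typical use (as root, once the bridge exists):
#   setup_tap br0 tap0
#   eval "$(build_cmd tap run)" &
```

`build_cmd user install` reproduces the first invocation from the post in the newer syntax; `build_cmd tap run` is the bridged variant the wiki describes for the no-spare-NIC case. The guest is reachable from green only in tap mode.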

The point is how do the guest machine and the host OS communicate? Is the guest sending a stream of packets through a real network interface, or through a virtual interface created by the host OS?

If you have a HW-NIC available for the Ubuntu guest machine, you will create a bridge device on the IPFire host. This will logically connect the physical interface from the IPFire host with a virtual one used by the Ubuntu guest, facilitating network communications through the physical NIC.

If you don’t have a separate HW-NIC to assign to the Ubuntu guest, you can utilize a tun/tap device to create a virtual network interface. A tun/tap device is a kernel network device, which operates at either layer 3 (tun) or layer 2 (tap) of the OSI model, allowing you to create virtual network interfaces. In this context, it will help to establish a virtual network card to enable the Ubuntu VM to communicate with the green zone network.

No, using virt-manager is not a necessity. You can automate the startup of your VM using the virsh command-line tool that comes with libvirt. To set a VM to start automatically, you would use the following command in your IPFire host’s terminal:

virsh autostart VM_name

Replace “VM_name” with the actual name of your VM. This allows you to control VM autostart settings without a graphical user interface.

Here is a tutorial and some reading material on everything libvirt on the console.


If IPFire is protecting anything of value, you do not want to do this. It will increase the surface of attack and make your network less secure. You need to balance the tradeoff between convenience and security and be mindful of the risk associated with running a virtual machine inside your firewall.


The point is how do the guest machine and the host OS communicate? Is the guest sending a stream of packets through a real network interface, or through a virtual interface created by the host OS?
If you have a HW-NIC available for the Ubuntu guest machine, you will create a bridge device on the IPFire host.

OK, that makes sense!
I'll try to do it tomorrow. And I'm a bit optimistic. :)

Here is a tutorial and some reading material on everything libvirt on the console.

The virsh tutorial is exactly what I have been searching for!
Thanks

If IPFire is protecting anything of value, you do not want to do this. It will increase the surface of attack and make your network less secure. You need to balance the tradeoff between convenience and security and be mindful of the risk associated with running a virtual machine inside your firewall.
That's a good point! Especially for externally reachable services. I'd better not do that. For internal services it doesn't matter. Whoever would attack me from my home network does not need to challenge the firewall anymore.