Correct way to move kvm vm

I have a problem doing live migration between two host computers via virt-manager. It is a permission issue but I don’t have time to figure it out. It is not a big deal. It is OK to move KVM VMs offline.

  1. Stop the VM from the GUI, the CLI or the guest console
  2. Dump the guest configuration as XML
    virsh dumpxml VMNAME > domxml.xml
  3. Copy the guest images to the other server, keeping the same path
  4. Define a VM from the dumped XML file
    virsh define domxml.xml
  5. Check the configuration and start the VM on the new host. Usually the network configuration, CPU and memory need to be checked.
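The five steps above as a script, added here as an example (it is not part of the original notes). It adds two checks a practitioner wants before `virsh define` on the new host: the guest must really be shut off, and every copied image must have the same SHA-256 on both sides. Assumed: passwordless ssh/scp to the destination as a user allowed to run virsh, identical image paths on both hosts, and file-backed disks only. The sample domain XML and its paths are constructed for the offline demonstration.

```shell
#!/bin/sh
# Added example, not from the original notes: steps 2 to 4 above as a script,
# plus two checks (guest really shut off, image checksums match after copy).
# Assumptions: passwordless ssh/scp to the destination host as a user that may
# run virsh there, and identical image paths on both hosts.
set -eu

# Print the file-backed disk images (and ISOs) a domain XML refers to.
kvm_disk_paths() {
    sed -n "s/.*<source file='\([^']*\)'.*/\1/p" "$1"
}

# Constructed sample of `virsh dumpxml` output, for the offline demonstration.
sample_domxml() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
<domain type='kvm'>
  <name>web01</name>
  <devices>
    <disk type='file' device='disk'>
      <driver name='qemu' type='qcow2'/>
      <source file='/var/lib/libvirt/images/web01.qcow2'/>
      <target dev='vda' bus='virtio'/>
    </disk>
    <disk type='file' device='cdrom'>
      <source file='/var/lib/libvirt/images/CentOS-7-x86_64-Minimal.iso'/>
      <target dev='hda' bus='ide'/>
    </disk>
    <interface type='network'>
      <source network='default'/>
    </interface>
  </devices>
</domain>
EOF
    echo "$f"
}

# move_vm VMNAME user@newhost
move_vm() {
    vm=$1; dest=$2
    if [ "$(virsh domstate "$vm")" != "shut off" ]; then
        echo "$vm is not shut off; stop it first (step 1)" >&2; return 1
    fi
    xml="$vm.xml"
    virsh dumpxml "$vm" > "$xml"
    if grep -q "<source dev=" "$xml"; then
        echo "$vm has block-backed disks; copy those by hand" >&2; return 1
    fi
    kvm_disk_paths "$xml" | while IFS= read -r img; do
        scp -p "$img" "$dest:$img"
        local_sum=$(sha256sum < "$img" | cut -d' ' -f1)
        remote_sum=$(ssh "$dest" "sha256sum < '$img'" | cut -d' ' -f1)
        [ "$local_sum" = "$remote_sum" ] || { echo "checksum mismatch: $img" >&2; exit 1; }
    done || return 1
    scp "$xml" "$dest:$xml"
    ssh "$dest" "virsh define '$xml'"
}

if [ $# -eq 2 ]; then
    move_vm "$1" "$2"
else
    # No arguments: show which images the sample XML would make us copy.
    f=$(sample_domxml)
    echo "images referenced by the sample domain XML:"
    kvm_disk_paths "$f"
    rm -f "$f"
fi
```

Run it as `sh move_vm.sh VMNAME user@newhost`; without arguments it only parses the constructed sample. On a live host, `virsh domblklist VMNAME` gives the same list of image paths and is a handy cross-check of what the sed expression finds.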


KVM access guest from outside host on CentOS

The default virbr0 network lets the guest reach the host (VM <–> host), but the guest cannot be reached from outside the host. The following commands enable that temporarily by removing libvirt's REJECT rules from the FORWARD chain:

# iptables -D  FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
# iptables -D  FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable

The better way is to create another bridge for the guests.

  1. create a new network xml file (routeNetwork.xml); net-create needs a <name>, and the bridge name is what the guests attach to

      <network>
        <name>routenetwork</name>
        <bridge name="virbr100" />
        <forward mode="route" />
        <ip address="" netmask="" />
      </network>
  2. create new bridge
    # virsh net-create routeNetwork.xml
  3. edit the network to enable DHCP (I think that if we define DHCP in the first step, this one is not needed. If we don’t do this step, the Persistent state is "no". Not sure what the impact is.)
    # virsh net-edit routenetwork
      <forward mode='route'/>
      <bridge name='virbr100' stp='on' delay='0'/>
      <mac address='52:54:00:cc:3b:aa'/>
      <ip address='' netmask=''>
        <dhcp>
          <range start='' end=''/>
        </dhcp>
      </ip>
  4. Set the bridge autostart
    # virsh net-autostart routenetwork
  5. Check virtual networks
    # virsh net-list
     Name                 State      Autostart     Persistent
     default              active     yes           yes
     routenetwork         active     yes           yes
  6. add masquerade to firewalld
    # firewall-cmd --permanent --add-masquerade
  7. change the guest's network type to the new bridge
    # virsh --connect qemu:///system
    virsh # edit <VM's name>
    <interface type='bridge'>
      <mac address='52:54:00:ea:98:1a'/>
      <source bridge='virbr100'/>
      <model type='e1000'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>
    </interface>
  8. shut the guest down and start it again
  9. add a route to the guest subnet on your router, with the KVM host as the gateway (BSD/macOS syntax shown; on Linux use "route add -net <guest subnet> gw <host ip>")
    # sudo route -n add <guest subnet> <host ip>

    Now the guest can be reached from your network via its IP 10.10.120.x.

    Other virsh commands used in managing virtual networks are:

    • virsh net-list — list virtual networks
    • virsh net-autostart [network name] — Autostart a network specified as [network name]
    • virsh net-create [XML file] — Generates and starts a new network using a preexisting XML file
    • virsh net-define [XML file] — Generates a new network from a preexisting XML file without starting it
    • virsh net-destroy [network name] — Destroy a network specified as [network name]
    • virsh net-name [network UUID] — Convert a specified [network UUID] to a network name
    • virsh net-uuid [network name] — Convert a specified [network name] to a network UUID
    • virsh net-start [name of an inactive network] — Starts a defined but inactive network
    • virsh net-undefine [name of an inactive network] — Undefine an inactive network
    • virsh net-dumpxml [network name] — Dump network as xml file
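The routed-network procedure (steps 1 to 9 above) as one script, added as an example that is not part of the original notes. It generates a complete network definition with the DHCP range where libvirt expects it, validates the addresses before anything is touched, and uses net-define followed by net-start instead of net-create, which is why the Persistent column comes out "yes" without the net-edit step. The network and bridge names are the page's own; the 10.10.120.0/24 addresses are constructed placeholders.

```shell
#!/bin/sh
# Added example, not part of the original notes: build and install the routed
# libvirt network from the steps above in one go. The address values used in
# the demonstration are constructed placeholders; routenetwork and virbr100
# are the names used in the notes.
set -eu

# Emit a complete libvirt network definition. net-define needs a <name>, and
# libvirt only accepts a <range> inside <dhcp>.
make_route_network_xml() {
    name=$1 bridge=$2 addr=$3 mask=$4 dhcp_start=$5 dhcp_end=$6
    cat <<EOF
<network>
  <name>$name</name>
  <forward mode='route'/>
  <bridge name='$bridge' stp='on' delay='0'/>
  <ip address='$addr' netmask='$mask'>
    <dhcp>
      <range start='$dhcp_start' end='$dhcp_end'/>
    </dhcp>
  </ip>
</network>
EOF
}

# Sanity check on an address: four dotted decimal octets, each 0-255.
valid_ipv4() {
    echo "$1" | awk -F. '
        NF == 4 { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1; exit 0 }
        { exit 1 }'
}

# install_route_network NAME BRIDGE ADDRESS NETMASK DHCP_START DHCP_END
# net-define + net-start gives a persistent network; net-create (as in the
# notes) creates a transient one, which net-edit later turned persistent.
install_route_network() {
    for a in "$3" "$4" "$5" "$6"; do
        valid_ipv4 "$a" || { echo "not an IPv4 address: $a" >&2; return 1; }
    done
    xml=$(mktemp)
    make_route_network_xml "$@" > "$xml"
    virsh net-define "$xml"
    virsh net-start "$1"
    virsh net-autostart "$1"
    firewall-cmd --permanent --add-masquerade     # step 6 of the notes
    firewall-cmd --reload
    rm -f "$xml"
    virsh net-list --all                          # expect active/yes/yes
}

if [ "${1:-}" = "apply" ]; then
    shift; install_route_network "$@"
else
    # No "apply": only print the definition that would be installed.
    make_route_network_xml routenetwork virbr100 10.10.120.1 255.255.255.0 \
        10.10.120.100 10.10.120.200
fi
```

Run `sh route_network.sh apply routenetwork virbr100 10.10.120.1 255.255.255.0 10.10.120.100 10.10.120.200` on the host; the return route on the upstream router (step 9) is still needed, since route mode does not NAT the guest addresses.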

How to edit a KVM VM profile created by virt-manager and add port forwarding?

Virt-manager hides some functions such as port forwarding. We can edit the VM profile from the terminal.

# virsh --connect qemu:///system

List all VMs in the virsh environment

virsh # list --all

Edit the VM’s profile

virsh # edit <VM's name>

Add the qemu namespace to the root element (first line: original, second line: edited)

<domain type='kvm'>
<domain type='kvm' xmlns:qemu='http://libvirt.org/schemas/domain/qemu/1.0'>

Change the network type from network to user. Original:

   <interface type='network'>
      <mac address='xx:xx:xx:xx:xx:xx'/>
      <model type='e1000'/>
      <source network='default'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>
   </interface>

Edited:

  <interface type='user'>
    <mac address='xx:xx:xx:xx:xx:xx'/>
    <model type='e1000'/>
    <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>
  </interface>

Add the port-forwarding arguments inside a <qemu:commandline> element, placed before the closing </domain> tag. Note that -redir is a legacy QEMU option that newer QEMU releases no longer accept; there the equivalent is the hostfwd= option of -netdev user.

    <qemu:commandline>
      <qemu:arg value='-redir'/>
      <qemu:arg value='tcp:2001::3389'/>
      <qemu:arg value='-redir'/>
      <qemu:arg value='tcp:2002::80'/>
    </qemu:commandline>



Using KVM on CentOS7

1. Install CentOS7 with Virtualization Host feature

The Virtualization Host group does not install virt-install and virt-manager. Run the following command to install them.

$ sudo yum install virt-install virt-manager

You can also install KVM with the following command if you did not select the Virtualization Host feature.

$ sudo yum install kvm virt-manager libvirt virt-install qemu-kvm xauth dejavu-lgc-sans-fonts

2. Check that the kvm modules are loaded

$ lsmod|grep kvm
kvm_intel             162153  110
kvm                   525409  1 kvm_intel

3. Set up the X display and run virt-manager

$ export DISPLAY
$ sudo virt-manager

4. KVM cli examples

// check cpu info
$ egrep -c '(vmx|svm)' /proc/cpuinfo
// list templates
$ osinfo-query os
// list VMs
$ sudo virsh --connect qemu:///system list
$ sudo virsh --connect qemu:///system list --all

// show guest information
$ sudo virsh dominfo Fedora24
Id:             -
Name:           Fedora24
UUID:           d1e8dd90-54fb-46ee-92af-dad8ec914b2e
OS Type:        hvm
State:          shut off
CPU(s):         2
Max memory:     4194304 KiB
Used memory:    0 KiB
Persistent:     yes
Autostart:      disable
Managed save:   no
Security model: selinux
Security DOI:   0

// shutdown
$ sudo virsh --connect qemu:///system shutdown Fedora24
// force stop
$ sudo virsh --connect qemu:///system destroy Fedora24
// start
$ sudo virsh --connect qemu:///system start Fedora24

// delete guest
$ sudo virsh --connect qemu:///system destroy Fedora24
$ sudo virsh --connect qemu:///system undefine Fedora24
$ sudo rm -f /var/lib/libvirt/images/Fedora24.img
$ sudo virsh pool-refresh default

5. Autostart guest

// autostart guest
$ sudo virsh --connect qemu:///system autostart Fedora24
$ sudo virsh --connect qemu:///system dominfo Fedora24|grep Auto

Set autostart from the GUI


6. Issues

a) Using a Samba share for the install media failed with permission denied. Copying the install ISO images to local storage works fine.

b) After cloning a VM from the GUI, it cannot start and reports a missing folder such as Fedora24-template, which is the source VM's name. I created a tool to check the folder; if the folder is gone, the tool recreates it immediately.


Securing Linux SSH

$ sudo vi /etc/ssh/sshd_config
# Run ssh on a non-standard port (change the port as you want; sshd does not
# accept a trailing comment on a directive line, so keep comments on their own line):
Port 2345

# Disable protocol 1
# Protocol 2,1
Protocol 2

# Prevent root logins:
PermitRootLogin no

# Limit user logins:
AllowUsers alice bob

# Disable password authentication forcing use of keys
PasswordAuthentication no
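A check for the settings above, added here as an example that is not part of the original notes. sshd uses the first value it finds for a keyword, and everything after a Match line is conditional, so a hardening line appended at the end of sshd_config can silently lose to an earlier one; the audit below reads the file the way sshd does and reports the effective values. Both sample configs are constructed; the hardened one is the configuration from the notes.

```shell
#!/bin/sh
# Added example, not from the original notes: audit an sshd_config for the
# hardening settings above. sshd applies the FIRST value it finds for a
# keyword, and lines after "Match" are conditional, so the audit stops there.
# The two sample config files are constructed for the demonstration.
set -eu

# sshd_effective FILE KEYWORD: print the effective (first, pre-Match) value
# of KEYWORD, case-insensitively, or nothing if it is not set.
sshd_effective() {
    awk -v key="$2" '
        BEGIN { key = tolower(key) }
        /^[ \t]*#/ { next }                      # comment line
        NF == 0 { next }                         # blank line
        tolower($1) == "match" { exit }          # rest of file is conditional
        tolower($1) == key { $1 = ""; sub(/^[ \t]+/, ""); print; exit }
    ' "$1"
}

# audit_sshd_config FILE: exit 0 when the three hardening settings are in
# force, 1 otherwise; prints one line per finding.
audit_sshd_config() {
    f=$1; rc=0
    v=$(sshd_effective "$f" PermitRootLogin)
    [ "$v" = "no" ] || { echo "FAIL PermitRootLogin is '${v:-unset}'"; rc=1; }
    v=$(sshd_effective "$f" PasswordAuthentication)
    [ "$v" = "no" ] || { echo "FAIL PasswordAuthentication is '${v:-unset}'"; rc=1; }
    v=$(sshd_effective "$f" AllowUsers)
    [ -n "$v" ] || { echo "FAIL AllowUsers is unset"; rc=1; }
    v=$(sshd_effective "$f" Port)
    echo "INFO Port is ${v:-22 (default)}"
    return $rc
}

# Constructed sample: the configuration from the notes.
sample_hardened() {
    f=$(mktemp); cat > "$f" <<'EOF'
# Run ssh on a non-standard port
Port 2345
Protocol 2
PermitRootLogin no
AllowUsers alice bob
PasswordAuthentication no
EOF
    echo "$f"
}

# Constructed sample: hardening lines added in the wrong place.
sample_weak() {
    f=$(mktemp); cat > "$f" <<'EOF'
PermitRootLogin yes
PasswordAuthentication yes
# appended later: has no effect, the first value wins
PermitRootLogin no
Match User deploy
    PasswordAuthentication no
EOF
    echo "$f"
}

for c in "$(sample_hardened)" "$(sample_weak)"; do
    if audit_sshd_config "$c"; then echo "PASS $c"; else echo "FAIL $c"; fi
    rm -f "$c"
done
```

On a live host, `sshd -t -f /etc/ssh/sshd_config` checks the syntax before a restart and `sshd -T` prints the effective configuration as the daemon sees it; the audit above is for reviewing files offline, for example in a config repository, where the daemon is not available.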

How to generate your own key pair

$ ssh-keygen -t rsa

Customize DNS nameservers with DHCP settings under NetworkManager on CentOS 7

By default, NetworkManager rewrites resolv.conf whenever an interface uses DHCP. It puts the nameservers received from the DHCP server at the top and the custom DNS servers at the bottom, so names known only to the private DNS servers cannot be resolved. To fix it, set PEERDNS=no in /etc/sysconfig/network-scripts/ifcfg-eth0 and restart the network.

Change hostname on CentOS/Fedora

$ sudo hostnamectl set-hostname --static "YOUR-HOSTNAME-HERE"

If the hostname does not survive a reboot on Fedora, use the following command to restore the SELinux context of /etc/hostname.

$ sudo restorecon -v /etc/hostname

On CentOS, editing the following files also works.

$ sudo vi /etc/sysconfig/network

$ sudo vi /etc/hosts

$ sudo vi /etc/hostname

firewall-cmd examples

firewall-cmd --get-default-zone
firewall-cmd --get-zones

firewall-cmd --list-interfaces
firewall-cmd --add-interface=<interface>

firewall-cmd --add-service=http

firewall-cmd --add-port=443/tcp
firewall-cmd --permanent --add-port=443/tcp

firewall-cmd --add-masquerade
firewall-cmd --add-service=dns --add-service=dhcp
firewall-cmd --runtime-to-permanent

firewall-cmd --permanent --direct --get-all-rules

Move mysql data folder to ZFS on CentOS 7

1. turn the original data folder into a mount point

sudo systemctl stop mariadb.service
cd /var/lib
sudo mv mysql mysql.bak
sudo mkdir mysql
sudo chown mysql:mysql mysql

2. create zfs file system

sudo zfs create -o mountpoint=/var/lib/mysql mysqldata/mysql

3. mount zfs file system

sudo zfs mount -a

4. change the mount point owner to mysql and copy all data files to /var/lib/mysql

sudo chown mysql:mysql mysql
cd mysql.bak
sudo cp -p -r * ../mysql
cd ..

5. install package policycoreutils-python

sudo yum install policycoreutils-python

6. run semanage fcontext and restorecon

sudo semanage fcontext -a -t mysqld_db_t "/var/lib/mysql(/.*)?"
sudo grep -i mysql /etc/selinux/targeted/contexts/files/file_contexts.local
sudo restorecon -R -v /var/lib/mysql

7. start mysql

sudo systemctl start mariadb.service
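The move as a script, added here as an example and not part of the original notes. It refuses to start MariaDB until the copied tree has been compared file by file against the original, and it copies with cp -a, which keeps owner, mode, timestamps and dotfiles (the "cp -p -r *" form skips dotfiles, which the offline demonstration shows on a constructed data directory). Assumed: the ZFS pool (mysqldata in the notes) already exists, the host is CentOS 7 with SELinux enforcing, and the script runs as root.

```shell
#!/bin/sh
# Added example, not from the original notes: the move above as a script that
# verifies the copy before MariaDB is started again. Assumes the ZFS pool
# (mysqldata in the notes) already exists and that this runs as root.
set -eu

# tree_manifest DIR: "crc size ./path" for every regular file under DIR,
# sorted, dotfiles included, so two trees can be compared as text.
tree_manifest() {
    ( cd "$1" && find . -type f | sort | while IFS= read -r f; do
        printf '%s %s\n' "$(cksum < "$f" | cut -d' ' -f1,2)" "$f"
    done )
}

# verify_copy SRC DST: exit 0 if DST holds an identical copy of SRC.
verify_copy() {
    [ -d "$1" ] && [ -d "$2" ] || return 1
    [ "$(tree_manifest "$1")" = "$(tree_manifest "$2")" ]
}

# move_mysql_to_zfs DATASET, e.g. mysqldata/mysql
move_mysql_to_zfs() {
    ds=$1
    dir=/var/lib/mysql
    systemctl stop mariadb.service
    if systemctl is-active --quiet mariadb.service; then
        echo "mariadb still running, aborting" >&2; return 1
    fi
    mv "$dir" "$dir.bak"
    mkdir "$dir"
    zfs create -o mountpoint="$dir" "$ds"   # zfs mounts the dataset at once
    cp -a "$dir.bak/." "$dir/"              # keeps owner, mode, times, dotfiles
    chown mysql:mysql "$dir"
    if ! verify_copy "$dir.bak" "$dir"; then
        echo "copy differs from $dir.bak, not starting mariadb" >&2; return 1
    fi
    restorecon -R -v "$dir"
    ls -Zd "$dir"                           # expect mysqld_db_t on the mount point
    systemctl start mariadb.service
}

# Constructed stand-in for a data directory, for the offline demonstration.
sample_datadir() {
    d=$(mktemp -d)
    echo data > "$d/ibdata1"
    mkdir "$d/mydb"; echo t > "$d/mydb/t1.frm"
    echo h > "$d/.hidden"                   # dotfile: "cp -p -r *" drops it
    echo "$d"
}

if [ "${1:-}" = "apply" ]; then
    move_mysql_to_zfs "${2:-mysqldata/mysql}"
else
    # No "apply": compare the two copy styles on constructed data only.
    src=$(sample_datadir); good=$(mktemp -d); bad=$(mktemp -d)
    cp -a "$src/." "$good/"
    ( cd "$src" && cp -p -r * "$bad/" )
    verify_copy "$src" "$good" && echo "cp -a copy verified"
    verify_copy "$src" "$bad" || echo "cp -p -r * copy is missing files"
    rm -rf "$src" "$good" "$bad"
fi
```

Run `sh move_mysql_to_zfs.sh apply mysqldata/mysql` on the host; without "apply" it only runs the comparison on temporary directories. Keep /var/lib/mysql.bak until MariaDB has started cleanly and a backup has been taken from the new location.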

Reference: MariaDB Changing Database Location