QEMU

QEMU is a versatile piece of software that has lots of different use cases. Here are some common configurations to (manually…) check.

Emulation mode:
  • throw-away, user-mode/non-accelerated emulation – here are some images

  • KVM guest (incompatible with Xen)

  • Xen HVM guest

User interfaces:
  • virt-manager/libvirt

  • gnome-boxes

  • ProxMox is Debian-based and would be a good test case, but they ship their own modified qemu version

  • Xen xl CLI

Guest systems:
  • GNU/Linux

  • Windows: trial versions of Windows Server ISOs are easily available; pre-installed VMs are also available through modern.ie, with a conversion script; 2012R2 is known to crash with Xen HVM on first boot (Jessie)

Networking card:
  • basic Ethernet emulation

  • VirtIO networking (accelerated)

Networking attachment:
  • slirp user-mode networking (NAT)

  • bridge

Disk types:
  • IDE, SCSI emulation (non-accelerated)

  • VirtIO disk (accelerated, may require drivers ISO)

  • iSCSI client/initiator (you can install tgt on a separate box for a test server/target, and qemu-block-extra)

  • VirtIO crypto

Graphic access:
  • SDL (direct window)

  • VNC (e.g. with vncviewer)

  • Spice (e.g. with virt-manager)

Network Block Device support

QEMU ships a server that makes it possible to export a QEMU disk via NBD.

modprobe nbd
qemu-nbd -v -f qcow2 <image.qcow2>
nbd-client localhost /dev/nbd0

Then mount and test the export.

NBD also supports TLS. Create a certificate authority first:

mkdir -p $HOME/.pki/qemu

certtool --generate-privkey >  $HOME/.pki/qemu/ca-key.pem

cat > $HOME/.pki/qemu/ca.info <<EOF
cn = Debian
ca
cert_signing_key
EOF

certtool --generate-self-signed \
       --load-privkey $HOME/.pki/qemu/ca-key.pem \
       --template $HOME/.pki/qemu/ca.info \
       --outfile $HOME/.pki/qemu/ca-cert.pem

Create a certificate that can be used by a server and a client:

cd $HOME/.pki/qemu

cat > both-host.info <<EOF
country = GB
state = London
locality = City Of London
organization = Name of your organization
cn = host.foo.example.com
dns_name = host
dns_name = host.foo.example.com
ip_address = 127.0.0.1
ip_address = 192.168.122.1
ip_address = 2001:db8:cafe::2
tls_www_server
tls_www_client
encryption_key
signing_key
EOF

certtool --generate-privkey > both-host-key.pem

certtool --generate-certificate \
           --load-ca-certificate ca-cert.pem \
           --load-ca-privkey ca-key.pem \
           --load-privkey both-host-key.pem \
           --template both-host.info \
           --outfile both-host-cert.pem

ln -s both-host-cert.pem server-cert.pem
ln -s both-host-key.pem server-key.pem

ln -s both-host-cert.pem client-cert.pem
ln -s both-host-key.pem client-key.pem

Start the server:

qemu-nbd \
  --object tls-creds-x509,id=tls0,endpoint=server,dir=$HOME/.pki/qemu/ \
  --object 'authz-simple,id=auth0,identity=CN=host.foo.example.com,,O=Name of your organization,,L=City Of London,,ST=London,,C=GB' \
  --tls-creds tls0 --tls-authz auth0 \
  -t -p 10810 -v \
  -f qcow2 <image.qcow2>

nbd-client localhost 10810 /dev/nbd0 -cacertfile $HOME/.pki/qemu/ca-cert.pem -certfile $HOME/.pki/qemu/client-cert.pem -keyfile $HOME/.pki/qemu/client-key.pem

The disk should be available on /dev/nbd0pX.
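
A pre-flight check for the TLS directory built above, as an added example that is not part of the original page. The function names and the check.sh file name are assumptions of this example; the file names checked are the ones the steps above create.

```shell
#!/bin/sh
# Added example, not from the original page: checks for the TLS directory
# created above. File names are the ones the page's steps produce.

# Files that tls-creds-x509 with endpoint=$2 (server|client) loads from
# directory $1 but that are absent.
missing_creds() {
    for f in ca-cert.pem "$2-cert.pem" "$2-key.pem"; do
        [ -e "$1/$f" ] || echo "$f"
    done
}

# Private keys in $1 that group or others can read. A key written with
# `certtool --generate-privkey > file` gets the shell's umask (often 0644).
# -L follows the server-key.pem/client-key.pem symlinks to the real file.
loose_keys() {
    find -L "$1" -maxdepth 1 -type f -name '*-key.pem' \
        \( -perm -040 -o -perm -004 \) | sort
}

# Escape a certificate DN for authz-simple: "," separates properties in
# --object, so every literal comma in the identity must be doubled.
authz_identity() {
    printf '%s\n' "$1" | sed 's/,/,,/g'
}

# Print every finding; return 1 if there is any.
preflight() {
    report=$(missing_creds "$1" "$2" | sed 's/^/missing: /'
             loose_keys "$1" | sed 's/^/key readable by group or others: /')
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}

# Usage: sh check.sh "$HOME/.pki/qemu" server
if [ -n "${1:-}" ]; then
    preflight "$1" "${2:-server}"
fi
```

Any key it reports can be tightened with chmod 600 on the real file (both-host-key.pem, ca-key.pem) before starting qemu-nbd.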

QEMU User Emulation

QEMU makes it possible to run packages for incompatible architectures. QEMU User Emulation is documented at the Debian QemuUserEmulation wiki page.

Common issues

Make sure you reserve enough memory (-m). QEMU’s default is 128M, but the Debian Installer ISO just panics with that amount (512M only gets you buster’s “low-memory” mode).

ASAN build

ASan doesn’t support static builds, so, in addition to the DEB_*FLAGS_APPEND settings, drop qemu-user/qemu-user-static from debian/control and debian/control-in before building.

Copyright (C) 2019, 2020, 2021, 2022, 2023 Sylvain Beucler