myuser
. First of all:
sudo apt install qemu-kvm libvirt-daemon-system libvirt-clients bridge-utils virt-manager ovmf
sudo adduser myuser libvirt
sudo adduser myuser kvm
virsh net-list --all
Name State Autostart Persistent
--------------------------------------------
default active yes yes
/var/lib/libvirt/images
:
mkdir ~/qemu
mkdir ~/qemu/vmpool
virsh pool-define-as --name myuservmpool --type dir --target /home/myuser/qemu/vmpool
virsh pool-build myuservmpool
virsh pool-start myuservmpool
virsh pool-autostart myuservmpool
virsh pool-list
/home/myuser/qemu/vmpool
for ease of finding, but it can be anywhere your user has read permissions.
/var/lib/libvirt/images
. Choose "Select or create custom storage" instead, then select myuservmpool
as pool, then add a new storage file, say 30 GB, called myvm.qcow2
."VM name and hostname: myvm; user: myuservm; password: mypassword"
. Select Chipset "Q35" and firmware "UEFI".
<type arch="x86_64" machine="pc-q35-8.2">hvm</type>
<firmware>
<feature enabled="yes" name="enrolled-keys"/>
<feature enabled="yes" name="secure-boot"/>
</firmware>
virsh destroy myvm
virsh undefine myvm --nvram
virsh vol-delete --pool myuservmpool myvm.qcow2
virsh domrename myvm newvmname
virsh edit newvmname
myvm.qcow2
to newvmname.qcow2
.
virsh pool-refresh myuservmpool
10.0.0.2
in a local network behind a NAT, and make it discoverable from the host for, e.g., SSH access.
virsh domiflist myvm
52:54:00:01:02:03
, write it down somewhere. Then do:
virsh net-list --all
virsh net-destroy default
virsh net-edit default
<network>
  <name>default</name>
  <uuid>LEAVE-UNCHANGED</uuid>
  <forward mode="nat">
    <nat>
      <port start="1024" end="65535"/>
    </nat>
  </forward>
  <bridge name='virbr0' stp='on' delay='0'/>
  <mac address='LEAVE-UNCHANGED'/>
  <ip address='10.0.0.1' netmask='255.255.255.0'>
    <dhcp>
      <range start='10.0.0.128' end='10.0.0.254'/>
      <host mac='52:54:00:01:02:03' ip='10.0.0.2' name='myvm'/>
    </dhcp>
  </ip>
</network>
virsh net-start default
virsh net-autostart default
ping myvm
from a VM in the same network, but not from your host. For this, it is sufficient to create an alias by adding the following line to the host's /etc/hosts
file:
10.0.0.2 myvm
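The same reservation can be added without the net-destroy / net-edit / net-start cycle above, which also takes every other guest on the default network offline for a moment. This is an added example (not from the original post): it reads the guest's MAC from virsh domiflist, validates the address against the page's network layout (gateway .1, dynamic pool .128-.254) and applies the host entry with virsh net-update to both the running network and its saved definition. The domiflist output used in the test is constructed.

```shell
#!/bin/sh
# Added example: reserve a fixed DHCP lease for a guest on a running libvirt network.
# Names (myvm, default, 10.0.0.2) follow the page; everything else is an assumption.

# MAC of the guest interface attached to network $1, read from "virsh domiflist" output on stdin.
mac_from_domiflist() {
    awk -v n="$1" '$3 == n { print $5; exit }'
}

# Accept only a well-formed MAC (six colon-separated hex pairs).
valid_mac() {
    printf '%s\n' "$1" | grep -Eqi '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# Accept a host address in 10.0.0.0/24 that is neither the gateway (.1) nor inside the
# dynamic pool .128-.254 used on the page, so reservations and leases cannot collide.
valid_static_ip() {
    case $1 in 10.0.0.*) ;; *) return 1 ;; esac
    last=${1##*.}
    case $last in ''|*[!0-9]*) return 1 ;; esac
    [ "$last" -ge 2 ] && [ "$last" -le 127 ]
}

# The <host> element libvirt expects inside <dhcp>.
dhcp_host_xml() {
    printf "<host mac='%s' ip='%s' name='%s'/>" "$1" "$2" "$3"
}

# Add the reservation to the live network and to its persistent definition in one step.
reserve_static_ip() {
    dom=$1; net=$2; ip=$3
    mac=$(virsh domiflist "$dom" | mac_from_domiflist "$net")
    valid_mac "$mac" || { echo "no interface of $dom on network $net" >&2; return 1; }
    valid_static_ip "$ip" || { echo "$ip is not a usable static address" >&2; return 1; }
    virsh net-update "$net" add-last ip-dhcp-host "$(dhcp_host_xml "$mac" "$ip" "$dom")" --live --config
}

# Usage: sh reserve_ip.sh myvm default 10.0.0.2   (then let the guest renew its lease)
if [ $# -eq 3 ]; then reserve_static_ip "$@"; fi
```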
sudo apt update && sudo apt upgrade
sudo apt install apt-transport-https
/etc/apt/sources.list
and /etc/apt/sources.list.d
file entries, changing "http" into "https".
sudo apt update
/home/myuser/qemu/shared/myvm
, which we can use to move files from the host to one or more VMs and vice versa. This directory will not be part of the VM's image file; it will be mounted in the VM as external media, so it won't be included in a VM backup: you have to back up its content from the host. For this to work in a secure enough way, we will have to play a lot with Linux permissions.
mkdir ~/qemu/shared
mkdir ~/qemu/shared/myvm
setfacl -m u:libvirt-qemu:--x /home/myuser
setfacl -m u:libvirt-qemu:--x /home/myuser/qemu
setfacl -m u:libvirt-qemu:--x /home/myuser/qemu/shared
setfacl -m u:libvirt-qemu:rwx /home/myuser/qemu/shared/myvm
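The setfacl commands above implement least privilege for the QEMU process: the libvirt-qemu user may only traverse (--x) each ancestor of the share and gets rwx on the share directory alone. The following added example (not from the original post) audits that this is still the case, by parsing getfacl output for each path component; paths follow the page and the getfacl text in the test is constructed.

```shell
#!/bin/sh
# Added example: audit the ACL entries granted to libvirt-qemu along a virtiofs share path.
# The named "user:" entry is what is checked; the directory's mode bits and the ACL mask still
# apply on top of it (getfacl flags a masked entry with "#effective:").

# Permission triple a getfacl dump (stdin) grants USER through a named entry, or "-" if none.
acl_perms_for_user() {
    awk -F: -v u="$1" '
        $1 == "user" && $2 == u && !found { print $3; found = 1 }
        END { if (!found) print "-" }'
}

# Expected entry for one path component: the share itself rwx, every ancestor traverse only.
expected_perms() {
    if [ "$1" = "$2" ]; then echo rwx; else echo --x; fi
}

# $1 = component path, $2 = share root, $3 = getfacl output for $1. Returns 0 when it matches.
check_component() {
    want=$(expected_perms "$1" "$2")
    have=$(printf '%s\n' "$3" | acl_perms_for_user libvirt-qemu)
    if [ "$have" = "$want" ]; then
        echo "ok   $1  libvirt-qemu:$have"
    else
        echo "FAIL $1  libvirt-qemu:$have (expected $want)"; return 1
    fi
}

# Walk from the share up to TOP (the first directory that carries an ACL, /home/myuser on the
# page) and check every component on the live system.
audit_share() {
    share=$1; top=$2; p=$1; rc=0
    while :; do
        check_component "$p" "$share" "$(getfacl -p "$p" 2>/dev/null)" || rc=1
        [ "$p" = "$top" ] && break
        p=$(dirname "$p")
        [ "$p" = "/" ] && break
    done
    return $rc
}

# Usage: sh audit_share.sh /home/myuser/qemu/shared/myvm /home/myuser
if [ $# -eq 2 ]; then audit_share "$1" "$2"; fi
```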
virtiofsd
, a powerful virtual I/O filesystem layer:
sudo apt update
sudo apt install virtiofsd
sudo systemctl restart libvirtd
virtiofs
/home/myuser/qemu/shared/myvm
shared
(This is a "mount tag," not a path. The VM will use this tag to identify the share).
sudo mkdir -p /media/myuservm/Shared
/etc/fstab
:
shared /media/myuservm/Shared virtiofs defaults 0 0
sudo apt install libvirglrenderer1 virgl-server
ls -l /dev/dri/
video
or render
. Add your host user to those groups:
sudo usermod -a -G render $(whoami)
sudo usermod -a -G video $(whoami)
qemu-img resize /home/myuser/qemu/vmpool/myvm.qcow2 +20G
/dev/vda
) and you will see that there is some free space available (the 20 GB you added before). You can use the slider to increase the size of the partition you want up to filling the maximum available space. Then, save the changes.
/dev/vda
as primary boot device. GParted takes care of both increasing the available partition space and expanding the filesystem within, so you should now see the extra 20 GB available in your VM filesystem.
/dev/vda1
) and use the slider to reduce its size by 5 GB. Then, save the changes, switch off the VM, detach the bootable ISO from the CDROM and re-enable /dev/vda
as primary boot device. Do not start the VM yet.
qemu-img resize --shrink /home/myuser/qemu/vmpool/myvm.qcow2 -5G
--shrink
flag is a safety check: it will fail and abort the operation if the new, smaller virtual disk size would cut off the end of any existing partition. This prevents you from accidentally destroying data. For this to work, the value you shrink by on the host (-5G) should match (or be slightly less than) the amount of space you freed up in GParted. If you want to be super-precise and cut the partition at the exact limit of the space provided by the image file, you could use GParted again to enlarge the partition to the maximum so as not to waste any buffer space, but it's generally irrelevant (and unnecessarily complex) since, as said before, .qcow2 files compact unused space.
sudo fstrim /
sudo dd if=/dev/zero of=zero.file bs=1M status=progress
zero.file
and shut down the VM.
df
or du
. For the next step, for safety, you should have at least that amount of available space on the host.
cd /home/myuser/qemu/vmpool
qemu-img convert -p -O qcow2 myvm.qcow2 vmsmall.qcow2
sudo mv myvm.qcow2 myvm.qcow2.bkp
sudo mv vmsmall.qcow2 myvm.qcow2
sudo chown libvirt-qemu:kvm myvm.qcow2
sudo chmod 644 myvm.qcow2
myvm.qcow2.bkp
backup file.
myvm.qcow2
), but it grows as new snapshot data is added. This is often simpler to manage.
rsync
is smart enough to find and transfer only these changed blocks, it has to perform thousands of slow, random read/write operations on the disk. With external snapshots, instead, the changes are written to a new, relatively small, separate file, which is easier and faster to backup.
virsh snapshot-create-as --domain myvm --name internalsnap001 --description "This is a first internal snapshot"
virsh snapshot-create-as --domain myvm --name externalsnap001 --description "This is a first external snapshot" --disk-only --atomic --diskspec vda,file=/home/myuser/qemu/vmpool/myvm.extsnap001.qcow2
sudo chown libvirt-qemu:kvm /home/myuser/qemu/vmpool/myvm.extsnap001.qcow2
myvm.qcow2
):
qemu-img info /home/myuser/qemu/vmpool/myvm.extsnap001.qcow2
virsh domblklist myvm
virsh snapshot-create-as --domain myvm --name externalsnap002 --description "This is a second external snapshot" --disk-only --atomic --diskspec vda,file=/home/myuser/qemu/vmpool/myvm.extsnap002.qcow2
virsh domblklist myvm
virsh snapshot-list myvm
myvm.qcow2
and two incremental snapshot files, myvm.extsnap001.qcow2
(named externalsnap001) and myvm.extsnap002.qcow2
(named externalsnap002, this last one being the active state). Now, to "flatten the chain" of snapshots, we have to merge these files in reverse order, from the latest down to the base file, so first merge externalsnap002 into its parent:
qemu-img commit /home/myuser/qemu/vmpool/myvm.extsnap002.qcow2
virsh snapshot-delete myvm externalsnap002 --metadata
sudo rm /home/myuser/qemu/vmpool/myvm.extsnap002.qcow2
qemu-img commit /home/myuser/qemu/vmpool/myvm.extsnap001.qcow2
virsh snapshot-delete myvm externalsnap001 --metadata
sudo rm /home/myuser/qemu/vmpool/myvm.extsnap001.qcow2
myvm.qcow2
file that has all snapshots committed. You can check this with:
virsh domblklist myvm
virsh snapshot-list myvm
myvm.extsnap002.qcow2
snapshot file, which you deleted. In order to fix this, do the following: In virt-manager, go to the XML tab of your VM, where you can edit by hand the settings. Find this section:
<devices>
  <emulator>/usr/bin/qemu-system-x86_64</emulator>
  <disk type="file" device="disk">
    <driver name="qemu" type="qcow2" discard="unmap"/>
    <source file="/home/myuser/qemu/vmpool/myvm.extsnap002.qcow2"/>
    <target dev="vda" bus="virtio"/>
    <boot order="1"/>
    <address type="pci" domain="0x0000" bus="0x04" slot="0x00" function="0x0"/>
  </disk>
<source file="/home/myuser/qemu/vmpool/myvm.qcow2"/>
virsh blockcommit myvm vda --active --verbose --pivot
git pull
git checkout --orphan tmp-main
git add -A
git commit -m 'Initial commit'
git branch -D main
git branch -m main
git push -f origin main
git branch --set-upstream-to=origin/main main
git gc --aggressive --prune=all
git fetch --all
git reset --hard origin/main
/var/www/mysite.net
. Needless to say, Apache must be configured to support SSL, so at the very minimum do a2enmod ssl
. Added bonus since you're at it: do a2enmod headers
so you can add MIME and XSS protection later. Make sure to only enable strong TLS ciphers (notice: will break compatibility with some older browsers) by making sure these lines appear in /etc/apache2/mods-available/ssl.conf
:
SSLCipherSuite TLS_AES_256_GCM_SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256
SSLCompression off
SSLHonorCipherOrder on
SSLProtocol -all +TLSv1.2 +TLSv1.3
SSLUseStapling on
SSLStaplingCache "shmcb:logs/stapling-cache(150000)"
SSLSessionTickets off
/etc/ssl/letsencrypt/mysite.net
. Finally, make sure that the Apache website entry in /etc/apache2/sites-available/mysite.net.conf
has HTTPS enabled and correctly points to the two (not yet created) files key.pem
and cert.pem
.
<VirtualHost 1.2.3.4:80>
ServerAdmin admin@mysite.net
ServerName www.mysite.net
ServerAlias mysite.net *.mysite.net
# Redirect permanent / https://mysite.net/
DocumentRoot /var/www/mysite.net
<Directory />
Order Deny,Allow
Options -Indexes
AllowOverride None
</Directory>
ErrorLog ${APACHE_LOG_DIR}/error.log
LogLevel warn
CustomLog ${APACHE_LOG_DIR}/access.log combined
Header set X-XSS-Protection "1; mode=block"
Header always append X-Frame-Options DENY
Header set X-Content-Type-Options nosniff
</VirtualHost>
<VirtualHost 1.2.3.4:443>
ServerAdmin admin@mysite.net
ServerName www.mysite.net
ServerAlias mysite.net *.mysite.net
DocumentRoot /var/www/mysite.net
# SSLEngine on
# SSLCertificateKeyFile /etc/ssl/letsencrypt/mysite.net/key.pem
# SSLCertificateFile /etc/ssl/letsencrypt/mysite.net/fullchain.pem
# <If "%{HTTP_HOST} == 'www.mysite.net'">
# Redirect permanent / https://mysite.net/
# </If>
<Directory />
Order Deny,Allow
Options -Indexes
AllowOverride None
</Directory>
ErrorLog ${APACHE_LOG_DIR}/error.log
LogLevel warn
CustomLog ${APACHE_LOG_DIR}/access.log combined
Header set X-XSS-Protection "1; mode=block"
Header always append X-Frame-Options DENY
Header set X-Content-Type-Options nosniff
</VirtualHost>
a2ensite mysite.net
if not already enabled. Now check that the configuration looks OK with apache2ctl configtest
. If everything looks OK you can restart Apache with systemctl restart apache2
. Point your domain name to the server's IP if not done already and make sure that the non-HTTPS version of the website works.
curl https://get.acme.sh | sh -s email=me@whatever.com
acme.sh --set-default-ca --server letsencrypt
acme.sh --issue -d mysite.net -d www.mysite.net -w /var/www/mysite.net --keylength 4096
acme.sh --install-cert -d mysite.net --cert-file /etc/ssl/letsencrypt/mysite.net/cert.pem --key-file /etc/ssl/letsencrypt/mysite.net/key.pem --ca-file /etc/ssl/letsencrypt/mysite.net/ca.cer --fullchain-file /etc/ssl/letsencrypt/mysite.net/fullchain.pem --reloadcmd "systemctl restart apache2"
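Once Apache has been restarted with the SSL engine enabled, it is worth verifying that the hardening above is actually in effect rather than trusting the config file. This added example (not from the original post) checks the three response headers the vhost sets, confirms that TLS 1.0 and 1.1 are refused as "SSLProtocol -all +TLSv1.2 +TLSv1.3" demands, and confirms that the certificate acme.sh installed is not close to expiry; the hostname follows the page and the header dump in the test is constructed.

```shell
#!/bin/sh
# Added example: post-deployment check of the Apache TLS and header hardening from the page.

# Value of header $1 (case-insensitive) in an HTTP response header dump read from stdin; "" if absent.
header_value() {
    awk -v n="$1" '{
        i = index($0, ":")
        if (i && tolower(substr($0, 1, i - 1)) == tolower(n)) {
            v = substr($0, i + 1); sub(/^[ \t]+/, "", v); sub(/\r$/, "", v); print v; exit
        }
    }'
}

# Compare the headers in $1 with what the vhost sets. X-XSS-Protection is a legacy header that
# current browsers ignore; it is checked only because the configuration above sets it.
check_headers() {
    rc=0
    for spec in 'X-Frame-Options=DENY' 'X-Content-Type-Options=nosniff' 'X-XSS-Protection=1; mode=block'; do
        name=${spec%%=*}; want=${spec#*=}
        have=$(printf '%s\n' "$1" | header_value "$name")
        if [ "$have" = "$want" ]; then echo "ok   $name: $have"
        else echo "FAIL $name: '$have' (expected '$want')"; rc=1; fi
    done
    return $rc
}

# Live checks against the deployed host (network access required).
tls_audit() {
    host=$1
    check_headers "$(curl -sI "https://$host/")" || return 1
    for v in tls1 tls1_1; do
        if openssl s_client -connect "$host:443" -servername "$host" "-$v" </dev/null >/dev/null 2>&1; then
            echo "FAIL $v handshake accepted"; return 1
        fi
    done
    # acme.sh renews after 60 days, so a certificate within 14 days of expiry means renewal broke.
    echo | openssl s_client -connect "$host:443" -servername "$host" 2>/dev/null \
        | openssl x509 -noout -checkend 1209600 \
        || { echo "FAIL certificate expires within 14 days"; return 1; }
    echo "ok   TLS below 1.2 refused, certificate valid for more than 14 days"
}

# Usage: sh tls_audit.sh mysite.net
if [ $# -eq 1 ]; then tls_audit "$1"; fi
```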
--reloadcmd
parameter, I guess root is required. Technically speaking, it might not be totally necessary, but I'm afraid it will make autorenewal fail. Well, let's see what happens after 60 days, we'll find out. (UPDATE 2022-11-09: I still haven't figured out whether it works or not, because in the meantime I had to restart Apache manually a couple of times, so I'm still not 100% sure.)
/etc/apache2/sites-available/mysite.net.conf
so as to enable the SSL engine (these lines will remove the non-HTTPS version of the website because it's 2023 now), then reload Apache with systemctl restart apache2
et voilà!
cryptfs
command, whose syntax has changed.
su
vdc cryptfs changepw TYPEOFNEWPASSWORD OLDPASSWORD NEWPASSWORD
TYPEOFNEWPASSWORD
can be any of password, pin, pattern
(if you use a pattern, match the position of the dots with corresponding numbers on keypad to obtain a numeric string)
sudo su
lsblk -o name,uuid,mountpoint
/etc/fstab
or /etc/crypttab
. I assume you are a pr0 and this is not your case. Then, identify the boot and encrypted partitions on your hard drive, and unmount them if not already unmounted. For the following we assume:
cryptsetup open /dev/sda3 sda3_crypt
mount /dev/mapper/sda3_crypt /mnt
mount /dev/sda2 /mnt/boot
mount /dev/sda1 /mnt/boot/efi
mount --bind /dev /mnt/dev
mount --bind /proc /mnt/proc
mount --bind /sys /mnt/sys
mount --bind /run /mnt/run
chroot /mnt
firmware-linux
removed the warnings. So, check that you have a network connection in the chrooted system (if necessary, edit resolv.conf to add a DNS server). Edit /etc/apt/sources.list
and make sure that there are the following two lines:
deb http://deb.debian.org/debian/ sid main contrib non-free
deb-src http://deb.debian.org/debian/ sid main contrib non-free
apt update
apt upgrade
depmod `uname -r`
cd /boot
and ls -Al
. You will see a bunch of files, for example:
total 107976
drwxr-xr-x 5 root root 4096 Jul 26 08:15 ./
drwxr-xr-x 24 root root 4096 Jul 21 21:39 ../
-rw-r--r-- 1 root root 206118 Mar 15 03:16 config-4.19.0-4-amd64
-rw-r--r-- 1 root root 206213 Jul 19 00:23 config-4.19.0-5-amd64
drwx------ 3 root root 4096 Jan 1 1970 efi/
drwxr-xr-x 5 root root 4096 Jul 23 20:54 grub/
-rw-r--r-- 1 root root 40260505 May 1 13:57 initrd.img-4.19.0-4-amd64
-rw-r--r-- 1 root root 52681191 Jul 26 08:15 initrd.img-4.19.0-5-amd64
drwx------ 2 root root 16384 Jan 10 2019 lost+found/
-rw-r--r-- 1 root root 3365519 Mar 15 03:16 System.map-4.19.0-4-amd64
-rw-r--r-- 1 root root 3371003 Jul 19 00:23 System.map-4.19.0-5-amd64
-rw-r--r-- 1 root root 5213424 Mar 15 03:16 vmlinuz-4.19.0-4-amd64
-rw-r--r-- 1 root root 5217520 Jul 19 00:23 vmlinuz-4.19.0-5-amd64
4.19.0-5-amd64
, so in this case do:
depmod 4.19.0-5-amd64
update-initramfs -u
dpkg-reconfigure locales
(then select `update all`, which will take some minutes, and then redo update-initramfs -u)
update-grub
grub-install /dev/sda
exit
umount /mnt/boot/efi
umount /mnt/boot
umount /mnt
fsck -f /dev/mapper/sda3_crypt
cryptsetup close sda3_crypt
exit
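The rescue procedure above as one script, as an added example that is not part of the original post. It spells the unmount command correctly (umount), runs fsck on the device-mapper node, undoes the bind mounts in reverse order, and derives the kernel version to pass to depmod from the vmlinuz-* files in /boot instead of reading it off the listing by hand, ordering versions numerically so that e.g. -10 sorts after -9. Device names follow the page (sda1 EFI, sda2 boot, sda3 LUKS root); the listing used in the test is constructed.

```shell
#!/bin/sh
# Added example: chroot into a LUKS-encrypted Debian root from a live system and clean up after.
# Run as root. Assumes the partition layout used on the page.

# Newest kernel version among the vmlinuz-* names in an "ls" listing read from stdin.
latest_kernel_version() {
    awk '{
        for (i = 1; i <= NF; i++) if ($i ~ /^vmlinuz-/) {
            v = substr($i, 9)            # strip "vmlinuz-"
            n = split(v, p, /[.-]/)      # 4.19.0-5-amd64 -> 4 19 0 5 amd64
            print p[1], p[2], p[3], p[4], v
        }
    }' | sort -k1,1n -k2,2n -k3,3n -k4,4n | tail -n 1 | awk '{ print $5 }'
}

# Open the encrypted root, mount root/boot/EFI under /mnt, bind the runtime filesystems,
# chroot, and on return undo everything in reverse order before checking the filesystem.
rescue_chroot() {
    root_dev=$1; boot_dev=$2; efi_dev=$3; name=${4:-sda3_crypt}
    cryptsetup open "$root_dev" "$name" || return 1
    mount "/dev/mapper/$name" /mnt || return 1
    mount "$boot_dev" /mnt/boot
    mount "$efi_dev" /mnt/boot/efi
    for fs in dev proc sys run; do mount --bind "/$fs" "/mnt/$fs"; done
    # Give the chroot DNS if the installed system has none, so apt works inside it.
    [ -s /mnt/etc/resolv.conf ] || cp /etc/resolv.conf /mnt/etc/resolv.conf
    kver=$(ls -Al /mnt/boot | latest_kernel_version)
    echo "newest installed kernel: $kver  (inside the chroot: depmod $kver; update-initramfs -u)"
    chroot /mnt
    for fs in run sys proc dev; do umount "/mnt/$fs"; done
    umount /mnt/boot/efi
    umount /mnt/boot
    umount /mnt
    fsck -f "/dev/mapper/$name"
    cryptsetup close "$name"
}

# Usage (as root, from a live system): sh rescue.sh /dev/sda3 /dev/sda2 /dev/sda1
if [ $# -ge 3 ]; then rescue_chroot "$@"; fi
```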