Kernel-based Virtual Machine (KVM) is rapidly becoming the most popular open-source virtualization technology on Linux. As per the latest Linux Foundation Report, over 80% of virtualized Linux production workloads now run on KVM compared to proprietary solutions:
With full hardware virtualization support now available on most modern Linux platforms, KVM delivers exceptional performance while being tightly integrated with the Linux ecosystem.
In this comprehensive guide, we will go through the process of setting up a high-performance KVM virtualization stack on Ubuntu 20.04 specifically for production workloads.
KVM Architecture Overview
To understand how to best optimize KVM for resources and security, we need to first understand how it works under the hood.
The main components that make up KVM virtualization include:
-
KVM Kernel Module – This loads the
kvm.kokernel module that enables core virtualization functionality. -
QEMU – User-space component that handles emulation of virtual hardware like disk, network, GPU that allow VMs to function.
-
Libvirt – Provides a common layer to manage VMs using virsh and libvirt APIs across different hypervisors including Xen, VMWare.
So when you run a VM, the guest operating system talks to virtual devices emulated by QEMU. But the actual execution runs on the host machine‘s physical CPU managed by KVM to achieve native performance. This architecture is shown below:
The CPU and memory are shared efficiently between multiple guests in a secure isolated manner. Linux itself acts as the hypervisor for managing VM access to host resources.
Prerequisites
Before installing KVM, make sure your Ubuntu 20.04 system meets the minimum recommended requirements:
-
4 cores x86-64 CPU – Modern processors like Intel i5/i7 or AMD Ryzen with AMD-V/VT-x hardware virtualization enabled. More cores allow you to allocate more VCPUs to guest VMs.
-
8 GB RAM – At least 2 GB free RAM should be there for guest VMs to operate smoothly. RAM can be overcommitted up to 4x times depending on workload.
-
20 GB Free Storage – Will be used for virtual disk images for guest OS and applications. SSD storage highly recommended for optimal performance. Network attached storage can also be used.
You can verify hardware virtualization support on your processor using:
egrep -c ‘(vmx|svm)‘ /proc/cpuinfoThis will return 1 or more lines indicating the available extensions.
Step 1 – Install KVM Packages
Update Ubuntu package index before installing KVM:
sudo apt updateNow install the core virtualization components which include:
qemu-kvm– Kernel-based VM emulator and processor modulelibvirt-bin– Management tools for managing virtualization hostsvirt-manager– Desktop user interface for creating and managing VMs
sudo apt install qemu-kvm libvirt-bin virt-manager virt-viewerAdditional important tools include:
virt-install– Command line tool for creating new VMsvirt-top– CLI utility to monitor VM CPU/memory usagevirt-sysprep– To customize and clone existing VMs
Install them as follows:
sudo apt install virt-install virt-top virt-sysprepThat completes our base KVM software installation!
Step 2 – Configure Network Bridges
Networking plays a major role in allowing virtual machines access to LAN and WAN connectivity.
The default networking configuration provides a private NAT setup for VMs. But for better flexibility and performance, we will create Linux Ethernet bridges to map VM ports to physical network interfaces.
First, enable IP forwarding in the host kernel:
echo 1 > /proc/sys/net/ipv4/ip_forwardDefine a new bridge interface br0 and assign the primary network interface (usually eno1 or eth0) as a port member:
cat >> /etc/network/interfaces <<EOF
auto br0
iface br0 inet dhcp
bridge_ports eno1
bridge_stp off
bridge_fd 0
EOFReboot the server or restart networking services for changes to apply:
sudo systemctl restart networkingThe host machine and subsequently all VMs configured with this bridge will now have access to the same external connectivity of the wired LAN.
You can create multiple bridge interfaces bound to different NICs or subnets if required.
Step 3 – Storage Configuration
KVM virtual machines require virtual disk images to store the guest OS filesystem and data. These images can reside on the host machine disk, external storage like iSCSI/NFS mounts or SAN volumes.
Some recommendations for best performance:
- Use QCOW2 image format – Provides compression, copy-on-write, encryption and snapshots
- Locate images on SSD storage – Minimize disk latency especially for I/O intensive workloads
- Size images appropriately – Avoid thin provisioning to prevent out of space errors
- Leverage LVM volumes – Create logical volumes with thinpools to efficiently allocate storage
First create a dedicated volume group (VG) using LVM to store VM images:
sudo vgcreate vms /dev/sda3Now create a thinpool logical volume (LV) within it. A thinpool allows you to allocate storage on-demand from this pool to minimize wasted space:
sudo lvcreate -L 500G --thinpool vmsYou can monitor free space in the pool by checking LV VG size:
sudo lvsWith this storage backend ready, we can now create VMs using space from the vms thin pool as needed.
Step 4 – Create KVM Virtual Machine
Let‘s launch an Ubuntu 20.04 server VM leveraging the storage and networking created earlier.
Use qemu-img to allocate a 30GB disk image from the LVM thin pool:
sudo qemu-img create -f qcow2 /dev/vms/ubuntu-vm1.img 30GNow install Ubuntu server with virt-install using bridges networking and console access:
sudo virt-install \
--name ubuntu-vm1 \
--memory 4096 \
--vcpus=2 \
--disk /dev/vms/ubuntu-vm1.img,format=qcow2 \
--network bridge=br0 \
--graphics none \
--extra-args ‘console=tty0 console=ttyS0‘ \
--os-type linux \
--os-variant ubuntu20.04Follow the prompts to complete OS installation. The VM will have native network connectivity through br0 bridge interface to transfer install files.
You can monitor resource usage in real-time using virt-top:
sudo virt-top --domain ubuntu-vm1Also check VM logs through libvirt logs:
sudo tail -f /var/log/libvirt/qemu/ubuntu-vm1.logThat completes the deployment and you will have an Ubuntu 20.04 server VM running on KVM!
Security Best Practices
Since KVM deals with virtualized hardware access, it is important to secure the environment against breaches with best practices:
- Restrict KVM management to dedicated admin groups using libvirt ACLs instead of root access
- Leverage TLS certificates for traffic encryption between libvirt and clients
- Use SELinux/AppArmor mandatory access controls to lock down QEMU processes
- Enable virsh two-factor authentication using SASL for admin actions
- Integrate compute nodes with central RBAC directory services like LDAP
- Isolate VM networks using firewall rules, bridge interfaces and VLANs
- Regularly audit VM host kern.log logs and access logs in
/var/log/libvirtfor anomalies
Here is an example libvirtd configuration enforcing read-only access:
<libvirtd_opts>
<listen_tls>0</listen_tls>
<listen_tcp>1</listen_tcp>
<tls_no_verify_certificate>1</tls_no_verify_certificate>
<auth_tcp>
<acl check=‘write‘ deny=‘all‘/>
</auth_tcp>
</libvirtd_opts>Automation and Infrastructure Management
While KVM itself is very lightweight, managing even a few dozen server, storage and network resources manually becomes complex.
This is where infrastructure automation and configuration management systems like Ansible, Terraform and Cloudinit come in.
For example, you can configure an Ansible playbook to build KVM compute machines from scratch including:
- Install necessary packages
- Compile and set sysctl tunables
- Construct libvirtd authorization policies
- Launch bridge interfaces
- Allocate and mount LVM thinpools
Then utilize Terraform to declaratively spin up new Ubuntu VMs while dynamically binding to next available VLANs and disk volumes.
You can even launch an autoscaling group of short-lived Jenkins build agents using ephemeral VMs under peak CI workload through code.
This infrastructure-as-code approach translates to a very agile and self-serve environment.
Comparison with Other Solutions
Here is how KVM compares to other popular hypervisor platforms:
| Feature | KVM | Xen | VMWare vSphere |
|---|---|---|---|
| Open source license | Yes | Partial | No |
| Cost | Free | Free hyperviseor cost | Expensive licensing |
| Ecosystem support | Excellent | Limited | Broad |
| Performance | Near bare-metal | Para-virtualization overhead | Hypervisor tax |
| Cloud integration | AWS, Google Cloud, Azure | AWS | VMWare cloud only |
| Resource sharing | Excellent | Good | Great |
| Live migration | Supported | Supported | Mature solution |
| Storage interfacing | Multiple backends | More limited | Advanced features |
| Learning curve | Medium | High | Complex |
As shown above, KVM strikes a nice balance of cost, performance and rich functionality while tightly integrating with Linux.
Conclusion
I hope this guide gave you a comprehensive overview of installing KVM virtualization on an Ubuntu host and configuring it for best performance and security based on industry best practices.
Some key takeaways include:
- Create bridge interfaces for guest VM networking to retain native host NIC speeds
- Leverage LVM thin volumes for right-sized storage allocation
- Follow locking down compute hosts for attack surface minimization
- Automate infrastructure deployment for efficient management at scale
- Evaluate KVM to avoid expensive proprietary hypervisor licensing costs
KVM is quickly becoming the virtualization technology of choice for Linux based environments. Its tight integration with the Linux ecosystem and great support for cloud platforms makes it an ideal solution.
Let me know if you have any other questions!
