Fedora Server - Virtualization Host - Nvidia passthrough
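#!/usr/bin/env bash
# Fedora 31 Server Edition - Virtualization Host
#
# Turns a fresh Fedora Server install into a KVM/libvirt host with a bridged
# uplink (br0) and VFIO passthrough of a discrete NVIDIA GPU. Run it once as a
# user with sudo rights; it reboots the machine at the end.
#
# Site-specific values live in the block below and can be overridden through
# the environment (e.g. UPLINK_IFACE=eno1 ./setup.sh) so the body needs no edits.
set -euo pipefail

# --- Site configuration -----------------------------------------------------
# Physical uplink that is enslaved to br0 (see `ip link`).
readonly UPLINK_IFACE=${UPLINK_IFACE:-enp6s0}
# Names written to /etc/hosts; HOST_FQDN is also the libvirt DNS domain.
# Must not contain ';', '&' or '\' (used unescaped inside a sed replacement).
readonly HOST_FQDN=${HOST_FQDN:-virtualization-host.intra.example.net}
readonly HOST_SHORT=${HOST_SHORT:-virtualization-host}
# PCI vendor:device ids bound to vfio-pci (GPU plus its HDMI audio function);
# look yours up with `lspci -nn`. The defaults correspond to:
#   0b:00.0 VGA compatible controller [0300]: NVIDIA Corporation GP102 [GeForce GTX 1080 Ti] [10de:1b06] (rev a1) (prog-if 00 [VGA controller])
#   0b:00.1 Audio device [0403]: NVIDIA Corporation GP102 HDMI Audio Controller [10de:10ef] (rev a1)
readonly VFIO_IDS=${VFIO_IDS:-10de:1b06,10de:10ef}

# The IOMMU kernel parameter and the kvm module options depend on the CPU
# vendor; detect it here instead of asking the operator to edit lines by hand.
cpu_vendor=$(awk -F': *' '/^vendor_id/ { print $2; exit }' /proc/cpuinfo)
case "$cpu_vendor" in
  GenuineIntel) iommu_arg=intel_iommu=on ;;
  AuthenticAMD) iommu_arg=amd_iommu=on ;;
  *)
    printf 'unsupported CPU vendor "%s"; set iommu_arg manually\n' "$cpu_vendor" >&2
    exit 1
    ;;
esac
readonly cpu_vendor iommu_arg

# --- Packages ---------------------------------------------------------------
sudo dnf remove -y plymouth
# Upgrade packages
sudo dnf upgrade -y
# Install virtualization group
sudo dnf groupinstall -y "Virtualization"
# Tooling; the three original install calls (with git/lsof/rsync listed twice)
# are folded into one.
sudo dnf install -y \
  net-tools \
  wget \
  rsync \
  git \
  lsof \
  kernel-tools \
  virt-top \
  atop \
  iotop \
  htop \
  vim \
  hdparm \
  libguestfs-tools \
  iperf \
  tcpdump \
  fail2ban

# Allow non-root access to tcpdump[1]
# NOTE: a file capability applies to every local user who can execute the
# binary, not only the admin; tighten the binary's group/mode if that is too broad.
sudo setcap cap_net_raw,cap_net_admin=eip /usr/sbin/tcpdump

# Add user to virtualization groups (-a keeps the existing supplementary groups)
sudo usermod -aG libvirt,kvm "$(id -un)"

# --- Host naming and networking ---------------------------------------------
# Create proper hosts file. Skip the insert when the entry already exists so a
# re-run does not stack duplicates at the top of the file.
if ! grep -qFw -- "$HOST_FQDN" /etc/hosts; then
  sudo sed -i "1s;^;192.168.122.1 ${HOST_FQDN} ${HOST_SHORT}\n;" /etc/hosts
fi

# How can i prevent chronyd to listen on IPv6 socket? [2]
sudo sed -i 's/OPTIONS=""/OPTIONS="-4"/' /etc/sysconfig/chronyd

# Setup bridge interface: the uplink stops doing DHCP and is enslaved to br0.
sudo sed -i 's/BOOTPROTO=dhcp/BOOTPROTO=none\nBRIDGE=br0/' \
  "/etc/sysconfig/network-scripts/ifcfg-${UPLINK_IFACE}"

# Configure the bridge and use libvirt dnsmasq as primary DNS server (for the default network).
# Replace the bracketed placeholders with the host's addressing before running.
sudo tee /etc/sysconfig/network-scripts/ifcfg-br0 > /dev/null << 'EOF'
DEVICE="br0"
TYPE=BRIDGE
ONBOOT=yes
BOOTPROTO="static"
IPADDR=[IP ADDRESS]
NETMASK=[NETMASK]
BROADCAST=[BROADCAST ADDRESS]
NETWORK=[NETWORK]
GATEWAY=[GATEWAY]
PEERDNS=no
DNS1=192.168.122.1
DNS2=[SECONDARY DNS]
EOF

# Set default libvirt uri (guarded so re-runs do not append it again)
if ! grep -q 'LIBVIRT_DEFAULT_URI' ~/.bashrc; then
  printf 'export LIBVIRT_DEFAULT_URI="qemu:///system"\n' >> ~/.bashrc
fi

# --- Boot loader and kernel modules -----------------------------------------
# Goodbye grub menu, remove resume, set proper kernel arguments
# pcie_acs_override=downstream for whoever needs it
# Depending on the motherboard you may only need this: rd.driver.pre=vfio-pci
sudo sed -i \
  -e 's/GRUB_TIMEOUT=5/GRUB_TIMEOUT=0/' \
  -e 's/resume=[^ ]* //' \
  -e "s/quiet/quiet ${iommu_arg} rd.driver.pre=vfio-pci video=efifb:off/" \
  /etc/default/grub
# Update grub; the config path differs between EFI and legacy BIOS boots.
if [[ -d /sys/firmware/efi ]]; then
  sudo grub2-mkconfig -o /boot/efi/EFI/fedora/grub.cfg
else
  sudo grub2-mkconfig -o /boot/grub2/grub.cfg
fi

# Disable IPv6
# echo "net.ipv6.conf.all.disable_ipv6 = 1" | sudo tee -a /etc/sysctl.conf > /dev/null

# Add vfio drivers to initramfs
sudo tee /etc/dracut.conf.d/vfio.conf > /dev/null << 'EOF'
add_drivers+="vfio vfio_iommu_type1 vfio_pci vfio_virqfd"
EOF

# Enable nested virtualization by uncommenting the vendor's line in kvm.conf.
# npt= and avic= are kvm_amd parameters; kvm_intel does not accept them and
# would fail to load with them, so the Intel line only gets uncommented.
case "$cpu_vendor" in
  AuthenticAMD) sudo sed -i 's/#options kvm_amd/options kvm_amd npt=1 avic=1 /' /etc/modprobe.d/kvm.conf ;;
  GenuineIntel) sudo sed -i 's/#options kvm_intel/options kvm_intel /' /etc/modprobe.d/kvm.conf ;;
esac

# Configure vfio to control devices (ids come from VFIO_IDS above)
sudo tee /etc/modprobe.d/vfio.conf > /dev/null << EOF
options vfio-pci ids=${VFIO_IDS}
EOF

# Update initramfs
sudo dracut -f --regenerate-all

# --- libvirt default network ------------------------------------------------
# Configure default network to automate DNS updates[3]
sudo systemctl start libvirtd
# The stock network may be inactive or already gone; neither case should abort
# the script under set -e. A stale definition still fails loudly at net-define.
sudo virsh net-destroy default || true
sudo virsh net-undefine default || true
# Definition goes through a private temp file that is removed on any exit path
# instead of a fixed name in the current directory.
net_xml=$(mktemp) || { printf 'mktemp failed\n' >&2; exit 1; }
trap 'rm -f -- "$net_xml"' EXIT
cat > "$net_xml" << EOF
<network>
  <name>default</name>
  <forward mode='nat'>
    <nat>
      <port start='1024' end='65535'/>
    </nat>
  </forward>
  <bridge name='virbr0' stp='on' delay='0'/>
  <domain name='${HOST_FQDN}' localOnly='no'/>
  <ip address='192.168.122.1' netmask='255.255.255.0'>
    <dhcp>
      <range start='192.168.122.2' end='192.168.122.254'/>
    </dhcp>
  </ip>
</network>
EOF
sudo virsh net-define "$net_xml"
sudo virsh net-start default
sudo virsh net-autostart default

# --- Fail2ban ---------------------------------------------------------------
# Write the jail before the first start so the sshd jail is active immediately
# rather than only after the reboot.
sudo tee /etc/fail2ban/jail.local > /dev/null << 'EOF'
[DEFAULT]
bantime = 3600
[sshd]
enabled = true
EOF
sudo systemctl enable --now fail2ban

# Troubleshoot
## SElinux <3[4]
## After changes in boot/ images
# sudo restorecon -R -v /var/lib/libvirt/boot/
# sudo restorecon -R -v /var/lib/libvirt/images/
#
## Check attributes
# ls -lasZ /var/lib/libvirt/boot/
# ls -lasZ /var/lib/libvirt/images/

# References
# [1] https://access.redhat.com/solutions/131583
# [2] https://access.redhat.com/solutions/2026723
# [3] https://m0dlx.com/blog/Automatic_DNS_updates_from_libvirt_guests.html
# [4] https://docs-old.fedoraproject.org/en-US/Fedora/13/html/Virtualization_Guide/sect-Virtualization-Security_for_virtualization-SELinux_and_virtualization.html

sudo reboot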
X570 AORUS XTREME (rev. 1.0)