qemu-img Invocation
qemu-nbd Invocation
QEMU is a FAST! processor emulator using dynamic translation to achieve good emulation speed.
QEMU has the following features:
QEMU user mode emulation has the following features:
QEMU full system emulation has the following features:
The QEMU PC System emulator simulates the following peripherals:
SMP is supported with up to 255 CPUs.
QEMU uses the PC BIOS from the Seabios project and the Plex86/Bochs LGPL VGA BIOS.
QEMU uses YM3812 emulation by Tatsuyuki Satoh.
QEMU uses GUS emulation (GUSEMU32 http://www.deinmeister.de/gusemu/) by Tibor "TS" Schütz.
Note that, by default, GUS shares IRQ(7) with parallel ports and so QEMU must be told to not have parallel ports to have working GUS.
qemu-system-i386 dos.img -soundhw gus -parallel none
Alternatively:
qemu-system-i386 dos.img -device gus,irq=5
Or some other unclaimed IRQ.
CS4231A is the chip used in Windows Sound System and GUSMAX products
Download and uncompress the linux image (linux.img) and type:
qemu-system-i386 linux.img
Linux should boot and give you a prompt.
qemu-system-i386 [options] [disk_image]
disk_image is a raw hard disk image for IDE hard disk 0. Some targets do not need a disk image.
-machine help to list
available machines.
For architectures which aim to support live migration compatibility across releases, each release will introduce a new versioned machine type. For example, the 2.8.0 release introduced machine types “pc-i440fx-2.8” and “pc-q35-2.8” for the x86_64/i686 architectures.
To allow live migration of guests from QEMU version 2.8.0, to QEMU version 2.9.0, the 2.9.0 version must support the “pc-i440fx-2.8” and “pc-q35-2.8” machines too. To allow users live migrating VMs to skip multiple intermediate releases when upgrading, new releases of QEMU will support machine types from many previous versions.
Supported machine properties are:
-cpu help for list and additional feature selection)
Legacy VCPU assignment uses `cpus' option where firstcpu and lastcpu are CPU indexes. Each `cpus' option represent a contiguous range of CPU indexes (or a single VCPU if lastcpu is omitted). A non-contiguous set of VCPUs can be represented by providing multiple `cpus' options. If `cpus' is omitted on all nodes, VCPUs are automatically split between them.
For example, the following option assigns VCPUs 0, 1, 2 and 5 to a NUMA node:
-numa node,cpus=0-2,cpus=5
`cpu' option is a new alternative to `cpus' option which uses `socket-id|core-id|thread-id' properties to assign CPU objects to a node using topology layout properties of CPU. The set of properties is machine specific, and depends on used machine type/`smp' options. It could be queried with `hotpluggable-cpus' monitor command. `node-id' property specifies node to which CPU object will be assigned, it's required for node to be declared with `node' option before it's used with `cpu' option.
For example:
-M pc \
-smp 1,sockets=2,maxcpus=2 \
-numa node,nodeid=0 -numa node,nodeid=1 \
-numa cpu,node-id=0,socket-id=0 -numa cpu,node-id=1,socket-id=1
`mem' assigns a given RAM amount to a node. `memdev' assigns RAM from a given memory backend device to a node. If `mem' and `memdev' are omitted in all nodes, RAM is split equally between them.
`mem' and `memdev' are mutually exclusive. Furthermore, if one node uses `memdev', all of them have to use it.
source and destination are NUMA node IDs. distance is the NUMA distance from source to destination. The distance from a node to itself is always 10. If any pair of nodes is given a distance, then all pairs must be given distances. Although, when distances are only given in one direction for each pair of nodes, then the distances in the opposite directions are assumed to be the same. If, however, an asymmetrical pair of distances is given for even one node pair, then all node pairs must be provided distance values for both directions, even when they are symmetrical. When a node is unreachable from another node, set the pair's distance to 255.
Note that the -numa option doesn't allocate any of the
specified resources, it just assigns existing resources to NUMA
nodes. This means that one still has to use the -m,
-smp options to allocate RAM and VCPUs respectively.
You can open an image using pre-opened file descriptors from an fd set:
qemu-system-i386
-add-fd fd=3,set=2,opaque="rdwr:/path/to/file"
-add-fd fd=4,set=2,opaque="rdonly:/path/to/file"
-drive file=/dev/fdset/2,index=0,media=disk
qemu-system-i386 -global ide-hd.physical_block_size=4096 disk-image.img
In particular, you can use this to set driver properties for devices which are created automatically by the machine model. To create a device which is not created automatically and set properties on it, use -device.
-global driver.prop=value is shorthand for -global
driver=driver,property=prop,value=value. The
longhand syntax works even when driver contains a dot.
Interactive boot menus/prompts can be enabled via menu=on as far as firmware/BIOS supports them. The default is non-interactive boot.
A splash picture could be passed to bios, enabling user to show it as logo, when option splash=sp_name is given and menu=on, If firmware/BIOS supports them. Currently Seabios for X86 system support it. limitation: The splash file could be a jpeg file or a BMP file in 24 BPP format(true color). The resolution should be supported by the SVGA mode, so the recommended is 320x240, 640x480, 800x640.
A timeout could be passed to bios, guest will pause for rb_timeout ms when boot failed, then reboot. If rb_timeout is '-1', guest will not reboot, qemu passes '-1' to bios by default. Currently Seabios for X86 system support it.
Do strict boot via strict=on as far as firmware/BIOS supports it. This only effects when boot priority is changed by bootindex options. The default is non-strict boot.
# try to boot from network first, then from hard disk
qemu-system-i386 -boot order=nc
# boot from CD-ROM first, switch back to default order after reboot
qemu-system-i386 -boot once=d
# boot with a splash picture for 5 seconds.
qemu-system-i386 -boot menu=on,splash=/root/boot.bmp,splash-time=5000
Note: The legacy format '-boot drives' is still supported but its
use is discouraged as it may be removed from future versions.
For example, the following command-line sets the guest startup RAM size to 1GB, creates 3 slots to hotplug additional memory and sets the maximum memory the guest can reach to 4GB:
qemu-system-x86_64 -m 1G,slots=3,maxmem=4G
If slots and maxmem are not specified, memory hotplug won't
be enabled and the guest startup RAM will never increase.
fr for
French). This option is only needed where it is not easy to get raw PC
keycodes (e.g. on Macs, with some X11 servers or with a VNC or curses
display). You don't normally need to use it on PC/Linux or PC/Windows
hosts.
The available layouts are:
ar de-ch es fo fr-ca hu ja mk no pt-br sv
da en-gb et fr fr-ch is lt nl pl ru th
de en-us fi fr-be hr it lv nl-be pt sl tr
The default is en-us.
in|out..
You can set the input's property with in.prop and the
output's property with out.prop. For example:
-audiodev alsa,id=example,in.frequency=44110,out.frequency=8000
-audiodev alsa,id=example,out.channels=1 # leaves in.channels unspecified
Valid global options are:
s8, s16, s32, u8,
u16, u32. Default is s16.
ALSA specific options are:
default.
Core Audio specific options are:
DirectSound specific options are:
OSS specific options are:
/dev/dsp.
buffer and buffer-count. This option is
ignored if you do not have OSS 4. Default is 5.
PulseAudio specific options are:
-spice and automatically selected in that case, so usually you
can ignore this option. This backend has no backend specific
properties.
Backend specific options are:
qemu.wav.
qemu-system-i386 -soundhw sb16,adlib disk.img
qemu-system-i386 -soundhw es1370 disk.img
qemu-system-i386 -soundhw ac97 disk.img
qemu-system-i386 -soundhw hda disk.img
qemu-system-i386 -soundhw all disk.img
qemu-system-i386 -soundhw help
Note that Linux's i810_audio OSS kernel (for AC97) module might require manually specifying clocking.
modprobe i810_audio clocking=48000
-device help and
-device driver,help.
Some drivers are:
The IPMI slave address to use for the BMC. The default is 0x20. This address is the BMC's address on the I2C network of management controllers. If you don't know what this means, it is safe to ignore it.
A connection is made to an external BMC simulator. If you do this, it is strongly recommended that you use the "reconnect=" chardev option to reconnect to the simulator if the connection is lost. Note that if this is not used carefully, it can be a security issue, as the interface has the ability to send resets, NMIs, and power off the VM. It's best if QEMU makes a connection to an external simulator running on a secure port on localhost, so neither the simulator nor QEMU is exposed to any outside network.
See the "lanserv/README.vm" file in the OpenIPMI library for more
details on the external interface.
Options that expect a reference to another node (e.g. file) can be
given in two ways. Either you specify the node name of an already existing node
(file=node-name), or you define a new node inline, adding options
for the referenced node after a dot (file.filename=path,file.aio=native).
A block driver node created with -blockdev can be used for a guest
device by specifying its node name for the drive property in a
-device argument that defines a block device.
drivernode-nameIf no node name is specified, it is automatically generated. The generated node
name is not intended to be predictable and changes between QEMU invocations.
For the top level, an explicit node name must be specified.
read-onlycache.directcache.no-flushdiscard=discarddiscard (also known as trim or unmap) requests are
ignored or passed to the filesystem. Some machine types may not support
discard requests.
detect-zeroes=detect-zeroesunmap operation.
filefilenameaiolocking -blockdev driver=file,node-name=disk,filename=disk.img
rawfile.
filefile driver node)
-blockdev driver=file,node-name=disk_file,filename=disk.img
-blockdev driver=raw,node-name=disk,file=disk_file
Example 2:
-blockdev driver=raw,node-name=disk,file.driver=file,file.filename=disk.img
qcow2file.
filefile driver node)
backingnull here in order to disable
the default backing file.
lazy-refcountscache-sizel2-cache-sizerefcount-cache-sizecache-clean-intervalpass-discard-requestpass-discard-snapshotpass-discard-otheroverlap-checkblockdev-add.
Example 1:
-blockdev driver=file,node-name=my_file,filename=/tmp/disk.qcow2
-blockdev driver=qcow2,node-name=hda,file=my_file,overlap-check=none,cache-size=16777216
Example 2:
-blockdev driver=qcow2,node-name=disk,file.driver=http,file.filename=http://example.com/image.qcow2
blockdev-add QMP command.
-drive accepts all options that are accepted by -blockdev. In addition, it knows the following options:
Special files such as iSCSI devices can be specified using protocol
specific URLs. See the section for "Device URL Syntax" for more information.
│ cache.writeback cache.direct cache.no-flush
─────────────┼─────────────────────────────────────────────────
writeback │ on off off
none │ on on off
writethrough │ off off off
directsync │ off on off
unsafe │ on off on
The default mode is cache=writeback.
By default, the cache.writeback=on mode is used. It will report data writes as completed as soon as the data is present in the host page cache. This is safe as long as your guest OS makes sure to correctly flush disk caches where needed. If your guest OS does not handle volatile disk write caches correctly and your host crashes or loses power, then the guest may experience data corruption.
For such guests, you should consider using cache.writeback=off. This means that the host page cache will be used to read and write data, but write notification will be sent to the guest only after QEMU has made sure to flush each write to the disk. Be aware that this has a major impact on performance.
When using the -snapshot option, unsafe caching is always used.
Copy-on-read avoids accessing the same backing file sectors repeatedly and is useful when the backing file is over a slow network. By default copy-on-read is off.
Instead of -cdrom you can use:
qemu-system-i386 -drive file=file,index=2,media=cdrom
Instead of -hda, -hdb, -hdc, -hdd, you can use:
qemu-system-i386 -drive file=file,index=0,media=disk
qemu-system-i386 -drive file=file,index=1,media=disk
qemu-system-i386 -drive file=file,index=2,media=disk
qemu-system-i386 -drive file=file,index=3,media=disk
You can open an image using pre-opened file descriptors from an fd set:
qemu-system-i386
-add-fd fd=3,set=2,opaque="rdwr:/path/to/file"
-add-fd fd=4,set=2,opaque="rdonly:/path/to/file"
-drive file=/dev/fdset/2,index=0,media=disk
You can connect a CDROM to the slave of ide0:
qemu-system-i386 -drive file=file,if=ide,index=1,media=cdrom
If you don't specify the "file=" argument, you define an empty drive:
qemu-system-i386 -drive if=ide,index=1,media=cdrom
Instead of -fda, -fdb, you can use:
qemu-system-i386 -drive file=file,index=0,if=floppy
qemu-system-i386 -drive file=file,index=1,if=floppy
By default, interface is "ide" and index is automatically incremented:
qemu-system-i386 -drive file=a -drive file=b"
is interpreted like:
qemu-system-i386 -hda a -hdb b
-fsdev option is used along with -device driver "virtio-9p-...".
-fsdev synth and -device virtio-9p-... instead.
-device usb-... instead. See usb_devices.
charset option, for example charset=CP850 for IBM CP850
encoding. The default is CP437.
change command
can be used to later start the VNC server.
Following the display value there may be one or more option flags separated by commas. Valid options are
reverse), the d argument
is a TCP port number, not a display number.
websocket=port.
If host is specified connections will only be allowed from this host.
It is possible to control the websocket listen address independently, using
the syntax websocket=host:port.
If no TLS credentials are provided, the websocket connection runs in
unencrypted mode. If TLS credentials are provided, the websocket connection
requires encrypted client connections.
The password must be set separately using the set_password command in
the pcsys_monitor. The syntax to change your password is:
set_password <protocol> <password> where <protocol> could be either
"vnc" or "spice".
If you would like to change <protocol> password expiration, you should use
expire_password <protocol> <expiration-time> where expiration time could
be one of the following options: now, never, +seconds or UNIX time of
expiration, e.g. +60 to make password expire in 60 seconds, or 1335196800
to make password expire on "Mon Apr 23 12:00:00 EDT 2012" (UNIX time for this
date and time).
You can also use keywords "now" or "never" for the expiration time to
allow <protocol> password to expire immediately or never expire.
authz-list objects with IDs of vnc.username and
vnc.x509dname. The rules for these objects must be configured
with the HMP ACL commands.
This option is deprecated and should no longer be used. The new
sasl-authz and tls-authz options are a
replacement.
The following two example do exactly the same, to show how -nic can be used to shorten the command line length (note that the e1000 is the default on i386, so the model=e1000 parameter could even be omitted here, too):
qemu-system-i386 -netdev user,id=n1,ipv6=off -device e1000,netdev=n1,mac=52:54:98:76:54:32
qemu-system-i386 -nic user,ipv6=off,model=e1000,mac=52:54:98:76:54:32
Example:
qemu-system-i386 -nic user,dnssearch=mgmt.example.org,dnssearch=example.org
bin of the Unix TFTP client).
Example (using pxelinux):
qemu-system-i386 -hda linux.img -boot n -device e1000,netdev=n1 \
-netdev user,id=n1,tftp=/path/to/tftp/files,bootfile=/pxelinux.0
In the guest Windows OS, the line:
10.0.2.4 smbserver
must be added in the file C:\WINDOWS\LMHOSTS (for windows 9x/Me) or C:\WINNT\SYSTEM32\DRIVERS\ETC\LMHOSTS (Windows NT/2000).
Then dir can be accessed in \\smbserver\qemu.
Note that a SAMBA server must be installed on the host OS.
For example, to redirect host X11 connection from screen 1 to guest screen 0, use the following:
# on the host
qemu-system-i386 -nic user,hostfwd=tcp:127.0.0.1:6001-:6000
# this host xterm should open in the guest X11 server
xterm -display :1
To redirect telnet connections from host port 5555 to telnet port on the guest, use the following:
# on the host
qemu-system-i386 -nic user,hostfwd=tcp::5555-:23
telnet localhost 5555
Then when you use on the host telnet localhost 5555, you
connect to the guest telnet server.
You can either use a chardev directly and have that one used throughout QEMU's lifetime, like in the following example:
# open 10.10.1.1:4321 on bootup, connect 10.0.2.100:1234 to it whenever
# the guest accesses it
qemu-system-i386 -nic user,guestfwd=tcp:10.0.2.100:1234-tcp:10.10.1.1:4321
Or you can execute a command on every TCP connection established by the guest, so that QEMU behaves similar to an inetd process for that virtual server:
# call "netcat 10.10.1.1 4321" on every TCP connection to 10.0.2.100:1234
# and connect the TCP stream to its stdin/stdout
qemu-system-i386 -nic 'user,id=n1,guestfwd=tcp:10.0.2.100:1234-cmd:netcat 10.10.1.1 4321'
Use the network script file to configure it and the network script dfile to deconfigure it. If name is not provided, the OS automatically provides one. The default network configure script is /etc/qemu-ifup and the default network deconfigure script is /etc/qemu-ifdown. Use script=no or downscript=no to disable script execution.
If running QEMU as an unprivileged user, use the network helper helper to configure the TAP interface and attach it to the bridge. The default network helper executable is /path/to/qemu-bridge-helper and the default bridge device is br0.
fd=h can be used to specify the handle of an already opened host TAP interface.
Examples:
#launch a QEMU instance with the default network script
qemu-system-i386 linux.img -nic tap
#launch a QEMU instance with two NICs, each one connected
#to a TAP device
qemu-system-i386 linux.img \
-netdev tap,id=nd0,ifname=tap0 -device e1000,netdev=nd0 \
-netdev tap,id=nd1,ifname=tap1 -device rtl8139,netdev=nd1
#launch a QEMU instance with the default network helper to
#connect a TAP device to bridge br0
qemu-system-i386 linux.img -device virtio-net-pci,netdev=n1 \
-netdev tap,id=n1,"helper=/path/to/qemu-bridge-helper"
Use the network helper helper to configure the TAP interface and attach it to the bridge. The default network helper executable is /path/to/qemu-bridge-helper and the default bridge device is br0.
Examples:
#launch a QEMU instance with the default network helper to
#connect a TAP device to bridge br0
qemu-system-i386 linux.img -netdev bridge,id=n1 -device virtio-net,netdev=n1
#launch a QEMU instance with the default network helper to
#connect a TAP device to bridge qemubr0
qemu-system-i386 linux.img -netdev bridge,br=qemubr0,id=n1 -device virtio-net,netdev=n1
Example:
# launch a first QEMU instance
qemu-system-i386 linux.img \
-device e1000,netdev=n1,mac=52:54:00:12:34:56 \
-netdev socket,id=n1,listen=:1234
# connect the network of this instance to the network of the first instance
qemu-system-i386 linux.img \
-device e1000,netdev=n2,mac=52:54:00:12:34:57 \
-netdev socket,id=n2,connect=127.0.0.1:1234
Example:
# launch one QEMU instance
qemu-system-i386 linux.img \
-device e1000,netdev=n1,mac=52:54:00:12:34:56 \
-netdev socket,id=n1,mcast=230.0.0.1:1234
# launch another QEMU instance on same "bus"
qemu-system-i386 linux.img \
-device e1000,netdev=n2,mac=52:54:00:12:34:57 \
-netdev socket,id=n2,mcast=230.0.0.1:1234
# launch yet another QEMU instance on same "bus"
qemu-system-i386 linux.img \
-device e1000,netdev=n3,mac=52:54:00:12:34:58 \
-netdev socket,id=n3,mcast=230.0.0.1:1234
Example (User Mode Linux compat.):
# launch QEMU instance (note mcast address selected is UML's default)
qemu-system-i386 linux.img \
-device e1000,netdev=n1,mac=52:54:00:12:34:56 \
-netdev socket,id=n1,mcast=239.192.168.1:1102
# launch UML
/path/to/linux ubd0=/path/to/root_fs eth0=mcast
Example (send packets from host's 1.2.3.4):
qemu-system-i386 linux.img \
-device e1000,netdev=n1,mac=52:54:00:12:34:56 \
-netdev socket,id=n1,mcast=239.192.168.1:1102,localaddr=1.2.3.4
This transport allows a VM to communicate to another VM, router or firewall directly.
For example, to attach a VM running on host 4.3.2.1 via L2TPv3 to the bridge br-lan on the remote Linux host 1.2.3.4:
# Setup tunnel on linux host using raw ip as encapsulation
# on 1.2.3.4
ip l2tp add tunnel remote 4.3.2.1 local 1.2.3.4 tunnel_id 1 peer_tunnel_id 1 \
encap udp udp_sport 16384 udp_dport 16384
ip l2tp add session tunnel_id 1 name vmtunnel0 session_id \
0xFFFFFFFF peer_session_id 0xFFFFFFFF
ifconfig vmtunnel0 mtu 1500
ifconfig vmtunnel0 up
brctl addif br-lan vmtunnel0
# on 4.3.2.1
# launch QEMU instance - if your network has reorder or is very lossy add ,pincounter
qemu-system-i386 linux.img -device e1000,netdev=n1 \
-netdev l2tpv3,id=n1,src=4.2.3.1,dst=1.2.3.4,udp,srcport=16384,dstport=16384,rxsession=0xffffffff,txsession=0xffffffff,counter
Example:
# launch vde switch
vde_switch -F -sock /tmp/myswitch
# launch QEMU instance
qemu-system-i386 linux.img -nic vde,sock=/tmp/myswitch
Example:
qemu -m 512 -object memory-backend-file,id=mem,size=512M,mem-path=/hugetlbfs,share=on \
-numa node,memdev=mem \
-chardev socket,id=chr0,path=/path/to/socket \
-netdev type=vhost-user,id=net0,chardev=chr0 \
-device virtio-net-pci,netdev=net0
The hubport netdev lets you connect a NIC to a QEMU emulated hub instead of a
single netdev. Alternatively, you can also connect the hubport to another
netdev with ID nd by using the netdev=nd option.
-net nic,model=help for a list of available devices for your target.
The general form of a character device option is:
Use -chardev help to print all available chardev backend types.
All devices must have an id, which can be any string up to 127 characters long. It is used to uniquely identify this device in other command line directives.
A character device may be used in multiplexing mode by multiple front-ends. Specify mux=on to enable this mode. A multiplexer is a "1:N" device, and here the "1" end is your specified chardev backend, and the "N" end is the various parts of QEMU that can talk to a chardev. If you create a chardev with id=myid and mux=on, QEMU will create a multiplexer with your specified ID, and you can then configure multiple front ends to use that chardev ID for their input/output. Up to four different front ends can be connected to a single multiplexed chardev. (Without multiplexing enabled, a chardev can only be used by a single front end.) For instance you could use this to allow a single stdio chardev to be used by two serial ports and the QEMU monitor:
-chardev stdio,mux=on,id=char0 \
-mon chardev=char0,mode=readline \
-serial chardev:char0 \
-serial chardev:char0
You can have more than one multiplexer in a system configuration; for instance you could have a TCP port multiplexed between UART 0 and UART 1, and stdio multiplexed between the QEMU monitor and a parallel port:
-chardev stdio,mux=on,id=char0 \
-mon chardev=char0,mode=readline \
-parallel chardev:char0 \
-chardev tcp,...,mux=on,id=char1 \
-serial chardev:char1 \
-serial chardev:char1
When you're using a multiplexed character device, some escape sequences are interpreted in the input. See Keys in the character backend multiplexer.
Note that some other command line options may implicitly create multiplexed character backends; for instance -serial mon:stdio creates a multiplexed stdio backend connected to the serial port and the QEMU monitor, and -nographic also multiplexes the console and the monitor to stdio.
There is currently no support for multiplexing in the other direction (where a single QEMU front end takes input and output from multiple chardevs).
Every backend supports the logfile option, which supplies the path to a file to record all data transmitted via the backend. The logappend option controls whether the log file will be truncated or appended to when opened.
The available backends are:
server specifies that the socket shall be a listening socket.
nowait specifies that QEMU should not block waiting for a client to connect to a listening socket.
telnet specifies that traffic on the socket should interpret telnet escape sequences.
websocket specifies that the socket uses WebSocket protocol for communication.
reconnect sets the timeout for reconnecting on non-server sockets when the remote end goes away. qemu will delay this many seconds and then attempt to reconnect. Zero disables reconnecting, and is the default.
tls-creds requests enablement of the TLS protocol for encryption, and specifies the id of the TLS credentials to use for the handshake. The credentials must be previously created with the -object tls-creds argument.
tls-auth provides the ID of the QAuthZ authorization object against which the client's x509 distinguished name will be validated. This object is only resolved at time of use, so can be deleted and recreated on the fly while the chardev server is active. If missing, it will default to denying access.
TCP and unix socket options are given below:
0.0.0.0.
port for a listening socket specifies the local port to be bound. For a connecting socket specifies the port on the remote host to connect to. port can be given as either a port number or a service name. port is required.
to is only relevant to listening sockets. If it is specified, and port cannot be bound, QEMU will attempt to bind to subsequent ports up to and including to until it succeeds. to must be specified as a port number.
ipv4 and ipv6 specify that either IPv4 or IPv6 must be used. If neither is specified the socket may use either protocol.
nodelay disables the Nagle algorithm.
host specifies the remote host to connect to. If not specified it
defaults to localhost.
port specifies the port on the remote host to connect to. port is required.
localaddr specifies the local address to bind to. If not specified it
defaults to 0.0.0.0.
localport specifies the local port to bind to. If not specified any available local port will be used.
ipv4 and ipv6 specify that either IPv4 or IPv6 must be used.
If neither is specified the device may use either protocol.
width and height specify the width and height respectively of the console, in pixels.
cols and rows specify that the console be sized to fit a text
console with the given dimensions.
64K.
path specifies the path of the file to be opened. This file will be
created if it does not already exist, and overwritten if it does. path
is required.
On Windows, a single duplex pipe will be created at \\.pipe\path.
On other hosts, 2 pipes will be created called path.in and path.out. Data written to path.in will be received by the guest. Data written by the guest can be read from path.out. QEMU will not create these fifos, and requires them to be present.
path forms part of the pipe path as described above. path is
required.
console is only available on Windows hosts.
On Unix hosts serial will actually accept any tty device, not only serial lines.
path specifies the name of the serial device to open.
pty is not available on Windows hosts.
signal controls if signals are enabled on the terminal, that includes
exiting QEMU with the key sequence <Control-c>. This option is enabled by
default, use signal=off to disable it.
path specifies the path to the tty. path is required.
Connect to a local parallel port.
path specifies the path to the parallel port device. path is
required.
debug debug level for spicevmc
name name of spice channel to connect to
Connect to a spice virtual machine channel, such as vdiport.
debug debug level for spicevmc
name name of spice port to connect to
Connect to a spice port, allowing a Spice client to handle the traffic identified by a name (preferably a fqdn).
-bt hci[...] option is valid and defines the HCI's
logic. The Transport Layer is decided by the machine type. Currently
the machines n800 and n810 have one HCI and all other
machines have none.
Note: This option and the whole bluetooth subsystem is considered as deprecated. If you still use it, please send a mail to qemu-devel@nongnu.org where you describe your usecase.
The following three types are recognized:
bluez only) The corresponding HCI passes commands / events
to / from the physical HCI identified by the name id (default:
hci0) on the computer running QEMU. Only available on bluez
capable systems like Linux.
0). Similarly to -net
VLANs, devices inside a bluetooth network n can only communicate
with other devices in the same network (scatternet).
vhci driver installed. Can
be used as following:
qemu-system-i386 [...OPTIONS...] -bt hci,vlan=5 -bt vhci,vlan=5
0). QEMU can only emulate one type of bluetooth devices
currently:
The general form of a TPM device option is:
-tpmdev option creates the TPM backend and requires a
-device option that specifies the TPM frontend interface model.
Use -tpmdev help to print all available TPM backend types.
The available backends are:
path specifies the path to the host's TPM device, i.e., on
a Linux host this would be /dev/tpm0.
path is optional and by default /dev/tpm0 is used.
cancel-path specifies the path to the host TPM device's sysfs entry allowing for cancellation of an ongoing TPM command. cancel-path is optional and by default QEMU will search for the sysfs entry to use.
Some notes about using the host's TPM with the passthrough driver:
The TPM device accessed by the passthrough driver must not be used by any other application on the host.
Since the host's firmware (BIOS/UEFI) has already initialized the TPM, the VM's firmware (BIOS/UEFI) will not be able to initialize the TPM again and may therefore not show a TPM-specific menu that would otherwise allow the user to configure the TPM, e.g., allow the user to enable/disable or activate/deactivate the TPM. Further, if TPM ownership is released from within a VM then the host's TPM will get disabled and deactivated. To enable and activate the TPM again afterwards, the host has to be rebooted and the user is required to enter the firmware's menu to enable and activate the TPM. If the TPM is left disabled and/or deactivated most TPM commands will fail.
To create a passthrough TPM use the following two options:
-tpmdev passthrough,id=tpm0 -device tpm-tis,tpmdev=tpm0
Note that the -tpmdev id is tpm0 and is referenced by
tpmdev=tpm0 in the device option.
chardev specifies the unique ID of a character device backend that provides connection to the software TPM server.
To create a TPM emulator backend device with chardev socket backend:
-chardev socket,id=chrtpm,path=/tmp/swtpm-sock -tpmdev emulator,id=tpm0,chardev=chrtpm -device tpm-tis,tpmdev=tpm0
When using these options, you can use a given Linux or Multiboot kernel without installing it in the disk image. It can be useful for easier testing of various kernels.
Use file1 and file2 as modules and pass arg=foo as parameter to the
first module.
The terminating NUL character of the contents of str will not be included as part of the fw_cfg item data. To insert contents with embedded NUL characters, you have to use the file parameter.
The fw_cfg entries are passed by QEMU through to the guest.
Example:
-fw_cfg name=opt/com.mycompany/blob,file=./my_blob.bin
creates an fw_cfg entry named opt/com.mycompany/blob with contents
from ./my_blob.bin.
vc in graphical mode and
stdio in non graphical mode.
This option can be used several times to simulate up to 4 serial ports.
Use -serial none to disable all serial ports.
Available character devices are:
vc:800x600
It is also possible to specify width or height in characters:
vc:80Cx24C
-chardev option.
0.0.0.0.
When not using a specified src_port a random port is automatically chosen.
If you just want a simple readonly console you can use netcat or
nc, by starting QEMU with: -serial udp::4555 and nc as:
nc -u -l -p 4555. Any time QEMU writes something to that port it
will appear in the netconsole session.
If you plan to send characters back via netconsole or you want to stop
and start QEMU a lot of times, you should have QEMU use the same
source port each time by using something like -serial
udp::4555@:4556 to QEMU. Another approach is to use a patched
version of netcat which can listen to a TCP port and send and receive
characters via udp. If you have a patched version of netcat which
activates telnet remote echo and single char transfer, then you can
use the following options to set up a netcat redirector to allow
telnet on port 5555 to access the QEMU port.
QEMU Options:netcat options:telnet options:nowait
option was specified. The nodelay option disables the Nagle buffering
algorithm. The reconnect option only applies if noserver is
set, if the connection goes down it will attempt to reconnect at the
given interval. If host is omitted, 0.0.0.0 is assumed. Only
one TCP connection at a time is accepted. You can use telnet to
connect to the corresponding character device.
Example to send tcp console to 192.168.0.2 port 4444Example to listen and wait on port 4444 for connectionExample to not wait and listen on ip 192.168.0.100 port 4444-serial tcp. The
difference is that the port acts like a telnet server or client using
telnet option negotiation. This will also allow you to send the
MAGIC_SYSRQ sequence if you use a telnet that supports sending the break
sequence. Typically in unix telnet you do it with Control-] and then
type "send break" followed by pressing the enter key.
-serial tcp except the unix domain socket
path is used for connections.
-serial mon:telnet::4444,server,nowaitThis option can be used several times to simulate up to 3 parallel ports.
Use -parallel none to disable all parallel ports.
vc in graphical mode and stdio in
non graphical mode.
Use -monitor none to disable the default monitor.
pretty turns on JSON pretty printing
easing human reading and debugging.
vc in graphical mode and stdio in
non graphical mode.
Locking qemu and guest memory can be enabled via mem-lock=on (disabled by default). This works when host memory is not overcommitted and reduces the worst-case latency for guest. This is equivalent to realtime.
Guest ability to manage power state of host cpus (increasing latency for other
processes on the same host cpu, but decreasing latency for guest) can be
enabled via cpu-pm=on (disabled by default). This works best when
host CPU is not overcommitted. When used, host estimates of CPU cycle and power
utilization will be incorrect, not taking into account guest idle time.
(gdb) target remote | exec qemu-system-i386 -gdb stdio ...
-dfilter 0x8000..0x8fff,0xffffffc000080000+0x200,0xffffffc000060000-0x1000
Will dump output for any code in the 0x1000 sized block starting at 0x8000 and
the 0x200 sized block starting at 0xffffffc000080000 and another 0x1000 sized
block starting at 0xffffffc00005f000.
To list all the data directories, use -L help.
loadvm in monitor)
utc or localtime to let the RTC start at the current
UTC or local time, respectively. localtime is required for correct date in
MS-DOS or Windows. To start at a specific point in time, provide datetime in the
format 2006-06-17T16:01:21 or 2006-06-17. The default base is UTC.
By default the RTC is driven by the host system time. This allows using of the
RTC as accurate reference clock inside the guest, specifically if the host
time is smoothly following an accurate external reference clock, e.g. via NTP.
If you want to isolate the guest time from the host, you can set clock
to rt instead, which provides a host monotonic clock if host support it.
To even prevent the RTC from progressing during suspension, you can set clock
to vm (virtual clock). `clock=vm' is recommended especially in
icount mode in order to preserve determinism; however, note that in icount mode
the speed of the virtual clock is variable and can in general differ from the
host clock.
Enable driftfix (i386 targets only) if you experience time drift problems,
specifically with Windows' ACPI HAL. This option will try to figure out how
many timer interrupts were not processed by the Windows guest and will
re-inject them.
auto is specified
then the virtual cpu speed will be automatically adjusted to keep virtual
time within a few seconds of real time.
When the virtual cpu is sleeping, the virtual time will advance at default speed unless sleep=on|off is specified. With sleep=on|off, the virtual time will jump to the next timer deadline instantly whenever the virtual cpu goes to sleep mode and will not advance if no timer is enabled. This behavior give deterministic execution times from the guest point of view.
Note that while this option can give deterministic behavior, it does not provide cycle accurate emulation. Modern CPUs contain superscalar out of order cores with complex cache hierarchies. The number of instructions executed often has little or no correlation with actual performance.
align=on will activate the delay algorithm which will try
to synchronise the host clock and the virtual clock. The goal is to
have a guest running at the real frequency imposed by the shift option.
Whenever the guest clock is behind the host clock and if
align=on is specified then we print a message to the user
to inform about the delay.
Currently this option does not work when shift is auto.
Note: The sync algorithm will work for those shift values for which
the guest clock runs ahead of the host clock. Typically this happens
when the shift value is high (how high depends on the host machine).
When rr option is specified deterministic record/replay is enabled. Replay log is written into filename file in record mode and read from this file in replay mode.
Option rrsnapshot is used to create new vm snapshot named snapshot
at the start of execution recording. In replay mode this option is used
to load the initial VM state.
The model is the model of hardware watchdog to emulate. Use
-watchdog help to list available hardware models. Only one
watchdog can be enabled for a guest.
The following models may be available:
reset (forcefully reset the guest).
Other possible actions are:
shutdown (attempt to gracefully shutdown the guest),
poweroff (forcefully poweroff the guest),
inject-nmi (inject a NMI into the guest),
pause (pause the guest),
debug (print a debug message and continue), or
none (do nothing).
Note that the shutdown action requires that the guest responds
to ACPI signals, which it may not be able to do in the sort of
situations where the watchdog would have expired, and thus
-watchdog-action shutdown is not recommended for production use.
Examples:
-watchdog i6300esb -watchdog-action pause-watchdog ib7000x01 when using the
-nographic option. 0x01 is equal to pressing
Control-a. You can select a different character from the ascii
control keys where 1 through 26 map to Control-a through Control-z. For
instance you could use the either of the following to change the escape
character to Control-t.
-echr 0x14-echr 20-nodefaults option will disable all those
default devices.
native|gdb|autonative)
or to GDB (gdb). The default is auto, which means gdb
during debug sessions and native otherwise.
-kernel/-append method of passing a
command line is still supported for backward compatibility. If both the
--semihosting-config arg and the -kernel/-append are
specified, the former is passed to semihosting as it always takes precedence.
-) character to print the
output to stdout. This can be later used as input file for -readconfig option.
-no-user-config option makes QEMU not load any of the user-provided
config files on sysconfdir.
Use -trace help to print a list of names of trace points.
The id parameter is a unique ID that will be used to reference this memory region when configuring the -numa argument.
The size option provides the size of the memory region, and accepts common suffixes, eg 500M.
The mem-path provides the path to either a shared memory or huge page filesystem mount.
The share boolean option determines whether the memory region is marked as private to QEMU, or shared. The latter allows a co-operating external process to access the QEMU memory region.
The share is also required for pvrdma devices due to limitations in the RDMA API provided by Linux.
Setting share=on might affect the ability to configure NUMA bindings for the memory backend under some circumstances, see Documentation/vm/numa_memory_policy.txt on the Linux kernel source tree for additional details.
Setting the discard-data boolean option to on indicates that file contents can be destroyed when QEMU exits, to avoid unnecessarily flushing data to the backing file. Note that discard-data is only an optimization, and QEMU might not discard file contents if it aborts unexpectedly or is terminated using SIGKILL.
The merge boolean option enables memory merge, also known as MADV_MERGEABLE, so that Kernel Samepage Merging will consider the pages for memory deduplication.
Setting the dump boolean option to off excludes the memory from core dumps. This feature is also known as MADV_DONTDUMP.
The prealloc boolean option enables memory preallocation.
The host-nodes option binds the memory range to a list of NUMA host nodes.
The policy option sets the NUMA policy to one of the following values:
The align option specifies the base address alignment when QEMU mmap(2) mem-path, and accepts common suffixes, eg 2M. Some backend store specified by mem-path requires an alignment different than the default one used by QEMU, eg the device DAX /dev/dax0.0 requires 2M alignment rather than 4K. In such cases, users can specify the required alignment via this option.
The pmem option specifies whether the backing file specified
by mem-path is in host persistent memory that can be accessed
using the SNIA NVM programming model (e.g. Intel NVDIMM).
If pmem is set to 'on', QEMU will take necessary operations to
guarantee the persistence of its own writes to mem-path
(e.g. in vNVDIMM label emulation and live migration).
Also, we will map the backend-file with MAP_SYNC flag, which ensures the
file metadata is in sync for mem-path in case of host crash
or a power failure. MAP_SYNC requires support from both the host kernel
(since Linux kernel 4.15) and the filesystem of mem-path mounted
with DAX option.
The seal option creates a sealed-file, that will block further resizing the memory ('on' by default).
The hugetlb option specify the file to be created resides in the hugetlbfs filesystem (since Linux 4.14). Used in conjunction with the hugetlb option, the hugetlbsize option specify the hugetlb page size on systems that support multiple hugetlb page sizes (it must be a power of 2 value supported by the system).
In some versions of Linux, the hugetlb option is incompatible with the seal option (requires at least Linux 4.16).
Please refer to memory-backend-file for a description of the other options.
The share boolean option is on by default with memfd.
The dir parameter tells QEMU where to find the credential
files. For server endpoints, this directory may contain a file
dh-params.pem providing diffie-hellman parameters to use
for the TLS server. If the file is missing, QEMU will generate
a set of DH parameters at startup. This is a computationally
expensive operation that consumes random pool entropy, so it is
recommended that a persistent set of parameters be generated
upfront and saved.
The dir parameter tells QEMU where to find the keys file.
It is called “dir/keys.psk” and contains “username:key”
pairs. This file can most easily be created using the GnuTLS
psktool program.
For server endpoints, dir may also contain a file
dh-params.pem providing diffie-hellman parameters to use
for the TLS server. If the file is missing, QEMU will generate
a set of DH parameters at startup. This is a computationally
expensive operation that consumes random pool entropy, so it is
recommended that a persistent set of parameters be generated
up front and saved.
The dir parameter tells QEMU where to find the credential files. For server endpoints, this directory may contain a file dh-params.pem providing diffie-hellman parameters to use for the TLS server. If the file is missing, QEMU will generate a set of DH parameters at startup. This is a computationally expensive operation that consumes random pool entropy, so it is recommended that a persistent set of parameters be generated upfront and saved.
For x509 certificate credentials the directory will contain further files providing the x509 certificates. The certificates must be stored in PEM format, in filenames ca-cert.pem, ca-crl.pem (optional), server-cert.pem (only servers), server-key.pem (only servers), client-cert.pem (only clients), and client-key.pem (only clients).
For the server-key.pem and client-key.pem files which
contain sensitive private keys, it is possible to use an encrypted
version by providing the passwordid parameter. This provides
the ID of a previously created secret object containing the
password for decryption.
The priority parameter allows to override the global default
priority used by gnutls. This can be useful if the system administrator
needs to use a weaker set of crypto priorities for QEMU without
potentially forcing the weakness onto all applications. Or conversely
if one wants wants a stronger default for QEMU than for all other
applications, they can do this through this parameter. Its format is
a gnutls priority string as described at
https://gnutls.org/manual/html_node/Priority-Strings.html.
queue all|rx|tx is an option that can be applied to any netfilter.
all: the filter is attached both to the receive and the transmit queue of the netdev (default).
rx: the filter is attached to the receive queue of the netdev, where it will receive packets sent to the netdev.
tx: the filter is attached to the transmit queue of the netdev,
where it will receive packets sent by the netdev.
usage:
colo secondary:
-object filter-redirector,id=f1,netdev=hn0,queue=tx,indev=red0
-object filter-redirector,id=f2,netdev=hn0,queue=rx,outdev=red1
-object filter-rewriter,id=rew0,netdev=hn0,queue=all
we must use it with the help of filter-mirror and filter-redirector.
KVM COLO
primary:
-netdev tap,id=hn0,vhost=off,script=/etc/qemu-ifup,downscript=/etc/qemu-ifdown
-device e1000,id=e0,netdev=hn0,mac=52:a4:00:12:78:66
-chardev socket,id=mirror0,host=3.3.3.3,port=9003,server,nowait
-chardev socket,id=compare1,host=3.3.3.3,port=9004,server,nowait
-chardev socket,id=compare0,host=3.3.3.3,port=9001,server,nowait
-chardev socket,id=compare0-0,host=3.3.3.3,port=9001
-chardev socket,id=compare_out,host=3.3.3.3,port=9005,server,nowait
-chardev socket,id=compare_out0,host=3.3.3.3,port=9005
-object iothread,id=iothread1
-object filter-mirror,id=m0,netdev=hn0,queue=tx,outdev=mirror0
-object filter-redirector,netdev=hn0,id=redire0,queue=rx,indev=compare_out
-object filter-redirector,netdev=hn0,id=redire1,queue=rx,outdev=compare0
-object colo-compare,id=comp0,primary_in=compare0-0,secondary_in=compare1,outdev=compare_out0,iothread=iothread1
secondary:
-netdev tap,id=hn0,vhost=off,script=/etc/qemu-ifup,down script=/etc/qemu-ifdown
-device e1000,netdev=hn0,mac=52:a4:00:12:78:66
-chardev socket,id=red0,host=3.3.3.3,port=9003
-chardev socket,id=red1,host=3.3.3.3,port=9004
-object filter-redirector,id=f1,netdev=hn0,queue=tx,indev=red0
-object filter-redirector,id=f2,netdev=hn0,queue=rx,outdev=red1
Xen COLO
primary:
-netdev tap,id=hn0,vhost=off,script=/etc/qemu-ifup,downscript=/etc/qemu-ifdown
-device e1000,id=e0,netdev=hn0,mac=52:a4:00:12:78:66
-chardev socket,id=mirror0,host=3.3.3.3,port=9003,server,nowait
-chardev socket,id=compare1,host=3.3.3.3,port=9004,server,nowait
-chardev socket,id=compare0,host=3.3.3.3,port=9001,server,nowait
-chardev socket,id=compare0-0,host=3.3.3.3,port=9001
-chardev socket,id=compare_out,host=3.3.3.3,port=9005,server,nowait
-chardev socket,id=compare_out0,host=3.3.3.3,port=9005
-chardev socket,id=notify_way,host=3.3.3.3,port=9009,server,nowait
-object filter-mirror,id=m0,netdev=hn0,queue=tx,outdev=mirror0
-object filter-redirector,netdev=hn0,id=redire0,queue=rx,indev=compare_out
-object filter-redirector,netdev=hn0,id=redire1,queue=rx,outdev=compare0
-object iothread,id=iothread1
-object colo-compare,id=comp0,primary_in=compare0-0,secondary_in=compare1,outdev=compare_out0,notify_dev=nofity_way,iothread=iothread1
secondary:
-netdev tap,id=hn0,vhost=off,script=/etc/qemu-ifup,down script=/etc/qemu-ifdown
-device e1000,netdev=hn0,mac=52:a4:00:12:78:66
-chardev socket,id=red0,host=3.3.3.3,port=9003
-chardev socket,id=red1,host=3.3.3.3,port=9004
-object filter-redirector,id=f1,netdev=hn0,queue=tx,indev=red0
-object filter-redirector,id=f2,netdev=hn0,queue=rx,outdev=red1
If you want to know the detail of above command line, you can read
the colo-compare git log.
# qemu-system-x86_64 \
[...] \
-object cryptodev-backend-builtin,id=cryptodev0 \
-device virtio-crypto-pci,id=crypto0,cryptodev=cryptodev0 \
[...]
# qemu-system-x86_64 \
[...] \
-chardev socket,id=chardev0,path=/path/to/socket \
-object cryptodev-vhost-user,id=cryptodev0,chardev=chardev0 \
-device virtio-crypto-pci,id=crypto0,cryptodev=cryptodev0 \
[...]
The sensitive data can be provided in raw format (the default), or base64. When encoded as JSON, the raw format only supports valid UTF-8 characters, so base64 is recommended for sending binary data. QEMU will convert from which ever format is provided to the format it needs internally. eg, an RBD password can be provided in raw format, even though it will be base64 encoded when passed onto the RBD sever.
For added protection, it is possible to encrypt the data associated with a secret using the AES-256-CBC cipher. Use of encryption is indicated by providing the keyid and iv parameters. The keyid parameter provides the ID of a previously defined secret that contains the AES-256 decryption key. This key should be 32-bytes long and be base64 encoded. The iv parameter provides the random initialization vector used for encryption of this particular secret and should be a base64 encrypted string of the 16-byte IV.
The simplest (insecure) usage is to provide the secret inline
# $QEMU -object secret,id=sec0,data=letmein,format=raw
The simplest secure usage is to provide the secret via a file
# printf "letmein" > mypasswd.txt # $QEMU -object secret,id=sec0,file=mypasswd.txt,format=raw
For greater security, AES-256-CBC should be used. To illustrate usage, consider the openssl command line tool which can encrypt the data. Note that when encrypting, the plaintext must be padded to the cipher block size (32 bytes) using the standard PKCS#5/6 compatible padding algorithm.
First a master key needs to be created in base64 encoding:
# openssl rand -base64 32 > key.b64
# KEY=$(base64 -d key.b64 | hexdump -v -e '/1 "%02X"')
Each secret to be encrypted needs to have a random initialization vector generated. These do not need to be kept secret
# openssl rand -base64 16 > iv.b64
# IV=$(base64 -d iv.b64 | hexdump -v -e '/1 "%02X"')
The secret to be defined can now be encrypted, in this case we're telling openssl to base64 encode the result, but it could be left as raw bytes if desired.
# SECRET=$(printf "letmein" |
openssl enc -aes-256-cbc -a -K $KEY -iv $IV)
When launching QEMU, create a master secret pointing to key.b64
and specify that to be used to decrypt the user password. Pass the
contents of iv.b64 to the second secret
# $QEMU \
-object secret,id=secmaster0,format=base64,file=key.b64 \
-object secret,id=sec0,keyid=secmaster0,format=base64,\
data=$SECRET,iv=$(<iv.b64)
When memory encryption is enabled, one of the physical address bit (aka the C-bit) is utilized to mark if a memory page is protected. The cbitpos is used to provide the C-bit position. The C-bit position is Host family dependent hence user must provide this value. On EPYC, the value should be 47.
When memory encryption is enabled, we loose certain bits in physical address space. The reduced-phys-bits is used to provide the number of bits we loose in physical address space. Similar to C-bit, the value is Host family dependent. On EPYC, the value should be 5.
The sev-device provides the device file to use for communicating with the SEV firmware running inside AMD Secure Processor. The default device is '/dev/sev'. If hardware supports memory encryption then /dev/sev devices are created by CCP driver.
The policy provides the guest policy to be enforced by the SEV firmware and restrict what configuration and operational commands can be performed on this guest by the hypervisor. The policy should be provided by the guest owner and is bound to the guest and cannot be changed throughout the lifetime of the guest. The default is 0.
If guest policy allows sharing the key with another SEV guest then handle can be use to provide handle of the guest from which to share the key.
The dh-cert-file and session-file provides the guest owner's Public Diffie-Hillman key defined in SEV spec. The PDH and session parameters are used for establishing a cryptographic session with the guest owner to negotiate keys used for attestation. The file must be encoded in base64.
e.g to launch a SEV guest
# $QEMU \
......
-object sev-guest,id=sev0,cbitpos=47,reduced-phys-bits=5 \
-machine ...,memory-encryption=sev0
.....
The identity parameter is identifies the user and its format depends on the network service that authorization object is associated with. For authorizing based on TLS x509 certificates, the identity must be the x509 distinguished name. Note that care must be taken to escape any commas in the distinguished name.
An example authorization object to validate a x509 distinguished name would look like:
# $QEMU \
...
-object 'authz-simple,id=auth0,identity=CN=laptop.example.com,,O=Example Org,,L=London,,ST=London,,C=GB' \
...
Note the use of quotes due to the x509 distinguished name containing
whitespace, and escaping of ','.
The filename parameter is the fully qualified path to a file containing the access control list rules in JSON format.
An example set of rules that match against SASL usernames might look like:
{
"rules": [
{ "match": "fred", "policy": "allow", "format": "exact" },
{ "match": "bob", "policy": "allow", "format": "exact" },
{ "match": "danb", "policy": "deny", "format": "glob" },
{ "match": "dan*", "policy": "allow", "format": "exact" },
],
"policy": "deny"
}
When checking access the object will iterate over all the rules and the first rule to match will have its policy value returned as the result. If no rules match, then the default policy value is returned.
The rules can either be an exact string match, or they can use the simple UNIX glob pattern matching to allow wildcards to be used.
If refresh is set to true the file will be monitored and automatically reloaded whenever its content changes.
As with the authz-simple object, the format of the identity
strings being matched depends on the network service, but is usually
a TLS x509 distinguished name, or a SASL username.
An example authorization object to validate a SASL username would look like:
# $QEMU \
...
-object authz-simple,id=auth0,filename=/etc/qemu/vnc-sasl.acl,refresh=yes
...
The service parameter provides the name of a PAM service to use
for authorization. It requires that a file /etc/pam.d/service
exist to provide the configuration for the account subsystem.
An example authorization object to validate a TLS x509 distinguished name would look like:
# $QEMU \
...
-object authz-pam,id=auth0,service=qemu-vnc
...
There would then be a corresponding config file for PAM at
/etc/pam.d/qemu-vnc that contains:
account requisite pam_listfile.so item=user sense=allow \
file=/etc/qemu/vnc.allow
Finally the /etc/qemu/vnc.allow file would contain
the list of x509 distingished names that are permitted
access
CN=laptop.example.com,O=Example Home,L=London,ST=London,C=GB
In addition to using normal file images for the emulated storage devices, QEMU can also use networked resources such as iSCSI devices. These are specified using a special URL syntax.
Syntax for specifying iSCSI LUNs is “iscsi://<target-ip>[:<port>]/<target-iqn>/<lun>”
By default qemu will use the iSCSI initiator-name 'iqn.2008-11.org.linux-kvm[:<name>]' but this can also be set from the command line or a configuration file.
Since version Qemu 2.4 it is possible to specify a iSCSI request timeout to detect stalled requests and force a reestablishment of the session. The timeout is specified in seconds. The default is 0 which means no timeout. Libiscsi 1.15.0 or greater is required for this feature.
Example (without authentication):
qemu-system-i386 -iscsi initiator-name=iqn.2001-04.com.example:my-initiator \
-cdrom iscsi://192.0.2.1/iqn.2001-04.com.example/2 \
-drive file=iscsi://192.0.2.1/iqn.2001-04.com.example/1
Example (CHAP username/password via URL):
qemu-system-i386 -drive file=iscsi://user%password@192.0.2.1/iqn.2001-04.com.example/1
Example (CHAP username/password via environment variables):
LIBISCSI_CHAP_USERNAME="user" \
LIBISCSI_CHAP_PASSWORD="password" \
qemu-system-i386 -drive file=iscsi://192.0.2.1/iqn.2001-04.com.example/1
Syntax for specifying a NBD device using TCP “nbd:<server-ip>:<port>[:exportname=<export>]”
Syntax for specifying a NBD device using Unix Domain Sockets “nbd:unix:<domain-socket>[:exportname=<export>]”
Example for TCP
qemu-system-i386 --drive file=nbd:192.0.2.1:30000
Example for Unix Domain Sockets
qemu-system-i386 --drive file=nbd:unix:/tmp/nbd-socket
Examples:
qemu-system-i386 -drive file=ssh://user@host/path/to/disk.img
qemu-system-i386 -drive file.driver=ssh,file.user=user,file.host=host,file.port=22,file.path=/path/to/disk.img
Currently authentication must be done using ssh-agent. Other
authentication methods may be supported in future.
Syntax for specifying a sheepdog device
sheepdog[+tcp|+unix]://[host:port]/vdiname[?socket=path][#snapid|#tag]
Example
qemu-system-i386 --drive file=sheepdog://192.0.2.1:30000/MyVirtualMachine
See also https://sheepdog.github.io/sheepdog/.
Syntax for specifying a VM disk image on GlusterFS volume is
URI:
gluster[+type]://[host[:port]]/volume/path[?socket=...][,debug=N][,logfile=...]
JSON:
'json:{"driver":"qcow2","file":{"driver":"gluster","volume":"testvol","path":"a.img","debug":N,"logfile":"...",
"server":[{"type":"tcp","host":"...","port":"..."},
{"type":"unix","socket":"..."}]}}'
Example
URI:
qemu-system-x86_64 --drive file=gluster://192.0.2.1/testvol/a.img,
file.debug=9,file.logfile=/var/log/qemu-gluster.log
JSON:
qemu-system-x86_64 'json:{"driver":"qcow2",
"file":{"driver":"gluster",
"volume":"testvol","path":"a.img",
"debug":9,"logfile":"/var/log/qemu-gluster.log",
"server":[{"type":"tcp","host":"1.2.3.4","port":24007},
{"type":"unix","socket":"/var/run/glusterd.socket"}]}}'
qemu-system-x86_64 -drive driver=qcow2,file.driver=gluster,file.volume=testvol,file.path=/path/a.img,
file.debug=9,file.logfile=/var/log/qemu-gluster.log,
file.server.0.type=tcp,file.server.0.host=1.2.3.4,file.server.0.port=24007,
file.server.1.type=unix,file.server.1.socket=/var/run/glusterd.socket
See also http://www.gluster.org.
Syntax using a single filename:
<protocol>://[<username>[:<password>]@]<host>/<path>
where:
The following options are also supported:
Note that when passing options to qemu explicitly, driver is the value of <protocol>.
Example: boot from a remote Fedora 20 live ISO image
qemu-system-x86_64 --drive media=cdrom,file=http://dl.fedoraproject.org/pub/fedora/linux/releases/20/Live/x86_64/Fedora-Live-Desktop-x86_64-20-1.iso,readonly
qemu-system-x86_64 --drive media=cdrom,file.driver=http,file.url=http://dl.fedoraproject.org/pub/fedora/linux/releases/20/Live/x86_64/Fedora-Live-Desktop-x86_64-20-1.iso,readonly
Example: boot from a remote Fedora 20 cloud image using a local overlay for writes, copy-on-read, and a readahead of 64k
qemu-img create -f qcow2 -o backing_file='json:{"file.driver":"http",, "file.url":"https://dl.fedoraproject.org/pub/fedora/linux/releases/20/Images/x86_64/Fedora-x86_64-20-20131211.1-sda.qcow2",, "file.readahead":"64k"}' /tmp/Fedora-x86_64-20-20131211.1-sda.qcow2
qemu-system-x86_64 -drive file=/tmp/Fedora-x86_64-20-20131211.1-sda.qcow2,copy-on-read=on
Example: boot from an image stored on a VMware vSphere server with a self-signed certificate using a local overlay for writes, a readahead of 64k and a timeout of 10 seconds.
qemu-img create -f qcow2 -o backing_file='json:{"file.driver":"https",, "file.url":"https://user:password@vsphere.example.com/folder/test/test-flat.vmdk?dcPath=Datacenter&dsName=datastore1",, "file.sslverify":"off",, "file.readahead":"64k",, "file.timeout":10}' /tmp/test.qcow2
qemu-system-x86_64 -drive file=/tmp/test.qcow2
During the graphical emulation, you can use special key combinations to change
modes. The default key mappings are shown below, but if you use -alt-grab
then the modifier is Ctrl-Alt-Shift (instead of Ctrl-Alt) and if you use
-ctrl-grab then the modifier is the right Ctrl key (instead of Ctrl-Alt):
In the virtual consoles, you can use <Ctrl-Up>, <Ctrl-Down>, <Ctrl-PageUp> and <Ctrl-PageDown> to move in the back log.
During emulation, if you are using a character backend multiplexer (which is the default if you are using -nographic) then several commands are available via an escape sequence. These key sequences all start with an escape character, which is <Ctrl-a> by default, but can be changed with -echr. The list below assumes you're using the default.
The QEMU monitor is used to give complex commands to the QEMU emulator. You can use it to:
The following commands are available:
(qemu) change ide1-cd0 /path/to/some.iso
format is optional.
read-only-mode may be used to change the read-only status of the device. It accepts the following values:
(qemu) change vnc localhost:1
(qemu) change vnc password
Password: ********
Since 4.0, savevm stopped allowing the snapshot id to be set, accepting
only tag as parameter.
Since 4.0, loadvm stopped accepting snapshot id as parameter.
Since 4.0, delvm stopped deleting snapshots by snapshot id, accepting
only tag as parameter.
fmt is a format which tells the command how to format the data. Its syntax is: /{count}{format}{size}
h or w can be specified with the i format to
respectively select 16 or 32 bit code instruction size.
Examples:
(qemu) x/10i $eip
0x90107063: ret
0x90107064: sti
0x90107065: lea 0x0(%esi,1),%esi
0x90107069: lea 0x0(%edi,1),%edi
0x90107070: ret
0x90107071: jmp 0x90107080
0x90107073: nop
0x90107074: nop
0x90107075: nop
0x90107076: nop
(qemu) xp/80hx 0xb8000
0x000b8000: 0x0b50 0x0b6c 0x0b65 0x0b78 0x0b38 0x0b36 0x0b2f 0x0b42
0x000b8010: 0x0b6f 0x0b63 0x0b68 0x0b73 0x0b20 0x0b56 0x0b47 0x0b41
0x000b8020: 0x0b42 0x0b69 0x0b6f 0x0b73 0x0b20 0x0b63 0x0b75 0x0b72
0x000b8030: 0x0b72 0x0b65 0x0b6e 0x0b74 0x0b2d 0x0b63 0x0b76 0x0b73
0x000b8040: 0x0b20 0x0b30 0x0b35 0x0b20 0x0b4e 0x0b6f 0x0b76 0x0b20
0x000b8050: 0x0b32 0x0b30 0x0b30 0x0b33 0x0720 0x0720 0x0720 0x0720
0x000b8060: 0x0720 0x0720 0x0720 0x0720 0x0720 0x0720 0x0720 0x0720
0x000b8070: 0x0720 0x0720 0x0720 0x0720 0x0720 0x0720 0x0720 0x0720
0x000b8080: 0x0720 0x0720 0x0720 0x0720 0x0720 0x0720 0x0720 0x0720
0x000b8090: 0x0720 0x0720 0x0720 0x0720 0x0720 0x0720 0x0720 0x0720
- to press
several keys simultaneously. Example:
sendkey ctrl-alt-f1
This command is useful to send keys that your graphical user interface
intercepts at low level, such as ctrl-alt-f1 in X Window.
info mice
Defaults:
info capture
-boot option.
The values that can be specified here depend on the machine type, but are
the same that can be specified in the -boot command line option.
allow|denydeny.
allow|deny [index]*@EXAMPLE.COM to
allow all users in the EXAMPLE.COM kerberos realm. The match will
normally be appended to the end of the ACL, but can be inserted
earlier in the list if the optional index parameter is supplied.
deny.
getfd command. This is only needed if the file descriptor was never
used by another monitor command.
This command is now obsolete and will always return an error since 2.10
device_add instead. For details, refer to
'docs/cpu-hotplug.rst'.
The monitor understands integers expressions for every integer argument. You can use register names to get the value of specifics CPU registers by prefixing them with $.
QEMU / KVM CPU model configuration
QEMU / KVM virtualization supports two ways to configure CPU models
In both cases, it is possible to optionally add or remove individual CPU features, to alter what is presented to the guest by default.
Libvirt supports a third way to configure CPU models known as "Host model". This uses the QEMU "Named model" feature, automatically picking a CPU model that is similar the host CPU, and then adding extra features to approximate the host model as closely as possible. This does not guarantee the CPU family, stepping, etc will precisely match the host CPU, as they would with "Host passthrough", but gives much of the benefit of passthrough, while making live migration safe.
The information that follows provides recommendations for configuring CPU models on x86 hosts. The goals are to maximise performance, while protecting guest OS against various CPU hardware flaws, and optionally enabling live migration between hosts with heterogeneous CPU models.
The following CPU models are preferred for use on Intel hosts. Administrators / applications are recommended to use the CPU model that matches the generation of the host CPUs in use. In a deployment with a mixture of host CPU models between machines, if live migration compatibility is required, use the newest CPU model that is compatible across all desired hosts.
Skylake-ServerSkylake-Server-IBRSSkylake-ClientSkylake-Client-IBRSBroadwellBroadwell-IBRSBroadwell-noTSXBroadwell-noTSX-IBRSHaswellHaswell-IBRSHaswell-noTSXHaswell-noTSX-IBRSIvyBridgeIvyBridge-IBRSSandyBridgeSandyBridge-IBRSWestmereWestmere-IBRSNehalemNehalem-IBRSPenrynConroeThe following are important CPU features that should be used on Intel x86 hosts, when available in the host CPU. Some of them require explicit configuration to enable, as they are not included by default in some, or all, of the named CPU models listed above. In general all of these features are included if using "Host passthrough" or "Host model".
pcidIncluded by default in Haswell, Broadwell & Skylake Intel CPU models.
Should be explicitly turned on for Westmere, SandyBridge, and IvyBridge
Intel CPU models. Note that some desktop/mobile Westmere CPUs cannot
support this feature.
spec-ctrlIncluded by default in Intel CPU models with -IBRS suffix.
Must be explicitly turned on for Intel CPU models without -IBRS suffix.
Requires the host CPU microcode to support this feature before it
can be used for guest CPUs.
stibpMust be explicitly turned on for all Intel CPU models.
Requires the host CPU microcode to support this feature before it
can be used for guest CPUs.
ssbdNot included by default in any Intel CPU model.
Must be explicitly turned on for all Intel CPU models.
Requires the host CPU microcode to support this feature before it
can be used for guest CPUs.
pdpe1gbNot included by default in any Intel CPU model.
Should be explicitly turned on for all Intel CPU models.
Note that not all CPU hardware will support this feature.
md-clearNot included by default in any Intel CPU model.
Must be explicitly turned on for all Intel CPU models.
Requires the host CPU microcode to support this feature before it can be used for guest CPUs.
The following CPU models are preferred for use on Intel hosts. Administrators / applications are recommended to use the CPU model that matches the generation of the host CPUs in use. In a deployment with a mixture of host CPU models between machines, if live migration compatibility is required, use the newest CPU model that is compatible across all desired hosts.
EPYCEPYC-IBPBOpteron_G5Opteron_G4Opteron_G3Opteron_G2Opteron_G1The following are important CPU features that should be used on AMD x86 hosts, when available in the host CPU. Some of them require explicit configuration to enable, as they are not included by default in some, or all, of the named CPU models listed above. In general all of these features are included if using "Host passthrough" or "Host model".
ibpbIncluded by default in AMD CPU models with -IBPB suffix.
Must be explicitly turned on for AMD CPU models without -IBPB suffix.
Requires the host CPU microcode to support this feature before it
can be used for guest CPUs.
stibpMust be explicitly turned on for all AMD CPU models.
Requires the host CPU microcode to support this feature before it
can be used for guest CPUs.
virt-ssbdNot included by default in any AMD CPU model.
Must be explicitly turned on for all AMD CPU models.
This should be provided to guests, even if amd-ssbd is also provided, for maximum guest compatibility.
Note for some QEMU / libvirt versions, this must be force enabled
when when using "Host model", because this is a virtual feature
that doesn't exist in the physical host CPUs.
amd-ssbdNot included by default in any AMD CPU model.
Must be explicitly turned on for all AMD CPU models.
This provides higher performance than virt-ssbd so should be
exposed to guests whenever available in the host. virt-ssbd
should none the less also be exposed for maximum guest
compatibility as some kernels only know about virt-ssbd.
amd-no-ssbNot included by default in any AMD CPU model.
Future hardware generations of CPU will not be vulnerable to
CVE-2018-3639, and thus the guest should be told not to enable
its mitigations, by exposing amd-no-ssb. This is mutually
exclusive with virt-ssbd and amd-ssbd.
pdpe1gbNot included by default in any AMD CPU model.
Should be explicitly turned on for all AMD CPU models.
Note that not all CPU hardware will support this feature.
The default QEMU CPU models are designed such that they can run on all hosts. If an application does not wish to do perform any host compatibility checks before launching guests, the default is guaranteed to work.
The default CPU models will, however, leave the guest OS vulnerable to various CPU hardware flaws, so their use is strongly discouraged. Applications should follow the earlier guidance to setup a better CPU configuration, with host passthrough recommended if live migration is not needed.
qemu32qemu64qemu64 is used for x86_64 guests and qemu32 is used for i686 guests, when no -cpu argument is given to QEMU, or no <cpu> is provided in libvirt XML.
The following CPUs models are compatible with most AMD and Intel x86 hosts, but their usage is discouraged, as they expose a very limited featureset, which prevents guests having optimal performance.
kvm32kvm64Legacy models just for historical compatibility with ancient QEMU versions.
486athlonphenomcoreduocore2duon270pentiumpentium2pentium3QEMU supports variety of MIPS CPU models:
The following CPU models are supported for use on MIPS32 hosts. Administrators / applications are recommended to use the CPU model that matches the generation of the host CPUs in use. In a deployment with a mixture of host CPU models between machines, if live migration compatibility is required, use the newest CPU model that is compatible across all desired hosts.
mips32r6-genericP5600M14KM14Kc74Kf34Kf24Kc24KEc24Kf4Kc4Km4KEcR14KEmR14KEc4KEmThe following CPU models are supported for use on MIPS64 hosts. Administrators / applications are recommended to use the CPU model that matches the generation of the host CPUs in use. In a deployment with a mixture of host CPU models between machines, if live migration compatibility is required, use the newest CPU model that is compatible across all desired hosts.
I6400Loongson-2FLoongson-2Emips64dspr2MIPS64R2-generic5KEc5KEf20Kc5Kc5KfVR5432R4000The following CPU models are supported for use on nanoMIPS hosts. Administrators / applications are recommended to use the CPU model that matches the generation of the host CPUs in use. In a deployment with a mixture of host CPU models between machines, if live migration compatibility is required, use the newest CPU model that is compatible across all desired hosts.
I7200The following CPU models are preferred for use on different MIPS hosts:
MIPS IIIMIPS32R2MIPS64R6nanoMIPSThe example below illustrate the approach to configuring the various CPU models / features in QEMU and libvirt
$ qemu-system-x86_64 -cpu host
With feature customization:
$ qemu-system-x86_64 -cpu host,-vmx,...
$ qemu-system-x86_64 -cpu Westmere
With feature customization:
$ qemu-system-x86_64 -cpu Westmere,+pcid,...
<cpu mode='host-passthrough'/>
With feature customization:
<cpu mode='host-passthrough'>
<feature name="vmx" policy="disable"/>
...
</cpu>
<cpu mode='host-model'/>
With feature customization:
<cpu mode='host-model'>
<feature name="vmx" policy="disable"/>
...
</cpu>
<cpu mode='custom'>
<model name="Westmere"/>
</cpu>
With feature customization:
<cpu mode='custom'>
<model name="Westmere"/>
<feature name="pcid" policy="require"/>
...
</cpu>
QEMU supports many disk image formats, including growable disk images (their size increase as non empty sectors are written), compressed and encrypted disk images.
You can create a disk image with the command:
qemu-img create myimage.img mysize
where myimage.img is the disk image filename and mysize is its
size in kilobytes. You can add an M suffix to give the size in
megabytes and a G suffix for gigabytes.
See qemu_img_invocation for more information.
If you use the option -snapshot, all disk images are
considered as read only. When sectors in written, they are written in
a temporary file created in /tmp. You can however force the
write back to the raw disk images by using the commit monitor
command (or <C-a s> in the serial console).
VM snapshots are snapshots of the complete virtual machine including
CPU state, RAM, device state and the content of all the writable
disks. In order to use VM snapshots, you must have at least one non
removable and writable block device using the qcow2 disk image
format. Normally this device is the first virtual hard drive.
Use the monitor command savevm to create a new VM snapshot or
replace an existing one. A human readable name can be assigned to each
snapshot in addition to its numerical ID.
Use loadvm to restore a VM snapshot and delvm to remove
a VM snapshot. info snapshots lists the available snapshots
with their associated information:
(qemu) info snapshots Snapshot devices: hda Snapshot list (from hda): ID TAG VM SIZE DATE VM CLOCK 1 start 41M 2006-08-06 12:38:02 00:00:14.954 2 40M 2006-08-06 12:43:29 00:00:18.633 3 msys 40M 2006-08-06 12:44:04 00:00:23.514
A VM snapshot is made of a VM state info (its size is shown in
info snapshots) and a snapshot of every writable disk image.
The VM state info is stored in the first qcow2 non removable
and writable block device. The disk image snapshots are stored in
every disk image. The size of a snapshot in a disk image is difficult
to evaluate and is not shown by info snapshots because the
associated disk sectors are shared among all the snapshots to save
disk space (otherwise each snapshot would need a full copy of all the
disk images).
When using the (unrelated) -snapshot option
(disk_images_snapshot_mode), you can always make VM snapshots,
but they are deleted as soon as you exit QEMU.
VM snapshots currently have the following known limitations:
qemu-img Invocation
qemu-img [standard options] command [command options]
qemu-img allows you to create, convert and modify images offline. It can handle all image formats supported by QEMU.
Warning: Never use qemu-img to modify images in use by a running virtual machine or any other process; this may destroy the image. Also, be aware that querying an image that is being modified by another process may encounter inconsistent state.
Standard options:
Use -trace help to print a list of names of trace points.
The following commands are supported:
Command parameters:
k or K
(kilobyte, 1024) M (megabyte, 1024k) and G (gigabyte, 1024M)
and T (terabyte, 1024G) are supported. b is ignored.
-o ? for an overview of the options supported
by the used format or see the format descriptions below for details.
qemu(1) manual
page for a description of the object properties. The most common object
type is a secret, which is used to supply passwords and/or encryption
keys.
qemu-img will open the image in shared mode, allowing
other QEMU processes to open it in write mode. For example, this can be used to
get the image information (with 'info' subcommand) when the image is used by a
running guest. Note that this could produce inconsistent results because of
concurrent metadata changes, etc. This option is only allowed when opening
images in read-only mode.
SIGUSR1 or
SIGINFO signal.
k for kilobytes.
-drive cache=... option for allowed
values.
-drive cache=... option for allowed
values.
Parameters to snapshot subcommand:
Parameters to compare subcommand:
Parameters to convert subcommand:
-q), errors
will still be printed. Areas that cannot be read from the source will be
treated as containing only zeroes.
Parameters to dd subcommand:
Command description:
-w is
specified, a write test is performed, otherwise a read test is performed.
A total number of count I/O requests is performed, each buffer_size bytes in size, and with depth requests in parallel. The first request starts at the position given by offset, each following request increases the current position by step_size. If step_size is not given, buffer_size is used for its value.
If flush_interval is specified for a write test, the request queue is
drained and a flush is issued before new writes are made whenever the number of
remaining requests is a multiple of flush_interval. If additionally
--no-drain is specified, a flush is issued without draining the request
queue first.
If -n is specified, the native AIO backend is used if possible. On
Linux, this option only works if -t none or -t directsync is
specified as well.
For write tests, by default a buffer filled with zeros is written. This can be
overridden with a pattern byte specified by pattern.
human or json.
The JSON output is an object of QAPI type ImageCheck.
If -r is specified, qemu-img tries to repair any inconsistencies found
during the check. -r leaks repairs only cluster leaks, whereas
-r all fixes all kinds of errors, with a higher risk of choosing the
wrong fix or hiding corruption that has already occurred.
Only the formats qcow2, qed and vdi support
consistency checks.
In case the image does not have any inconsistencies, check exits with 0.
Other exit codes indicate the kind of inconsistency found or if another error
occurred. The following table summarizes all exit codes of the check subcommand:
If -r is specified, exit codes representing the image state refer to the
state after (the attempt at) repairing it. That is, a successful -r all
will yield the exit code 0, independently of the image state before.
The image filename is emptied after the operation has succeeded. If you do
not need filename afterwards and intend to drop it, you may skip emptying
filename by specifying the -d flag.
If the backing chain of the given image file filename has more than one
layer, the backing file into which the changes will be committed may be
specified as base (which has to be part of filename's backing
chain). If base is not specified, the immediate backing file of the top
image (which is filename) will be used. Note that after a commit operation
all images between base and the top image will be invalid and may return
garbage data when read. For this reason, -b implies -d (so that
the top image stays valid).
The format is probed unless you specify it by -f (used for filename1) and/or -F (used for filename2) option.
By default, images with different size are considered identical if the larger image contains only unallocated and/or zeroed sectors in the area after the end of the other image. In addition, if any sector is not allocated in one image and contains only zero bytes in the second one, it is evaluated as equal. You can use Strict mode by specifying the -s option. When compare runs in Strict mode, it fails in case image size differs or a sector is allocated in one image and is not allocated in the second one.
By default, compare prints out a result message. This message displays information that both images are same or the position of the first different byte. In addition, result message can report different image size in case Strict mode is used.
Compare exits with 0 in case the images are equal and with 1
in case the images differ. Other exit codes mean an error occurred during
execution and standard error output should contain an error message.
The following table sumarizes all exit codes of the compare subcommand:
-c
option) or use any format specific options like encryption (-o option).
Only the formats qcow and qcow2 support compression. The
compression is read-only. It means that if a compressed sector is
rewritten, then it is rewritten as uncompressed data.
Image conversion is also useful to get smaller image when using a
growable format such as qcow: the empty sectors are detected and
suppressed from the destination image.
sparse_size indicates the consecutive number of bytes (defaults to 4k) that must contain only zeros for qemu-img to create a sparse image during conversion. If sparse_size is 0, the source will not be scanned for unallocated or zero sectors, and the destination image will always be fully allocated.
You can use the backing_file option to force the output image to be created as a copy on write image of the specified base image; the backing_file should have the same content as the input's base image, however the path, image format, etc may differ.
If a relative path name is given, the backing file is looked up relative to the directory containing output_filename.
If the -n option is specified, the target volume creation will be
skipped. This is useful for formats such as rbd if the target
volume has already been created with site specific options that cannot
be supplied through qemu-img.
Out of order writes can be enabled with -W to improve performance.
This is only recommended for preallocated devices like host devices or other
raw block devices. Out of order write does not work in combination with
creating compressed images.
num_coroutines specifies how many coroutines work in parallel during
the convert process (defaults to 8).
If the option backing_file is specified, then the image will record
only the differences from backing_file. No size needs to be specified in
this case. backing_file will never be modified unless you use the
commit monitor command (or qemu-img commit).
If a relative path name is given, the backing file is looked up relative to the directory containing filename.
Note that a given backing file will be opened to check that it is valid. Use
the -u option to enable unsafe backing file mode, which means that the
image will be created even if the associated backing file cannot be opened. A
matching backing file must be created or additional options be used to make the
backing file specification valid when you want to use an image created this
way.
The size can also be specified using the size option with -o,
it doesn't need to be specified separately in this case.
The data is by default read and written using blocks of 512 bytes but can be modified by specifying block_size. If count=blocks is specified dd will stop reading input after reading blocks input blocks.
The size syntax is similar to dd(1)'s size syntax.
If a disk image has a backing file chain, information about each disk image in
the chain can be recursively enumerated by using the option --backing-chain.
For instance, if you have an image chain like:
base.qcow2 <- snap1.qcow2 <- snap2.qcow2
To enumerate information about each disk image in the above chain, starting from top to base, do:
qemu-img info --backing-chain snap2.qcow2
The command can output in the format ofmt which is either human or
json. The JSON output is an object of QAPI type ImageInfo; with
--backing-chain, it is an array of ImageInfo objects.
--output=human reports the following information (for every image in the
chain):
no if the image is dirty and will have to be
auto-repaired the next time it is opened in qemu.
ImageInfoSpecific* QAPI
object (e.g. ImageInfoSpecificQCow2 for qcow2 images).
Two option formats are possible. The default format (human)
only dumps known-nonzero areas of the file. Known-zero parts of the
file are omitted altogether, and likewise for parts that are not allocated
throughout the chain. qemu-img output will identify a file
from where the data can be read, and the offset in the file. Each line
will include four fields, the first three of which are hexadecimal
numbers. For example the first line of:
Offset Length Mapped to File
0 0x20000 0x50000 /tmp/overlay.qcow2
0x100000 0x10000 0x95380000 /tmp/backing.qcow2
means that 0x20000 (131072) bytes starting at offset 0 in the image are
available in /tmp/overlay.qcow2 (opened in raw format) starting
at offset 0x50000 (327680). Data that is compressed, encrypted, or
otherwise not available in raw format will cause an error if human
format is in use. Note that file names can include newlines, thus it is
not safe to parse this output format in scripts.
The alternative format json will return an array of dictionaries
in JSON format. It will include similar information in
the start, length, offset fields;
it will also include other more specific information:
data;
if false, the sectors are either unallocated or stored as optimized
all-zero clusters);
zero);
depth; for example, a depth of 2 refers to the backing file
of the backing file of filename.
In JSON format, the offset field is optional; it is absent in
cases where human format would omit the entry or exit with an error.
If data is false and the offset field is present, the
corresponding sectors in the file are not yet in use, but they are
preallocated.
For more information, consult include/block/block.h in QEMU's
source code.
human or json. The JSON output is an object of QAPI type
BlockMeasureInfo.
If the size N is given then act as if creating a new empty image file using qemu-img create. If filename is given then act as if converting an existing image file using qemu-img convert. The format of the new file is given by output_fmt while the format of an existing file is given by fmt.
A snapshot in an existing image can be specified using snapshot_param.
The following fields are reported:
required size: 524288
fully allocated size: 1074069504
The required size is the file size of the new image. It may be smaller
than the virtual disk size if the image format supports compact representation.
The fully allocated size is the file size of the new image once data has
been written to all sectors. This is the maximum size that the image file can
occupy with the exception of internal snapshots, dirty bitmaps, vmstate data,
and other advanced image format features.
qcow2 and
qed support changing the backing file.
The backing file is changed to backing_file and (if the image format of filename supports this) the backing file format is changed to backing_fmt. If backing_file is specified as “” (the empty string), then the image is rebased onto no backing file (i.e. it will exist independently of any backing file).
If a relative path name is given, the backing file is looked up relative to the directory containing filename.
cache specifies the cache mode to be used for filename, whereas src_cache specifies the cache mode for reading backing files.
There are two different modes in which rebase can operate:
In order to achieve this, any clusters that differ between backing_file and the old backing file of filename are merged into filename before actually changing the backing file.
Note that the safe mode is an expensive operation, comparable to converting
an image. It only works if the old backing file still exists.
-u is specified. In this mode, only the
backing file name and format of filename is changed without any checks
on the file contents. The user must take care of specifying the correct new
backing file, or the guest-visible content of the image will be corrupted.
This mode is useful for renaming or moving the backing file to somewhere else. It can be used without an accessible old backing file, i.e. you can use it to fix an image whose backing file has already been moved/renamed.
You can use rebase to perform a “diff” operation on two
disk images. This can be useful when you have copied or cloned
a guest, and you want to get back to a thin image on top of a
template or base image.
Say that base.img has been cloned as modified.img by
copying it, and that the modified.img guest has run so there
are now some changes compared to base.img. To construct a thin
image called diff.qcow2 that contains just the differences, do:
qemu-img create -f qcow2 -b modified.img diff.qcow2
qemu-img rebase -b base.img diff.qcow2
At this point, modified.img can be discarded, since
base.img + diff.qcow2 contains the same information.
Before using this command to shrink a disk image, you MUST use file system and partitioning tools inside the VM to reduce allocated file systems and partition sizes accordingly. Failure to do so will result in data loss!
When shrinking images, the --shrink option must be given. This informs
qemu-img that the user acknowledges all loss of data beyond the truncated
image's end.
After using this command to grow a disk image, you must use file system and partitioning tools inside the VM to actually begin using the new space on the device.
When growing an image, the --preallocation option may be used to specify
how the additional image area should be allocated on the host. See the format
description in the NOTES section which values are allowed. Using this
option may result in slightly more data being allocated than necessary.
qemu-nbd Invocationqemu-nbd [OPTION]... filename qemu-nbd -L [OPTION]... qemu-nbd -d dev
Export a QEMU disk image using the NBD protocol.
Other uses:
filename is a disk image filename, or a set of block driver options if --image-opts is specified.
dev is an NBD device.
qemu(1) manual page for full details of the properties
supported. The common object types that it makes sense to define are the
secret object, which is used to supply passwords and/or encryption
keys, and the tls-creds object, which is used to supply TLS
credentials for the qemu-nbd server or client.
format=' option should be set.
-drive cache=... option for allowed values.
Use -trace help to print a list of names of trace points.
Start a server listening on port 10809 that exposes only the guest-visible contents of a qcow2 file, with no TLS encryption, and with the default export name (an empty string). The command is one-shot, and will block until the first successful client disconnects:
qemu-nbd -f qcow2 file.qcow2
Start a long-running server listening with encryption on port 10810, and whitelist clients with a specific X.509 certificate to connect to a 1 megabyte subset of a raw file, using the export name 'subset':
qemu-nbd \
--object tls-creds-x509,id=tls0,endpoint=server,dir=/path/to/qemutls \
--object 'authz-simple,id=auth0,identity=CN=laptop.example.com,,\
O=Example Org,,L=London,,ST=London,,C=GB' \
--tls-creds tls0 --tls-authz auth0 \
-t -x subset -p 10810 \
--image-opts driver=raw,offset=1M,size=1M,file.driver=file,file.filename=file.raw
Serve a read-only copy of just the first MBR partition of a guest image over a Unix socket with as many as 5 simultaneous readers, with a persistent process forked as a daemon:
qemu-nbd --fork --persistent --shared=5 --socket=/path/to/sock \ --partition=1 --read-only --format=qcow2 file.qcow2
Expose the guest-visible contents of a qcow2 file via a block device
/dev/nbd0 (and possibly creating /dev/nbd0p1 and friends for
partitions found within), then disconnect the device when done.
Access to bind qemu-nbd to an /dev/nbd device generally requires root
privileges, and may also require the execution of modprobe nbd
to enable the kernel NBD client module. CAUTION: Do not use
this method to mount filesystems from an untrusted guest image - a
malicious guest may have prepared the image to attempt to trigger
kernel bugs in partition probing or file system mounting.
qemu-nbd -c /dev/nbd0 -f qcow2 file.qcow2 qemu-nbd -d /dev/nbd0
Query a remote server to see details about what export(s) it is serving on port 10809, and authenticating via PSK:
qemu-nbd \ --object tls-creds-psk,id=tls0,dir=/tmp/keys,username=eblake,endpoint=client \ --tls-creds tls0 -L -b remote.example.com
QEMU block driver reference manual
QEMU supports many image file formats that can be used with VMs as well as with
any of the tools (like qemu-img). This includes the preferred formats
raw and qcow2 as well as formats that are supported for compatibility with
older QEMU versions or other hypervisors.
Depending on the image format, different options can be passed to
qemu-img create and qemu-img convert using the -o option.
This section describes each format and the options that are supported for it.
qemu-img info to know the real size used by the
image or ls -ls on Unix/Linux.
Supported options:
preallocationoff, falloc, full).
falloc mode preallocates space for image by calling posix_fallocate().
full mode preallocates space for image by writing zeros to underlying
storage.
Supported options:
compatcompat=0.10 uses the
traditional image format that can be read by any QEMU since 0.10.
compat=1.1 enables image format extensions that only QEMU 1.1 and
newer understand (this is the default). Amongst others, this includes
zero clusters, which allow efficient copy-on-read for sparse images.
backing_filebacking_fmtencryptionencrypt.format=aes
encrypt.formatluks, it requests that the qcow2 payload (not
qcow2 header) be encrypted using the LUKS format. The passphrase to
use to unlock the LUKS key slot is given by the encrypt.key-secret
parameter. LUKS encryption parameters can be tuned with the other
encrypt.* parameters.
If this is set to aes, the image is encrypted with 128-bit AES-CBC.
The encryption key is given by the encrypt.key-secret parameter.
This encryption format is considered to be flawed by modern cryptography
standards, suffering from a number of design problems:
The use of this is no longer supported in system emulators. Support only
remains in the command line utilities, for the purposes of data liberation
and interoperability with old versions of QEMU. The luks format
should be used instead.
encrypt.key-secretsecret object that contains the passphrase
(encrypt.format=luks) or encryption key (encrypt.format=aes).
encrypt.cipher-algaes-256. Only used when encrypt.format=luks.
encrypt.cipher-modexts.
Only used when encrypt.format=luks.
encrypt.ivgen-algplain64. Only used when encrypt.format=luks.
encrypt.ivgen-hash-algsha256. Only used when encrypt.format=luks.
encrypt.hash-algsha256. Only used when encrypt.format=luks.
encrypt.iter-time2000. Only used when encrypt.format=luks.
cluster_sizepreallocationoff, metadata, falloc,
full). An image with preallocated metadata is initially larger but can
improve performance when the image needs to grow. falloc and full
preallocations are like the same options of raw format, but sets up
metadata also.
lazy_refcountson, reference count updates are postponed with
the goal of avoiding metadata I/O and improving performance. This is
particularly interesting with cache=writethrough which doesn't batch
metadata updates. The tradeoff is that after a host crash, the reference count
tables must be rebuilt, i.e. on the next open an (automatic) qemu-img
check -r all is required, which may take some time.
This option can only be enabled if compat=1.1 is specified.
nocowon, it will turn off COW of the file. It's only
valid on btrfs, no effect on other file systems.
Btrfs has low performance when hosting a VM image file, even more when the guest on the VM also using btrfs as file system. Turning off COW is a way to mitigate this bad performance. Generally there are two ways to turn off COW on btrfs: a) Disable it by mounting with nodatacow, then all newly created files will be NOCOW. b) For an empty file, add the NOCOW file attribute. That's what this option does.
Note: this option is only valid to new or empty files. If there is an existing
file which is COW and has data blocks already, it couldn't be changed to NOCOW
by setting nocow=on. One can issue lsattr filename to check if
the NOCOW flag is set or not (Capital 'C' is NOCOW flag).
When converting QED images to qcow2, you might want to consider using the
lazy_refcounts=on option to get a more QED-like behaviour.
Supported options:
backing_filebacking_fmtcluster_sizetable_sizeSupported options:
backing_fileencryptionencrypt.format=aes
encrypt.formataes, the image is encrypted with 128-bit AES-CBC.
The encryption key is given by the encrypt.key-secret parameter.
This encryption format is considered to be flawed by modern cryptography
standards, suffering from a number of design problems enumerated previously
against the qcow2 image format.
The use of this is no longer supported in system emulators. Support only remains in the command line utilities, for the purposes of data liberation and interoperability with old versions of QEMU.
Users requiring native encryption should use the qcow2 format
instead with encrypt.format=luks.
encrypt.key-secretsecret object that contains the encryption
key (encrypt.format=aes).
Supported options:
key-secretsecret object that contains the passphrase.
cipher-algaes-256.
cipher-modexts.
ivgen-algplain64.
ivgen-hash-algsha256.
hash-algsha256.
iter-time2000.
staticon, the image is created with metadata
preallocation.
Supported options:
backing_filecompat6hwversionsubformatmonolithicSparse (default),
monolithicFlat,
twoGbMaxExtentSparse,
twoGbMaxExtentFlat and
streamOptimized.
subformatdynamic (default) and fixed.
subformatdynamic (default) and fixed.
block_state_zeroon (default)
or off. When set to off, new blocks will be created as
PAYLOAD_BLOCK_NOT_PRESENT, which means parsers are free to return
arbitrary data for those blocks. Do not set to off when using
qemu-img convert with subformat=dynamic.
block_sizelog_sizeMore disk image file formats are supported in a read-only mode.
growing type.
In addition to disk image files, QEMU can directly access host devices. We describe here the usage for QEMU version >= 0.8.3.
On Linux, you can directly use the host device filename instead of a disk image filename provided you have enough privileges to access it. For example, use /dev/cdrom to access to the CDROM.
CDFloppyHard disksCDCurrently there is no specific code to handle removable media, so it
is better to use the change or eject monitor commands to
change or eject media.
Hard disksWARNING: unless you know what you do, it is better to only make READ-ONLY accesses to the hard disk otherwise you may corrupt your host data (use the -snapshot command line so that the modifications are written in a temporary file).
/dev/cdrom is an alias to the first CDROM.
Currently there is no specific code to handle removable media, so it
is better to use the change or eject monitor commands to
change or eject media.
QEMU can automatically create a virtual FAT disk image from a directory tree. In order to use it, just type:
qemu-system-i386 linux.img -hdb fat:/my_directory
Then you access access to all the files in the /my_directory directory without having to copy them in a disk image or to export them via SAMBA or NFS. The default access is read-only.
Floppies can be emulated with the :floppy: option:
qemu-system-i386 linux.img -fda fat:floppy:/my_directory
A read/write support is available for testing (beta stage) with the
:rw: option:
qemu-system-i386 linux.img -fda fat:floppy:rw:/my_directory
What you should never do:
QEMU can access directly to block device exported using the Network Block Device protocol.
qemu-system-i386 linux.img -hdb nbd://my_nbd_server.mydomain.org:1024/
If the NBD server is located on the same host, you can use an unix socket instead of an inet socket:
qemu-system-i386 linux.img -hdb nbd+unix://?socket=/tmp/my_socket
In this case, the block device must be exported using qemu-nbd:
qemu-nbd --socket=/tmp/my_socket my_disk.qcow2
The use of qemu-nbd allows sharing of a disk between several guests:
qemu-nbd --socket=/tmp/my_socket --share=2 my_disk.qcow2
and then you can use it with two guests:
qemu-system-i386 linux1.img -hdb nbd+unix://?socket=/tmp/my_socket qemu-system-i386 linux2.img -hdb nbd+unix://?socket=/tmp/my_socket
If the nbd-server uses named exports (supported since NBD 2.9.18, or with QEMU's own embedded NBD server), you must specify an export name in the URI:
qemu-system-i386 -cdrom nbd://localhost/debian-500-ppc-netinst qemu-system-i386 -cdrom nbd://localhost/openSUSE-11.1-ppc-netinst
The URI syntax for NBD is supported since QEMU 1.3. An alternative syntax is also available. Here are some example of the older syntax:
qemu-system-i386 linux.img -hdb nbd:my_nbd_server.mydomain.org:1024 qemu-system-i386 linux2.img -hdb nbd:unix:/tmp/my_socket qemu-system-i386 -cdrom nbd:localhost:10809:exportname=debian-500-ppc-netinst
Sheepdog is a distributed storage system for QEMU. It provides highly available block level storage volumes that can be attached to QEMU-based virtual machines.
You can create a Sheepdog disk image with the command:
qemu-img create sheepdog:///image size
where image is the Sheepdog image name and size is its size.
To import the existing filename to Sheepdog, you can use a convert command.
qemu-img convert filename sheepdog:///image
You can boot from the Sheepdog disk image with the command:
qemu-system-i386 sheepdog:///image
You can also create a snapshot of the Sheepdog image like qcow2.
qemu-img snapshot -c tag sheepdog:///image
where tag is a tag name of the newly created snapshot.
To boot from the Sheepdog snapshot, specify the tag name of the snapshot.
qemu-system-i386 sheepdog:///image#tag
You can create a cloned image from the existing snapshot.
qemu-img create -b sheepdog:///base#tag sheepdog:///image
where base is an image name of the source snapshot and tag is its tag name.
You can use an unix socket instead of an inet socket:
qemu-system-i386 sheepdog+unix:///image?socket=path
If the Sheepdog daemon doesn't run on the local host, you need to specify one of the Sheepdog servers to connect to.
qemu-img create sheepdog://hostname:port/image size qemu-system-i386 sheepdog://hostname:port/image
iSCSI is a popular protocol used to access SCSI devices across a computer network.
There are two different ways iSCSI devices can be used by QEMU.
The first method is to mount the iSCSI LUN on the host, and make it appear as any other ordinary SCSI device on the host and then to access this device as a /dev/sd device from QEMU. How to do this differs between host OSes.
The second method involves using the iSCSI initiator that is built into QEMU. This provides a mechanism that works the same way regardless of which host OS you are running QEMU on. This section will describe this second method of using iSCSI together with QEMU.
In QEMU, iSCSI devices are described using special iSCSI URLs
URL syntax: iscsi://[<username>[%<password>]@]<host>[:<port>]/<target-iqn-name>/<lun>
Username and password are optional and only used if your target is set up using CHAP authentication for access control. Alternatively the username and password can also be set via environment variables to have these not show up in the process list
export LIBISCSI_CHAP_USERNAME=<username> export LIBISCSI_CHAP_PASSWORD=<password> iscsi://<host>/<target-iqn-name>/<lun>
Various session related parameters can be set via special options, either in a configuration file provided via '-readconfig' or directly on the command line.
If the initiator-name is not specified qemu will use a default name of 'iqn.2008-11.org.linux-kvm[:<uuid>'] where <uuid> is the UUID of the virtual machine. If the UUID is not specified qemu will use 'iqn.2008-11.org.linux-kvm[:<name>'] where <name> is the name of the virtual machine.
Setting a specific initiator name to use when logging in to the target -iscsi initiator-name=iqn.qemu.test:my-initiator
Controlling which type of header digest to negotiate with the target -iscsi header-digest=CRC32C|CRC32C-NONE|NONE-CRC32C|NONE
These can also be set via a configuration file
[iscsi] user = "CHAP username" password = "CHAP password" initiator-name = "iqn.qemu.test:my-initiator" # header digest is one of CRC32C|CRC32C-NONE|NONE-CRC32C|NONE header-digest = "CRC32C"
Setting the target name allows different options for different targets
[iscsi "iqn.target.name"] user = "CHAP username" password = "CHAP password" initiator-name = "iqn.qemu.test:my-initiator" # header digest is one of CRC32C|CRC32C-NONE|NONE-CRC32C|NONE header-digest = "CRC32C"
Howto use a configuration file to set iSCSI configuration options:
cat >iscsi.conf <<EOF
[iscsi]
user = "me"
password = "my password"
initiator-name = "iqn.qemu.test:my-initiator"
header-digest = "CRC32C"
EOF
qemu-system-i386 -drive file=iscsi://127.0.0.1/iqn.qemu.test/1 \
-readconfig iscsi.conf
How to set up a simple iSCSI target on loopback and access it via QEMU:
This example shows how to set up an iSCSI target with one CDROM and one DISK
using the Linux STGT software target. This target is available on Red Hat based
systems as the package 'scsi-target-utils'.
tgtd --iscsi portal=127.0.0.1:3260
tgtadm --lld iscsi --op new --mode target --tid 1 -T iqn.qemu.test
tgtadm --lld iscsi --mode logicalunit --op new --tid 1 --lun 1 \
-b /IMAGES/disk.img --device-type=disk
tgtadm --lld iscsi --mode logicalunit --op new --tid 1 --lun 2 \
-b /IMAGES/cd.iso --device-type=cd
tgtadm --lld iscsi --op bind --mode target --tid 1 -I ALL
qemu-system-i386 -iscsi initiator-name=iqn.qemu.test:my-initiator \
-boot d -drive file=iscsi://127.0.0.1/iqn.qemu.test/1 \
-cdrom iscsi://127.0.0.1/iqn.qemu.test/2
GlusterFS is a user space distributed file system.
You can boot from the GlusterFS disk image with the command:
URI:
qemu-system-x86_64 -drive file=gluster[+type]://[host[:port]]/volume/path
[?socket=...][,file.debug=9][,file.logfile=...]
JSON:
qemu-system-x86_64 'json:{"driver":"qcow2",
"file":{"driver":"gluster",
"volume":"testvol","path":"a.img","debug":9,"logfile":"...",
"server":[{"type":"tcp","host":"...","port":"..."},
{"type":"unix","socket":"..."}]}}'
gluster is the protocol.
type specifies the transport type used to connect to gluster management daemon (glusterd). Valid transport types are tcp and unix. In the URI form, if a transport type isn't specified, then tcp type is assumed.
host specifies the server where the volume file specification for the given volume resides. This can be either a hostname or an ipv4 address. If transport type is unix, then host field should not be specified. Instead socket field needs to be populated with the path to unix domain socket.
port is the port number on which glusterd is listening. This is optional and if not specified, it defaults to port 24007. If the transport type is unix, then port should not be specified.
volume is the name of the gluster volume which contains the disk image.
path is the path to the actual disk image that resides on gluster volume.
debug is the logging level of the gluster protocol driver. Debug levels are 0-9, with 9 being the most verbose, and 0 representing no debugging output. The default level is 4. The current logging levels defined in the gluster source are 0 - None, 1 - Emergency, 2 - Alert, 3 - Critical, 4 - Error, 5 - Warning, 6 - Notice, 7 - Info, 8 - Debug, 9 - Trace
logfile is a commandline option to mention log file path which helps in logging to the specified file and also help in persisting the gfapi logs. The default is stderr.
You can create a GlusterFS disk image with the command:
qemu-img create gluster://host/volume/path size
Examples
qemu-system-x86_64 -drive file=gluster://1.2.3.4/testvol/a.img
qemu-system-x86_64 -drive file=gluster+tcp://1.2.3.4/testvol/a.img
qemu-system-x86_64 -drive file=gluster+tcp://1.2.3.4:24007/testvol/dir/a.img
qemu-system-x86_64 -drive file=gluster+tcp://[1:2:3:4:5:6:7:8]/testvol/dir/a.img
qemu-system-x86_64 -drive file=gluster+tcp://[1:2:3:4:5:6:7:8]:24007/testvol/dir/a.img
qemu-system-x86_64 -drive file=gluster+tcp://server.domain.com:24007/testvol/dir/a.img
qemu-system-x86_64 -drive file=gluster+unix:///testvol/dir/a.img?socket=/tmp/glusterd.socket
qemu-system-x86_64 -drive file=gluster+rdma://1.2.3.4:24007/testvol/a.img
qemu-system-x86_64 -drive file=gluster://1.2.3.4/testvol/a.img,file.debug=9,file.logfile=/var/log/qemu-gluster.log
qemu-system-x86_64 'json:{"driver":"qcow2",
"file":{"driver":"gluster",
"volume":"testvol","path":"a.img",
"debug":9,"logfile":"/var/log/qemu-gluster.log",
"server":[{"type":"tcp","host":"1.2.3.4","port":24007},
{"type":"unix","socket":"/var/run/glusterd.socket"}]}}'
qemu-system-x86_64 -drive driver=qcow2,file.driver=gluster,file.volume=testvol,file.path=/path/a.img,
file.debug=9,file.logfile=/var/log/qemu-gluster.log,
file.server.0.type=tcp,file.server.0.host=1.2.3.4,file.server.0.port=24007,
file.server.1.type=unix,file.server.1.socket=/var/run/glusterd.socket
You can access disk images located on a remote ssh server by using the ssh protocol:
qemu-system-x86_64 -drive file=ssh://[user@]server[:port]/path[?host_key_check=host_key_check]
Alternative syntax using properties:
qemu-system-x86_64 -drive file.driver=ssh[,file.user=user],file.host=server[,file.port=port],file.path=path[,file.host_key_check=host_key_check]
ssh is the protocol.
user is the remote user. If not specified, then the local username is tried.
server specifies the remote ssh server. Any ssh server can be used, but it must implement the sftp-server protocol. Most Unix/Linux systems should work without requiring any extra configuration.
port is the port number on which sshd is listening. By default the standard ssh port (22) is used.
path is the path to the disk image.
The optional host_key_check parameter controls how the remote
host's key is checked. The default is yes which means to use
the local .ssh/known_hosts file. Setting this to no
turns off known-hosts checking. Or you can check that the host key
matches a specific fingerprint:
host_key_check=md5:78:45:8e:14:57:4f:d5:45:83:0a:0e:f3:49:82:c9:c8
(sha1: can also be used as a prefix, but note that OpenSSH
tools only use MD5 to print fingerprints).
Currently authentication must be done using ssh-agent. Other authentication methods may be supported in future.
Note: Many ssh servers do not support an fsync-style operation.
The ssh driver cannot guarantee that disk flush requests are
obeyed, and this causes a risk of disk corruption if the remote
server or network goes down during writes. The driver will
print a warning when fsync is not supported:
warning: ssh server ssh.example.com:22 does not support fsync
With sufficiently new versions of libssh and OpenSSH, fsync is
supported.
NVM Express (NVMe) storage controllers can be accessed directly by a userspace
driver in QEMU. This bypasses the host kernel file system and block layers
while retaining QEMU block layer functionalities, such as block jobs, I/O
throttling, image formats, etc. Disk I/O performance is typically higher than
with -drive file=/dev/sda using either thread pool or linux-aio.
The controller will be exclusively used by the QEMU process once started. To be able to share storage between multiple VMs and other applications on the host, please use the file based protocols.
Before starting QEMU, bind the host NVMe controller to the host vfio-pci driver. For example:
# modprobe vfio-pci # lspci -n -s 0000:06:0d.0 06:0d.0 0401: 1102:0002 (rev 08) # echo 0000:06:0d.0 > /sys/bus/pci/devices/0000:06:0d.0/driver/unbind # echo 1102 0002 > /sys/bus/pci/drivers/vfio-pci/new_id # qemu-system-x86_64 -drive file=nvme://host:bus:slot.func/namespace
Alternative syntax using properties:
qemu-system-x86_64 -drive file.driver=nvme,file.device=host:bus:slot.func,file.namespace=namespace
host:bus:slot.func is the NVMe controller's PCI device address on the host.
namespace is the NVMe namespace number, starting from 1.
By default, QEMU tries to protect image files from unexpected concurrent access, as long as it's supported by the block protocol driver and host operating system. If multiple QEMU processes (including QEMU emulators and utilities) try to open the same image with conflicting accessing modes, all but the first one will get an error.
This feature is currently supported by the file protocol on Linux with the Open File Descriptor (OFD) locking API, and can be configured to fall back to POSIX locking if the POSIX host doesn't support Linux OFD locking.
To explicitly enable image locking, specify "locking=on" in the file protocol driver options. If OFD locking is not possible, a warning will be printed and the POSIX locking API will be used. In this case there is a risk that the lock will get silently lost when doing hot plugging and block jobs, due to the shortcomings of the POSIX locking API.
QEMU transparently handles lock handover during shared storage migration. For shared virtual disk images between multiple VMs, the "share-rw" device option should be used.
By default, the guest has exclusive write access to its disk image. If the
guest can safely share the disk image with other writers the -device
...,share-rw=on parameter can be used. This is only safe if the guest is
running software, such as a cluster file system, that coordinates disk accesses
to avoid corruption.
Note that share-rw=on only declares the guest's ability to share the disk. Some QEMU features, such as image file formats, require exclusive write access to the disk image and this is unaffected by the share-rw=on option.
Alternatively, locking can be fully disabled by "locking=off" block device option. In the command line, the option is usually in the form of "file.locking=off" as the protocol driver is normally placed as a "file" child under a format driver. For example:
-blockdev driver=qcow2,file.filename=/path/to/image,file.locking=off,file.driver=file
To check if image locking is active, check the output of the "lslocks" command on host and see if there are locks held by the QEMU process on the image file. More than one byte could be locked by the QEMU instance, each byte of which reflects a particular permission that is acquired or protected by the running block driver.
QEMU can simulate several network cards (e.g. PCI or ISA cards on the PC target) and can connect them to a network backend on the host or an emulated hub. The various host network backends can either be used to connect the NIC of the guest to a real network (e.g. by using a TAP devices or the non-privileged user mode network stack), or to other guest instances running in another QEMU process (e.g. by using the socket host network backend).
This is the standard way to connect QEMU to a real network. QEMU adds
a virtual network device on your host (called tapN), and you
can then configure it as if it was a real ethernet card.
As an example, you can download the linux-test-xxx.tar.gz
archive and copy the script qemu-ifup in /etc and
configure properly sudo so that the command ifconfig
contained in qemu-ifup can be executed as root. You must verify
that your host kernel supports the TAP network interfaces: the
device /dev/net/tun must be present.
See sec_invocation to have examples of command lines using the TAP network interfaces.
There is a virtual ethernet driver for Windows 2000/XP systems, called TAP-Win32. But it is not included in standard QEMU for Windows, so you will need to get it separately. It is part of OpenVPN package, so download OpenVPN from : https://openvpn.net/.
By using the option -net user (default configuration if no -net option is specified), QEMU uses a completely user mode network stack (you don't need root privilege to use the virtual network). The virtual network configuration is the following:
guest (10.0.2.15) <------> Firewall/DHCP server <-----> Internet
| (10.0.2.2)
|
----> DNS server (10.0.2.3)
|
----> SMB server (10.0.2.4)
The QEMU VM behaves as if it was behind a firewall which blocks all incoming connections. You can use a DHCP client to automatically configure the network in the QEMU VM. The DHCP server assign addresses to the hosts starting from 10.0.2.15.
In order to check that the user mode network is working, you can ping the address 10.0.2.2 and verify that you got an address in the range 10.0.2.x from the QEMU virtual DHCP server.
Note that ICMP traffic in general does not work with user mode networking.
ping, aka. ICMP echo, to the local router (10.0.2.2) shall work,
however. If you're using QEMU on Linux >= 3.0, it can use unprivileged ICMP
ping sockets to allow ping to the Internet. The host admin has to set
the ping_group_range in order to grant access to those sockets. To allow ping
for GID 100 (usually users group):
echo 100 100 > /proc/sys/net/ipv4/ping_group_range
When using the built-in TFTP server, the router is also the TFTP server.
When using the '-netdev user,hostfwd=...' option, TCP or UDP connections can be redirected from the host to the guest. It allows for example to redirect X11, telnet or SSH connections.
QEMU can simulate several hubs. A hub can be thought of as a virtual connection between several network devices. These devices can be for example QEMU virtual ethernet cards or virtual Host ethernet devices (TAP devices). You can connect guest NICs or host network backends to such a hub using the -netdev hubport or -nic hubport options. The legacy -net option also connects the given device to the emulated hub with ID 0 (i.e. the default hub) unless you specify a netdev with -net nic,netdev=xxx here.
Using the -netdev socket (or -nic socket or -net socket) option, it is possible to create emulated networks that span several QEMU instances. See the description of the -netdev socket option in the Invocation chapter to have a basic example.
On Linux hosts, a shared memory device is available. The basic syntax is:
qemu-system-x86_64 -device ivshmem-plain,memdev=hostmem
where hostmem names a host memory backend. For a POSIX shared memory backend, use something like
-object memory-backend-file,size=1M,share,mem-path=/dev/shm/ivshmem,id=hostmem
If desired, interrupts can be sent between guest VMs accessing the same shared memory region. Interrupt support requires using a shared memory server and using a chardev socket to connect to it. The code for the shared memory server is qemu.git/contrib/ivshmem-server. An example syntax when using the shared memory server is:
# First start the ivshmem server once and for all
ivshmem-server -p pidfile -S path -m shm-name -l shm-size -n vectors
# Then start your qemu instances with matching arguments
qemu-system-x86_64 -device ivshmem-doorbell,vectors=vectors,chardev=id
-chardev socket,path=path,id=id
When using the server, the guest will be assigned a VM ID (>=0) that allows guests using the same server to communicate via interrupts. Guests can read their VM ID from a device register (see ivshmem-spec.txt).
With device property master=on, the guest will copy the shared memory on migration to the destination host. With master=off, the guest will not be able to migrate with the device attached. In the latter case, the device should be detached and then reattached after migration using the PCI hotplug support.
At most one of the devices sharing the same memory can be master. The master must complete migration before you plug back the other devices.
Instead of specifying the <shm size> using POSIX shm, you may specify a memory backend that has hugepage support:
qemu-system-x86_64 -object memory-backend-file,size=1G,mem-path=/dev/hugepages/my-shmem-file,share,id=mb1
-device ivshmem-plain,memdev=mb1
ivshmem-server also supports hugepages mount points with the -m memory path argument.
This section explains how to launch a Linux kernel inside QEMU without having to make a full bootable image. It is very useful for fast Linux kernel testing.
The syntax is:
qemu-system-i386 -kernel arch/i386/boot/bzImage -hda root-2.4.20.img -append "root=/dev/hda"
Use -kernel to provide the Linux kernel image and -append to give the kernel command line arguments. The -initrd option can be used to provide an INITRD image.
When using the direct Linux boot, a disk image for the first hard disk hda is required because its boot sector is used to launch the Linux kernel.
If you do not need graphical output, you can disable it and redirect the virtual serial port and the QEMU monitor to the console with the -nographic option. The typical command line is:
qemu-system-i386 -kernel arch/i386/boot/bzImage -hda root-2.4.20.img \
-append "root=/dev/hda console=ttyS0" -nographic
Use <Ctrl-a c> to switch between the serial console and the monitor (see pcsys_keys).
QEMU can emulate a PCI UHCI, OHCI, EHCI or XHCI USB controller. You can plug virtual USB devices or real host USB devices (only works with certain host operating systems). QEMU will automatically create and connect virtual USB hubs as necessary to connect multiple USB devices.
USB devices can be connected with the -device usb-... command line
option or the device_add monitor command. Available devices are:
usb-mouseusb-tabletusb-storage,drive=drive_idusb-uasusb-botusb-mtp,rootdir=dirusb-host,hostbus=bus,hostaddr=addrusb-host,vendorid=vendor,productid=productusb-wacom-tablettablet
above but it can be used with the tslib library because in addition to touch
coordinates it reports touch pressure.
usb-kbdusb-serial,chardev=idusb-braille,chardev=idusb-net[,netdev=id]-netdev ...,id=id.
For instance, user-mode networking can be used with
qemu-system-i386 [...] -netdev user,id=net0 -device usb-net,netdev=net0
usb-ccidusb-audiousb-bt-dongle-bt hci,vlan=0).
Note that the syntax for the -device usb-bt-dongle option is not as
useful yet as it was with the legacy -usbdevice option. So to
configure an USB bluetooth device, you might need to use
"-usbdevice bt[:hci-type]" instead. This configures a
bluetooth dongle whose type is specified in the same format as with
the -bt hci option, see allowed HCI types. If
no type is given, the HCI logic corresponds to -bt hci,vlan=0.
This USB device implements the USB Transport Layer of HCI. Example
usage:
qemu-system-i386 [...OPTIONS...] -usbdevice bt:hci,vlan=3 -bt device:keyboard,vlan=3
WARNING: this is an experimental feature. QEMU will slow down when using it. USB devices requiring real time streaming (i.e. USB Video Cameras) are not supported yet.
ls /proc/bus/usb
001 devices drivers
chown -R myuid /proc/bus/usb
info usbhost
Device 1.2, speed 480 Mb/s
Class 00: USB device 1234:5678, USB DISK
You should see the list of the devices you can use (Never try to use hubs, it won't work).
device_add usb-host,vendorid=0x1234,productid=0x5678
Normally the guest OS should report that a new USB device is plugged. You can use the option -device usb-host,... to do the same.
When relaunching QEMU, you may have to unplug and plug again the USB device to make it work again (this is a bug).
The VNC server capability provides access to the graphical console of the guest VM across the network. This has a number of security considerations depending on the deployment scenarios.
The simplest VNC server setup does not include any form of authentication. For this setup it is recommended to restrict it to listen on a UNIX domain socket only. For example
qemu-system-i386 [...OPTIONS...] -vnc unix:/home/joebloggs/.qemu-myvm-vnc
This ensures that only users on local box with read/write access to that path can access the VNC server. To securely access the VNC server from a remote machine, a combination of netcat+ssh can be used to provide a secure tunnel.
The VNC protocol has limited support for password based authentication. Since
the protocol limits passwords to 8 characters it should not be considered
to provide high security. The password can be fairly easily brute-forced by
a client making repeat connections. For this reason, a VNC server using password
authentication should be restricted to only listen on the loopback interface
or UNIX domain sockets. Password authentication is not supported when operating
in FIPS 140-2 compliance mode as it requires the use of the DES cipher. Password
authentication is requested with the password option, and then once QEMU
is running the password is set with the monitor. Until the monitor is used to
set the password all clients will be rejected.
qemu-system-i386 [...OPTIONS...] -vnc :1,password -monitor stdio (qemu) change vnc password Password: ******** (qemu)
The QEMU VNC server also implements the VeNCrypt extension allowing use of TLS for encryption of the session, and x509 certificates for authentication. The use of x509 certificates is strongly recommended, because TLS on its own is susceptible to man-in-the-middle attacks. Basic x509 certificate support provides a secure session, but no authentication. This allows any client to connect, and provides an encrypted session.
qemu-system-i386 [...OPTIONS...] \ -object tls-creds-x509,id=tls0,dir=/etc/pki/qemu,endpoint=server,verify-peer=no \ -vnc :1,tls-creds=tls0 -monitor stdio
In the above example /etc/pki/qemu should contain at least three files,
ca-cert.pem, server-cert.pem and server-key.pem. Unprivileged
users will want to use a private directory, for example $HOME/.pki/qemu.
NB the server-key.pem file should be protected with file mode 0600 to
only be readable by the user owning it.
Certificates can also provide a means to authenticate the client connecting.
The server will request that the client provide a certificate, which it will
then validate against the CA certificate. This is a good choice if deploying
in an environment with a private internal certificate authority. It uses the
same syntax as previously, but with verify-peer set to yes
instead.
qemu-system-i386 [...OPTIONS...] \ -object tls-creds-x509,id=tls0,dir=/etc/pki/qemu,endpoint=server,verify-peer=yes \ -vnc :1,tls-creds=tls0 -monitor stdio
Finally, the previous method can be combined with VNC password authentication to provide two layers of authentication for clients.
qemu-system-i386 [...OPTIONS...] \ -object tls-creds-x509,id=tls0,dir=/etc/pki/qemu,endpoint=server,verify-peer=yes \ -vnc :1,tls-creds=tls0,password -monitor stdio (qemu) change vnc password Password: ******** (qemu)
The SASL authentication method is a VNC extension, that provides an easily extendable, pluggable authentication method. This allows for integration with a wide range of authentication mechanisms, such as PAM, GSSAPI/Kerberos, LDAP, SQL databases, one-time keys and more. The strength of the authentication depends on the exact mechanism configured. If the chosen mechanism also provides a SSF layer, then it will encrypt the datastream as well.
Refer to the later docs on how to choose the exact SASL mechanism used for authentication, but assuming use of one supporting SSF, then QEMU can be launched with:
qemu-system-i386 [...OPTIONS...] -vnc :1,sasl -monitor stdio
If the desired SASL authentication mechanism does not supported SSF layers, then it is strongly advised to run it in combination with TLS and x509 certificates. This provides securely encrypted data stream, avoiding risk of compromising of the security credentials. This can be enabled, by combining the 'sasl' option with the aforementioned TLS + x509 options:
qemu-system-i386 [...OPTIONS...] \ -object tls-creds-x509,id=tls0,dir=/etc/pki/qemu,endpoint=server,verify-peer=yes \ -vnc :1,tls-creds=tls0,sasl -monitor stdio
The following documentation assumes use of the Cyrus SASL implementation on a Linux host, but the principles should apply to any other SASL implementation or host. When SASL is enabled, the mechanism configuration will be loaded from system default SASL service config /etc/sasl2/qemu.conf. If running QEMU as an unprivileged user, an environment variable SASL_CONF_PATH can be used to make it search alternate locations for the service config file.
If the TLS option is enabled for VNC, then it will provide session encryption, otherwise the SASL mechanism will have to provide encryption. In the latter case the list of possible plugins that can be used is drastically reduced. In fact only the GSSAPI SASL mechanism provides an acceptable level of security by modern standards. Previous versions of QEMU referred to the DIGEST-MD5 mechanism, however, it has multiple serious flaws described in detail in RFC 6331 and thus should never be used any more. The SCRAM-SHA-1 mechanism provides a simple username/password auth facility similar to DIGEST-MD5, but does not support session encryption, so can only be used in combination with TLS.
When not using TLS the recommended configuration is
mech_list: gssapi keytab: /etc/qemu/krb5.tab
This says to use the 'GSSAPI' mechanism with the Kerberos v5 protocol, with the server principal stored in /etc/qemu/krb5.tab. For this to work the administrator of your KDC must generate a Kerberos principal for the server, with a name of 'qemu/somehost.example.com@EXAMPLE.COM' replacing 'somehost.example.com' with the fully qualified host name of the machine running QEMU, and 'EXAMPLE.COM' with the Kerberos Realm.
When using TLS, if username+password authentication is desired, then a reasonable configuration is
mech_list: scram-sha-1 sasldb_path: /etc/qemu/passwd.db
The saslpasswd2 program can be used to populate the passwd.db
file with accounts.
Other SASL configurations will be left as an exercise for the reader. Note that all mechanisms, except GSSAPI, should be combined with use of TLS to ensure a secure data channel.
Almost all network services in QEMU have the ability to use TLS for session data encryption, along with x509 certificates for simple client authentication. What follows is a description of how to generate certificates suitable for usage with QEMU, and applies to the VNC server, character devices with the TCP backend, NBD server and client, and migration server and client.
At a high level, QEMU requires certificates and private keys to be provided in PEM format. Aside from the core fields, the certificates should include various extension data sets, including v3 basic constraints data, key purpose, key usage and subject alt name.
The GnuTLS package includes a command called certtool which can
be used to easily generate certificates and keys in the required format
with expected data present. Alternatively a certificate management
service may be used.
At a minimum it is necessary to setup a certificate authority, and issue certificates to each server. If using x509 certificates for authentication, then each client will also need to be issued a certificate.
Assuming that the QEMU network services will only ever be exposed to clients on a private intranet, there is no need to use a commercial certificate authority to create certificates. A self-signed CA is sufficient, and in fact likely to be more secure since it removes the ability of malicious 3rd parties to trick the CA into mis-issuing certs for impersonating your services. The only likely exception where a commercial CA might be desirable is if enabling the VNC websockets server and exposing it directly to remote browser clients. In such a case it might be useful to use a commercial CA to avoid needing to install custom CA certs in the web browsers.
The recommendation is for the server to keep its certificates in either
/etc/pki/qemu or for unprivileged users in $HOME/.pki/qemu.
This step only needs to be performed once per organization / organizational unit. First the CA needs a private key. This key must be kept VERY secret and secure. If this key is compromised the entire trust chain of the certificates issued with it is lost.
# certtool --generate-privkey > ca-key.pem
To generate a self-signed certificate requires one core piece of information,
the name of the organization. A template file ca.info should be
populated with the desired data to avoid having to deal with interactive
prompts from certtool:
# cat > ca.info <<EOF
cn = Name of your organization
ca
cert_signing_key
EOF
# certtool --generate-self-signed \
--load-privkey ca-key.pem
--template ca.info \
--outfile ca-cert.pem
The ca keyword in the template sets the v3 basic constraints extension
to indicate this certificate is for a CA, while cert_signing_key sets
the key usage extension to indicate this will be used for signing other keys.
The generated ca-cert.pem file should be copied to all servers and
clients wishing to utilize TLS support in the VNC server. The ca-key.pem
must not be disclosed/copied anywhere except the host responsible for issuing
certificates.
Each server (or host) needs to be issued with a key and certificate. When connecting the certificate is sent to the client which validates it against the CA certificate. The core pieces of information for a server certificate are the hostnames and/or IP addresses that will be used by clients when connecting. The hostname / IP address that the client specifies when connecting will be validated against the hostname(s) and IP address(es) recorded in the server certificate, and if no match is found the client will close the connection.
Thus it is recommended that the server certificate include both the fully qualified
and unqualified hostnames. If the server will have permanently assigned IP address(es),
and clients are likely to use them when connecting, they may also be included in the
certificate. Both IPv4 and IPv6 addresses are supported. Historically certificates
only included 1 hostname in the CN field, however, usage of this field for
validation is now deprecated. Instead modern TLS clients will validate against the
Subject Alt Name extension data, which allows for multiple entries. In the future
usage of the CN field may be discontinued entirely, so providing SAN
extension data is strongly recommended.
On the host holding the CA, create template files containing the information for each server, and use it to issue server certificates.
# cat > server-hostNNN.info <<EOF
organization = Name of your organization
cn = hostNNN.foo.example.com
dns_name = hostNNN
dns_name = hostNNN.foo.example.com
ip_address = 10.0.1.87
ip_address = 192.8.0.92
ip_address = 2620:0:cafe::87
ip_address = 2001:24::92
tls_www_server
encryption_key
signing_key
EOF
# certtool --generate-privkey > server-hostNNN-key.pem
# certtool --generate-certificate \
--load-ca-certificate ca-cert.pem \
--load-ca-privkey ca-key.pem \
--load-privkey server-hostNNN-key.pem \
--template server-hostNNN.info \
--outfile server-hostNNN-cert.pem
The dns_name and ip_address fields in the template are setting
the subject alt name extension data. The tls_www_server keyword is the
key purpose extension to indicate this certificate is intended for usage in
a web server. Although QEMU network services are not in fact HTTP servers
(except for VNC websockets), setting this key purpose is still recommended.
The encryption_key and signing_key keyword is the key usage
extension to indicate this certificate is intended for usage in the data
session.
The server-hostNNN-key.pem and server-hostNNN-cert.pem files
should now be securely copied to the server for which they were generated,
and renamed to server-key.pem and server-cert.pem when added
to the /etc/pki/qemu directory on the target host. The server-key.pem
file is security sensitive and should be kept protected with file mode 0600
to prevent disclosure.
The QEMU x509 TLS credential setup defaults to enabling client verification using certificates, providing a simple authentication mechanism. If this default is used, each client also needs to be issued a certificate. The client certificate contains enough metadata to uniquely identify the client with the scope of the certificate authority. The client certificate would typically include fields for organization, state, city, building, etc.
Once again on the host holding the CA, create template files containing the information for each client, and use it to issue client certificates.
# cat > client-hostNNN.info <<EOF
country = GB
state = London
locality = City Of London
organization = Name of your organization
cn = hostNNN.foo.example.com
tls_www_client
encryption_key
signing_key
EOF
# certtool --generate-privkey > client-hostNNN-key.pem
# certtool --generate-certificate \
--load-ca-certificate ca-cert.pem \
--load-ca-privkey ca-key.pem \
--load-privkey client-hostNNN-key.pem \
--template client-hostNNN.info \
--outfile client-hostNNN-cert.pem
The subject alt name extension data is not required for clients, so the
the dns_name and ip_address fields are not included.
The tls_www_client keyword is the key purpose extension to indicate
this certificate is intended for usage in a web client. Although QEMU
network clients are not in fact HTTP clients, setting this key purpose is
still recommended. The encryption_key and signing_key keyword
is the key usage extension to indicate this certificate is intended for
usage in the data session.
The client-hostNNN-key.pem and client-hostNNN-cert.pem files
should now be securely copied to the client for which they were generated,
and renamed to client-key.pem and client-cert.pem when added
to the /etc/pki/qemu directory on the target host. The client-key.pem
file is security sensitive and should be kept protected with file mode 0600
to prevent disclosure.
If a single host is going to be using TLS in both a client and server role, it is possible to create a single certificate to cover both roles. This would be quite common for the migration and NBD services, where a QEMU process will be started by accepting a TLS protected incoming migration, and later itself be migrated out to another host. To generate a single certificate, simply include the template data from both the client and server instructions in one.
# cat > both-hostNNN.info <<EOF
country = GB
state = London
locality = City Of London
organization = Name of your organization
cn = hostNNN.foo.example.com
dns_name = hostNNN
dns_name = hostNNN.foo.example.com
ip_address = 10.0.1.87
ip_address = 192.8.0.92
ip_address = 2620:0:cafe::87
ip_address = 2001:24::92
tls_www_server
tls_www_client
encryption_key
signing_key
EOF
# certtool --generate-privkey > both-hostNNN-key.pem
# certtool --generate-certificate \
--load-ca-certificate ca-cert.pem \
--load-ca-privkey ca-key.pem \
--load-privkey both-hostNNN-key.pem \
--template both-hostNNN.info \
--outfile both-hostNNN-cert.pem
When copying the PEM files to the target host, save them twice,
once as server-cert.pem and server-key.pem, and
again as client-cert.pem and client-key.pem.
QEMU has a standard mechanism for loading x509 credentials that will be
used for network services and clients. It requires specifying the
tls-creds-x509 class name to the --object command line
argument for the system emulators. Each set of credentials loaded should
be given a unique string identifier via the id parameter. A single
set of TLS credentials can be used for multiple network backends, so VNC,
migration, NBD, character devices can all share the same credentials. Note,
however, that credentials for use in a client endpoint must be loaded
separately from those used in a server endpoint.
When specifying the object, the dir parameters specifies which
directory contains the credential files. This directory is expected to
contain files with the names mentioned previously, ca-cert.pem,
server-key.pem, server-cert.pem, client-key.pem
and client-cert.pem as appropriate. It is also possible to
include a set of pre-generated Diffie-Hellman (DH) parameters in a file
dh-params.pem, which can be created using the
certtool --generate-dh-params command. If omitted, QEMU will
dynamically generate DH parameters when loading the credentials.
The endpoint parameter indicates whether the credentials will
be used for a network client or server, and determines which PEM
files are loaded.
The verify parameter determines whether x509 certificate
validation should be performed. This defaults to enabled, meaning
clients will always validate the server hostname against the
certificate subject alt name fields and/or CN field. It also
means that servers will request that clients provide a certificate
and validate them. Verification should never be turned off for
client endpoints, however, it may be turned off for server endpoints
if an alternative mechanism is used to authenticate clients. For
example, the VNC server can use SASL to authenticate clients
instead.
To load server credentials with client certificate validation enabled
$QEMU -object tls-creds-x509,id=tls0,dir=/etc/pki/qemu,endpoint=server
while to load client credentials use
$QEMU -object tls-creds-x509,id=tls0,dir=/etc/pki/qemu,endpoint=client
Network services which support TLS will all have a tls-creds
parameter which expects the ID of the TLS credentials object. For
example with VNC:
$QEMU -vnc 0.0.0.0:0,tls-creds=tls0
Instead of using certificates, you may also use TLS Pre-Shared Keys (TLS-PSK). This can be simpler to set up than certificates but is less scalable.
Use the GnuTLS psktool program to generate a keys.psk
file containing one or more usernames and random keys:
mkdir -m 0700 /tmp/keys psktool -u rich -p /tmp/keys/keys.psk
TLS-enabled servers such as qemu-nbd can use this directory like so:
qemu-nbd \ -t -x / \ --object tls-creds-psk,id=tls0,endpoint=server,dir=/tmp/keys \ --tls-creds tls0 \ image.qcow2
When connecting from a qemu-based client you must specify the
directory containing keys.psk and an optional username
(defaults to “qemu”):
qemu-img info \ --object tls-creds-psk,id=tls0,dir=/tmp/keys,username=rich,endpoint=client \ --image-opts \ file.driver=nbd,file.host=localhost,file.port=10809,file.tls-creds=tls0,file.export=/
QEMU has a primitive support to work with gdb, so that you can do 'Ctrl-C' while the virtual machine is running and inspect its state.
In order to use gdb, launch QEMU with the '-s' option. It will wait for a gdb connection:
qemu-system-i386 -s -kernel arch/i386/boot/bzImage -hda root-2.4.20.img \
-append "root=/dev/hda"
Connected to host network interface: tun0
Waiting gdb connection on port 1234
Then launch gdb on the 'vmlinux' executable:
> gdb vmlinux
In gdb, connect to QEMU:
(gdb) target remote localhost:1234
Then you can use gdb normally. For example, type 'c' to launch the kernel:
(gdb) c
Here are some useful tips in order to use gdb on system code:
info reg to display all the CPU registers.
x/10i $eip to display the code at the PC position.
set architecture i8086 to dump 16 bit code. Then use
x/10i $cs*16+$eip to dump the code at the PC position.
Advanced debugging options:
The default single stepping behavior is step with the IRQs and timer service routines off. It is set this way because when gdb executes a single step it expects to advance beyond the current instruction. With the IRQs and timer service routines on, a single step might jump into the one of the interrupt or exception vectors instead of executing the current instruction. This means you may hit the same breakpoint a number of times before executing the instruction gdb wants to have executed. Because there are rare circumstances where you want to single step into an interrupt vector the behavior can be controlled from GDB. There are three commands you can query and set the single step behavior:
maintenance packet qqemu.sstepbits (gdb) maintenance packet qqemu.sstepbits
sending: "qqemu.sstepbits"
received: "ENABLE=1,NOIRQ=2,NOTIMER=4"
maintenance packet qqemu.sstep (gdb) maintenance packet qqemu.sstep
sending: "qqemu.sstep"
received: "0x7"
maintenance packet Qqemu.sstep=HEX_VALUE (gdb) maintenance packet Qqemu.sstep=0x5
sending: "qemu.sstep=0x5"
received: "OK"
To have access to SVGA graphic modes under X11, use the vesa or
the cirrus X11 driver. For optimal performances, use 16 bit
color depth in the guest and the host OS.
When using a 2.6 guest Linux kernel, you should add the option
clock=pit on the kernel command line because the 2.6 Linux
kernels make very strict real time clock checks by default that QEMU
cannot simulate exactly.
When using a 2.6 guest Linux kernel, verify that the 4G/4G patch is not activated because QEMU is slower with this patch. The QEMU Accelerator Module is also much slower in this case. Earlier Fedora Core 3 Linux kernel (< 2.6.9-1.724_FC3) were known to incorporate this patch by default. Newer kernels don't have it.
If you have a slow host, using Windows 95 is better as it gives the best speed. Windows 2000 is also a good choice.
QEMU emulates a Cirrus Logic GD5446 Video card. All Windows versions starting from Windows 95 should recognize and use this graphic card. For optimal performances, use 16 bit color depth in the guest and the host OS.
If you are using Windows XP as guest OS and if you want to use high resolution modes which the Cirrus Logic BIOS does not support (i.e. >= 1280x1024x16), then you should use the VESA VBE virtual graphic card (option -std-vga).
Windows 9x does not correctly use the CPU HLT instruction. The result is that it takes host CPU cycles even when idle. You can install the utility from https://web.archive.org/web/20060212132151/http://www.user.cityline.ru/~maxamn/amnhltm.zip to solve this problem. Note that no such tool is needed for NT, 2000 or XP.
Windows 2000 has a bug which gives a disk full problem during its installation. When installing it, use the -win2k-hack QEMU option to enable a specific workaround. After Windows 2000 is installed, you no longer need this option (this option slows down the IDE transfers).
Windows 2000 cannot automatically shutdown in QEMU although Windows 98 can. It comes from the fact that Windows 2000 does not automatically use the APM driver provided by the BIOS.
In order to correct that, do the following (thanks to Struan Bartlett): go to the Control Panel => Add/Remove Hardware & Next => Add/Troubleshoot a device => Add a new device & Next => No, select the hardware from a list & Next => NT Apm/Legacy Support & Next => Next (again) a few times. Now the driver is installed and Windows 2000 now correctly instructs QEMU to shutdown at the appropriate moment.
See sec_invocation about the help of the option '-netdev user,smb=...'.
Some releases of Windows XP install correctly but give a security error when booting:
A problem is preventing Windows from accurately checking the license for this computer. Error code: 0x800703e6.
The workaround is to install a service pack for XP after a boot in safe mode. Then reboot, and the problem should go away. Since there is no network while in safe mode, its recommended to download the full installation of SP1 or SP2 and transfer that via an ISO or using the vvfat block device ("-hdb fat:directory_which_holds_the_SP").
DOS does not correctly use the CPU HLT instruction. The result is that it takes host CPU cycles even when idle. You can install the utility from https://web.archive.org/web/20051222085335/http://www.vmware.com/software/dosidle210.zip to solve this problem.
QEMU is a generic emulator and it emulates many non PC machines. Most of the options are similar to the PC emulator. The differences are mentioned in the following sections.
Use the executable qemu-system-ppc to simulate a complete PREP or PowerMac PowerPC system.
QEMU emulates the following PowerMac peripherals:
QEMU emulates the following PREP peripherals:
QEMU uses the Open Hack'Ware Open Firmware Compatible BIOS available at http://perso.magic.fr/l_indien/OpenHackWare/index.htm.
Since version 0.9.1, QEMU uses OpenBIOS https://www.openbios.org/ for the g3beige and mac99 PowerMac machines. OpenBIOS is a free (GPL v2) portable firmware implementation. The goal is to implement a 100% IEEE 1275-1994 (referred to as Open Firmware) compliant firmware.
The following options are specific to the PowerPC emulation:
qemu-system-ppc -prom-env 'auto-boot?=false' \
-prom-env 'boot-device=hd:2,\yaboot' \
-prom-env 'boot-args=conf=hd:2,\yaboot.conf'
These variables are not used by Open Hack'Ware.
More information is available at http://perso.magic.fr/l_indien/qemu-ppc/.
Use the executable qemu-system-sparc to simulate the following Sun4m architecture machines:
The emulation is somewhat complete. SMP up to 16 CPUs is supported, but Linux limits the number of usable CPUs to 4.
QEMU emulates the following sun4m peripherals:
The number of peripherals is fixed in the architecture. Maximum memory size depends on the machine type, for SS-5 it is 256MB and for others 2047MB.
Since version 0.8.2, QEMU uses OpenBIOS https://www.openbios.org/. OpenBIOS is a free (GPL v2) portable firmware implementation. The goal is to implement a 100% IEEE 1275-1994 (referred to as Open Firmware) compliant firmware.
A sample Linux 2.6 series kernel and ram disk image are available on the QEMU web site. There are still issues with NetBSD and OpenBSD, but most kernel versions work. Please note that currently older Solaris kernels don't work probably due to interface issues between OpenBIOS and Solaris.
The following options are specific to the Sparc32 emulation:
qemu-system-sparc -prom-env 'auto-boot?=false' \
-prom-env 'boot-device=sd(0,2,0):d' -prom-env 'boot-args=linux single'
Use the executable qemu-system-sparc64 to simulate a Sun4u (UltraSPARC PC-like machine), Sun4v (T1 PC-like machine), or generic Niagara (T1) machine. The Sun4u emulator is mostly complete, being able to run Linux, NetBSD and OpenBSD in headless (-nographic) mode. The Sun4v emulator is still a work in progress.
The Niagara T1 emulator makes use of firmware and OS binaries supplied in the S10image/ directory of the OpenSPARC T1 project http://download.oracle.com/technetwork/systems/opensparc/OpenSPARCT1_Arch.1.5.tar.bz2 and is able to boot the disk.s10hw2 Solaris image.
qemu-system-sparc64 -M niagara -L /path-to/S10image/ \
-nographic -m 256 \
-drive if=pflash,readonly=on,file=/S10image/disk.s10hw2
QEMU emulates the following peripherals:
The following options are specific to the Sparc64 emulation:
qemu-system-sparc64 -prom-env 'auto-boot?=false'
Four executables cover simulation of 32 and 64-bit MIPS systems in both endian options, qemu-system-mips, qemu-system-mipsel qemu-system-mips64 and qemu-system-mips64el. Five different machine types are emulated:
The generic emulation is supported by Debian 'Etch' and is able to install Debian into a virtual disk image. The following devices are emulated:
The Malta emulation supports the following devices:
The Boston board emulation supports the following devices:
The ACER Pica emulation supports:
The MIPS Magnum R4000 emulation supports:
The Fulong 2E emulation supports:
The mipssim pseudo board emulation provides an environment similar to what the proprietary MIPS emulator uses for running Linux. It supports:
Executable qemu-system-mipsel also covers simulation of 32-bit nanoMIPS system in little endian mode:
Example of qemu-system-mipsel usage for nanoMIPS is shown below:
Download <disk_image_file> from https://mipsdistros.mips.com/LinuxDistro/nanomips/buildroot/index.html.
Download <kernel_image_file> from https://mipsdistros.mips.com/LinuxDistro/nanomips/kernels/v4.15.18-432-gb2eb9a8b07a1-20180627102142/index.html.
Start system emulation of Malta board with nanoMIPS I7200 CPU:
qemu-system-mipsel -cpu I7200 -kernel<kernel_image_file>\ -M malta -serial stdio -m<memory_size>-hda<disk_image_file>\ -append "mem=256m@0x0 rw console=ttyS0 vga=cirrus vesa=0x111 root=/dev/sda"
Use the executable qemu-system-arm to simulate a ARM machine. The ARM Integrator/CP board is emulated with the following devices:
The ARM Versatile baseboard is emulated with the following devices:
Several variants of the ARM RealView baseboard are emulated, including the EB, PB-A8 and PBX-A9. Due to interactions with the bootloader, only certain Linux kernel configurations work out of the box on these boards.
Kernels for the PB-A8 board should have CONFIG_REALVIEW_HIGH_PHYS_OFFSET enabled in the kernel, and expect 512M RAM. Kernels for The PBX-A9 board should have CONFIG_SPARSEMEM enabled, CONFIG_REALVIEW_HIGH_PHYS_OFFSET disabled and expect 1024M RAM.
The following devices are emulated:
The XScale-based clamshell PDA models ("Spitz", "Akita", "Borzoi" and "Terrier") emulation includes the following peripherals:
The Palm Tungsten|E PDA (codename "Cheetah") emulation includes the following elements:
Nokia N800 and N810 internet tablets (known also as RX-34 and RX-44 / 48) emulation supports the following elements:
The Luminary Micro Stellaris LM3S811EVB emulation includes the following devices:
The Luminary Micro Stellaris LM3S6965EVB emulation includes the following devices:
The Freecom MusicPal internet radio emulation includes the following elements:
The Siemens SX1 models v1 and v2 (default) basic emulation. The emulation includes the following elements:
A Linux 2.6 test image is available on the QEMU web site. More information is available in the QEMU mailing-list archive.
The following options are specific to the ARM emulation:
On ARM this implements the "Angel" interface.
Note that this allows guest direct access to the host filesystem, so should only be used with trusted guest OS.
Use the executable qemu-system-m68k to simulate a ColdFire machine. The emulator is able to boot a uClinux kernel.
The M5208EVB emulation includes the following devices:
The AN5206 emulation includes the following devices:
The following options are specific to the ColdFire emulation:
On M68K this implements the "ColdFire GDB" interface used by libgloss.
Note that this allows guest direct access to the host filesystem, so should only be used with trusted guest OS.
Two executables cover simulation of both Xtensa endian options, qemu-system-xtensa and qemu-system-xtensaeb. Two different machine types are emulated:
The sim pseudo board emulation provides an environment similar to one provided by the proprietary Tensilica ISS. It supports:
The Avnet LX60/LX110/LX200 emulation supports:
The following options are specific to the Xtensa emulation:
Xtensa semihosting provides basic file IO calls, such as open/read/write/seek/select. Tensilica baremetal libc for ISS and linux platform "sim" use this interface.
Note that this allows guest direct access to the host filesystem, so should only be used with trusted guest OS.
qemu-ga [OPTIONS]
The QEMU Guest Agent is a daemon intended to be run within virtual machines. It allows the hypervisor host to perform various operations in the guest, such as:
qemu-ga will read a system configuration file on startup (located at /usr/local/share/examples/qemu/qemu-ga.conf by default), then parse remaining configuration options on the command line. For the same key, the last option wins, but the lists accumulate (see below for configuration file format).
The syntax of the qemu-ga.conf configuration file follows the Desktop Entry Specification, here is a quick summary: it consists of groups of key-value pairs, interspersed with comments.
# qemu-ga configuration sample [general] daemonize = 0 pidfile = /var/run/qemu-ga.pid verbose = 0 method = virtio-serial path = /dev/virtio-ports/org.qemu.guest_agent.0 statedir = /var/run
The list of keys follows the command line options:
The following OS are supported in user space emulation:
QEMU user space emulation has the following notable features:
SIGALRM), as well as synthesize signals from
virtual CPU exceptions (for example SIGFPE when the program
executes a division by zero).
QEMU relies on the host kernel to emulate most signal system
calls, for example to emulate the signal mask. On Linux, QEMU
supports both normal and real-time signals.
clone syscall and create a real
host thread (with a separate virtual CPU) for each emulated thread.
Note that not all targets currently emulate atomic operations correctly.
x86 and ARM use a global lock in order to preserve their semantics.
QEMU was conceived so that ultimately it can emulate itself. Although it is not very useful, it is an important test to show the power of the emulator.
In order to launch a Linux process, QEMU needs the process executable itself and all the target (x86) dynamic libraries used by it.
qemu-i386 -L / /bin/ls
-L / tells that the x86 dynamic linker must be searched with a
/ prefix.
qemu-i386 -L / qemu-i386 -L / /bin/ls
LD_LIBRARY_PATH is not set:
unset LD_LIBRARY_PATH
Then you can launch the precompiled ls x86 executable:
qemu-i386 tests/i386/ls
You can look at scripts/qemu-binfmt-conf.sh so that
QEMU is automatically launched by the Linux kernel when you try to
launch x86 executables. It requires the binfmt_misc module in the
Linux kernel.
qemu-i386 /usr/local/qemu-i386/bin/qemu-i386 \
/usr/local/qemu-i386/bin/ls-i386
qemu-i386 /usr/local/qemu-i386/bin/ls-i386
${HOME}/.wine directory is saved to ${HOME}/.wine.org.
qemu-i386 /usr/local/qemu-i386/wine/bin/wine \
/usr/local/qemu-i386/wine/c/Program\ Files/putty.exe
qemu-i386 [-h] [-d] [-L path] [-s size] [-cpu model] [-g port] [-B offset] [-R size] program [arguments...]
Debug options:
Environment variables:
qemu-arm is also capable of running ARM "Angel" semihosted ELF binaries (as implemented by the arm-elf and arm-eabi Newlib/GDB configurations), and arm-uclinux bFLT format binaries.
qemu-m68k is capable of running semihosted binaries using the BDM (m5xxx-ram-hosted.ld) or m68k-sim (sim.ld) syscall interfaces, and coldfire uClinux bFLT format binaries.
The binary format is detected automatically.
qemu-i386 TODO. qemu-x86_64 TODO.
qemu-mips executes 32-bit big endian MIPS binaries (MIPS O32 ABI).
qemu-mipsel executes 32-bit little endian MIPS binaries (MIPS O32 ABI).
qemu-mips64 executes 64-bit big endian MIPS binaries (MIPS N64 ABI).
qemu-mips64el executes 64-bit little endian MIPS binaries (MIPS N64 ABI).
qemu-mipsn32 executes 32-bit big endian MIPS binaries (MIPS N32 ABI).
qemu-mipsn32el executes 32-bit little endian MIPS binaries (MIPS N32 ABI).
qemu-ppc64abi32 TODO. qemu-ppc64 TODO. qemu-ppc TODO.
qemu-sh4eb TODO. qemu-sh4 TODO.
qemu-sparc can execute Sparc32 binaries (Sparc32 CPU, 32 bit ABI).
qemu-sparc32plus can execute Sparc32 and SPARC32PLUS binaries (Sparc64 CPU, 32 bit ABI).
qemu-sparc64 can execute some Sparc64 (Sparc64 CPU, 64 bit ABI) and SPARC32PLUS binaries (Sparc64 CPU, 32 bit ABI).
In order to launch a BSD process, QEMU needs the process executable itself and all the target dynamic libraries used by it.
qemu-sparc64 /bin/ls
qemu-sparc64 [-h] [-d] [-L path] [-s size] [-bsd type] program [arguments...]
Debug options:
On x86_64 hosts, the default set of CPU features enabled by the KVM accelerator require the host to be running Linux v4.5 or newer.
The OpteronG[345] CPU models require KVM support for RDTSCP, which was added with Linux 4.5 which is supported by the major distros. And even if RHEL7 has kernel 3.10, KVM there has the required functionality there to make it close to a 4.5 or newer kernel.
This chapter explains the security requirements that QEMU is designed to meet and principles for securely deploying QEMU.
QEMU supports many different use cases, some of which have stricter security requirements than others. The community has agreed on the overall security requirements that users may depend on. These requirements define what is considered supported from a security perspective.
The virtualization use case covers cloud and virtual private server (VPS) hosting, as well as traditional data center and desktop virtualization. These use cases rely on hardware virtualization extensions to execute guest code safely on the physical CPU at close-to-native speed.
The following entities are untrusted, meaning that they may be buggy or malicious:
Bugs affecting these entities are evaluated on whether they can cause damage in real-world use cases and treated as security bugs if this is the case.
The non-virtualization use case covers emulation using the Tiny Code Generator (TCG). In principle the TCG and device emulation code used in conjunction with the non-virtualization use case should meet the same security requirements as the virtualization use case. However, for historical reasons much of the non-virtualization use case code was not written with these security requirements in mind.
Bugs affecting the non-virtualization use case are not considered security bugs at this time. Users with non-virtualization use cases must not rely on QEMU to provide guest isolation or any security guarantees.
This section describes the design principles that ensure the security requirements are met.
Guest isolation is the confinement of guest code to the virtual machine. When guest code gains control of execution on the host this is called escaping the virtual machine. Isolation also includes resource limits such as throttling of CPU, memory, disk, or network. Guests must be unable to exceed their resource limits.
QEMU presents an attack surface to the guest in the form of emulated devices. The guest must not be able to gain control of QEMU. Bugs in emulated devices could allow malicious guests to gain code execution in QEMU. At this point the guest has escaped the virtual machine and is able to act in the context of the QEMU process on the host.
Guests often interact with other guests and share resources with them. A malicious guest must not gain control of other guests or access their data. Disk image files and network traffic must be protected from other guests unless explicitly shared between them by the user.
The principle of least privilege states that each component only has access to the privileges necessary for its function. In the case of QEMU this means that each process only has access to resources belonging to the guest.
The QEMU process should not have access to any resources that are inaccessible to the guest. This way the guest does not gain anything by escaping into the QEMU process since it already has access to those same resources from within the guest.
Following the principle of least privilege immediately fulfills guest isolation
requirements. For example, guest A only has access to its own disk image file
a.img and not guest B's disk image file b.img.
In reality certain resources are inaccessible to the guest but must be available to QEMU to perform its function. For example, host system calls are necessary for QEMU but are not exposed to guests. A guest that escapes into the QEMU process can then begin invoking host system calls.
New features must be designed to follow the principle of least privilege. Should this not be possible for technical reasons, the security risk must be clearly documented so users are aware of the trade-off of enabling the feature.
Several isolation mechanisms are available to realize this architecture of guest isolation and the principle of least privilege. With the exception of Linux seccomp, these mechanisms are all deployed by management tools that launch QEMU, such as libvirt. They are also platform-specific so they are only described briefly for Linux here.
The fundamental isolation mechanism is that QEMU processes must run as
unprivileged users. Sometimes it seems more convenient to launch QEMU as
root to give it access to host devices (e.g. /dev/net/tun) but this poses a
huge security risk. File descriptor passing can be used to give an otherwise
unprivileged QEMU process access to host devices without running QEMU as root.
It is also possible to launch QEMU as a non-root user and configure UNIX groups
for access to /dev/kvm, /dev/net/tun, and other device nodes.
Some Linux distros already ship with UNIX groups for these devices by default.
There are aspects of QEMU that can have security implications which users & management applications must be aware of.
The monitor console (whether used with QMP or HMP) provides an interface to dynamically control many aspects of QEMU's runtime operation. Many of the commands exposed will instruct QEMU to access content on the host file system and/or trigger spawning of external processes.
For example, the migrate command allows for the spawning of arbitrary
processes for the purpose of tunnelling the migration data stream. The
blockdev-add command instructs QEMU to open arbitrary files, exposing
their content to the guest as a virtual disk.
Unless QEMU is otherwise confined using technologies such as SELinux, AppArmor, or Linux namespaces, the monitor console should be considered to have privileges equivalent to those of the user account QEMU is running under.
It is further important to consider the security of the character device backend over which the monitor console is exposed. It needs to have protection against malicious third parties which might try to make unauthorized connections, or perform man-in-the-middle attacks. Many of the character device backends do not satisfy this requirement and so must not be used for the monitor console.
The general recommendation is that the monitor console should be exposed over a UNIX domain socket backend to the local host only. Use of the TCP based character device backend is inappropriate unless configured to use both TLS encryption and authorization control policy on client connections.
In summary, the monitor console is considered a privileged control interface to QEMU and as such should only be made accessible to a trusted management application or user.
QEMU x86 target features:
Current QEMU limitations:
Current QEMU limitations:
Current QEMU limitations:
In system mode emulation, it's possible to create a VM in a paused state using the -S command line option. In this state the machine is completely initialized according to command line options and ready to execute VM code but VCPU threads are not executing any code. The VM state in this paused state depends on the way QEMU was started. It could be in:
This paused state is typically used by users to query machine state and/or additionally configure the machine (by hotplugging devices) in runtime before allowing VM code to run.
However, at the -S pause point, it's impossible to configure options that affect initial VM creation (like: -smp/-m/-numa ...) or cold plug devices. The experimental –preconfig command line option allows pausing QEMU before the initial VM creation, in a “preconfig” state, where additional queries and configuration can be performed via QMP before moving on to the resulting configuration startup. In the preconfig state, QEMU only allows a limited set of commands over the QMP monitor, where the commands do not depend on an initialized machine, including but not limited to:
In general features are intended to be supported indefinitely once introduced into QEMU. In the event that a feature needs to be removed, it will be listed in this appendix. The feature will remain functional for 2 releases prior to actual removal. Deprecated features may also generate warnings on the console when QEMU starts up, or if activated via a monitor command, however, this is not a mandatory requirement.
Prior to the 2.10.0 release there was no official policy on how long features would be deprecated prior to their removal, nor any documented list of which features were deprecated. Thus any features deprecated prior to 2.10.0 will be treated as if they were first deprecated in the 2.10.0 release.
What follows is a list of all features currently marked as deprecated.
The enforce-config-section parameter is replaced by the -global migration.send-configuration=on|off option.
The “-no-kvm” argument is now a synonym for setting “-machine accel=tcg”.
The “-usbdevice DEV” argument is now a synonym for setting the “-device usb-DEV” argument instead. The deprecated syntax would automatically enable USB support on the machine type. If using the new syntax, USB support must be explicitly enabled via the “-machine usb=on” argument.
The 'file' driver for drives is no longer appropriate for character or host devices and will only accept regular files (S_IFREG). The correct driver for these file types is 'host_cdrom' or 'host_device' as appropriate.
The name parameter of the -net option is a synonym for the id parameter, which should now be used instead.
CPU topology properties should describe whole machine topology including possible CPUs.
However, historically it was possible to start QEMU with an incorrect topology where n <= sockets * cores * threads < maxcpus, which could lead to an incorrect topology enumeration by the guest. Support for invalid topologies will be removed, the user must ensure topologies described with -smp include all possible cpus, i.e. sockets * cores * threads = maxcpus.
The acl option to the -vnc argument has been replaced
by the tls-authz and sasl-authz options.
The “-audiodev” argument is now the preferred way to specify audio backend settings instead of environment variables. To ease migration to the new format, the “-audiodev-help” option can be used to convert the current values of the environment variables to “-audiodev” options.
The pretty=on|off switch has no effect for HMP monitors, but is
silently ignored. Using the switch with HMP monitors will become an
error in the future.
The -realtime mlock=on|off argument has been replaced by the
-overcommit mem-lock=on|off argument.
The “-virtfs_synth” argument is now deprecated. Please use “-fsdev synth” and “-device virtio-9p-...” instead.
The parameter mem of -numa node is used to assign a part of guest RAM to a NUMA node. But when using it, it's impossible to manage specified RAM chunk on the host side (like bind it to a host node, setting bind policy, ...), so guest end-ups with the fake NUMA configuration with suboptiomal performance. However since 2014 there is an alternative way to assign RAM to a NUMA node using parameter memdev, which does the same as mem and adds means to actualy manage node RAM on the host side. Use parameter memdev with memory-backend-ram backend as an replacement for parameter mem to achieve the same fake NUMA effect or a properly configured memory-backend-file backend to actually benefit from NUMA configuration. In future new machine versions will not accept the option but it will still work with old machine types. User can check QAPI schema to see if the legacy option is supported by looking at MachineInfo::numa-mem-supported property.
Splitting RAM by default between NUMA nodes has the same issues as mem parameter described above with the difference that the role of the user plays QEMU using implicit generic or board specific splitting rule. Use memdev with memory-backend-ram backend or mem (if it's supported by used machine type) to define mapping explictly instead.
Currently if guest RAM allocation from file pointed by mem-path fails, QEMU falls back to allocating from RAM, which might result in unpredictable behavior since the backing file specified by the user is ignored. In the future, users will be responsible for making sure the backing storage specified with -mem-path can actually provide the guest RAM configured with -m and QEMU will fail to start up if RAM allocation is unsuccessful.
QEMU 4.1 introduced support for the -bios option in QEMU for RISC-V for the RISC-V virt machine and sifive_u machine.
QEMU 4.1 has no changes to the default behaviour to avoid breakages. This default will change in a future QEMU release, so please prepare now. All users of the virt or sifive_u machine must change their command line usage.
QEMU 4.1 has three options, please migrate to one of these three: 1. “-bios none“ - This is the current default behavior if no -bios option is included. QEMU will not automatically load any firmware. It is up to the user to load all the images they need. 2. “-bios default“ - In a future QEMU release this will become the default behaviour if no -bios option is specified. This option will load the default OpenSBI firmware automatically. The firmware is included with the QEMU release and no user interaction is required. All a user needs to do is specify the kernel they want to boot with the -kernel option 3. “-bios <file>“ - Tells QEMU to load the specified file as the firmwrae.
"autoload" parameter is now ignored. All bitmaps are automatically loaded from qcow2 images.
The “status” field of the “BlockDirtyInfo” structure, returned by the query-block command is deprecated. Two new boolean fields, “recording” and “busy” effectively replace it.
The “query-cpus” command is replaced by the “query-cpus-fast” command.
The “arch” output member of the “query-cpus-fast” command is replaced by the “target” output member.
Use “device_add” for hotplugging vCPUs instead of “cpu-add”. See documentation of “query-hotpluggable-cpus” for additional details.
The “query-events” command has been superseded by the more powerful and accurate “query-qmp-schema” command.
Character devices creating sockets in client mode should not specify the 'wait' field, which is only applicable to sockets in server mode
The [hub_id name] parameter tuple of the 'hostfwd_add' and 'hostfwd_remove' HMP commands has been replaced by netdev_id.
Use “device_add” for hotplugging vCPUs instead of “cpu-add”. See documentation of “query-hotpluggable-cpus” for additional details.
The “acl_show”, “acl_reset”, “acl_policy”, “acl_add”, and “acl_remove” commands are deprecated with no replacement. Authorization for VNC should be performed using the pluggable QAuthZ objects.
The RISC-V ISA privledge specification version 1.09.1 has been deprecated. QEMU supports both the newer version 1.10.0 and the ratified version 1.11.0, these should be used instead of the 1.09.1 version.
The RISC-V cpus with the ISA version in the CPU name have been depcreated. The four CPUs are: “rv32gcsu-v1.9.1“, “rv32gcsu-v1.10.0“, “rv64gcsu-v1.9.1“ and “rv64gcsu-v1.10.0“. Instead the version can be specified via the CPU “priv_spec“ option when using the “rv32“ or “rv64“ CPUs.
The RISC-V no MMU cpus have been depcreated. The two CPUs: “rv32imacu-nommu“ and “rv64imacu-nommu“ should no longer be used. Instead the MMU status can be specified via the CPU “mmu“ option when using the “rv32“ or “rv64“ CPUs.
The bluetooth subsystem is unmaintained since many years and likely bitrotten quite a bit. It will be removed without replacement unless some users speaks up at the qemu-devel@nongnu.org mailing list with information about their usecases.
These machine types are very old and likely can not be used for live migration from old QEMU versions anymore. A newer machine type should be used instead.
This machine type uses an unmaintained firmware, broken in lots of ways, and unable to start post-2004 operating systems. 40p machine type should be used instead.
The version specific Spike machines have been deprecated in favour of the generic “spike“ machine. If you need to specify an older version of the RISC-V spec you can use the “-cpu rv64gcsu,priv_spec=v1.9.1“ command line argument.
In order to prevent QEMU from automatically opening an image's backing chain, use “"backing": null” instead.
Options for “rbd” should be specified according to its runtime options, like other block drivers. Legacy parsing of keyvalue pair encoded filenames is useful to open images with the old format for backing files; These image files should be updated to use the current format.
Example of legacy encoding:
json:{"file.driver":"rbd", "file.filename":"rbd:rbd/name"}
The above, converted to the current supported format:
json:{"file.driver":"rbd", "file.pool":"rbd", "file.image":"name"}
The “qemu-nbd –partition $digit” code (also spelled -P)
can only handle MBR partitions, and has never correctly handled
logical partitions beyond partition 5. If you know the offset and
length of the partition (perhaps by using sfdisk within the
guest), you can achieve the effect of exporting just that subset of
the disk by use of the --image-opts option with a raw
blockdev using the offset and size parameters layered on
top of any other existing blockdev. For example, if partition 1 is
100MiB long starting at 1MiB, the old command:
qemu-nbd -t -P 1 -f qcow2 file.qcow2
can be rewritten as:
qemu-nbd -t --image-opts driver=raw,offset=1M,size=100M,file.driver=qcow2,file.backing.driver=file,file.backing.filename=file.qcow2
Alternatively, the nbdkit project provides a more powerful
partition filter on top of its nbd plugin, which can be used to select
an arbitrary MBR or GPT partition on top of any other full-image NBD
export. Using this to rewrite the above example results in:
qemu-nbd -t -k /tmp/sock -f qcow2 file.qcow2 &
nbdkit -f --filter=partition nbd socket=/tmp/sock partition=1
Note that if you are exposing the export via /dev/nbd0, it is easier to just export the entire image and then mount only /dev/nbd0p1 than it is to reinvoke qemu-nbd -c /dev/nbd0 limited to just a subset of the image.
In the future, QEMU will require Python 3 to be available at build time. Support for Python 2 in scripts shipped with QEMU is deprecated.
Previous versions of QEMU never changed existing CPU models in ways that introduced additional host software or hardware requirements to the VM. This allowed management software to safely change the machine type of an existing VM without introducing new requirements ("runnability guarantee"). This prevented CPU models from being updated to include CPU vulnerability mitigations, leaving guests vulnerable in the default configuration.
The CPU model runnability guarantee won't apply anymore to existing CPU models. Management software that needs runnability guarantees must resolve the CPU model aliases using te “alias-of” field returned by the “query-cpu-definitions” QMP command.
QEMU aims to support building and executing on multiple host OS platforms. This appendix outlines which platforms are the major build targets. These platforms are used as the basis for deciding upon the minimum required versions of 3rd party software QEMU depends on. The supported platforms are the targets for automated testing performed by the project when patches are submitted for review, and tested before and after merge.
If a platform is not listed here, it does not imply that QEMU won't work. If an unlisted platform has comparable software versions to a listed platform, there is every expectation that it will work. Bug reports are welcome for problems encountered on unlisted platforms unless they are clearly older vintage than what is described here.
Note that when considering software versions shipped in distros as support targets, QEMU considers only the version number, and assumes the features in that distro match the upstream release with the same version. In other words, if a distro backports extra features to the software in their distro, QEMU upstream code will not add explicit support for those backports, unless the feature is auto-detectable in a manner that works for the upstream releases too.
The Repology site https://repology.org is a useful resource to identify currently shipped versions of software in various operating systems, though it does not cover all distros listed below.
For distributions with frequent, short-lifetime releases, the project will aim to support all versions that are not end of life by their respective vendors. For the purposes of identifying supported software versions, the project will look at Fedora, Ubuntu, and openSUSE distros. Other short- lifetime distros will be assumed to ship similar software versions.
For distributions with long-lifetime releases, the project will aim to support the most recent major version at all times. Support for the previous major version will be dropped 2 years after the new major version is released. For the purposes of identifying supported software versions, the project will look at RHEL, Debian, Ubuntu LTS, and SLES distros. Other long-lifetime distros will be assumed to ship similar software versions.
The project supports building with current versions of the MinGW toolchain, hosted on Linux.
The project supports building with the two most recent versions of macOS, with the current homebrew package set available.
The project aims to support the all the versions which are not end of life.
The project aims to support the most recent major version at all times. Support for the previous major version will be dropped 2 years after the new major version is released.
The project aims to support the all the versions which are not end of life.
QEMU is a trademark of Fabrice Bellard.
QEMU is released under the GNU General Public License, version 2. Parts of QEMU have specific licenses, see file LICENSE.
This is the main index. Should we combine all keywords in one index? TODO
This index could be used for command line options and monitor functions.
--preconfig: sec_invocation--trace: qemu_img_invocation--trace: qemu_nbd_invocation-accel: sec_invocation-acpitable: sec_invocation-add-fd: sec_invocation-alt-grab: sec_invocation-append: sec_invocation-audio-help: sec_invocation-audiodev: sec_invocation-bios: sec_invocation-blockdev: sec_invocation-boot: sec_invocation-bt: sec_invocation-cdrom: sec_invocation-chardev: sec_invocation-chroot: sec_invocation-cpu: sec_invocation-ctrl-grab: sec_invocation-curses: sec_invocation-D: sec_invocation-d: sec_invocation-daemonize: sec_invocation-debugcon: sec_invocation-device: sec_invocation-dfilter: sec_invocation-display: sec_invocation-drive: sec_invocation-dtb: sec_invocation-dump-vmstate: sec_invocation-echr: sec_invocation-enable-fips: sec_invocation-enable-kvm: sec_invocation-enable-sync-profile: sec_invocation-fda: sec_invocation-fdb: sec_invocation-fsdev: sec_invocation-full-screen: sec_invocation-fw_cfg: sec_invocation-g: sec_invocation-gdb: sec_invocation-global: sec_invocation-h: sec_invocation-hda: sec_invocation-hdb: sec_invocation-hdc: sec_invocation-hdd: sec_invocation-icount: sec_invocation-incoming: sec_invocation-initrd: sec_invocation-iscsi: sec_invocation-k: sec_invocation-kernel: sec_invocation-L: sec_invocation-loadvm: sec_invocation-m: sec_invocation-machine: sec_invocation-mem-path: sec_invocation-mem-prealloc: sec_invocation-mon: sec_invocation-monitor: sec_invocation-msg: sec_invocation-mtdblock: sec_invocation-name: sec_invocation-net: sec_invocation-netdev: sec_invocation-nic: sec_invocation-no-acpi: sec_invocation-no-fd-bootchk: sec_invocation-no-hpet: sec_invocation-no-quit: sec_invocation-no-reboot: sec_invocation-no-shutdown: sec_invocation-no-user-config: sec_invocation-nodefaults: sec_invocation-nographic: sec_invocation-numa: sec_invocation-object: sec_invocation-old-param (ARM): sec_invocation-only-migratable: sec_invocation-option-rom: sec_invocation-overcommit: sec_invocation-parallel: sec_invocation-pflash: sec_invocation-pidfile: sec_invocation-portrait: sec_invocation-prom-env: sec_invocation-qmp: sec_invocation-qmp-pretty: sec_invocation-readconfig: sec_invocation-realtime: sec_invocation-rotate: sec_invocation-rtc: sec_invocation-runas: sec_invocation-S: sec_invocation-s: sec_invocation-sandbox: sec_invocation-sd: sec_invocation-sdl: sec_invocation-seed: sec_invocation-semihosting: sec_invocation-semihosting-config: sec_invocation-serial: sec_invocation-set: sec_invocation-show-cursor: sec_invocation-singlestep: sec_invocation-smbios: sec_invocation-smp: sec_invocation-snapshot: sec_invocation-soundhw: sec_invocation-spice: sec_invocation-tb-size: sec_invocation-tpmdev: sec_invocation-trace: sec_invocation-usb: sec_invocation-usbdevice: sec_invocation-uuid: sec_invocation-version: sec_invocation-vga: sec_invocation-virtfs: sec_invocation-virtfs_synth: sec_invocation-vnc: sec_invocation-watchdog: sec_invocation-watchdog-action: sec_invocation-win2k-hack: sec_invocation-writeconfig: sec_invocation-xen-attach: sec_invocation-xen-domid: sec_invocation-xen-domid-restrict: sec_invocationacl_add: pcsys_monitoracl_policy: pcsys_monitoracl_remove: pcsys_monitoracl_reset: pcsys_monitoracl_show: pcsys_monitorannounce_self: pcsys_monitorballoon: pcsys_monitorblock_job_cancel: pcsys_monitorblock_job_complete: pcsys_monitorblock_job_pause: pcsys_monitorblock_job_resume: pcsys_monitorblock_job_set_speed: pcsys_monitorblock_passwd: pcsys_monitorblock_resize: pcsys_monitorblock_set_io_throttle: pcsys_monitorblock_stream: pcsys_monitorboot_set: pcsys_monitorchange: pcsys_monitorchardev-add: pcsys_monitorchardev-change: pcsys_monitorchardev-remove: pcsys_monitorchardev-send-break: pcsys_monitorclient_migrate_info: pcsys_monitorclosefd: pcsys_monitorcommit: pcsys_monitorcont: pcsys_monitorcpu: pcsys_monitorcpu-add: pcsys_monitordelvm: pcsys_monitordevice_add: pcsys_monitordevice_del: pcsys_monitordrive_add: pcsys_monitordrive_backup: pcsys_monitordrive_del: pcsys_monitordrive_mirror: pcsys_monitordump-guest-memory: pcsys_monitordump-skeys: pcsys_monitoreject: pcsys_monitorexit_preconfig: pcsys_monitorexpire_password: pcsys_monitorgdbserver: pcsys_monitorgetfd: pcsys_monitorgpa2hpa: pcsys_monitorgpa2hva: pcsys_monitorgva2gpa: pcsys_monitorhelp: pcsys_monitorhostfwd_add: pcsys_monitorhostfwd_remove: pcsys_monitori: pcsys_monitorinfo: pcsys_monitorinfo balloon: pcsys_monitorinfo block: pcsys_monitorinfo block-jobs: pcsys_monitorinfo blockstats: pcsys_monitorinfo capture: pcsys_monitorinfo chardev: pcsys_monitorinfo cmma: pcsys_monitorinfo cpus: pcsys_monitorinfo cpustats: pcsys_monitorinfo dump: pcsys_monitorinfo history: pcsys_monitorinfo hotpluggable-cpus: pcsys_monitorinfo ioapic: pcsys_monitorinfo iothreads: pcsys_monitorinfo irq: pcsys_monitorinfo jit: pcsys_monitorinfo kvm: pcsys_monitorinfo lapic: pcsys_monitorinfo mem: pcsys_monitorinfo memdev: pcsys_monitorinfo memory-devices: pcsys_monitorinfo memory_size_summary: pcsys_monitorinfo mice: pcsys_monitorinfo migrate: pcsys_monitorinfo migrate_cache_size: pcsys_monitorinfo migrate_capabilities: pcsys_monitorinfo migrate_parameters: pcsys_monitorinfo mtree: pcsys_monitorinfo name: pcsys_monitorinfo network: pcsys_monitorinfo numa: pcsys_monitorinfo opcount: pcsys_monitorinfo pci: pcsys_monitorinfo pic: pcsys_monitorinfo profile: pcsys_monitorinfo qdm: pcsys_monitorinfo qom-tree: pcsys_monitorinfo qtree: pcsys_monitorinfo ramblock: pcsys_monitorinfo rdma: pcsys_monitorinfo registers: pcsys_monitorinfo rocker: pcsys_monitorinfo rocker-of-dpa-flows: pcsys_monitorinfo rocker-of-dpa-groups: pcsys_monitorinfo rocker-ports: pcsys_monitorinfo roms: pcsys_monitorinfo sev: pcsys_monitorinfo skeys: pcsys_monitorinfo snapshots: pcsys_monitorinfo spice: pcsys_monitorinfo status: pcsys_monitorinfo sync-profile: pcsys_monitorinfo tlb: pcsys_monitorinfo tpm: pcsys_monitorinfo trace-events: pcsys_monitorinfo usb: pcsys_monitorinfo usbhost: pcsys_monitorinfo usernet: pcsys_monitorinfo uuid: pcsys_monitorinfo version: pcsys_monitorinfo vm-generation-id: pcsys_monitorinfo vnc: pcsys_monitorloadvm: pcsys_monitorlog: pcsys_monitorlogfile: pcsys_monitormce (x86): pcsys_monitormemsave: pcsys_monitormigrate: pcsys_monitormigrate_cancel: pcsys_monitormigrate_continue: pcsys_monitormigrate_incoming: pcsys_monitormigrate_pause: pcsys_monitormigrate_recover: pcsys_monitormigrate_set_cache_size: pcsys_monitormigrate_set_capability: pcsys_monitormigrate_set_downtime: pcsys_monitormigrate_set_parameter: pcsys_monitormigrate_set_speed: pcsys_monitormigrate_start_postcopy: pcsys_monitormigration_mode: pcsys_monitormouse_button: pcsys_monitormouse_move: pcsys_monitormouse_set: pcsys_monitornbd_server_add: pcsys_monitornbd_server_remove: pcsys_monitornbd_server_start: pcsys_monitornbd_server_stop: pcsys_monitornetdev_add: pcsys_monitornetdev_del: pcsys_monitornmi: pcsys_monitoro: pcsys_monitorobject_add: pcsys_monitorobject_del: pcsys_monitorpcie_aer_inject_error: pcsys_monitorpmemsave: pcsys_monitorprint: pcsys_monitorqemu-io: pcsys_monitorquit: pcsys_monitorringbuf_read: pcsys_monitorringbuf_write: pcsys_monitorsavevm: pcsys_monitorscreendump: pcsys_monitorsendkey: pcsys_monitorset_link: pcsys_monitorset_password: pcsys_monitorsinglestep: pcsys_monitorsnapshot_blkdev: pcsys_monitorsnapshot_blkdev_internal: pcsys_monitorsnapshot_delete_blkdev_internal: pcsys_monitorstop: pcsys_monitorstopcapture: pcsys_monitorsum: pcsys_monitorsync-profile: pcsys_monitorsystem_powerdown: pcsys_monitorsystem_reset: pcsys_monitorsystem_wakeup: pcsys_monitortrace-event: pcsys_monitortrace-file: pcsys_monitorwatchdog_action: pcsys_monitorwavcapture: pcsys_monitorx: pcsys_monitorx_colo_lost_heartbeat: pcsys_monitorxp: pcsys_monitorThis is a list of all keystrokes which have a special function in system emulation.
Ctrl-a b: mux_keysCtrl-a c: mux_keysCtrl-a Ctrl-a: mux_keysCtrl-a h: mux_keysCtrl-a s: mux_keysCtrl-a t: mux_keysCtrl-a x: mux_keysCtrl-Alt: pcsys_keysCtrl-Alt-+: pcsys_keysCtrl-Alt--: pcsys_keysCtrl-Alt-f: pcsys_keysCtrl-Alt-n: pcsys_keysCtrl-Alt-u: pcsys_keysCtrl-Down: pcsys_keysCtrl-PageDown: pcsys_keysCtrl-PageUp: pcsys_keysCtrl-Up: pcsys_keysThis index could be used for qdev device names and options.