When the enterprise behind one of the widespread hypervisors was acquired, many sysadmins decided to move on.
- Most of them chose a Linux-based open-source alternative.
- Many of them migrated to the Microsoft ecosystem.
- They chased the same workflow, the same features they had before.
Only a very few operators dared to rework their processes and architecture.
KVM (Kernel-based Virtual Machine) is part of the Linux kernel.
It is a stable and fast hypervisor.
- A carefully configured host OS for KVM can reduce the attack surface compared to feature-heavy hypervisors.
- The libvirt API enables secure automation and configuration management.
- KVM can host Linux, Windows and BSD virtual machines as well.
- It ships an ecosystem of mature tools for the operators in charge.
KVM is not a downgrade. It’s a sideways step.
Install On Debian Linux
The KVM hypervisor can run on nearly all Linux distributions.
The process to prepare the system and install it is similar across them.
Check the documentation of your distribution for the differences.
Pre-Checks
- In the BIOS/EFI, verify that virtualization is supported and enabled.
- Verify that your CPU has virtualization capabilities.
lscpu |grep -i virtualization
Installation
KVM is part of the Linux kernel; the necessary packages can be installed directly from the Debian repository.
sudo apt install -y qemu-kvm qemu-utils libvirt-daemon-system \
libvirt-clients virtinst
Post-Checks
After the installation, libvirtd is enabled and running:
systemctl status libvirtd
Verify that every tool was installed correctly.
qemu-system-x86_64 --version
virsh --version
lsmod |grep kvm
Configure The System
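Non-root users must be members of the libvirt group to manage KVM.
Membership gives full control of the system libvirt daemon, so treat it as root-equivalent and grant it only to operators.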
sudo usermod -aG libvirt $USER
Set the default libvirt connection URI for the user.
echo "export LIBVIRT_DEFAULT_URI='qemu:///system'" >> "$HOME/.bashrc"
source "$HOME/.bashrc"
The default network will allow the virtual machines to connect to the internet from behind a NAT.
sudo virsh net-list
sudo virsh net-start default
sudo virsh net-autostart default
NAT is great for isolated virtual machines.
If you want to reach the VMs via SSH, or allow them to use LAN resources, you need a network bridge.
Bridge Network
- Creating a bridge network allows the virtual machines to connect directly to the LAN.
- The VMs will be reachable on the local network.
- They can use the resources on the LAN.
This example assumes ifupdown is in use.
The bridge-utils package provides the legacy brctl tool for managing bridges.
sudo apt install bridge-utils
Create the bridge interface:
sudo brctl addbr bridge0
For persistent configuration add its config to /etc/network/interfaces:
auto lo
iface lo inet loopback
auto <your physical NIC interface>
iface <your physical NIC interface> inet manual
auto bridge0
iface bridge0 inet static
address <your IP>
netmask <your netmask>
gateway <your gateway>
bridge_ports <your physical NIC interface>
bridge_stp off
bridge_fd 0
bridge_maxwait 0
Be careful when modifying remote servers – you can lock yourself out.
After modifying /etc/network/interfaces, restart networking or reboot the host.
Storage Pools
The default storage pool for KVM is in /var/lib/libvirt/images.
When you prepare the architecture, it is recommended to mount it on a dedicated filesystem.
The virsh command is the cockpit of the KVM operator.
You can administer the storage pools with it.
virsh pool-list --all
virsh pool-info default
Virtual Image Formats
KVM supports multiple image formats.
Most SMBs use either raw or qcow2.
Raw
- raw is a fast and reliable image format.
- It is just a storage container – there is no metadata or snapshot functionality.
- For snapshots LVM or other tools are recommended.
- The images use their entire size on the disk (no thin-provisioning).
Qcow2
- qcow2 is an enterprise ready image format as well.
- qcow2 introduces a small performance overhead compared to raw.
- qcow2 supports internal and external snapshotting.
- The images are thin-provisioned.
For heavy IO virtual machines raw format is recommended (e.g. database servers).
If the virtual machine is a general server the qcow2 format is adequate.
Install Virtual Machines
virt-install is the operator’s main tool to install virtual machines.
The most basic installation is parameterized like this:
virt-install \
--name debian-image \
--memory 4096 \
--vcpus 4 \
--disk size=20,path=/var/lib/libvirt/images/debian-image.qcow2,format=qcow2 \
--cdrom /var/lib/libvirt/images/debian-13.3.0-amd64-netinst.iso \
--os-variant debian13 \
--network bridge=bridge0 \
--graphics spice
The /var/lib/libvirt/images/debian-13.3.0-amd64-netinst.iso must be downloaded in advance.
Clone Virtual Machines
The virt-clone tool can clone existing virtual machines.
virt-clone \
--original debian-image \
--name debian-clone \
--file /var/lib/libvirt/images/debian-clone.qcow2
Basic Virtual Machine Operations
virsh is the operator’s cockpit for basic administration.
Start
virsh start debian-clone
Shutdown
If the qemu-ga is running, the command shuts down the virtual machine gracefully.
virsh shutdown debian-clone
Destroy
Destroying a virtual machine powers it off without graceful shutdown.
virsh destroy debian-clone
List
virsh list [--all | --autostart | --with-snapshot | --without-snapshot ]
Autostart
If you want a virtual machine to start at the host boot, then autostart it.
virsh autostart debian-clone
Undefine
Undefining a virtual machine removes it from the system, and optionally removes its disks.
virsh undefine debian-clone [--remove-all-storage]
Resize Virtual Machines
One image doesn’t fit all purposes.
The operators have to reconfigure the virtual machine after cloning the image.
The qemu-img tool can resize disk images that don’t contain snapshots.
Shrinking disk images is not safe without careful partition and filesystem reduction first.
To increase the size by 10G:
sudo qemu-img resize /var/lib/libvirt/images/debian-image.qcow2 +10G
To set a new disk size:
sudo qemu-img resize /var/lib/libvirt/images/debian-image.qcow2 60G
Running virtual machines can be resized with the virsh tool:
sudo virsh blockresize debian-image /var/lib/libvirt/images/debian-image.qcow2 60G
Don’t forget to expand the partitions and the filesystem after these operations.
Take Snapshots
Virtual machines with qcow2 storage support internal and external snapshots.
- Internal snapshots are created inside the qcow2 image.
- External snapshots generate an additional qcow2 file.
Create an external disk snapshot:
virsh snapshot-create-as debian-clone clean-state --description "Clean state snapshot" --disk-only
Create an internal snapshot:
virsh snapshot-create-as debian-clone clean-state --description "Clean state snapshot" --atomic
List:
virsh snapshot-list debian-clone
Info:
virsh snapshot-info debian-clone clean-state
Revert:
virsh snapshot-revert debian-clone clean-state
Delete:
virsh snapshot-delete debian-clone clean-state
Backup Strategy
Snapshots are not backups.
- Internal qcow2 snapshots increase image complexity.
- External snapshots depend on a chain of files.
- A corrupted base image breaks all dependent snapshots.
- Snapshots live on the same storage pool by default.
They are recovery points.
They are not disaster recovery.
What Must Be Backed Up
A KVM virtual machine consists of:
- The disk image (e.g. /var/lib/libvirt/images/debian-image.qcow2)
- The VM definition (libvirt XML configuration)
Export the VM definition:
virsh dumpxml debian-image > debian-image.xml
Store it with your backups.
Cold Backup (Recommended For Simplicity)
The safest method:
- Shut down the virtual machine.
- Copy the disk image.
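- Back up the XML definition.
virsh shutdown debian-image
# virsh shutdown returns immediately; wait until the domain is really off
until [ "$(virsh domstate debian-image)" = "shut off" ]; do sleep 2; done
cp /var/lib/libvirt/images/debian-image.qcow2 /backup/location/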
Simple. Predictable. Restorable.
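The cold backup steps above as one script, added here as an example and not part of the original article: it waits for the domain to reach "shut off" before copying, stores the XML next to the image and writes a SHA-256 manifest that can be checked before a restore. The function names, the timeout and the SHA256SUMS file name are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original page): cold backup with a SHA-256 manifest.

# wait_shutoff DOMAIN [TIMEOUT]: poll until libvirt reports "shut off".
wait_shutoff() {
    dom=$1; timeout=${2:-300}; waited=0
    while [ "$(virsh domstate "$dom" 2>/dev/null)" != "shut off" ]; do
        [ "$waited" -lt "$timeout" ] || return 1
        sleep 2; waited=$((waited + 2))
    done
}

# cold_backup DOMAIN IMAGE DEST: copy disk image and XML, then record hashes.
cold_backup() {
    dom=$1; img=$2; dest=$3
    # Disk images hold credentials and keys: keep the backup directory private.
    mkdir -p "$dest" && chmod 700 "$dest" || return 1
    virsh shutdown "$dom" >/dev/null 2>&1 || true   # fails harmlessly if already off
    wait_shutoff "$dom" 300 || { echo "$dom did not shut down" >&2; return 1; }
    cp "$img" "$dest/" || return 1
    virsh dumpxml "$dom" > "$dest/$dom.xml" || return 1
    ( cd "$dest" && sha256sum "$(basename "$img")" "$dom.xml" > SHA256SUMS )
}

# verify_backup DEST: non-zero exit if any file no longer matches the manifest.
verify_backup() {
    ( cd "$1" && sha256sum -c SHA256SUMS )
}

# Run only when called with arguments, e.g.:
#   sh cold-backup.sh debian-image /var/lib/libvirt/images/debian-image.qcow2 /backup/location
if [ "$#" -eq 3 ]; then
    cold_backup "$@"
fi
```

A manifest stored beside the backup detects corruption only; keep a second copy of SHA256SUMS somewhere the backup host cannot write to if you also want to detect tampering.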
Hot Backup (Advanced)
For running production systems:
- Use storage-level snapshots (LVM, ZFS, Ceph, SAN).
- Or create an external snapshot, back up the base image, then merge.
Hot backups require planning and testing.
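The second option above (external snapshot, copy the base image, merge) as an added example that is not part of the original article. It assumes a VM with exactly one disk and image paths without whitespace; the function name, the snapshot name backup-tmp and the .backup-overlay suffix are made up for this example.

```shell
#!/bin/sh
# Added example (not from the original page): hot backup through a temporary
# external snapshot. Assumes one disk per VM and no whitespace in image paths.

# hot_backup DOMAIN DEST: copy the base image while the guest keeps running.
hot_backup() {
    dom=$1; dest=$2
    # domblklist --details columns: Type Device Target Source
    set -- $(virsh domblklist "$dom" --details | awk '$2 == "disk" {print $3, $4}')
    [ "$#" -eq 2 ] || { echo "$dom: expected exactly one disk" >&2; return 1; }
    target=$1; base=$2; overlay="$base.backup-overlay"
    # A leftover overlay means an earlier run never merged; do not stack on it.
    [ ! -e "$overlay" ] || { echo "$overlay exists, merge it first" >&2; return 1; }
    mkdir -p "$dest" && chmod 700 "$dest" || return 1

    # 1. Redirect guest writes to the overlay; the base image stops changing.
    #    Without --quiesce (needs qemu-ga) the copy is crash-consistent only.
    virsh snapshot-create-as "$dom" backup-tmp --disk-only --atomic --no-metadata \
        --diskspec "$target,snapshot=external,file=$overlay" || return 1
    # 2. Back up the now-stable base image.
    rc=0; cp "$base" "$dest/" || rc=$?
    # 3. Merge the overlay back and pivot the guest onto the base again,
    #    even when the copy failed, so the chain never keeps growing.
    virsh blockcommit "$dom" "$target" --active --wait --pivot || return 1
    rm -f "$overlay"
    return "$rc"
}

# Run only when called with arguments, e.g.: sh hot-backup.sh debian-image /backup/location
if [ "$#" -eq 2 ]; then
    hot_backup "$@"
fi
```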
Restore Procedure
A backup is valid only if it can be restored.
To restore:
virsh define debian-image.xml
virsh start debian-image
Test restore procedures regularly.
Operator Rule
- Never rely on qcow2 internal snapshots as backups.
- Never keep backups on the same filesystem as the storage pool.
- Always test restore workflows.
If you cannot restore it, you do not have a backup.
Final Thoughts
KVM is not a product you adopt.
It is a system you operate.
It will not protect you from poor architecture.
It will not fix weak processes.
It will not replace operational discipline.
But if you design carefully,
automate deliberately,
and back up responsibly,
it will run for years without asking for attention.
The difference is not the hypervisor.
It is the operator behind it.