fedora updates and systemd renames
All checks were successful
Podman DDNS Image / build-and-push-ddns (push) Successful in 58s

2025-10-30 22:51:53 -04:00
parent 6df02e8dff
commit b97f41eb70
8 changed files with 303 additions and 61 deletions

View File

@@ -561,7 +561,7 @@ dnf upgrade --refresh
reboot
# Set the releasever to the version you want to upgrade to
dnf system-upgrade download --releasever=42
dnf system-upgrade download --releasever=43
dnf system-upgrade reboot
```
@@ -666,6 +666,8 @@ mkfs.xfs /dev/mapper/vg0-docker--data
```bash
nmcli connection modify Wired\ connection\ 1 ipv6.addr-gen-mode eui64
nmcli connection modify Wired\ connection\ 1 ipv6.ip6-privacy disabled
systemctl restart NetworkManager
```
### Install and Enable Cockpit
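Review bot: the two new nmcli lines (`ipv6.addr-gen-mode eui64` and `ipv6.ip6-privacy disabled`) give the host a single stable, MAC-derived IPv6 address and switch off temporary privacy addresses; that is a sensible choice for a server that publishes its own DNS records, but the address becomes a persistent identifier for the machine, so the reason should be stated in a comment above the two lines. `nmcli connection up "Wired connection 1"` is enough to apply the modified profile; `systemctl restart NetworkManager` is not needed for this change and drops every other connection on the host while it restarts.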

View File

@@ -603,7 +603,7 @@ flatpak install org.gnome.Evolution
# Virtualization
sudo dnf group install --with-optional virtualization
sudo systemctl start libvirtd
sudo systemctl enable --now libvirtd virtnetworkd.service
```
## NVM
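Review bot: `sudo systemctl enable --now libvirtd virtnetworkd.service` enables the monolithic libvirtd and one of the modular daemons side by side. libvirt documents the two layouts as alternatives: on current Fedora the modular daemons (virtqemud, virtnetworkd, virtstoraged and friends behind virtproxyd) are the default and replace libvirtd, and the two are not meant to run at the same time. Either enable the modular set the host actually uses (virtqemud plus virtnetworkd) or keep libvirtd alone, and say in the text which layout the page targets.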

View File

@@ -0,0 +1,475 @@
# FreeIPA
- [FreeIPA](#freeipa)
- [Notes](#notes)
- [Quickstart Debugging Setup](#quickstart-debugging-setup)
- [Quickstart Production Setup](#quickstart-production-setup)
- [NFS](#nfs)
- [Tips](#tips)
- [Adding a user](#adding-a-user)
- [Adding a Smart Card Certificate](#adding-a-smart-card-certificate)
- [PIV](#piv)
- [Sources](#sources)
- [Set up PIV Auth on the Host where you Installed FreeIPA](#set-up-piv-auth-on-the-host-where-you-installed-freeipa)
- [Note for VMs](#note-for-vms)
- [Set up PIV](#set-up-piv)
- [Set up PIV on Another Host](#set-up-piv-on-another-host)
- [PIV Smart Card (Yubikey Manual) WIP](#piv-smart-card-yubikey-manual-wip)
- [PIV Smart Card (Taglio) WIP](#piv-smart-card-taglio-wip)
- [Finding devices in sysfs WIP](#finding-devices-in-sysfs-wip)
- [Finding p11 devices WIP](#finding-p11-devices-wip)
- [Arch Client WIP](#arch-client-wip)
- [Troubleshooting](#troubleshooting)
- [Changing IP address](#changing-ip-address)
An AD Server.
This guide assumes Fedora 40+.
## Notes
For yubikey manager appimage extend app not responding timeout to 60 seconds
```bash
gsettings set org.gnome.mutter check-alive-timeout 0
```
## Quickstart Debugging Setup
This sets up a freeipa server on RHEL 9 for debugging purposes. No DNS records required
and mostly for local use.
```bash
# Don't forget to install tmux
dnf install -y tmux
```
Install FreeIPA:
```bash
# Hostname needs to be an address that isn't managed by DNS (FreeIPA will check)
# We can get away with *.name.reeselink.com because "name.reeselink.com" doesn't resolve.
export HNAME="freeipa.reese.reeselink.com"
export IPS=$(hostname -I)
# Add "<ip address> freeipa.<unique_name>.reeselink.com" to the /etc/hosts
# Example: "10.3.128.130 freeipa.reese.reeselink.com" <- note, this address *cannot* already exist.
# This will allow us to access our AD server without DNS complication
for item in $IPS; do echo "$item $HNAME" >> /etc/hosts; done
# FreeIPA checks for this
hostnamectl set-hostname $HNAME --static
hostname $HNAME
# Turning off selinux isn't required, but is nice for debugging.
setenforce 0
sed -i 's/^SELINUX=.*/SELINUX=permissive/g' /etc/selinux/config
# Install FreeIPA with the dns packages. We *could* use this server our DNS server if
# we wanted. This will prevent DCV from talking to our auth endpoint, however, so isn't
# recommended.
dnf install ipa-server-dns bind-dyndb-ldap -y
# IPA Server install
# Note - select defaults for almost everything except:
# 1. We want DNS, so say yes to that
# 2. We don't need to scan for additional zones
ipa-server-install --setup-dns
# Setup firewall
firewall-cmd --add-service=freeipa-ldap --add-service=freeipa-ldaps --add-service=dns --permanent
firewall-cmd --reload
# Install flatpak
dnf install flatpak
flatpak remote-add --if-not-exists flathub https://dl.flathub.org/repo/flathub.flatpakrepo
flatpak install it.mijorus.gearlever
```
1. Download the yubikey manager at <https://www.yubico.com/support/download/yubikey-manager/>
2. Open it in Gear Lever and add to app menu
```bash
# Install pcscd
dnf install pcsc-lite opensc
# Start the pcscd server
systemctl enable --now pcscd
```
Now skip to [Get PIV Working](#piv)
## Quickstart Production Setup
<https://www.freeipa.org/page/Quick_Start_Guide>
1. Set your hostname to your server's fqdn with `hostnamectl hostname freeipa.reeselink.com`
2. If you want freeipa to manage your DNS, make sure you don't have a DNS address pointing to your domain
3. Open freeipa ports
```bash
firewall-cmd --add-service=freeipa-4
firewall-cmd --add-service=freeipa-4 --permanent
firewall-cmd --reload
```
4. Set a permanent DNS resolver
```bash
rm /etc/resolv.conf
echo "nameserver 1.1.1.1" > /etc/resolv.conf
```
5. Disable NetworkManager DNS management
```bash
vim /etc/NetworkManager/NetworkManager.conf
[main]
dns=none
```
6. Reboot
7. Ensure resolv.conf hasn't been repopulated: `cat /etc/resolv.conf`
8. Install freeipa: `dnf install -y freeipa-server freeipa-server-dns`
9. Install the server (mostly choose defaults and sane options): `ipa-server-install`
10. Authenticate as admin: `kinit admin`
Now skip to [Get PIV Working](#piv)
## NFS
<https://www.techrepublic.com/article/kerberos-authentication-with-nfsv4/>
```bash
mkdir /exports
chmod 1777 /exports
mount --bind /srv /exports/srv
```
What this does is remounts /srv to /exports/srv. Effectively, this means that
/srv can be accessed directly, or via /exports/srv and changes in one location
reflect in the other.
To make this persistent, add the mount command above to /etc/rc.d/rc.local or
some similar executed-at-boot script.
Next, edit `/etc/sysconfig/nfs` and enable the SECURE_NFS option:
```conf
SECURE_NFS="yes"
```
Then edit `/etc/exports`. The “/exports” entry has the “fsid=0” option, which
tells NFS that this is the “root” export.
```fstab
/exports gss/krb5(rw,sync,fsid=0,insecure,no_subtree_check)
/exports/srv gss/krb5(rw,sync,nohide,insecure,no_subtree_check)
```
Create the server principal for the NFS server and add it to the keytab file on
the server using kadmin (usually /etc/krb5.keytab):
```bash
kadmin.local
kadmin.local: addprinc -randkey nfs/nfsserver.domain.com
kadmin.local: ktadd -e des-cbc-crc:normal -k /etc/krb5.keytab nfs/nfsserver.domain.com
kadmin.local: quit
```
Edit `/etc/idmapd.conf` and make sure the Nobody-User and Nobody-Group options
are correct (i.e. on Red Hat Enterprise Linux and Fedora, use the “nfsnobody”
user and group, other distributions may just use “nobody”)
```bash
systemctl restart nfs rpcidmapd
```
open TCP port 2049 for use with NFsv4
```bash
firewall-cmd --add-service=nfs
firewall-cmd --add-service=nfs --permanent
firewall-cmd --reload
```
## Tips
```bash
# Install gnome desktop on Fedora server
dnf group install gnome-desktop
systemctl enable gdm
reboot
# Install spice tools for clipboard sync
sudo dnf install spice-vdagent
reboot
```
## Adding a user
- `ipa user-add`
- `ipa passwd <user>`
- `kinit <user>`
### Adding a Smart Card Certificate
1. Login to the UI as admin
2. Navigate to your user
3. Actions -> New Certificate
4. Generate a self-signed CSR with your yubikey
5. Paste the CSR into the CSR field
6. Generate
7. Download the certificate from the user page
8. Import the certificate into slot 9a for your yubikey
9. `kinit -X X509_user_identity='PKCS11:opensc-pkcs11.so' idm_user`
## PIV
### Sources
Self signed piv cert generation
<https://developers.yubico.com/yubico-piv-tool/Actions/key_generation.html>
Explaing Yubikey key slots
<https://developers.yubico.com/PIV/Introduction/Certificate_slots.html>
Ultimate guide to creating a CA
<https://checkmk.com/linux-knowledge/creating-server-certificate>
CA Public directory
<https://nextcloud.reeseapps.com/s/twRAFeWJZKJ3Qw5>
Convert pem to der
<https://knowledge.digicert.com/solution/how-to-convert-a-certificate-into-the-appropriate-format>
Add smart card login to extended key use
<https://docs.openssl.org/master/man5/x509v3_config/#key-usage>
This should set up a CA and a signed cert for your yubikey.
<https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/8/html/managing_smart_card_authentication/configuring-idm-for-smart-card-auth_managing-smart-card-authentication#conf-idm-server-for-smart-card-auth_configuring-idm-for-smart-card-auth>
### Set up PIV Auth on the Host where you Installed FreeIPA
#### Note for VMs
"virt-manager USB redirection error: Device is in use by another application"
You won't be able to pass through a smart card without stopping pcscd on the host.
```bash
systemctl stop pcscd.socket && systemctl stop pcscd
```
#### Set up PIV
```bash
# copy the CA and run the ipa-advise script that sets up smartcard auth
cp /etc/ipa/ca.crt ca.crt
sudo -i
kinit admin
ipa-advise config-server-for-smart-card-auth > config-server-for-smart-card-auth.sh
chmod +x config-server-for-smart-card-auth.sh
./config-server-for-smart-card-auth.sh ca.crt
```
Allow smart card auth in browser with these changes `/etc/httpd/conf.d/ssl.conf`
```conf
...
SSLOCSPEnable off
...
SSLProtocol all -TLSv1 -TLSv1.1 -TLSv1.3
...
```
And restart httpd:
```bash
systemctl restart httpd
```
Then user -> actions -> new certificate. Paste in the yubikey CSR. Download then upload cert to the yubikey.
Auth with smart card
```bash
kinit -X X509_user_identity='PKCS11:opensc-pkcs11.so' idm_user
```
Or with pam
```bash
cp /etc/ipa/ca.crt /etc/sssd/pki/sssd_auth_ca_db.pem
dnf install -y sssd-tools
authselect enable-feature with-smartcard
# required: authselect enable-feature with-smartcard-required
# lock on remove: authselect enable-feature with-smartcard-lock-on-removal
# set "pam_cert_auth = True" in [pam] section of /etc/sssd/sssd.conf
systemctl restart sssd
sssctl user-checks -s gdm-smartcard "ducoterra" -a auth
```
### Set up PIV on Another Host
**NOTE**: Make sure, if you're joining with a host that already has a user with a username that
exists in your freeipa server, that **you set the UID in freeipa to match the UID on
the system**. Otherwise joining will cause all sorts of problems.
```bash
# This package is required to join a FreeIPA realm
# I think it helps collect and save the relevant data from the FreeIPA
# server when joining (server CA, NTP sync, SSH keys, etc.)
dnf install -y freeipa-client
hostnamectl set-hostname client.reese.reeselink.com
# OPTIONAL: You need to leave any existing AD realm before joining a new one
# realm leave <some-realm>
# Install pcscd
dnf install pcsc-lite opensc
# Start the pcscd server
systemctl enable --now pcscd
# Update client's dns server to use freeipa
vim /etc/resolv.conf
nameserver 192.168.122.130
# This should populate /etc/krb5.conf and /etc/sssd/sssd.conf
realm join -U admin freeipa.reese.reeselink.com -v
# With kinit
kinit -X X509_user_identity='PKCS11:opensc-pkcs11.so' idm_user
# With sssctl
dnf install -y sssd-tools
cp /etc/ipa/ca.crt /etc/sssd/pki/sssd_auth_ca_db.pem
chmod 600 /etc/ipa/ca.crt /etc/sssd/pki/sssd_auth_ca_db.pem
authselect enable-feature with-smartcard
# required: authselect enable-feature with-smartcard-required
# lock on remove: authselect enable-feature with-smartcard-lock-on-removal
```
IMPORTANT: set `pam_cert_auth = True` in `[pam]` section of `/etc/sssd/sssd.conf`.
```bash
systemctl restart sssd
sssctl user-checks -s gdm-smartcard "ducoterra" -a auth
```
### PIV Smart Card (Yubikey Manual) WIP
```bash
openssl req -x509 -config openssl-ca.cnf -days 3650 -newkey rsa:4096 -sha256 -nodes -out cacert.pem -outform PEM
touch index.txt
echo '01' > serial.txt
# Sign the csr generated in slot 9a on your yubikey
openssl ca -config openssl-ca.cnf -policy signing_policy -extensions signing_req -out reese-crt.pem -infiles reese-csr.pem
# Inspect
openssl x509 -in reese-crt.pem -text -noout
# Convert to microsoft format
openssl x509 -outform der -in reese-crt.pem -out reese-crt-der.cer
```
OCSP Server
<https://bhashineen.medium.com/create-your-own-ocsp-server-ffb212df8e63>
```bash
openssl req -new -nodes -out ocspSigning.csr -keyout ocspSigning.key
openssl ca -keyfile rootCA.key -cert rootCA.crt -in ocspSigning.csr -out ocspSigning.crt -config validation.conf
```
### PIV Smart Card (Taglio) WIP
<https://github.com/OpenSC/OpenSC/wiki/Using-pkcs11-tool-and-OpenSSL>
```bash
openssl genrsa -aes256 -out testkey.key 2048
openssl rsa -in testkey.key -pubout -out testkey-public.key
openssl req -new -key testkey.key -out testkey.csr
# Sign with CA
```
### Finding devices in sysfs WIP
```bash
# Try this
ls /dev/input/by-id
udevadm info --query=all --name='/dev/input/by-id/usb-Yubico_YubiKey_OTP+FIDO+CCID-event-kbd'
# Look for E: DEVPATH and put /sys in front of it
# For example:
cd /sys/devices/pci0000:00/0000:00:02.1/0000:02:00.0/usb1/1-3/1-3:1.0/0003:1050:0407.0004/input/input10/event6
# Or alternatively
find /sys -name 'removable'
cd /sys/devices/pci0000:00/0000:00:02.1/0000:02:00.0/usb1/1-3
```
### Finding p11 devices WIP
```bash
dnf install python3-pip python3-devel gcc
python3 -m venv venv
source venv/bin/activate
pip install -U pip
pip install python-pkcs11
export PKCS11_MODULE=/usr/lib64/p11-kit-proxy.so
```
## Arch Client WIP
- Install krb5: `pacman -S krb5`
- Edit /etc/krb5.conf to match your server
```conf
vim /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = REESELINK.COM
dns_lookup_realm = false
dns_lookup_kdc = true
rdns = false
ticket_lifetime = 24h
forwardable = true
udp_preference_limit = 0
default_ccache_name = KEYRING:persistent:%{uid}
[realms]
REESELINK.COM = {
kdc = freeipa.reeselink.com:88
master_kdc = freeipa.reeselink.com:88
kpasswd_server = freeipa.reeselink.com:464
admin_server = freeipa.reeselink.com:749
default_domain = reeselink.com
pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem
}
[domain_realm]
.reeselink.com = REESELINK.COM
reeselink.com = REESELINK.COM
freeipa.reeselink.com = REESELINK.COM
```
- Log in with your user: `kinit <user>`
- List your tickets: `klist`
## Troubleshooting
### Changing IP address
Changing the IP address of a freeipa server can break dnssec. You'll get
"servfail" looking things up. The quick way to fix this is to edit
`/etc/named/ipa-options-ext.conf` and to set `dnssec-validation no;`.
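Review bot: the NFS keytab step `kadmin.local: ktadd -e des-cbc-crc:normal -k /etc/krb5.keytab nfs/nfsserver.domain.com` requests single-DES, which is broken and has been removed from current MIT krb5, so the command fails on a modern KDC and would leave the service on a weak key anywhere it still succeeds; drop `-e des-cbc-crc:normal` and let the KDC use its default AES enctypes. On a FreeIPA server the service principal is also normally created with `ipa service-add nfs/<fqdn>` and the keytab fetched with `ipa-getkeytab` rather than through `kadmin.local`, so the section should state which setup it assumes. Two settings deserve a sentence of justification in the text: the `/etc/exports` lines use `insecure` (accept requests from client ports above 1024), which is only needed for particular clients, and the httpd change `SSLProtocol all -TLSv1 -TLSv1.1 -TLSv1.3` with `SSLOCSPEnable off` disables TLS 1.3 and OCSP revocation checking for the whole IdM web UI, not only for the smart-card login path. Finally, `chmod 600 /etc/ipa/ca.crt` makes a public CA certificate unreadable to non-root users, which the `ipa` client tooling reads when run unprivileged; only the sssd copy under `/etc/sssd/pki` needs restricted permissions.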

View File

@@ -0,0 +1,5 @@
# Packer
## Qemu Builds
<https://github.com/goffinet/packer-kvm?tab=readme-ov-file>

View File

@@ -2,7 +2,7 @@
- [QEMU](#qemu)
- [QCOW2](#qcow2)
- [Restore qcow snapshots](#restore-qcow-snapshots)
- [QCOW2 Snapshots](#qcow2-snapshots)
- [Convert qcow to bootable drive](#convert-qcow-to-bootable-drive)
- [Convert bootable drive to qcow](#convert-bootable-drive-to-qcow)
- [ISO](#iso)
@@ -17,7 +17,7 @@ VDI (VirtualBox) vdi
VHD (Hyper-V) vpc
VMDK (VMware) vmdk
### Restore qcow snapshots
### QCOW2 Snapshots
```bash
# Create a snapshot

View File

@@ -0,0 +1,11 @@
<network>
<name>dual-stack</name>
<forward mode="nat"/>
<domain name="dual-stack"/>
<ip address="192.168.100.1" netmask="255.255.255.0">
<dhcp>
<range start="192.168.100.2" end="192.168.100.254"/>
</dhcp>
</ip>
<ip family="ipv6" address="fd4d:58e7:17f6:1::1" prefix="64"/>
</network>

View File

@@ -0,0 +1,7 @@
<network>
<name>dual-stack-no-dhcp</name>
<forward mode="nat"/>
<domain name="dual-stack-no-dhcp"/>
<ip address="192.168.123.1" netmask="255.255.255.0"/>
<ip family="ipv6" address="fd4d:58e7:17f6:1::1" prefix="64"/>
</network>
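Review bot: `<ip family="ipv6" address="fd4d:58e7:17f6:1::1" prefix="64"/>` reuses the exact ULA prefix that the dual-stack network in the other new file already claims, so with both networks started the host has fd4d:58e7:17f6:1::/64 on two bridges and v6 traffic between them is ambiguous. The IPv4 side already differs (192.168.123.0/24 here versus 192.168.100.0/24), so give this network its own subnet id under the same ULA /48 as well.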

View File

@@ -2,6 +2,19 @@
Virtual Machine Management
- [Virsh](#virsh)
- [Before you Begin](#before-you-begin)
- [Useful Virsh Commands](#useful-virsh-commands)
- [Virsh Networking](#virsh-networking)
- [Create a Virtual Network](#create-a-virtual-network)
- [Attach a New Virtual Network](#attach-a-new-virtual-network)
- [Set a Static IP](#set-a-static-ip)
- [Creating VMs](#creating-vms)
- [Create VM with No Graphics and use an Existing QCOW2 Disk](#create-vm-with-no-graphics-and-use-an-existing-qcow2-disk)
- [Create VM with Graphics using an ISO Installation Disk](#create-vm-with-graphics-using-an-iso-installation-disk)
- [Create VM using Host Device as Disk](#create-vm-using-host-device-as-disk)
- [Snapshots](#snapshots)
## Before you Begin
1. Add yourself to the `qemu` and `libvirt` groups: `usermod -aG libvirt,qemu ducoterra`
@@ -10,8 +23,9 @@ Virtual Machine Management
4. Allow group write access to images: `chmod 770 /var/lib/libvirt/images`
5. Allow group write access to iso: `chmod 770 /var/lib/libvirt/iso`
6. Tell virsh to connect to your root system rather than your user: `export LIBVIRT_DEFAULT_URI='qemu:///system'`
7. Export your editor so virsh knows what to use: `export EDITOR=vim`
## VM Details
## Useful Virsh Commands
```bash
# Show node info
@@ -22,37 +36,6 @@ osinfo-query os
# List all current machines
virsh list --all
```
## Creating VMs
If you have [an osbuild
image](/active/software_osbuild/image_builder.md#installing) you can run
```bash
sudo systemctl start osbuild-composer.socket
composer-cli compose list
composer-cli compose image --filename /var/lib/libvirt/images/fedora-42-test.qcow2 image-uuid
```
now to have a qcow2 available during install.
```bash
# `--location /path/to/image.iso` supplies a disk installer. (Remove `--import`)
# `--import` skips the installation process.
# `--graphics spice --video qxl --channel spicevmc` installs graphics
# `--console pty,target.type=virtio` adds a console connection
# For any command, use `virt-install --arg=?` to see all available options
virt-install \
--name fedora42-test \
--description "Test VM with Fedora42" \
--cpu host-model --vcpus sockets=1,cores=8,threads=2 \
--ram=8192 \
--os-variant=fedora41 \
--import --disk path=/var/lib/libvirt/images/fedora-42-test.qcow2,bus=virtio \
--network bridge:virbr0 \
--graphics none \
--console pty,target.type=virtio
# Connect to console VM
virsh console fedora42-test
@@ -78,3 +61,178 @@ virsh undefine <domain>
# Remove a VM including storage
virsh undefine <domain> --remove-all-storage
```
## Virsh Networking
### Create a Virtual Network
Creating a new network will require an XML configuration file. To see the
default network's configuration, use
```bash
virsh net-dumpxml default > virbr0.xml
```
To create a dual-stack network, use the following. (Note, I generated a unique
local ipv6 address [here](https://www.unique-local-ipv6.com/)).
```xml
<network>
<name>dual-stack</name>
<forward mode="nat"/>
<domain name="dual-stack"/>
<ip address="192.168.100.1" netmask="255.255.255.0">
<dhcp>
<range start="192.168.100.2" end="192.168.100.254"/>
</dhcp>
</ip>
<ip family="ipv6" address="fd4d:58e7:17f6:1::1" prefix="64"/>
</network>
```
I've already defined this network in `active/software_virsh/dual-stack-dhcp.xml`. Install it with
```bash
# Define and autostart the network
virsh net-define active/software_virsh/dual-stack-dhcp.xml
virsh net-start dual-stack-dhcp
virsh net-autostart dual-stack-dhcp
# List networks to ensure it created
virsh net-list --all
# Get the UUID of the created network
virsh net-uuid dual-stack-dhcp
```
### Attach a New Virtual Network
```bash
export VM_NAME=my_vm
virsh attach-interface \
--type bridge \
--source virbr1 \
--model virtio \
--config \
--live \
--domain ${VM_NAME}
```
### Set a Static IP
To set a static IP, run `virsh net-edit default` and add the following between `<dhcp>` and `</dhcp>`
```xml
<host mac='xx:xx:0x:xx:xx:1x' name='virtual_machine' ip='1xx.1xx.1xx.xx'/>
```
Then run
```bash
# `--location /path/to/image.iso` supplies a disk installer. (Remove `--import`)
# `--import` skips the installation process.
# `--graphics spice --video qxl --channel spicevmc` installs graphics
# `--console pty,target.type=virtio` adds a console connection
# For any command, use `virt-install --arg=?` to see all available options
virsh net-destroy default
virsh net-start default
virsh shutdown virtual_machine
systemctl restart libvirtd
virsh start virtual_machine
```
## Creating VMs
If you have [an osbuild
image](/active/software_osbuild/image_builder.md#installing) you can run the
following to generate a qcow2 disk image. Then you can [create a VM with an
existing qcow2
disk](#create-vm-with-no-graphics-and-use-an-existing-qcow2-disk) and skip the
installation process altogether.
```bash
sudo systemctl start osbuild-composer.socket
composer-cli compose list
composer-cli compose image --filename /var/lib/libvirt/images/fedora-42-test.qcow2 image-uuid
```
### Create VM with No Graphics and use an Existing QCOW2 Disk
```bash
# Start the default network if it isn't already
virsh net-start --network default
# `--location /path/to/image.iso` supplies a disk installer. (Remove `--import`)
# `--import` skips the installation process.
# `--graphics spice --video qxl --channel spicevmc` installs graphics
# `--console pty,target.type=virtio` adds a console connection
# For any command, use `virt-install --arg=?` to see all available options
export VM_NAME="fedora42-test"
export VM_DESCRIPTION="Test VM with Fedora42"
export VM_DISK_PATH="/var/lib/libvirt/images/fedora-42-test.qcow2"
virt-install \
--name "${VM_NAME}" \
--description "${DESCRIPTION}" \
--boot uefi,firmware.feature0.name=secure-boot,firmware.feature0.enabled=no \
--cpu host-passthrough --vcpus sockets=1,cores=8,threads=2 \
--ram=8192 \
--os-variant=fedora41 \
--network bridge:virbr0 \
--graphics none \
--console pty,target.type=virtio \
--import --disk "path=${VM_DISK_PATH},bus=virtio"
```
### Create VM with Graphics using an ISO Installation Disk
```bash
# `--cdrom /path/to/image.iso` supplies a disk installer. (Remove `--import`)
# `--import` skips the installation process.
# `--graphics spice --video qxl --channel spicevmc` installs graphics
# `--console pty,target.type=virtio` adds a console connection
# For any command, use `virt-install --arg=?` to see all available options
export VM_NAME="fedora43-kinoite-test"
export VM_DESCRIPTION="Test VM with Fedora43 Kinoite"
export VM_DISK_PATH="/var/lib/libvirt/images/fedora-43-kinoite.qcow2"
export VM_ISO_PATH="/var/lib/libvirt/iso/Fedora-Kinoite-ostree-x86_64-43-1.6.iso"
virt-install \
--name "${VM_NAME}" \
--description "${DESCRIPTION}" \
--boot uefi,firmware.feature0.name=secure-boot,firmware.feature0.enabled=no \
--cpu host-passthrough --vcpus sockets=1,cores=8,threads=2 \
--ram=8192 \
--os-variant=fedora41 \
--network bridge:virbr0 \
--graphics spice --video qxl --channel spicevmc \
--cdrom ${VM_ISO_PATH} \
--disk "path=${VM_DISK_PATH},size=64,bus=virtio,format=qcow2"
```
### Create VM using Host Device as Disk
```bash
# `--cdrom /path/to/image.iso` supplies a disk installer. (Remove `--import`)
# `--import` skips the installation process.
# `--graphics spice --video qxl --channel spicevmc` installs graphics
# `--console pty,target.type=virtio` adds a console connection
# `--hostdev 0x1234:0x5678` adds a block storage device
# For any command, use `virt-install --arg=?` to see all available options
export VM_NAME="usb-linux"
export VM_DESCRIPTION="Linux running 0x13fe:0x6500 as the boot drive"
virt-install \
--name "${VM_NAME}" \
--description "${DESCRIPTION}" \
--boot uefi,firmware.feature0.name=secure-boot,firmware.feature0.enabled=no \
--import \
--cpu host-passthrough --vcpus sockets=1,cores=8,threads=2 \
--ram=8192 \
--os-variant=fedora41 \
--network bridge:virbr0 \
--graphics spice --video qxl --channel spicevmc \
--hostdev 0x13fe:0x6500,boot.order=1 \
--disk none
```
## Snapshots
See [qemu qcow2 snapshots](/active/software_qemu/qemu.md#qcow2-snapshots)
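Review bot: the network install steps do not match the XML they install: `virsh net-define active/software_virsh/dual-stack-dhcp.xml` followed by `virsh net-start dual-stack-dhcp` and `virsh net-autostart dual-stack-dhcp` will fail with a network-not-found error, because the XML shown above declares `<name>dual-stack</name>`; either rename the `<name>` element to `dual-stack-dhcp` or start and autostart `dual-stack`. In all three virt-install blocks `VM_DESCRIPTION` is exported but the command passes `--description "${DESCRIPTION}"`, which is unset, so every VM gets an empty description; `--cdrom ${VM_ISO_PATH}` should also be quoted like the other path arguments. The "Then run" block under Set a Static IP carries the virt-install option comments pasted above a `virsh net-destroy default` sequence and should drop them. Lastly, `--boot uefi,firmware.feature0.name=secure-boot,firmware.feature0.enabled=no` turns Secure Boot off in every template, including the one that boots a passed-through host device; reasonable for test VMs, but worth a one-line comment so nobody copies it into a template that should keep Secure Boot on.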