Despite the HowTo being close to 1 year it applies perfectly to this day. At the time Wheezy was Debian's Testing distribution and has since moved to Stable. Much of it can be used to setup other HVM domU such as Linux.
Important notice: I've experienced some problems with xen-hypervisor-4.1-amd64 versions 4.1.4-3+deb7u1_amd64 and 4.1.4-3_amd64 which implement some security advisory patches . As a result to have sucessful passthrough I was forced to go back to the previous working version: 4.1.4-2_amd64 which is available at http://www.xen.org/downloads/XCP/debian/repo/amd64/xen-hypervisor-4.1-amd64_4.1.2-2.1_amd64.deb. Again, do notice that this package is missing some security patches available in more recent versions.
In this HowTo I'll present the steps required to install Xen 4.1.3 using the xm toolstack on a Debian Wheezy (kernel 3.2.0-3-amd64) dom0, create a Windows 8 HVM domU config and setup VGA/PCI Passthrough for the integrated GPU, USB 2.0 controller and audio.
This HowTo assumes that the reader is comfortable with Linux and Windows operating systems namely Debian GNU/Linux and Windows 7/8 as such it doesn't cover the operating systems installation.
For easier reference the procedure will broken down in the following steps:
1) Hardware requirements
2) Install Xen on Debian Wheezy
3) Configure networking
4) Configure Xen
5) Prioritise Xen boot
6) Create and install Windows 8 HVM domU
7) Assign devices for PCI Passthrough
8) Install GPLPV drivers
9) Advices and impressions
1) Hardware requirements
For PCI passthrough both motherboard and CPU must support VT-d also know as IOMMU IO virtualization.The hardware used to write this HowTo setup is composed of:
- Intel Core i7-3770 CPU,
- Intel DQ77MK Motherboard,
- 32GB GEIL DDR3 1600 MHz,
- 200GB Maxtor SATA HDD,
- Samsung SyncMaster 940BW Monitor.
It should be noted that VT-d and VT-x have been enabled in the motherboard and that the i7-3770 integrated GPU is the computer's sole GPU.
In addition to the above setup I've also used another networked computer so I could SSH into the dom0 and perform the steps identified bellow.
2) Install Xen on Debian Wheezy
The Xen hypervisor is provided by the xen-linux-system package:$ su
# apt-get update
# apt-get install xen-linux-system
3) Configure networking
There are several ways you can provide network access to domU guest domains, the most common being setting up a network bridge which I'll be covering.To assign a static IP to the dom0 and define a network bridge named eth0, disable NetworkManager (if installed) and edit /etc/network/interfaces to contain a bridge:
# /etc/init.d/network-manager stop
# update-rc.d network-manager disable
# aptitude install bridge-utils
# vim /etc/network/interfaces
auto lo br0
iface lo inet loopback
allow-hotplug eth0
iface eth0 inet manual
iface br0 inet static
bridge_ports eth0
address 192.168.1.5
broadcast 192.168.1.255
netmask 255.255.255.0
gateway 192.168.1.254
# vim /etc/resolv.conf
domain my.domain.com
nameserver 192.168.1.254
192.168.1.5 is the IP chosen to be assigned to the host, 192.168.1.255 and 255.255.255.0 are the typical broadcast and netmask values for a 192.168.1.x network and in my case the gateway is 192.168.1.254. Replace this values according to your own network settings and desires.
4) Configure Xen
The xend daemon employs xend-config.sxp to determines the parameters that Xen should use.Personally I choose to disable dom0 ballooning, define the dom0 assignable memory and change the keyboard layout (I've changed mine to pt):
# vim /etc/xen/xend-config.sxp
(dom0-min-mem 2048)
(enable-dom0-ballooning no)
(keymap 'pt')
I've restricted the amount of memory assigned to dom0 to 2048 MB. In my case the dom0 is headless and all the hard work is to be done by the non-privileged virtual machines as such I've opted for a comfortable amount of memory to be assigned to the dom0, 2048 MB (2 GB). To this end GRUB needs to pass the appropriate command as the hypervisor boots:
# echo 'GRUB_CMDLINE_XEN="dom0_mem=2G,max:2G"' >> /etc/default/grub
# update-grub2
5) Prioritise Xen boot
By default Wheezy's GRUB lists and boots regular kernels and afterwards the Xen hypervisor.Assuming that the computer is to be running Xen all the time it advisable to change this behaviour and increase Xen's GRUB boot priority so that it's the first on the list and boots by default.
The Debian way to do this is to used dpkg-divert like so:
# dpkg-divert --divert /etc/grub.d/08_linux_xen --rename /etc/grub.d/20_linux_xen
# update-grub2
To undo this necessary:
# dpkg-divert --rename --remove /etc/grub.d/20_linux_xen
# update-grub2
6) Create and install Windows 8 HVM domU
The xm toolstack uses configuration files that define the domain meaning that we need to create a configuration file for our guest VM:# vim /etc/xen/win8-x64.cfg
kernel = 'hvmloader'
builder = 'hvm'
vcpus = '4'
memory = '4096'
disk = ['file:/srv/xen/domains/win8-x64.img,hda,w',
'file:/srv/xen/images/Windows8-ReleasePreview-32bit-English.iso,hdc:cdrom,r']
name = 'win8-x64'
vif = [ 'mac=00:16:3E:51:20:4C,bridge=br0,model=e1000' ]
on_poweroff = 'destroy'
on_reboot = 'restart'
on_crash = 'restart'
boot = 'dc'
acpi = '1'
apic = '1'
viridian = '1'
xen_platform_pci='1'
sdl = '0'
vnc = '1'
vnclisten = '0.0.0.0'
vncpasswd = ''
stdvga = '0'
usb = '1'
usbdevice = 'tablet'
Do note that a MAC address must be assigned to the virtual interface. The 00:16:3e MAC block is reserved for Xen domains, do the last three digits may be randomly filled in (hex values 0-9 and a-f only).
In this HowTo I'm using file based storage which implies using the dd command to create what will be the domU hard drive. To create a 40GB .img file:
# dd if=/dev/zero of=/srv/xen/domains/win8-x64.img bs=1M count=40960
If you're using LVM use 'phy:/dev/mapper/win8-x64,hda,w' (change according to your own target logical volume) instead of 'file:/srv/xen/domains/win8-x64.img,hda,w'.
For more on the options that the domain configuration file accepts refer to xmdomain.cfg.
There are 2 options when it comes to actually installing Windows 8 on the virtual machine. One method consists in using VNC to connect to the guest virtual machine and installing the operating system from whatever computer you have with a graphical desktop environment. In alternative, one can use VGA Passthrough for the install process altogether.
Choose one of the methods, though the VNC method is preferable as it eases troubleshooting and it's the one documented bellow. To use the VGA Passthrough method jump to step 7 of the HowTo and issue xm create win8-x64.cfg.
After defining Windows 8 domU configuration file execute it and connect through VNC to install Windows 8:
# xm create win8-x64.cfg
$ vncviewer 192.168.1.5
If running a GUI on dom0 simply vncviwer 127.0.0.1, however if running from a networked computer replace the localhost with the IP of the said networked computer (192.168.1.5 for example).
Proceed to do a Windows install, shutdown the guest VM and backup the .img for future use. To shutdown the Windows 8 HVM domU either use guest's shutdown button or issue:
# xm destroy win8-x64
xm list can be used to find out the domain Id and use it as argument for xm destroy, for example:
xm list
Name ID Mem VCPUs State Time(s)
Domain-0 0 4096 8 r----- 34476.9
win8-x64 4 4096 4 -b---- 301.0
xm destroy 4
Also comment out the cdrom line so that the virtual machine doesn't boot into the Windows installation cdrom every time it boots. For security reasons it is best to disable VNC.
# vim /etc/xen/win8-x64.cfg
kernel = 'hvmloader'
builder = 'hvm'
vcpus = '4'
memory = '4096'
disk = ['file:/srv/xen/domains/win8-x64.img,hda,w',
#'file:/srv/xen/images/Windows8-ReleasePreview-32bit-English.iso,hdc:cdrom,r']
name = 'win8-x64'
vif = [ 'mac=00:16:3E:51:20:4C,bridge=br0,model=e1000' ]
on_poweroff = 'destroy'
on_reboot = 'restart'
on_crash = 'restart'
boot = 'dc'
acpi = '1'
apic = '1'
viridian = '1'
xen_platform_pci='1'
sdl = '0'
vnc = '0'
vnclisten = '0.0.0.0'
vncpasswd = ''
stdvga = '0'
usb = '1'
usbdevice = 'tablet'
7) Assign devices for PCI Passthrough
A domU can be made aware and directly access and use PCI devices with full privileges. To accomplish that the PCI devices need to be hidden from the dom0 and not be forwarded to any other domUs.Using the xm toolstack this is achieved loading the pci_stub kernel module, identifying the PCI devices that are to be forwarded, unbinding the device from dom0 and bind it to pci_stub thus allowing it to be assigned in the domU config file.
# lspci
00:00.0 Host bridge: Intel Corporation Xeon E3-1200 v2/3rd Gen Core processor DRAM Controller (rev 09)
00:02.0 VGA compatible controller: Intel Corporation Xeon E3-1200 v2/3rd Gen Core processor Graphics Controller (rev 09)
00:14.0 USB controller: Intel Corporation 7 Series/C210 Series Chipset Family USB xHCI Host Controller (rev 04)
00:16.0 Communication controller: Intel Corporation 7 Series/C210 Series Chipset Family MEI Controller #1 (rev 04)
00:16.3 Serial controller: Intel Corporation 7 Series/C210 Series Chipset Family KT Controller (rev 04)
00:19.0 Ethernet controller: Intel Corporation 82579LM Gigabit Network Connection (rev 04)
00:1a.0 USB controller: Intel Corporation 7 Series/C210 Series Chipset Family USB Enhanced Host Controller #2 (rev 04)
00:1b.0 Audio device: Intel Corporation 7 Series/C210 Series Chipset Family High Definition Audio Controller (rev 04)
00:1c.0 PCI bridge: Intel Corporation 7 Series/C210 Series Chipset Family PCI Express Root Port 1 (rev c4)
00:1c.6 PCI bridge: Intel Corporation 7 Series/C210 Series Chipset Family PCI Express Root Port 7 (rev c4)
00:1d.0 USB controller: Intel Corporation 7 Series/C210 Series Chipset Family USB Enhanced Host Controller #1 (rev 04)
00:1e.0 PCI bridge: Intel Corporation 82801 PCI Bridge (rev a4)
00:1f.0 ISA bridge: Intel Corporation Q77 Express Chipset LPC Controller (rev 04)
00:1f.2 SATA controller: Intel Corporation 7 Series/C210 Series Chipset Family 6-port SATA Controller [AHCI mode] (rev 04)
00:1f.3 SMBus: Intel Corporation 7 Series/C210 Series Chipset Family SMBus Controller (rev 04)
02:00.0 Ethernet controller: Intel Corporation 82574L Gigabit Network Connection
03:03.0 FireWire (IEEE 1394): LSI Corporation FW322/323 [TrueFire] 1394a Controller (rev 70)
I'll be forwarding 00:02.0 VGA compatible controller, 00:1b.0 Audio device and 00:1d.0 USB controller. To know the exact numbering of the devices run lspci -n:
# lspci -n
00:00.0 0600: 8086:0150 (rev 09)
00:02.0 0300: 8086:0162 (rev 09)
00:14.0 0c03: 8086:1e31 (rev 04)
00:16.0 0780: 8086:1e3a (rev 04)
00:16.3 0700: 8086:1e3d (rev 04)
00:19.0 0200: 8086:1502 (rev 04)
00:1a.0 0c03: 8086:1e2d (rev 04)
00:1b.0 0403: 8086:1e20 (rev 04)
00:1c.0 0604: 8086:1e10 (rev c4)
00:1c.6 0604: 8086:1e1c (rev c4)
00:1d.0 0c03: 8086:1e26 (rev 04)
00:1e.0 0604: 8086:244e (rev a4)
00:1f.0 0601: 8086:1e47 (rev 04)
00:1f.2 0106: 8086:1e02 (rev 04)
00:1f.3 0c05: 8086:1e22 (rev 04)
02:00.0 0200: 8086:10d3
03:03.0 0c00: 11c1:5811 (rev 70)
For each PCI to be forwarded create a pci-stub Id, unbind it from the dom0 and bind to pci-stub. xm pci-list-assignable-devices is useful in confirming if the device has been added to the pool of devices that can be assigned to a guest domain.
# modprobe pci_stub
# echo "8086 1e26" > /sys/bus/pci/drivers/pci-stub/new_id
# echo "0000:00:1d.0" > /sys/bus/pci/devices/0000\:00\:1d.0/driver/unbind
# echo "0000:00:1d.0" > /sys/bus/pci/drivers/pci-stub/bind
# xm pci-list-assignable-devices
0000:00:1d.0
# echo "8086 0162" > /sys/bus/pci/drivers/pci-stub/new_id
# echo "0000:00:02.0" > /sys/bus/pci/devices/0000\:00\:02.0/driver/unbind
# echo "0000:00:02.0" > /sys/bus/pci/drivers/pci-stub/bind
# xm pci-list-assignable-devices
0000:00:02.0
0000:00:1d.0
# echo "8086 1e20" > /sys/bus/pci/drivers/pci-stub/new_id
# echo "0000:00:1b.0" > /sys/bus/pci/devices/0000\:00\:1b.0/driver/unbind
# echo "0000:00:1b.0" > /sys/bus/pci/drivers/pci-stub/bind
# xm pci-list-assignable-devices
0000:00:02.0
0000:00:1b.0
0000:00:1d.0
Do note that the devices won't be available in the dom0, that's why typical VGA Passthrough setups involve 2 or more graphics cards forwarding the more powerful to the domU alongside an USB controller and audio (I'll cover Secondary Display Adapter PCI passthrough in a future post). In this case only the CPU's integrated GPU is present so as soon has 00:02.0 VGA compatible controller is hidden for the dom0 it can't be used by it and thus the only way to be access is via another computer using SSH for example.
Update the domU's configuration file with the devices that are to be used and start the Windows 8 domU by issuing xm create win8-x64.cfg.
# vim /etc/xen/win8-x64.cfg
kernel = 'hvmloader'
builder = 'hvm'
vcpus = '4'
memory = '4096'
disk = [
'file:/srv/xen/domains/win8-x64.img,hda,w',
#'file:/srv/xen/images/Windows8-ReleasePreview-32bit-English.iso,hdc:cdrom,r'
]
name = 'win8-x64'
vif = [ ',mac=00:16:3E:51:20:4C,bridge=br0,model=e1000' ]
on_poweroff = 'destroy'
on_reboot = 'restart'
on_crash = 'restart'
boot = 'dc'
acpi = '1'
apic = '1'
viridian = '1'
xen_platform_pci='1'
sdl = '0'
vnc = '0'
vnclisten = '0.0.0.0'
vncpasswd = ''
stdvga = '0'
usb = '1'
usbdevice = 'tablet'
pci = [ '00:1d.0', '00:1b.0' , '00:02.0' ]
# xm create win8-x64.cfg
Also consider creating a script to automate loading pci-stub and unbinding/binding the PCI devices.
8) Install GPLPV drivers
Developed by James Harper, GPLPV drivers allow swapping the QEMU emulated devices for paravirtualized devices. With these new devices I/O speeds are improved as Windows will use the network and block backend drivers present in the dom0.Signed GPLPV drivers are available at http://wiki.univention.de/index.php?title=Installing-signed-GPLPV-drivers. Windows 8 32-bit can be downloaded at http://apt.univention.de/download/addons/gplpv-drivers/gplpv_Vista2008x32_signed_0.11.0.356.msi while 64-bit drivers are available at http://apt.univention.de/download/addons/gplpv-drivers/gplpv_Vista2008x64_signed_0.11.0.356.msi.