Chapter 1: Overview

	cOS Core Getting Started Guide for KVM	Next

	Note: This document is also available in other formats
A PDF version of this document along with all current and older documentation in PDF format can be found at https://my.clavister.com. It is also available as a single HTML page.

Note: This document is also available in other formats

A PDF version of this document along with all current and older documentation in PDF format can be found at https://my.clavister.com.

It is also available as a single HTML page.

cOS Core with KVM

By using the open source Kernel-based Virtual Machine (KVM) software, it is possible to have a single computer running multiple, virtual Clavister NetWall Firewalls with each virtual firewall running a separate copy of the cOS Core software. This technique is referred to as virtualization and each virtual firewall can be said to be running in its own virtual machine.

Supported Hardware Platform Architectures

The supported hardware platforms for cOS Core running under KVM are:

32 bit x86.
64 bit x86 (only cOS Core version 14.00.01 and later).
ARMv8 (only cOS Core version 14.00.00 and later).

For x86 platforms, the 32 bit version should be used only if resource usage must be kept to a minimum. Otherwise, the 64 bit version is recommended, particularly where maximum performance is required. Some cOS Core features may also not be available in the 32 bit version.

The choice of virtual machine image is discussed further in an article in the Clavister Knowledge Base at the following link:

https://kb.clavister.com/336143546

Support for Apple M1 Platforms

It should be noted that ARM support includes the ability to run the cOS Core KVM distribution for ARM under QEMU on the Apple M1 platform. Specifics for Apple setup are not included in this publication but are discussed in an article in the Clavister Knowledge Base at the following link:

https://kb.clavister.com/342066805

KVM Runs Under Linux With QEMU

KVM itself is not a hypervisor but provides an infrastructure for creating virtual machines. It is the Quick EMUlator (QEMU) that provides the hypervisor functions under the Linux operation system and this is also required when using KVM to create cOS Core virtual machines. The combination is known as QEMU-KVM and is distributed as a single package so that the two can be installed together.

	Important: A virtual host should run only cOS Core as a guest
	To provide maximum security, the virtual host should be running cOS Core as the only guest. This defends against security attacks against vulnerable hardware, where local data in a processor might be read by other software sharing the same processor. The attacks known as "Spectre" and "Meltdown" are examples of this.

Downloading Files

The cOS Core installation files for cOS Core can be downloaded from the MyClavister section of the Clavister website at https://www.clavister.com. KVM files and further information can be found at http://www.linux-kvm.org.

Referencing KVM Documentation

This guide describes the steps involved when installing cOS Core with KVM on the supported platforms as well as covering many of the issues that may be encountered with cOS Core running in a KVM virtual environment.

The guide tries to deal specifically with the subject of cOS Core running under KVM and, unless relevant, does not detail the installation of KVM itself or issues which are related only to KVM. Pure KVM subjects are best explained by other, KVM specific, documentation.

x86 Server Hardware Requirements

A server using the Intel x86 architecture must satisfy the following criteria for running cOS Core under KVM:

The hardware architecture must be 64-bit x86.
It must support virtualization using Intel VT-x or AMD-V architectures.
Intel processors must be from either the Intel Core (or later) workstation or Intel server family of products.
It must support a ratio of 1-to-1 for threads to defined virtual CPUs.
It must support at least one core per virtual CPU.

x86 Hardware Driver Requirements

The following additional hardware driver requirements for x86 servers should be noted:

If used, the IXGBE (Intel 10 Gigabit network) driver should be version 3.21.2 or later.
Also note that if used, the IXGBE driver should be recompiled with the LRO (Large Packet Receive) feature disabled. Information about how to do this can be found in the README file included with the driver distribution.
If used, the IGB (Intel Network) driver should be version 5.2.5 or later.

Supported ARM Architecture

cOS Core is capable of running under KVM on the ARMv8-A architecture. The following ARMv8-A cloud deployments are supported:

Telco Systems Hawkeyetech HK-6010 NXP LS1046A CPU
Ennea Lenovo ThinkSystem HR350A - Ampere eMAG 8180 CPU
AWS Graviton
AWS Graviton 2
NXP LS1043A
NXP LS2088A
NanoPi R2S (Rockchip RL3328)

Supported Linux Distributions

KVM with QEMU will run under the Linux operating system and will require one of the following Linux distributions:

Ubuntu version 13.04 or later.
openSUSE version 12.2 or later.
Centos version 6.4 or later.
Red Hat Enterprise Linux 6.4 or later.

Other Linux distributions might be used successfully but have not been tested by Clavister with cOS Core. The installation of Linux will not be discussed further in this guide. It is assumed the administrator is familiar with basic Linux networking.

Supported KVM Distributions

cOS Core can run under the latest distribution of KVM. These distributions also include QEMU. The QEMU release (or later) that must be used for cOS Core to function properly:

Other distributions might be used successfully but have not been tested by Clavister. The installation of QEMU with KVM will not be discussed further in this guide and the administrator should refer to the software's own documentation. The QEMU/KVM binaries for a particular Linux distribution can normally be installed from the repositories of the distribution.

Note that the SeaBIOS version used with KVM for guest x86 operating systems should be version 1.7.4 or later.

Additional Linux Software

The following should also be installed on the base Linux system along with KVM:

The libvirt virtualization API must be installed under Linux. This is needed for the libvirt daemon (libvirtd) and the virsh command.
The vhost-net enhancement for networking is required. This moves packets between cOS Core and the host system using the Linux kernel instead of QEMU and provides a significant performance boost to throughput. The Clavister setup script described later will terminate with an error message if this is not installed.
Either bridge-utils or Open vSwitch must be installed to provide networking functions. It is not possible to install both. If the virtual machine will be part of an HA cluster, then Open vSwitch must be installed.

If a high availability (HA) cluster is to be set up, Open vSwitch must be installed. HA will not function with bridge-utils and this must be removed. HA setup is discussed further in Chapter 7, High Availability Setup.

Software Tools for Management

The following are the software requirements for management:

KVM virtual machine management software must be installed under Linux. This guide assumes that the Virtual Machine Manager (virt-manager) software is installed.
Optionally use a VNC client on a separate computer to access the Linux environment. This guide assumes UltraVNC Viewer is used but other clients may be suitable.

The installation of these software tools will not be discussed further in this guide. The administrator should refer to the tool's own documentation for guidance.

cOS Core Management

Not only can cOS Core run in its own virtual machine under KVM, the external management computer that is used to administer cOS Core can also run under the same KVM installation. Alternatively, it can be on a separate, external computer. To perform management tasks across a network, the management computer may access cOS Core through its Web Interface or via an SSH console. The proprietary tool InCenter may also be used for remote management from a Windows based client.