Setting Up Multipass on Arch Linux: Complete Guide with Security Considerations

Multipass is a powerful tool for creating and managing Ubuntu virtual machines with minimal overhead. This guide provides complete installation instructions for Arch Linux, including security considerations and best practices.

Prerequisites#

Before starting, ensure you have:

  • Sudo privileges on your Arch Linux system
  • Base development tools installed
  • At least 4GB of available RAM
  • 20GB+ of free disk space
Terminal window
# Install base development tools (skips packages that are already present)
sudo pacman -S --needed base-devel

Installation Steps#

1. Install Required Dependencies#

Install the necessary packages for virtualization and Multipass:

Terminal window
sudo pacman -S qemu-base libvirt dnsmasq apparmor edk2-ovmf git cmake gcc

2. Set Up System Services#

Enable and start the required system services:

Terminal window
# Enable and start libvirt
sudo systemctl enable --now libvirtd.service
# Enable and start AppArmor
sudo systemctl enable --now apparmor.service
# Verify services are running
sudo systemctl status libvirtd
sudo systemctl status apparmor

3. Configure User Permissions#

Add your user to the necessary groups for virtualization access:

Terminal window
sudo usermod -a -G libvirt,kvm $USER
# Verify group membership
groups $USER
# Log out and back in for group changes to take effect

4. Configure OVMF for UEFI Support#

Set up the OVMF firmware for QEMU UEFI support:

Terminal window
# Create QEMU directory
sudo mkdir -p /usr/share/qemu
# Create symlink for OVMF firmware
sudo ln -s /usr/share/edk2/x64/OVMF.fd /usr/share/qemu/OVMF.fd
# Verify symlink
ls -l /usr/share/qemu/OVMF.fd

5. Install Multipass from AUR#

Using your preferred AUR helper (yay shown here):

Terminal window
# Using yay
yay -S canonical-multipass

Or manually build from AUR:

Terminal window
# Manual installation
git clone https://aur.archlinux.org/canonical-multipass.git
cd canonical-multipass
makepkg -si

6. Start Multipass Service#

Enable and start the Multipass daemon:

Terminal window
sudo systemctl enable --now multipassd.service
# Verify service status
sudo systemctl status multipassd

7. Verify Installation#

Test your Multipass installation:

Terminal window
# Check version
multipass version
# List instances (should be empty initially)
multipass list
# Verify available images
multipass find

Usage Examples#

Launch Ubuntu 20.04 Instance#

Basic instance creation:

Terminal window
# Launch basic instance
multipass launch 20.04 --name my-instance
# Launch with custom specifications
multipass launch 20.04 --name dev-instance \
--cpus 4 \
--memory 8G \
--disk 50G

Advanced Instance Configuration#

Terminal window
# Launch with cloud-init configuration
multipass launch 22.04 --name secure-instance \
  --cpus 2 \
  --memory 4G \
  --disk 20G \
  --cloud-init - <<EOF
#cloud-config
users:
  - name: devuser
    # Passwordless sudo: any shell running as devuser is effectively root
    sudo: ALL=(ALL) NOPASSWD:ALL
    shell: /bin/bash
    ssh_authorized_keys:
      - ssh-rsa AAAAB3NzaC1yc2E... your-public-key
packages:
  - htop
  - vim
  - git
  - curl
runcmd:
  - apt update && apt upgrade -y
  # Multipass reaches the instance over SSH, so allow it before enabling ufw
  - ufw allow 22/tcp
  - ufw --force enable
EOF
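
A pre-launch check for the cloud-init file used above, as an added example that is not part of the original guide. The function name `lint_cloud_config` and the sample file are assumptions of this example; it flags a missing `#cloud-config` marker, lost indentation, passwordless sudo, a placeholder SSH key, and `ufw enable` with no earlier allow rule.

```shell
#!/usr/bin/env bash
# Added example (not from the original guide): lint a cloud-init user-data
# file before handing it to `multipass launch --cloud-init`.

lint_cloud_config() {
    local file="$1" n=0
    # cloud-init treats user-data as cloud-config only if line 1 is this marker.
    if [ "$(head -n 1 "$file")" != "#cloud-config" ]; then
        echo "ERROR first line is not #cloud-config"; n=$((n + 1))
    fi
    # Per-user fields at column 0 mean the YAML indentation was lost.
    if grep -qE '^(sudo|shell):' "$file"; then
        echo "ERROR user fields at top level (indentation lost)"; n=$((n + 1))
    fi
    if grep -qE '^[[:space:]]*sudo:.*NOPASSWD' "$file"; then
        echo "WARN passwordless sudo granted"; n=$((n + 1))
    fi
    # A key containing "..." is a documentation placeholder, not a real key.
    if grep -qE 'ssh-[a-z0-9-]+ [^ ]*\.\.\.' "$file"; then
        echo "ERROR placeholder SSH public key"; n=$((n + 1))
    fi
    # Multipass reaches the guest over SSH; enabling ufw with no earlier
    # allow rule leaves only the default deny-incoming policy in place.
    if awk '/ufw allow/ {ok=1} /ufw (--force )?enable/ && !ok {bad=1} END {exit !bad}' "$file"; then
        echo "WARN ufw enabled before any allow rule"; n=$((n + 1))
    fi
    return "$n"   # number of findings; 0 means clean
}

# Constructed sample: a cloud-config whose indentation has been stripped.
write_sample() {
    cat > "$1" <<'EOF'
#cloud-config
users:
- name: devuser
sudo: ALL=(ALL) NOPASSWD:ALL
ssh_authorized_keys:
- ssh-rsa AAAAB3NzaC1yc2E... your-public-key
runcmd:
- ufw enable
EOF
}

sample=$(mktemp)
write_sample "$sample"
lint_cloud_config "$sample" || echo "findings: $?"
rm -f "$sample"
```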

Managing Instances#

Terminal window
# List all instances
multipass list
# Get detailed instance information
multipass info instance-name
# Access instance shell
multipass shell instance-name
# Execute commands remotely
multipass exec instance-name -- command
# Transfer files
multipass transfer local-file instance-name:/remote/path
multipass transfer instance-name:/remote/file ./local-path
# Stop instance
multipass stop instance-name
# Start instance
multipass start instance-name
# Restart instance
multipass restart instance-name
# Delete instance
multipass delete instance-name
multipass purge # Remove deleted instances completely

Network Management#

Terminal window
# Get instance IP
multipass list
# Mount local directory
multipass mount /local/path instance-name:/mount/point
# Unmount directory
multipass umount instance-name:/mount/point

Security Considerations#

AppArmor Profiles#

Ensure AppArmor is properly configured for Multipass:

Terminal window
# Check AppArmor status
sudo aa-status | grep multipass
# Verify profiles are loaded
sudo aa-status
# If profiles are missing, reload them
sudo systemctl restart apparmor

Network Security#

Multipass uses NAT-based networking for isolation by default:

Terminal window
# Check network configuration
multipass get local.driver
# View network settings
multipass get local.bridged-network

For production environments, consider setting up dedicated network bridges:

Terminal window
# Create custom network bridge
sudo ip link add name br-multipass type bridge
sudo ip link set br-multipass up
# Configure Multipass to use custom bridge
multipass set local.bridged-network=br-multipass

Resource Limits#

Set appropriate resource limits to prevent resource exhaustion:

Terminal window
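# Multipass has no global CPU or memory setting; limits are set per instance,
# and the instance must be stopped while they are changed
multipass stop instance-name
# Set the instance's CPU limit
multipass set local.instance-name.cpus=4
# Set the instance's memory limit
multipass set local.instance-name.memory=8G
multipass start instance-name
# Monitor resource usage
multipass info instance-name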

Access Control#

Implement proper access controls:

Terminal window
# Set restrictive permissions on Multipass data
sudo chmod 700 /var/lib/multipass
# Use SSH keys for authentication
ssh-keygen -t rsa -b 4096 -f ~/.ssh/multipass_key
# Add key to cloud-init configuration
# (as shown in advanced instance configuration above)

Firewall Configuration#

Configure host firewall rules:

Terminal window
# Allow only necessary traffic
sudo ufw enable
sudo ufw default deny incoming
sudo ufw default allow outgoing
# Allow SSH if needed (be specific about source IPs)
sudo ufw allow from 192.168.1.0/24 to any port 22

Troubleshooting#

OVMF Firmware Issues#

If you encounter OVMF.fd errors:

Terminal window
# Verify OVMF installation
ls -l /usr/share/edk2/x64/OVMF.fd
# Recreate symlink if needed
sudo rm /usr/share/qemu/OVMF.fd
sudo ln -s /usr/share/edk2/x64/OVMF.fd /usr/share/qemu/OVMF.fd
# Check QEMU configuration
qemu-system-x86_64 -version

Service Connection Issues#

If multipass fails to connect:

Terminal window
# Check service status
systemctl status multipassd
# Check logs
journalctl -u multipassd -f
# Restart service
sudo systemctl restart multipassd
# Check for socket issues (multipassd listens on a Unix socket, so list Unix sockets rather than TCP ports)
sudo ss -xlp | grep multipass

Permission Issues#

If encountering permission errors:

Terminal window
# Verify group membership
groups | grep -E "libvirt|kvm"
# Fix KVM permissions if needed
sudo chmod 666 /dev/kvm
# Re-add your user to the libvirt group if it was missing above
sudo usermod -a -G libvirt $USER
# Restart libvirt if needed
sudo systemctl restart libvirtd

Instance Boot Issues#

Terminal window
# Check instance logs
multipass logs instance-name
# Try launching with different Ubuntu version
multipass find
multipass launch focal --name test-instance
# Check available disk space
df -h /var/lib/multipass

Maintenance#

Updating Multipass#

Terminal window
# Update via AUR helper
yay -Syu canonical-multipass
# Or manually update AUR package
cd canonical-multipass
git pull
makepkg -si

Backup Instance Data#

Terminal window
# Stop instance before backup
multipass stop instance-name
# Backup instance data
sudo cp -r /var/lib/multipass/data/instance-name /backup/location/
# Create compressed backup
sudo tar -czf backup-$(date +%Y%m%d).tar.gz \
-C /var/lib/multipass/data instance-name
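
The backup step above, extended so the archive is created owner-only and can be checked for tampering later, as an added example that is not part of the original guide. The function names and the temporary demo directory are assumptions of this example; under the usual 022 umask the `tar` command above produces a world-readable copy of data that the Access Control section restricts to mode 700.

```shell
#!/usr/bin/env bash
# Added example (not from the original guide). Paths are passed as arguments;
# the demo at the bottom uses a constructed temp directory, not real data.

# backup_instance DATA_ROOT INSTANCE DEST_DIR -> prints the archive path
backup_instance() {
    local root="$1" name="$2" dest="$3" base
    [ -d "$root/$name" ] || { echo "no such instance dir: $root/$name" >&2; return 1; }
    base="$name-$(date +%Y%m%d).tar.gz"
    (
        umask 077   # archive and checksum file are created with mode 0600
        tar -czf "$dest/$base" -C "$root" "$name" &&
        cd "$dest" && sha256sum "$base" > "$base.sha256"
    ) || return 1
    echo "$dest/$base"
}

# verify_backup ARCHIVE -> 0 if the archive still matches its recorded digest
verify_backup() {
    ( cd "$(dirname "$1")" && sha256sum -c "$(basename "$1").sha256" >/dev/null 2>&1 )
}

# Demo on constructed data
demo_root=$(mktemp -d)
mkdir -p "$demo_root/data/demo-instance" "$demo_root/backup"
echo "constructed disk image stand-in" > "$demo_root/data/demo-instance/disk.img"
archive=$(backup_instance "$demo_root/data" demo-instance "$demo_root/backup")
verify_backup "$archive" && echo "verified: $archive"
rm -rf "$demo_root"
```

Run it with sudo against the real data directory, and store the `.sha256` file separately from the archive if the digest is meant to detect deliberate modification.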

Clean Up#

Regular maintenance commands:

Terminal window
# Remove old instances
multipass delete unused-instance
# Permanently remove deleted instances and reclaim their disk space
multipass purge
# Clear cache
rm -rf ~/.cache/multipass
# Check disk usage
du -sh /var/lib/multipass/*

Performance Monitoring#

Terminal window
# Monitor system resources
htop
# Check libvirt statistics
virsh list --all
virsh domstats
# Monitor disk usage
df -h /var/lib/multipass

Log Management#

Terminal window
# View Multipass logs
journalctl -u multipassd --since "1 hour ago"
# Send daemon output to the journal (rotation and size limits are then handled by journald)
sudo systemctl edit multipassd
# Add:
# [Service]
# StandardOutput=journal
# StandardError=journal

Advanced Configuration#

Custom Image Management#

Terminal window
# Snapshot a stopped instance
multipass stop my-instance
multipass snapshot my-instance --name my-snapshot
# Restore the instance to that snapshot (when supported)
multipass restore my-instance.my-snapshot

Automation Scripts#

Create automation scripts for common tasks:

multipass-create-dev.sh
#!/bin/bash
# Stop on the first failed command or unset variable
set -euo pipefail
INSTANCE_NAME="dev-$(date +%Y%m%d)"
UBUNTU_VERSION="22.04"
multipass launch "$UBUNTU_VERSION" \
  --name "$INSTANCE_NAME" \
  --cpus 2 \
  --memory 4G \
  --disk 20G \
  --cloud-init dev-cloud-init.yml
echo "Development instance $INSTANCE_NAME created"
multipass shell "$INSTANCE_NAME"

Best Practices#

  1. Resource Management:

    • Always set appropriate CPU and memory limits
    • Monitor disk usage regularly
    • Use snapshots for important states
  2. Security:

    • Keep AppArmor enabled and configured
    • Use SSH keys instead of passwords
    • Regularly update both host and guest systems
    • Implement network segmentation when needed
  3. Maintenance:

    • Regular backups of important instances
    • Clean up unused instances and images
    • Monitor system logs for issues
    • Keep Multipass updated
  4. Development Workflow:

    • Use cloud-init for consistent instance setup
    • Implement automation scripts for repetitive tasks
    • Use version control for cloud-init configurations
    • Document instance configurations

Conclusion#

Multipass provides an excellent solution for running Ubuntu virtual machines on Arch Linux with minimal overhead. By following this guide and implementing the security considerations, you’ll have a robust virtualization environment suitable for development, testing, and production use cases.

Remember to:

  • Keep your system and Multipass updated
  • Monitor resource usage
  • Implement proper security measures
  • Maintain regular backups
  • Document your configurations

For additional support, consult the official Multipass documentation and the Arch Linux community resources.

Source: https://mranv.pages.dev/posts/multipass-arch-linux-setup/
Author: Anubhav Gain
Published at: 2025-01-28
License: CC BY-NC-SA 4.0