Setting Up Multipass on Arch Linux: Complete Guide with Security Considerations
Multipass is a powerful tool for creating and managing Ubuntu virtual machines with minimal overhead. This guide provides complete installation instructions for Arch Linux, including security considerations and best practices.
Prerequisites
Before starting, ensure you have:
- Sudo privileges on your Arch Linux system
- Base development tools installed
- At least 4GB of available RAM
- 20GB+ of free disk space
# Install the base development tools if they are missing
sudo pacman -S --needed base-devel
Installation Steps
1. Install Required Dependencies
Install the necessary packages for virtualization and Multipass:
sudo pacman -S qemu-base libvirt dnsmasq apparmor edk2-ovmf git cmake gcc
2. Set Up System Services
Enable and start the required system services:
# Enable and start libvirt
sudo systemctl enable --now libvirtd.service
# Enable and start AppArmor
sudo systemctl enable --now apparmor.service
# Verify services are running
sudo systemctl status libvirtd
sudo systemctl status apparmor
3. Configure User Permissions
Add your user to the necessary groups for virtualization access:
sudo usermod -a -G libvirt,kvm $USER
# Verify group membership
groups $USER
# Log out and back in for group changes to take effect
4. Configure OVMF for UEFI Support
Set up the OVMF firmware for QEMU UEFI support:
# Create QEMU directory
sudo mkdir -p /usr/share/qemu
# Create symlink for OVMF firmware
sudo ln -s /usr/share/edk2/x64/OVMF.fd /usr/share/qemu/OVMF.fd
# Verify symlink
ls -l /usr/share/qemu/OVMF.fd
5. Install Multipass from AUR
Using your preferred AUR helper (yay shown here):
# Using yay
yay -S canonical-multipass
Or manually build from AUR:
# Manual installation
git clone https://aur.archlinux.org/canonical-multipass.git
cd canonical-multipass
makepkg -si
6. Start Multipass Service
Enable and start the Multipass daemon:
sudo systemctl enable --now multipassd.service
# Verify service status
sudo systemctl status multipassd
7. Verify Installation
Test your Multipass installation:
# Check version
multipass version
# List instances (should be empty initially)
multipass list
# Verify available images
multipass find
Usage Examples
Launch Ubuntu 20.04 Instance
Basic instance creation:
# Launch basic instance
multipass launch 20.04 --name my-instance
# Launch with custom specifications
multipass launch 20.04 --name dev-instance \
  --cpus 4 \
  --memory 8G \
  --disk 50G
Advanced Instance Configuration
# Launch with cloud-init configuration
multipass launch 22.04 --name secure-instance \
  --cpus 2 \
  --memory 4G \
  --disk 20G \
  --cloud-init - <<EOF
#cloud-config
users:
  - name: devuser
    sudo: ALL=(ALL) NOPASSWD:ALL
    shell: /bin/bash
    ssh_authorized_keys:
      - ssh-rsa AAAAB3NzaC1yc2E... your-public-key

packages:
  - htop
  - vim
  - git
  - curl

runcmd:
  - apt update && apt upgrade -y
  # Allow SSH before enabling the firewall: multipass shell/exec reach the guest over SSH
  - ufw allow 22/tcp
  - ufw enable
EOF
Managing Instances
# List all instances
multipass list
# Get detailed instance information
multipass info instance-name
# Access instance shell
multipass shell instance-name
# Execute commands remotely
multipass exec instance-name -- command
# Transfer files
multipass transfer local-file instance-name:/remote/path
multipass transfer instance-name:/remote/file ./local-path
# Stop instance
multipass stop instance-name
# Start instance
multipass start instance-name
# Restart instance
multipass restart instance-name
# Delete instance
multipass delete instance-name
multipass purge # Remove deleted instances completely
Network Management
# Get instance IP
multipass list
# Mount local directory
multipass mount /local/path instance-name:/mount/point
# Unmount directory
multipass umount instance-name:/mount/point
Security Considerations
AppArmor Profiles
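Ensure AppArmor is properly configured for Multipass. Enabling apparmor.service is not enough on its own: profiles are enforced only when the running kernel has AppArmor active, so confirm the status instead of assuming it:
# Check AppArmor status
sudo aa-status | grep multipass
# Verify profiles are loaded
sudo aa-status
# If profiles are missing, reload them
sudo systemctl restart apparmor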
Network Security
Multipass uses NAT-based networking for isolation by default:
# Check which hypervisor driver is in use
multipass get local.driver
# View the bridged network setting
multipass get local.bridged-network
For production environments, consider setting up dedicated network bridges:
# Create custom network bridge
sudo ip link add name br-multipass type bridge
sudo ip link set br-multipass up
# Configure Multipass to use custom bridge
multipass set local.bridged-network=br-multipass
Resource Limits
Set appropriate resource limits to prevent resource exhaustion:
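# CPU and memory limits are per-instance settings; stop the instance before changing them
multipass stop instance-name
# Set the CPU limit
multipass set local.instance-name.cpus=4
# Set the memory limit
multipass set local.instance-name.memory=8G
# Monitor resource usage
multipass info instance-name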
Access Control
Implement proper access controls:
# Set restrictive permissions on Multipass data
sudo chmod 700 /var/lib/multipass
# Use SSH keys for authentication
ssh-keygen -t rsa -b 4096 -f ~/.ssh/multipass_key
# Add key to cloud-init configuration
# (as shown in advanced instance configuration above)
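A host-side check for the access controls above, written as an added example rather than code from the original guide: it flags a Multipass data directory that group or others can reach, and lists members of the libvirt and kvm groups that are not on an allow-list. The function names, the allow-list argument and the `--host` switch are assumptions made for this example; `/var/lib/multipass` is the path used in this guide.

```shell
#!/bin/sh
# Added example (not from the original guide): audit the host-side access
# controls from the "Configure User Permissions" and "Access Control" steps.

# Succeed only if PATH exists and grants nothing to group or others (e.g. 700).
mode_is_private() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 2
    [ $(( 0$mode & 077 )) -eq 0 ]
}

# Print members of GROUP ($1) that are not in the comma-separated allow-list ($2).
# Reads /etc/group format from $3 (default /etc/group), which lists
# supplementary members only.
unexpected_members() {
    awk -F: -v g="$1" -v allowed="$2" '
        $1 == g {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++)
                if (index("," allowed ",", "," m[i] ",") == 0) print m[i]
        }' "${3:-/etc/group}"
}

# Audit the path and groups this guide configures; $1 is the allow-list
# (hypothetical parameter: the accounts you expect to manage VMs).
audit_host() {
    rc=0
    if mode_is_private /var/lib/multipass; then
        echo "OK   /var/lib/multipass is closed to group and others"
    else
        echo "WARN /var/lib/multipass is missing or too permissive"; rc=1
    fi
    for g in libvirt kvm; do
        extra=$(unexpected_members "$g" "$1" | tr '\n' ' ')
        if [ -n "$extra" ]; then
            echo "WARN unexpected members of $g: $extra"; rc=1
        else
            echo "OK   $g membership matches the allow-list"
        fi
    done
    return "$rc"
}

# Audit the real host only when asked: sh audit.sh --host alice,bob
if [ "${1:-}" = "--host" ]; then
    audit_host "${2:-$(id -un)}"
fi
```

Members of the libvirt group can control the system libvirt daemon, so any unexpected name in that list deserves the same scrutiny as an unexpected sudoer.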
Firewall Configuration
Configure host firewall rules:
# Allow only necessary traffic
sudo ufw enable
sudo ufw default deny incoming
sudo ufw default allow outgoing
# Allow SSH if needed (be specific about source IPs)
sudo ufw allow from 192.168.1.0/24 to any port 22
Troubleshooting
OVMF Firmware Issues
If you encounter OVMF.fd errors:
# Verify OVMF installation
ls -l /usr/share/edk2/x64/OVMF.fd
# Recreate symlink if needed
sudo rm /usr/share/qemu/OVMF.fd
sudo ln -s /usr/share/edk2/x64/OVMF.fd /usr/share/qemu/OVMF.fd
# Check QEMU configuration
qemu-system-x86_64 -version
Service Connection Issues
If multipass fails to connect:
# Check service status
systemctl status multipassd
# Check logs
journalctl -u multipassd -f
# Restart service
sudo systemctl restart multipassd
# Check for socket issues
sudo netstat -tlnp | grep multipass
Permission Issues
If encountering permission errors:
# Verify group membership
groups | grep -E "libvirt|kvm"
# Fix KVM permissions if needed
sudo chmod 666 /dev/kvm
# Re-add your user to the libvirt group if it is missing
sudo usermod -a -G libvirt "$USER"
# Restart libvirt if needed
sudo systemctl restart libvirtd
Instance Boot Issues
# Check instance logs
multipass logs instance-name
# Try launching with different Ubuntu version
multipass find
multipass launch focal --name test-instance
# Check available disk space
df -h /var/lib/multipass
Maintenance
Updating Multipass
# Update via AUR helper
yay -Syu canonical-multipass
# Or manually update AUR package
cd canonical-multipass
git pull
makepkg -si
Backup Instance Data
# Stop instance before backup
multipass stop instance-name
# Backup instance data
sudo cp -r /var/lib/multipass/data/instance-name /backup/location/
# Create compressed backup
sudo tar -czf backup-$(date +%Y%m%d).tar.gz \
  -C /var/lib/multipass/data instance-name
Clean Up
Regular maintenance commands:
# Remove old instances
multipass delete unused-instance
multipass purge
# Clear cache
rm -rf ~/.cache/multipass
# Permanently remove any remaining deleted instances
multipass purge
# Check disk usage
du -sh /var/lib/multipass/*
Performance Monitoring
# Monitor system resources
htop
# Check libvirt statistics
virsh list --all
virsh domstats
# Monitor disk usage
df -h /var/lib/multipass
Log Management
# View Multipass logs
journalctl -u multipassd --since "1 hour ago"
# Send daemon output to the journal, where journald handles rotation
sudo systemctl edit multipassd
# Add:
# [Service]
# StandardOutput=journal
# StandardError=journal
Advanced Configuration
Custom Image Management
# Capture the state of a stopped instance as a snapshot
multipass stop my-instance
multipass snapshot my-instance --name my-snapshot
# Use snapshots (when supported)
multipass restore my-instance.my-snapshot
Automation Scripts
Create automation scripts for common tasks:
#!/bin/bash
# Stop on the first failed command or unset variable
set -euo pipefail
INSTANCE_NAME="dev-$(date +%Y%m%d)"
UBUNTU_VERSION="22.04"
# Launch the instance with the shared cloud-init file
multipass launch "$UBUNTU_VERSION" \
  --name "$INSTANCE_NAME" \
  --cpus 2 \
  --memory 4G \
  --disk 20G \
  --cloud-init dev-cloud-init.yml
echo "Development instance $INSTANCE_NAME created"
multipass shell "$INSTANCE_NAME"
Best Practices
- Resource Management:
  - Always set appropriate CPU and memory limits
  - Monitor disk usage regularly
  - Use snapshots for important states
- Security:
  - Keep AppArmor enabled and configured
  - Use SSH keys instead of passwords
  - Regularly update both host and guest systems
  - Implement network segmentation when needed
- Maintenance:
  - Regular backups of important instances
  - Clean up unused instances and images
  - Monitor system logs for issues
  - Keep Multipass updated
- Development Workflow:
  - Use cloud-init for consistent instance setup
  - Implement automation scripts for repetitive tasks
  - Use version control for cloud-init configurations
  - Document instance configurations
Conclusion
Multipass provides an excellent solution for running Ubuntu virtual machines on Arch Linux with minimal overhead. By following this guide and implementing the security considerations, you’ll have a robust virtualization environment suitable for development, testing, and production use cases.
Remember to:
- Keep your system and Multipass updated
- Monitor resource usage
- Implement proper security measures
- Maintain regular backups
- Document your configurations
For additional support, consult the official Multipass documentation and the Arch Linux community resources.