Setting Up Multipass on Arch Linux: Complete Guide with Security Considerations

Multipass is a powerful tool for creating and managing Ubuntu virtual machines with minimal overhead. This guide provides complete installation instructions for Arch Linux, including security considerations and best practices.

Open Table of Contents

Prerequisites
Installation Steps
Usage Examples
Security Considerations
Troubleshooting
Maintenance
Advanced Configuration
- Custom Image Management
- Automation Scripts
Best Practices
Conclusion

Prerequisites

Before starting, ensure you have:

Sudo privileges on your Arch Linux system
Base development tools installed
At least 4GB of available RAM
20GB+ of free disk space

# Verify prerequisites
sudo pacman -S base-devel

Installation Steps

1. Install Required Dependencies

Install the necessary packages for virtualization and Multipass:

sudo pacman -S qemu-base libvirt dnsmasq apparmor edk2-ovmf git cmake gcc

2. Set Up System Services

Enable and start the required system services:

# Enable and start libvirt
sudo systemctl enable --now libvirtd.service

# Enable and start AppArmor
sudo systemctl enable --now apparmor.service

# Verify services are running
sudo systemctl status libvirtd
sudo systemctl status apparmor

3. Configure User Permissions

Add your user to the necessary groups for virtualization access:

sudo usermod -a -G libvirt,kvm $USER

# Verify group membership
groups $USER

# Log out and back in for group changes to take effect

4. Configure OVMF for UEFI Support

Set up the OVMF firmware for QEMU UEFI support:

# Create QEMU directory
sudo mkdir -p /usr/share/qemu

# Create symlink for OVMF firmware
sudo ln -s /usr/share/edk2/x64/OVMF.fd /usr/share/qemu/OVMF.fd

# Verify symlink
ls -l /usr/share/qemu/OVMF.fd

5. Install Multipass from AUR

Using your preferred AUR helper (yay shown here):

# Using yay
yay -S canonical-multipass

Or manually build from AUR:

# Manual installation
git clone https://aur.archlinux.org/canonical-multipass.git
cd canonical-multipass
makepkg -si

6. Start Multipass Service

Enable and start the Multipass daemon:

sudo systemctl enable --now multipassd.service

# Verify service status
sudo systemctl status multipassd

7. Verify Installation

Test your Multipass installation:

# Check version
multipass version

# List instances (should be empty initially)
multipass list

# Verify available images
multipass find

Usage Examples

Launch Ubuntu 20.04 Instance

Basic instance creation:

# Launch basic instance
multipass launch 20.04 --name my-instance

# Launch with custom specifications
multipass launch 20.04 --name dev-instance \
  --cpus 4 \
  --memory 8G \
  --disk 50G

Advanced Instance Configuration

# Launch with cloud-init configuration
multipass launch 22.04 --name secure-instance \
  --cpus 2 \
  --memory 4G \
  --disk 20G \
  --cloud-init - <<EOF
#cloud-config
users:
  - name: devuser
    sudo: ALL=(ALL) NOPASSWD:ALL
    shell: /bin/bash
    ssh_authorized_keys:
      - ssh-rsa AAAAB3NzaC1yc2E... your-public-key

packages:
  - htop
  - vim
  - git
  - curl

runcmd:
  - apt update && apt upgrade -y
  - ufw enable
EOF

Managing Instances

# List all instances
multipass list

# Get detailed instance information
multipass info instance-name

# Access instance shell
multipass shell instance-name

# Execute commands remotely
multipass exec instance-name -- command

# Transfer files
multipass transfer local-file instance-name:/remote/path
multipass transfer instance-name:/remote/file ./local-path

# Stop instance
multipass stop instance-name

# Start instance
multipass start instance-name

# Restart instance
multipass restart instance-name

# Delete instance
multipass delete instance-name
multipass purge  # Remove deleted instances completely

Network Management

# Get instance IP
multipass list

# Mount local directory
multipass mount /local/path instance-name:/mount/point

# Unmount directory
multipass umount instance-name:/mount/point

Security Considerations

AppArmor Profiles

Ensure AppArmor is properly configured for Multipass:

# Check AppArmor status
sudo aa-status | grep multipass

# Verify profiles are loaded
sudo aa-status

# If profiles are missing, reload them
sudo systemctl restart apparmor

Network Security

Multipass uses NAT-based networking for isolation by default:

# Check network configuration
multipass get local.driver

# View network settings
multipass get local.bridged-network

For production environments, consider setting up dedicated network bridges:

# Create custom network bridge
sudo ip link add name br-multipass type bridge
sudo ip link set br-multipass up

# Configure Multipass to use custom bridge
multipass set local.bridged-network=br-multipass

Resource Limits

Set appropriate resource limits to prevent resource exhaustion:

# Set global CPU limit
multipass set local.memory=8G

# Set global memory limit
multipass set local.cpus=4

# Monitor resource usage
multipass info instance-name

Access Control

Implement proper access controls:

# Set restrictive permissions on Multipass data
sudo chmod 700 /var/lib/multipass

# Use SSH keys for authentication
ssh-keygen -t rsa -b 4096 -f ~/.ssh/multipass_key

# Add key to cloud-init configuration
# (as shown in advanced instance configuration above)

Firewall Configuration

Configure host firewall rules:

# Allow only necessary traffic
sudo ufw enable
sudo ufw default deny incoming
sudo ufw default allow outgoing

# Allow SSH if needed (be specific about source IPs)
sudo ufw allow from 192.168.1.0/24 to any port 22

Troubleshooting

OVMF Firmware Issues

If you encounter OVMF.fd errors:

# Verify OVMF installation
ls -l /usr/share/edk2/x64/OVMF.fd

# Recreate symlink if needed
sudo rm /usr/share/qemu/OVMF.fd
sudo ln -s /usr/share/edk2/x64/OVMF.fd /usr/share/qemu/OVMF.fd

# Check QEMU configuration
qemu-system-x86_64 -version

Service Connection Issues

If multipass fails to connect:

# Check service status
systemctl status multipassd

# Check logs
journalctl -u multipassd -f

# Restart service
sudo systemctl restart multipassd

# Check for socket issues
sudo netstat -tlnp | grep multipass

Permission Issues

If encountering permission errors:

# Verify group membership
groups | grep -E "libvirt|kvm"

# Fix KVM permissions if needed
sudo chmod 666 /dev/kvm

# Check libvirt permissions
sudo usermod -a -G libvirt $USER

# Restart libvirt if needed
sudo systemctl restart libvirtd

Instance Boot Issues

# Check instance logs
multipass logs instance-name

# Try launching with different Ubuntu version
multipass find
multipass launch focal --name test-instance

# Check available disk space
df -h /var/lib/multipass

Maintenance

Updating Multipass

# Update via AUR helper
yay -Syu canonical-multipass

# Or manually update AUR package
cd canonical-multipass
git pull
makepkg -si

Backup Instance Data

# Stop instance before backup
multipass stop instance-name

# Backup instance data
sudo cp -r /var/lib/multipass/data/instance-name /backup/location/

# Create compressed backup
sudo tar -czf backup-$(date +%Y%m%d).tar.gz \
  -C /var/lib/multipass/data instance-name

Clean Up

Regular maintenance commands:

# Remove old instances
multipass delete unused-instance
multipass purge

# Clear cache
rm -rf ~/.cache/multipass

# Clean up old images
multipass purge

# Check disk usage
du -sh /var/lib/multipass/*

Performance Monitoring

# Monitor system resources
htop

# Check libvirt statistics
virsh list --all
virsh domstats

# Monitor disk usage
df -h /var/lib/multipass

Log Management

# View Multipass logs
journalctl -u multipassd --since "1 hour ago"

# Set log rotation
sudo systemctl edit multipassd
# Add:
# [Service]
# StandardOutput=journal
# StandardError=journal

Advanced Configuration

Custom Image Management

# Create custom image from instance
multipass stop my-instance
multipass snapshot my-instance --name my-snapshot

# Use snapshots (when supported)
multipass restore my-instance.my-snapshot

Automation Scripts

Create automation scripts for common tasks:

#!/bin/bash
# multipass-create-dev.sh

INSTANCE_NAME="dev-$(date +%Y%m%d)"
UBUNTU_VERSION="22.04"

multipass launch $UBUNTU_VERSION \
  --name $INSTANCE_NAME \
  --cpus 2 \
  --memory 4G \
  --disk 20G \
  --cloud-init dev-cloud-init.yml

echo "Development instance $INSTANCE_NAME created"
multipass shell $INSTANCE_NAME

Best Practices

Resource Management:
- Always set appropriate CPU and memory limits
- Monitor disk usage regularly
- Use snapshots for important states
Security:
- Keep AppArmor enabled and configured
- Use SSH keys instead of passwords
- Regularly update both host and guest systems
- Implement network segmentation when needed
Maintenance:
- Regular backups of important instances
- Clean up unused instances and images
- Monitor system logs for issues
- Keep Multipass updated
Development Workflow:
- Use cloud-init for consistent instance setup
- Implement automation scripts for repetitive tasks
- Use version control for cloud-init configurations
- Document instance configurations

Conclusion

Multipass provides an excellent solution for running Ubuntu virtual machines on Arch Linux with minimal overhead. By following this guide and implementing the security considerations, you’ll have a robust virtualization environment suitable for development, testing, and production use cases.

Remember to:

Keep your system and Multipass updated
Monitor resource usage
Implement proper security measures
Maintain regular backups
Document your configurations

For additional support, consult the official Multipass documentation and the Arch Linux community resources.