Last Updated on September 22, 2020 by Jan Bachelor
If you would like to give a VM direct access to a component (e.g. a network card, the HDMI port on your Qotom, etc.), you need to set up PCI passthrough. Below, we will set it up for a network card.
- Your VM is already created (so that you can tell its ID, e.g. 1020).
- CPU that supports it (all modern CPUs have it)
Disadvantages: This is an experimental feature. If you plan to share the physical network port with another VM, then do not use this option.
Advantages: Provides a bit more performance. On top of that, it should protect you from Spectre- and Meltdown-type vulnerabilities.
1. Firstly, verify your CPU supports hostap (virtualization). Note that this only applies to Intel CPUs (AMDs do not reveal it). Go to Datacenter -> proxmox (your node) -> right click and run Shell. Run this command:
[shell]dmesg | grep ecap[/shell]
If one of the outputs for ecap contains an ‘f’ (hexadecimal), then all is good.
2. Run the ‘lspci’ command to determine which PCI device number (e.g. 01, 02, 03) you want to set up PCI(-E) passthrough for. On a QOTOM that comes with multiple network ports, the port number should correspond with the label on the device. You can pipe the output through ‘grep’ to narrow it down.
3. Edit /etc/default/grub – modify the line there to this (Intel CPUs):
- Then run ‘update-grub’ to reload the config.
4. Then in /etc/modules, add the following lines at the end of the file:
5. Now, we need to specify which VM the settings will apply to.
- Edit the .conf file for the respective VM that you want to set up passthrough for (for the device reported by the ‘lspci’ command). While it is possible to edit the /etc/pve/qemu-server/<yourVM_ID>.conf file directly, it is best to use the command made for it, which avoids syntax errors:
[shell]qm set VMID -hostpci3 01:00.0[/shell]
6. Run the following command to refresh the initramfs:
[shell]update-initramfs -u -k all[/shell]
7. Reboot your Proxmox host (remember to gracefully shut down any running VMs and containers first – doing it manually is always better).
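For the check in step 1, here is an added example (not part of the original post) that reads the `dmesg` lines and tests each `ecap` value for bit 3, which is the interrupt remapping flag in the Intel VT-d extended capability register and sits in the lowest hex digit. It goes slightly beyond the rule of thumb in step 1 by accepting any final digit from 8 to f. The function name `check_ecap` and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. check_ecap is a hypothetical
# helper name; the sample lines below are constructed.

# Reads dmesg text on stdin and prints one verdict per Intel IOMMU (DMAR) unit.
# Returns 0 if every ecap value has bit 3 set (interrupt remapping),
# 1 if any unit lacks it, 2 if no ecap value was found (e.g. VT-d disabled).
check_ecap() {
    found=0
    missing=0
    while IFS= read -r line; do
        case "$line" in
            *" ecap "*) ;;
            *) continue ;;
        esac
        val=${line##* ecap }      # text after the last " ecap "
        val=${val%% *}            # first token only
        case "$val" in
            ''|*[!0-9a-fA-F]*) continue ;;   # not a hex value, skip
        esac
        found=1
        # Bit 3 sits in the lowest hex digit, so 8..f means it is set.
        last=${val#"${val%?}"}
        case "$last" in
            [89a-fA-F]) echo "ecap $val: interrupt remapping supported" ;;
            *) echo "ecap $val: interrupt remapping NOT supported"
               missing=1 ;;
        esac
    done
    [ "$found" -eq 1 ] || return 2
    return "$missing"
}

# Constructed samples in the format `dmesg | grep ecap` prints.
SAMPLE_OK='[    0.021678] DMAR: dmar0: reg_base_addr fed90000 ver 1:0 cap c0000020660462 ecap f0101a
[    0.021685] DMAR: dmar1: reg_base_addr fed91000 ver 1:0 cap d2008c40660462 ecap f050da'
SAMPLE_BAD='[    0.019870] DMAR: dmar0: reg_base_addr fed90000 ver 1:0 cap c9008020660262 ecap 1000'

# On the Proxmox host itself: dmesg | check_ecap
printf '%s\n' "$SAMPLE_OK" | check_ecap
printf '%s\n' "$SAMPLE_BAD" | check_ecap || echo "passthrough prerequisite missing (exit $?)"
```

An exit status of 2 means no `ecap` line was found at all, which on an Intel host usually points to VT-d being switched off in the firmware setup rather than to missing interrupt remapping.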
TO BE ADDED:
- VERIFICATION STEPS
- PREVENTATIVE MEASURE TO ENSURE PROXMOX CANNOT USE THE DEVICE (BLACKLISTING)