libvirt-mcp
Enables management of KVM/QEMU virtual machines on remote libvirt hosts via SSH, with tools for inspection, lifecycle management, snapshots, and cloning.
README
libvirt-mcp
A Model Context Protocol (MCP) server for managing KVM/QEMU virtual machines on remote
libvirt hosts. Talks libvirt RPC over SSH — no agent on the hypervisor, no need to
install anything on the target host beyond the standard libvirtd.
Functionally a "virt-manager for LLMs": inspect, start/stop, snapshot, clone, and delete KVM/QEMU domains through 13 MCP tools.
Tools
| Group | Tools |
|---|---|
| Inspection | list_domains, domain_info, snapshot_list, screenshot |
| Lifecycle | start_domain, shutdown_domain (ACPI + poll), reboot_domain, force_destroy_domain |
| Snapshots | snapshot_create, snapshot_revert, snapshot_delete |
| Management | clone_from_template (linked clone), delete_domain (with optional wipe_disks) |
Destructive operations (force_destroy_domain, snapshot_revert, snapshot_delete,
delete_domain) require an explicit confirm=True argument so an LLM can't fire them
by accident.
Architecture
┌──────────────┐ ┌──────────────────────┐
│ MCP client │ ── stdio (JSON-RPC) ──▶ │ libvirt-mcp │
│ Claude Code, │ │ (Docker container) │
│ Desktop, … │ │ • libvirt-python │
└──────────────┘ │ • mcp SDK │
└──────────┬───────────┘
│
│ qemu+ssh://user@host/system
│ (uses host's ~/.ssh/)
▼
┌──────────────────────┐
│ Hypervisor │
│ • libvirtd │
│ • qemu-kvm │
└──────────────────────┘
The MCP server runs inside a Docker container (so libvirt-dev headers don't need to
be installed on your machine). It bind-mounts your ~/.ssh read-only and uses standard
libvirt SSH transport, inheriting ~/.ssh/config, agent forwarding, jump hosts, etc.
Setup
1. Pull the image
The container image is published as ghcr.io/rzippert/libvirt-mcp (public — no auth
required, even though the source repo is private):
docker pull ghcr.io/rzippert/libvirt-mcp:latest
Tags published:
latest— head ofmainX.Y.ZandX.Y— from git tagsvX.Y.Z(thevprefix is dropped per Docker convention)main,sha-<short>— for traceability
2. Create your config
mkdir -p ~/.config/libvirt-mcp
cat > ~/.config/libvirt-mcp/config.toml <<'EOF'
default_profile = "primary"
[profiles.primary]
uri = "qemu+ssh://user@hypervisor.example.com/system"
description = "Primary KVM hypervisor"
EOF
$EDITOR ~/.config/libvirt-mcp/config.toml
The libvirt URI is standard. SSH keys come from your host's ~/.ssh/. Make sure you
can already connect:
ssh user@hypervisor.example.com virsh -c qemu:///system list --all
3. Wire it up to an MCP client
Claude Code
claude mcp add libvirt --scope user -- \
docker run -i --rm \
-v "$HOME/.ssh:/home/ubuntu/.ssh:ro" \
-v "$HOME/.config/libvirt-mcp/config.toml:/etc/libvirt-mcp/config.toml:ro" \
--network host \
-e LIBVIRT_MCP_CONFIG=/etc/libvirt-mcp/config.toml \
ghcr.io/rzippert/libvirt-mcp:latest
Verify with claude mcp list. Remove with claude mcp remove libvirt --scope user.
Claude Desktop
Edit claude_desktop_config.json:
- macOS:
~/Library/Application Support/Claude/claude_desktop_config.json - Windows:
%APPDATA%\Claude\claude_desktop_config.json
{
"mcpServers": {
"libvirt": {
"command": "docker",
"args": [
"run", "-i", "--rm",
"-v", "/Users/youruser/.ssh:/home/ubuntu/.ssh:ro",
"-v", "/Users/youruser/.config/libvirt-mcp/config.toml:/etc/libvirt-mcp/config.toml:ro",
"--network", "host",
"-e", "LIBVIRT_MCP_CONFIG=/etc/libvirt-mcp/config.toml",
"ghcr.io/rzippert/libvirt-mcp:latest"
]
}
}
}
Replace /Users/youruser with your home directory. On Windows use forward slashes or
double-escape backslashes. Restart Claude Desktop after editing.
VS Code (GitHub Copilot Chat MCP)
Create .vscode/mcp.json in your workspace (project-scoped) or add to user settings:
{
"servers": {
"libvirt": {
"type": "stdio",
"command": "docker",
"args": [
"run", "-i", "--rm",
"-v", "${userHome}/.ssh:/home/ubuntu/.ssh:ro",
"-v", "${userHome}/.config/libvirt-mcp/config.toml:/etc/libvirt-mcp/config.toml:ro",
"--network", "host",
"-e", "LIBVIRT_MCP_CONFIG=/etc/libvirt-mcp/config.toml",
"ghcr.io/rzippert/libvirt-mcp:latest"
]
}
}
}
VS Code expands ${userHome} and ${workspaceFolder}. Open the Copilot Chat panel →
MCP servers → enable libvirt.
Configuration reference
~/.config/libvirt-mcp/config.toml (or override with LIBVIRT_MCP_CONFIG):
default_profile = "primary" # used when a tool is called without `profile=`
[profiles.<name>]
uri = "qemu+ssh://user@host/system" # standard libvirt URI
description = "Free-form description for humans"
Config search order:
$LIBVIRT_MCP_CONFIGenv var~/.config/libvirt-mcp/config.toml./config.dev.toml./config.toml
Safety model
- Allow-list validation on domain names (
^[a-z0-9][a-z0-9-]{0,30}$), bridge names, and absolute paths (no..segments). - Inspection tools open read-only libvirt connections; state-changing tools open read-write connections only when invoked.
- Confirmation gates on destructive operations:
force_destroy_domain,snapshot_revert,snapshot_delete,delete_domainall requireconfirm=True. - No subprocess on the hypervisor: every operation is pure libvirt RPC (no
qemu-img, novirt-install, novirshshell-out). Disk volumes are created and deleted through libvirt's storage volume API, reusing any active dir-pool that covers the target path or transparently creating a transient one.
Development
git clone git@github.com:rzippert/libvirt-mcp.git
cd libvirt-mcp
cp config.example.toml config.dev.toml && $EDITOR config.dev.toml
docker compose build
docker compose run --rm dev bash
Inside the dev container, source on the host (bind-mounted at /workspace) shadows the
installed package via PYTHONPATH, so edits take effect immediately. Exercise tools
directly:
python -c "from libvirt_mcp.tools.readonly import list_domains; \
import json; print(json.dumps(list_domains(), indent=2))"
Project layout:
libvirt_mcp/
├── __main__.py # python -m libvirt_mcp → mcp.run() (stdio)
├── server.py # FastMCP instance
├── connections.py # config loader + connect() context manager
├── states.py # VIR_DOMAIN_* → string
└── tools/
├── readonly.py # inspection
├── lifecycle.py # start/shutdown/reboot/force_destroy
├── snapshot.py # snapshot CRUD (revert/delete gated)
└── management.py # clone_from_template, delete_domain
Publishing happens automatically via .github/workflows/publish.yml on push to main
and on v* tags (multi-arch: linux/amd64, linux/arm64).
License
GNU Affero General Public License v3.0 or later (AGPL-3.0-or-later). See LICENSE.
Recommended Servers
playwright-mcp
A Model Context Protocol server that enables LLMs to interact with web pages through structured accessibility snapshots without requiring vision models or screenshots.
Magic Component Platform (MCP)
An AI-powered tool that generates modern UI components from natural language descriptions, integrating with popular IDEs to streamline UI development workflow.
Audiense Insights MCP Server
Enables interaction with Audiense Insights accounts via the Model Context Protocol, facilitating the extraction and analysis of marketing insights and audience data including demographics, behavior, and influencer engagement.
VeyraX MCP
Single MCP tool to connect all your favorite tools: Gmail, Calendar and 40 more.
graphlit-mcp-server
The Model Context Protocol (MCP) Server enables integration between MCP clients and the Graphlit service. Ingest anything from Slack to Gmail to podcast feeds, in addition to web crawling, into a Graphlit project - and then retrieve relevant contents from the MCP client.
Kagi MCP Server
An MCP server that integrates Kagi search capabilities with Claude AI, enabling Claude to perform real-time web searches when answering questions that require up-to-date information.
E2B
Using MCP to run code via e2b.
Neon Database
MCP server for interacting with Neon Management API and databases
Exa Search
A Model Context Protocol (MCP) server lets AI assistants like Claude use the Exa AI Search API for web searches. This setup allows AI models to get real-time web information in a safe and controlled way.
Qdrant Server
This repository is an example of how to create a MCP server for Qdrant, a vector search engine.