Raspberry Pi often used in 24/7 projects. In this mode, the issue of cooling becomes critical. One of the most common options is PoE HAT with built-in fan. At first glance, it may seem that it is enough to connect the HAT and everything will work automatically. But in practice, nuances sometimes arise, as it happened to me.

I bought Waveshare PoE M.2 HAT+. I connected it according to the instructions, but I noticed that the fan worked constantly at maximum speed. Of course, this behavior is unexpected and I started looking for a reason to eliminate it.

Kernel parameters

The PoE HAT fan does not run “directly” from voltage. He is guided kernel parameters and a special driver that reacts to the temperature of the processor and changes the revolutions. These parameters are configured in the Raspberry Pi configuration file /boot/firmware/config.txt

The following block of settings must be added to this file:

# Fan settings
dtparam=cooling_fan=on
dtparam=fan_temp0=55000,fan_temp0_hyst=2000,fan_temp0_speed=80
dtparam=fan_temp1=60000,fan_temp1_hyst=2000,fan_temp1_speed=140
dtparam=fan_temp2=65000,fan_temp2_hyst=2000,fan_temp2_speed=200
dtparam=fan_temp3=70000,fan_temp3_hyst=2000,fan_temp3_speed=255

I will describe this block in more detail using the example of the first line:

• dtparam=cooling_fan=on – enables the hardware fan driver on the Raspberry Pi 5.
• from_temp0=55000 – threshold in milli-degrees °C (55,000 = 55 °C). When this temperature is reached, the fan will turn on.
• from_temp0_hyst=2000 – hysteresis (2 °C). This means that the fan will only turn off when the temperature drops below 53 °C.
• fan_temp0_speed=80 – speed of rotation at this threshold. Values ​​range 0–255 (where 255 = maximum revolutions). 80 ≈ low speed, effectively “quiet cooling”.

After applying these changes, I rebooted Raspberry Pi, but no changes occurred, the fan continued to run at maximum speed. I was forced to look for other reasons to solve the problem – constant maximum fan speed.

Fault diagnosis

Since the entered parameters did not affect the behavior of the fan, I decided to look at all possible parameters that could theoretically be responsible for the temperature and fan speed. To do this, I ran three commands in sequence.

cat /sys/class/hwmon/*/fan1_input
13863

Shows the number of pulses per secondfan.fan1_input – standard sensor in Linux hardware monitoring (humon). Usually, the values ​​here fluctuate depending on the PWM signal (that is, what speed is set via fan_tempX_speed or target_pwm).

/vcgencmd measure_temp
temp=27.9'C

Utility vcgencmd reads CPU temperature (via GPU firmware). Means the ARM core is currently at 27.9 °C. This is the “official” way to see the temperature of the Raspberry Pi, and it is this data that the cooling system uses.

cat /sys/class/hwmon/hwmon0/temp1_input
27050

The same CPU sensor, but accessible through an interface Linux humon. temp1_input gives the temperature in millidegrees Celsius. 27050 = 27,050 m°C = 27.05 °C. This is a more “raw” way of accessing temperature that type utilities use sensors or monitoring systems (Zabbix, Prometheus, lm-sensors).

Since every parameter gave me data, it means that the sensors are active and working. I started looking for a hardware problem. First I turned off and unplugged the Raspberry Pi, unplugged the PCI Express cable, and completely unplugged the PoE HAT board. I saw that one of the pins on the Raspberry Pi fan connector was bent, and this became a big problem, because the connector itself is very small, and even the needle size scale seems quite large. So that you understand the scale of the thumbnail, I took this photo with a macro lens.

As you can see in the photo, the contact was pressed to the bottom and slightly deformed. I was able to lift it with a needle only to a vertical position, but the contact itself remained bent. In order for it to enter the connector correctly, I had to use a needle to widen the hole for it. After connecting, the Raspberry Pi started, and the fan began to receive signals about the number of revolutions depending on the temperature.

By now executing the command to check the number of fan pulses cat /sys/class/hwmon/*/fan1_input i got the value 3447 which is three times less than the previous value. This way I overcame the problem and now my fan is controlled correctly depending on the CPU temperature.

The main conclusion is as follows: for stable and quiet operation of PoE HAT on Raspberry Pi it is necessary not only to correctly adjust the parameters in config.txt, but also make sure the integrity of the connector and pins. My example clearly shows that this should not be neglected, and if a problem has already occurred, it is not easy to solve it, because the connector elements are so small that it will be either impossible or very difficult to physically align them, and for this a needle or tweezers will be quite large tools.

Raspberry Pi 5 in combination with PoE/M.2 HAT opens the possibility to use fast NVMe SSD drives. This significantly increases the speed of the system, makes it more reliable compared to traditional ones microSD-cards and allows you to store significantly larger volumes of data. In this article, I’ll show you how to completely migrate your system from SD to NVMe while keeping all your partitions and settings.

System preparation

First of all, you should make sure that the system is updated and the bootloader is up to date EEPROM supports work with NVMe. To do this, it is enough to update the packages in the terminal, update the bootloader firmware and reboot Raspberry Pi. After that, you can check with the team lsblk, whether the system sees a new SSD. If the output shows the device nvme0n1, then everything is ready for the next step.

apt update
apt upgrade -V

In the list, I saw that rpi-eeprom has a new version, so updating the system will not be useless.

After the update, it is advisable to reboot Raspberry Pi, and already after rebooting, you need to check whether NVMe SSD determined by the system:

lsblk

The device should appear in the list nvme0n1

NAME        MAJ:MIN RM   SIZE RO TYPE MOUNTPOINTS
mmcblk0     179:0    0 117.1G  0 disk 
├─mmcblk0p1 179:1    0   512M  0 part /boot/firmware
└─mmcblk0p2 179:2    0 116.6G  0 part /
nvme0n1     259:0    0 238.5G  0 disk

You can close the terminal and go to the data copy GUI

SD card cloning

Cloning is done very simply – in Raspberry Pi OS there is a built-in utility SD Card Copier. It is in the menu “Accessories» and allows you to transfer the system from the card to another medium with one click.

When the program is launched, you need to specify the source SD card, and the target is SSD. I recommend checking the box that will create a new one UUID for partitions to avoid conflicts. After pressing «Start» the copying process will begin, which may take several minutes depending on the speed of the card and disk. In my case it looks like this:

• In the field Copy From Device you need to select an SD card from the list (mmcblk0)

• In the field Copy To Device must be selected from the NVMe SSD list (nvme0n1).
• Check the box Use new partition UUIDs – to avoid ID conflicts.

Start the copying process by clicking on the button Start.

The user will receive a warning that all data will be deleted from the NVMe drive.

You have to agree and then the copying process will begin.

The process may take several minutes (depending on the speed of the SD and SSD).

Now that the memory card is cloned, you can proceed to the boot priority settings.

Setting the download order

When the system is copied, you need to configure the boot so that Raspberry Pi started with NVMe. This is done through raspi-config. In the menu “Advanced Options” there is a clause “Boot Order», where it is enough to choose to download first from NVMe, then from USB and only then from SD. This setting is not written to the card or SSD, but to the built-in EEPROM board itself, so after that the Pi will always check for NVMe first. See screenshots.

sudo raspi-config

A window will open “Raspberry Pi Software Configuration Tool (raspi-config)” in which to select the following menu sections:

Advanced Options

Boot Order

NVMe/USB (Boot from NVMe before trying USB and then SD Card)

After selecting this option, the user will receive a message about the selected priority.

After that, you can exit the settings menu by clicking on the “Finish“. To apply the changes, the system will ask to reboot now. You can postpone the reboot to another time, but it is better to do it right away.

Checking the system operation

Since the reboot happened almost instantly, there are doubts about what exactly is being used NVMe no, but it’s better to check. Turn off Raspberry Pi, remove the SD card, leave only the SSD and turn on the device again. If everything is done correctly, the system will boot from the new medium. This can be verified by the team lsblk or mount, where the root section / should be displayed on nvme0n1p2.

mount | grep ' / '
/dev/nvme0n1p2 on / type ext4 (rw,noatime)

Here the root partition (/) onnvme0n1p2 which indicates that the download occurs precisely from NVMe. Now you can remove the memory card and work with the new NVMe drive.

After completing all the steps Raspberry Pi will work faster and more stable, because SSD copes with intensive reading and writing operations better than conventional ones microSD. In addition, a reserve of free space will appear, allowing you to store more data and run heavier applications.

Conclusions

Going from an SD card to an NVMe SSD for the Raspberry Pi is a simple but very noticeable upgrade. The system starts working much faster: programs open without delays, logs and databases do not create “bottlenecks”, and the loading of the Pi itself is reduced several times. In addition to performance, the reliability factor is also important – SSDs are much more resistant to wear and tear, while SD cards can fail after prolonged use.

Using the built-in utility SD Card Copier makes the migration process as easy as possible, even for beginners: all partitions are transferred automatically, UUIDs are updated, and the size of the root partition is adapted to the volume of the new media. Setting the boot order via EEPROM ensures that the Raspberry Pi will always choose NVMe as the primary drive.

In conclusion, replacing microSD with NVMe SSD is a step that doesn’t require complicated settings, but it makes a big difference to the Raspberry Pi experience. If you have a PoE/M.2 HAT and a compatible NVMe drive, we recommend doing this upgrade immediately after initial system setup.

I purchased a PoE M.2 HAT+ adapter from Waveshare for my Raspberry Pi 5, which allows not only to power the board via Ethernet, but also to connect an NVMe M.2 storage drive. This opens up new possibilities for using the Raspberry Pi as a mini-server, NAS or high-performance storage system.

To fully exploit this potential, I chose a compact and energy-efficient 256 GB Samsung MZ9L4256HCJQ-00BD1 SSD. In this review, I will share my experience connecting, configuring and testing this drive in conjunction with the Raspberry Pi 5. In particular, we will look at the design, main characteristics, operation of the PCIe 3.0 x1 interface, and check the real-world speed performance with the PCIe 3.0 x4 interface.

Compactness and design

The Samsung MZ9L4256HCJQ-00BD1 model is made in the M.2 2230 form factor, which means a length of only 30 mm (unlike the more common 2280, which is 80 mm). This format is often used in ultra-compact devices – tablets, mini PCs, and now in the Raspberry Pi 5 thanks to available adapters. Due to the limited area, 2230 format drives have certain design limitations:

• They are produced by only a few companies (Samsung, Kioxia, Western Digital, Sabrent, and a few others).
• The most common volumes are 256 GB and 512 GB, which are considered optimal in terms of price/capacity.

• Models of 1 TB or more exist, but their price is significantly higher than that of 2280 format counterparts due to high layout density and lower demand.

Despite its compact size, the NVMe SSD MZ9L4256HCJQ-00BD1 retains all the advantages of a full-fledged drive: high speed, low power consumption and stable operation. The 2230 form factor is ideal for use with the Raspberry Pi 5 in projects where compactness and reliability are important.

To better imagine its dimensions, I compared the drive with a 1 euro coin. This clearly demonstrates the density of components achieved in this form factor.

Key Features

This SSD is intended for computer and laptop manufacturers, i.e. it is an OEM product and unfortunately I could not find a public page on Samsung’s consumer sites, so I got its specification from the seller:

• Series – PM9B1
• Memory capacity – 256 GB
• Flash memory type – TLC
• Form factor – M.2
• M2 size – M.2 2230
• Connection interface – PCI Express 4.0 x4
• Read speed – 3300 Mb/s
• Write speed – 1250 Mb/s

Connecting to Raspberry Pi 5

Connecting the SSD to the Raspberry Pi 5 via the Waveshare POE M.2 HAT+ was not easy. I encountered a problem – the lack of a drive fixing screw in the kit with the SSD and in the kit with the PoE HAT itself. Because of this, I spent time searching for it, but in the end I found the right one and fixed the SSD.

Each screw hole had a special protective sticker that was easily removed with a clerical knife and tweezers.

The SSD must be inserted at an angle until it stops and secured with a screw, this is how the connected solution will look.

After connecting, we proceed to the next stage – configuration and speed testing.

Device identification

When turning on the Raspberry Pi, the drive was correctly identified by the Disk utility as PM9B1 NVMe Samsung 256GB (46304039)

By default, the Raspberry Pi uses the PCIe 2.0 interface. To determine this, you need to run the following command, where the devices will be filtered by the keyword PCIe. Among the results, the following line is important, which accurately indicates the base value of PCI Express 2.0. Despite the speed limit of 5 Gigabits per second, it is still higher than any modern MicroSD memory card.

dmesg | grep PCIe
[0.505851] pci 0001:01:00.0: 4.000 Gb/s available PCIe bandwidth, limited by 5.0 GT/s PCIe x1 link at 0001:00:00.0 (capable of 63.012 Gb/s with 16.0 GT/s PCIe x4 link)

PCIe 3.0 Settings

The hardware parameters are written in the configuration file, which is read every time the operating system boots. It is this file that we will edit:

sudo nano /boot/firmware/config.txt

In the configuration, look for the dtparam parameter, which is responsible for the PCIe version of the pciex1_gen interface, and change its value to pciex1_gen=3. If there is no such parameter, simply add it:

dtparam=pciex1_gen=3

Save this file, and reboot the Raspberry Pi so that the changes are applied, and check the result again:

dmesg | grep PCIe
[0.401861] pci 0001:01:00.0: 7.876 Gb/s available PCIe bandwidth, limited by 8.0 GT/s PCIe x1 link at 0001:00:00.0 (capable of 63.012 Gb/s with 16.0 GT/s PCIe x4 link)

This entry indicates that after rebooting, the new settings were applied, and now the Raspberry Pi will work with the drive faster.

Speed Testing

Once again, the Samsung SSD supports PCIe Gen 4.0 x4, which provides very high speeds. However, the Raspberry Pi 5 limits its capabilities to PCIe 3.0 x1, as described in the previous section. To understand how much this affects the speed, I conducted a comparative test: first I tested the SSD on my PC with PCIe 3.0 x4, and then on the Raspberry Pi 5, already with a PCIe 3.0 x1 interface.

The testing was carried out using the KDiskMark utility. This program is an alternative version of CrystalDiskMark only for Linux operating systems. You can install KDiskMark by running the following commands:

echo 'deb http://download.opensuse.org/repositories/home:/kimi:/kdiskmark/Raspbian_12/ /' | sudo tee /etc/apt/sources.list.d/home:kimi:kdiskmark.list
curl -fsSL https://download.opensuse.org/repositories/home:kimi:kdiskmark/Raspbian_12/Release.key | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/home_kimi_kdiskmark.gpg > /dev/null
sudo apt update
sudo apt install kdiskmark

After installing the program, you can run it with the command

kdiskmark

In the interface, you will need to select the disk that was recognized, in my case it is /media/ostrich/NVME and you also need to select the Settings menu in the program settings and select NVMe SSD to optimize the test specifically for NVMe disks. I left the other parameters at default. To start the test, click the “All” button and wait for the results to complete!

I decided to conduct a similar test only on my PC. I connected the SSD to an Asus Prime A520M-K motherboard, which also supports PCIe 3.0 but with an x4 index, which means 4 lanes instead of one.

Unfortunately, I don’t have the opportunity to fully test the full potential of this drive, but the difference is very noticeable.

Conclusions

The Samsung MZ9L4256HCJQ-00BD1 is a reliable and fast SSD that is perfect for expanding the capabilities of the Raspberry Pi 5. Its main advantages are stable operation, good energy efficiency and read/write speed, which makes the most of the potential of the PCIe 3.0 x1 interface on the Raspberry Pi. With such a drive, you can create a file server, storage system or even run databases with minimal latency. If you do not need maximum speeds of more than 1 GB/s, this combination is an ideal solution for your money.

Raspberry Pi 5 has become a real breakthrough in the world of single-board computers. Updated hardware, a more powerful processor, PCIe support via FPC cable – all this opens up new horizons for enthusiasts. However, one key detail is still missing, namely the official POE HAT from the Raspberry Pi Foundation for the fifth generation.

Although the official release is already “on the way”, according to rumors, many users do not want to wait. They want compactness, convenience and powering the Raspberry Pi without unnecessary cables and a separate 220 V outlet. This is where the Waveshare POE M.2 HAT+ comes into play. It is an unofficial, but extremely practical solution for PoE power supply and simultaneous expansion using M.2 drives.

Waveshare POE M.2 HAT+ is a solution for those who do not want to wait for the official release of POE for Raspberry Pi 5

Raspberry Pi 5 Power Supply

Raspberry Pi 5 is sold as a separate board without a power supply included. Users are offered the original 27W USB-C PowerSupply EU power supply. At the first stage, I bought this power supply, because other manufacturers offered devices that were almost the same in price and power, so there was no point in looking for something else.

27W USB-C PowerSupply EU device – box

27W USB-C PowerSupply EU – logo

27W USB-C PowerSupply EU – specification

This power supply supports the following modes:

• 5.1V, 5A;
• 9V, 3A;
• 12V, 2.25A;
• 15V, 1.8A

If we consider the option of connecting Raspberry Pi 5 via Waveshare POE M.2 HAT+ using as a source my UniFi USW-Lite-8-PoE switch which supports the 802.3at standard and supplies an input voltage of 48 volts, then the power characteristics will be as follows.

• Input voltage = ~48V DC
• Power = up to 25.5 W
• Current approximately = 0.5 – 0.6 A

Package

I made an order in an online store in Ukraine, so the seller’s sticker was already stuck on the box. However, the original Waveshare inscription was visible through this sticker. The model code was also indicated: SKU: 28411. Since the Waveshare brand is Chinese, it is logical that this board was also made in China.

All elements are packed in individual bags, namely:

• PoE M.2 HAT+ x1
• Metal heatsink x1
• 16P-Cable-40mm x1
• Thermal tape (3PCS) x1
• Screws pack x1

I suggest considering each component separately, for this I took a photo

Waveshare POE M.2 HAT back

Waveshare POE M.2 HAT face

Waveshare POE M.2 HAT Metal heatsink

Waveshare POE M.2 HAT 16P-Cable-40mm

Waveshare POE M.2 HAT Thermal tape

Waveshare POE M.2 HAT Screws pack

Connecting POE M.2 HAT+

The connection process has its own sequence, and consists of several simple steps:

Applying thermal tape

The kit includes three square thermal tapes, they are in a protective film that must be removed before sticking. Stick the largest square on the processor, and the other two on the Wi-Fi / Bluetooth chip and the memory chip.

• Processor
• Wi-Fi / Bluetooth
• Memory

Fixing the metal heatsink

The heatsink has two diagonal fasteners, it is easily fixed on the Raspberry Pi board. The springs will cushion this radiator. After fixing on the back of the board we will see two harpoon-like fasteners. This will indicate the successful installation of the radiator

POE M.2 HAT+ Mounting

This board is attached to the Raspberry Pi using 4 racks, which are screwed in from the bottom and top with screws.

Interesting fact: the kit includes 5 racks and 10 screws, perhaps the extra ones are considered as spare.

Connecting the cooler power cable

We tighten the 4 racks from below with screws.

We connect the board via the GPO contacts. We need to be careful with the wire to the cooler so that it is placed compactly and does not interfere with the components.

We twist the racks from the top

Thus, our board is installed and connected, the only thing left is to connect the PCI cable.

Connecting the PCI cable

The cable has two sides, so it is important not to confuse the direction and position of the connection

16P-Cable-40mm socket

16P-Cable-40mm socket rpi

16P-Cable-40mm plugged

Testing

As a power source, I will use the Ubiquiti UniFi Switch Lite 8 PoE (USW-Lite-8-PoE) switch. This switch has 4 PoE+ ports with a total power of no more than 60 watts, and no more than 30 watts per port. I connected the Raspberry Pi 5 to the first port. Literally a second later, the boot began, and the cooler started spinning, which indicates that both the cooler and the PCI cable are connected correctly.

The two network port LEDs are lit, indicating PoE+ power and data transmission.

Of course, I was curious to know what the real consumption of the Raspberry Pi 5 was? To do this, I looked at these values ​​in the Ubiquiti – UniFi Network controller, in the Ports section and by selecting the Stats tab.

Ok, 5 watts compared to the 6 watts of the previous model seems a bit low, but there are a few features, namely, here’s what reduced consumption:

• SSD not connected via PCI
• USB flash drive not connected
• Raspberry Pi almost idle

When the load increases or additional devices are connected, consumption will certainly increase.

Conclusions

Waveshare POE M.2 HAT+ is not just a replacement for the official PoE HAT, but a more functional option that combines three features at once:

• PoE power supply without a separate unit.
• M.2 storage for server projects.
• Active cooling is necessary when working with a heavy load.

Until the official solution from the Raspberry Pi Foundation appears, this is the best choice for enthusiasts who want to use the capabilities of the new Pi 5 as efficiently as possible.

The power of the graphical interface

In the Linux world, it is traditionally customary to focus on text interfaces: console, htop, top, systemctl – these tools are well known to experienced users. However, modern realities dictate other requirements: many users are switching from Windows to Linux, where the graphical interface is familiar and understandable. This is especially true for the visualization of system processes.

Here Mission Center comes to the rescue – an extremely convenient and visually attractive task manager, which is very reminiscent of the Task Manager from Windows 11. This is a real gift for Raspberry Pi users who want to have not only a functional, but also an aesthetically pleasing tool for monitoring the system.

What is Mission Center?

Mission Center is a modern alternative to traditional task managers, combining stylish design, high performance and rich functionality:

• display of CPU, RAM, disk, network usage;
• list of processes in a convenient window with the ability to terminate;
• convenient real-time performance diagnostics;
• visual style as close as possible to Windows Task Manager;
• support for Wayland and X11.

Why install Mission Center on Raspberry Pi?

Raspberry Pi is used not only as a server or IoT device, but also as a full-fledged desktop computer. If you run a graphical environment on it (for example, Raspberry Pi OS with an interface), a convenient task manager is a must-have. Mission Center makes monitoring processes not only informative, but also pleasing to the eye.

How to install Mission Center on Raspberry Pi

There are several installation features, namely, the Raspberry Pi must be desktop, with a graphical interface, and since Mission Center is distributed via

• AppImage (ARM64),
• Flatpak
• Snap

The easiest choice would be to install Mission Center via Flatpak. After all, the latest version of Snap on Raspberry Pi is 2.57.6, and the installation requires at least Snap version 2.61. Otherwise, the user will receive an error.

Step 1: Update the system

sudo apt-get update && sudo apt upgrade

Step 2: Install Flatpak

sudo apt-get install flatpak

Step 3: Installing Mission Center

sudo flatpak install flathub io.missioncenter.MissionCenter

Looking for matches…

Required runtime for io.missioncenter.MissionCenter/aarch64/stable (runtime/org.gnome.Platform/aarch64/48) found in remote flathub

Do you want to install it? [Y/n]: y

1. [✓] org.freedesktop.Platform.GL.default
2. [✓] org.freedesktop.Platform.openh264
3. [✓] org.gnome.Platform.Locale
4. [✓] org.gnome.Platform
5. [✓] io.missioncenter.MissionCenter

Installation complete.

Step 4: Launch Mission Center

After installation, the shortcut was not displayed in the menu, so I launched the utility via flatpak:

flatpak run io.missioncenter.MissionCenter

Comparison with Windows Task Manager

The Mission Center has three sections:

• Performance
• Applications
• Services

The Windows Task Manager has additional sections: Logs, Startup Programs, Users, and Information.

Let’s look at the sections that can be compared

Performance

Visually, almost the same metric:

• Processor (you can switch from general view to logical processors)
• Memory
• Disks
• Network (Wi-Fi and wired)

In this case, I took a comparative screenshot with my desktop on which Windows 11 is installed.

Applications

In Mission Center it is called Apps, in Windows the list of running programs is called Processes, where when sorted by name it is the active programs that are displayed, which can be called applications in a way.

As you can see from the screenshots above, it is possible to sort by processor load or RAM consumption.

Services

Mission Center and Task Manager calls it Services both. In this screen, you can stop or start services, view their status.

Application Limitations

Installing Mission Center on Raspberry Pi was possible, but it came with a number of technical limitations. The package is not available in the standard APT repositories, and installing via Snap was impossible due to the outdated version of snapd, which does not support the new basic Snap packages, in particular core20.

As a result, the only option for quick installation was the version via Flatpak. It really runs and looks modern, but it has its own nuances: due to the limitations of the Flatpak sandbox, some of the functionality is unavailable or does not work correctly. In particular, numerous messages are displayed about errors with access to system files and refusal to connect to internal sockets, and the graphical interface sometimes exceeds the size of the screen.

Conclusion

The application turned out to be really impressive in terms of design and proximity to the Windows 11 Task Manager, but unfortunately it is not optimized or adapted for weak ARM processors.

One of the most convenient ways to remotely control a Raspberry Pi has traditionally been to use a VNC server, which allows you to access the Raspberry Pi’s graphical interface via a local network or from the outside. However, with the release of a new official operating system – Raspberry Pi OS based on Debian Bookworm, which was officially released on October 10, 2023, the standard connection method via RealVNC Server is no longer supported.

Fortunately, the Raspberry Pi Foundation has introduced a new convenient service – Raspberry Pi Connect, which allows you to remotely control the device directly from a browser, without complex network settings or port forwarding. Beta testing of Raspberry Pi Connect began in December 2023, and the official stable release was released in April 2024.

In this article, I will write what are the necessary requirements and settings, make the first connection

Requirements

Unlike previous solutions like RealVNC, which required separate installation and configuration, Raspberry Pi Connect is already integrated into Raspberry Pi OS (Bookworm), starting with updates released after the official release in October 2023.

• Raspberry Pi OS (Bookworm) – updated to the latest packages.
• Graphical environment (Desktop edition) – Raspberry Pi Connect works only with a graphical shell.
• Raspberry Pi account – the service requires authorization via connect.raspberrypi.com, which allows you to securely connect your device to the cloud interface.
• Internet connection – Raspberry Pi must have stable access to the Internet.

Raspberry Pi OS Update

Connecting to Raspberry Pi via SSH, you need to update the operating system

sudo apt update
sudo apt full-upgrade

After updating the system, you can also check the version of the service itself

rpi-connect --version
rpi-connect 2.5.2 (revision 0691027f16f3ddbf6417b0030e1ebf50b2e74790) [arm64]

After executing these commands, the latest version of Raspberry Pi OS and Raspberry Pi Connect is used.

Graphical environment (Desktop edition)

A graphical environment means using a certain set of OS features during installation, it can be the so-called server version of Raspberry Pi OS Lite or the desktop version of Raspberry Pi OS Full. However, if you do not know which version is installed, you can check it by executing the following command

dpkg -l | grep raspberrypi-ui-mods
ii raspberrypi-ui-mods 1.20250506 arm64 Config to customise the LXDE UI for the Raspberry Pi

The presence of the raspberrypi-ui-mods entry indicates the presence of a graphical environment.

Raspberry Pi account

To create an account, you need to go to the link https://connect.raspberrypi.com/sign-in and click on the link create one for free

To register, you need to fill out the form:

• Email
• Password and Re-enter password
• Name (Nick) What should we call you?
• Agree to the Terms and Conditions

I have also activated 2FA to improve the security of my account.

Internet connection

Since this is an online service, an Internet connection is a prerequisite.

Connecting Raspberry Pi to Raspberry Pi Connect account

Since all the requirements are met, you need to perform additional settings, namely start the service with the command

rpi-connect on
✓ Raspberry Pi Connect started

This message indicates that the service has started and is working correctly. Now you need to link the device to the Connect account. by executing the following command

rpi-connect signin
Complete sign in by visiting https://connect.raspberrypi.com/verify/XXXX-XXXX

The result of this command will be a link with an 8-symbol code. You need to open this link in a browser for further device registration.

In this window, you need to enter a name for your device. This name will be displayed in the account and will be the identifier of this particular device. If you have multiple devices, it is better to give them unique names.

Click on Create device and sign in to add the device. In the window we will see a message about the successful completion of the connection

Device sign in successful
Your device Ostrich RPI now has access to your account. If this was a mistake, you can delete the device and its access tokens.
You can now close this window, or view all devices.

At this time, an additional line will appear in the terminal

rpi-connect signin
Complete sign in by visiting https://connect.raspberrypi.com/verify/XXXX-XXXX

✓ Signed in

This indicates the successful connection of the Raspberry Pi with the Raspberry Pi Connect account.

Connection

In the browser, follow the link view all devices, and you will get to the main screen where there is a list of connected devices and their status

To connect graphically, you need to select Screen sharing from the Connect via drop-down list. In a new window, for a short period of time, until the connection is complete, the user will see a black screen message Waiting for response from Ostrich RPI

After that, the user will see the familiar Raspberry Pi OS desktop and will be able to control the mouse.

Conclusion

The appearance of Raspberry Pi Connect has greatly simplified remote control of the device without the need for complex VNC or port forwarding settings. Thanks to integration with Raspberry Pi OS (starting with the version based on Debian Bookworm), this service opens up new possibilities for users who want to have quick access to their Raspberry Pi from anywhere in the world.

If you have a version with a graphical interface installed, activating Raspberry Pi Connect takes only a few minutes and does not require additional software. This is a great solution for developers, enthusiasts, and educational projects that require stable and secure remote access.

When I bought a domain and decided to deploy a public site on my Raspberry Pi (this blog you are reading now) I knew that a DDoS attack would happen, for sure, but it was only a matter of time. That time has come. In this post, I’ll share my experience of how I fended off a DDoS attack with Cloudflare on a free plan. I will provide here the graphs and results of the work on the fact of the completion of the attack, but they will be quite informative for visual perception.

Preventive measures

I continue to study modern network capabilities, new technologies, understand settings and services. I currently have several web services installed on my server, but from a security point of view, I have restricted access from the Internet to only the local network. Such measures cannot apply to a public web resource – this blog. After writing about the 5th article, I thought about protection against DDoS attacks, and the first thing that came to mind was the Cloudflare service.

Cloudflare – is a powerful platform for ensuring security, optimizing performance and increasing the stability of web resources. Thanks to a global network of data centers, Cloudflare acts as an intermediate link between the site and the visitor: it caches content, blocks unwanted traffic and provides analytics.

At the entry level, I chose the free plan, which has some limitations unlike the commercial one, but it is quite enough for basic site protection needs. To start using Cloudflare, you need to follow a few simple steps:

• Sign up for Cloudflare
• In the admin panel of the domain registrar it is necessary to register the DNS records of the Cloudflare servers
• In the admin panel of Cloudflare add DNS records of your physical server

After making the changes, the reindexing of DNS records will begin, which can take up to 72 hours, but in my case it happened in less than a day. After that, I breathed a sigh of relief and started using the site fully relying on Cloudflare.

DDoS attack detection

I use Zabbix to monitor the resources of my local network. I usually monitor mail server activity, Raspberry Pi temperatures, and other metrics. Visually, I placed several widgets on the dashboard so that anomalies in the operation of services can be clearly and quickly identified

Normally the temperature is around 60 – 65°C, but I noticed an over temperature of almost 10 degrees, up to 70 – 75°C. At this time, I looked at the CPU load, and it was at the level of 50%, I immediately understood that something was wrong.

I looked at the server metrics and almost all of the graph values ​​indicated an emergency situation

Visual charts only show the big picture. Now my goal was to identify the root of the evil. To do this, I connected to the server and started viewing the status of processes and services. Unfortunately, I did not take screenshots during the diagnostics, but I copied the text from the console. I will try to reproduce the course of events based on the history of the teams.

CPU resource

With the first command, I identified the first 15 processes with high CPU consumption.

ps -eo pid,ppid,cmd,%mem,%cpu --sort=-%cpu | head -n 15

I got the following output:

ps -eo pid,ppid,cmd,%mem,%cpu --sort=-%cpu | head -n 15
    PID    PPID CMD                         %MEM %CPU
2366770 1943100 /usr/sbin/apache2 -k start   1.1 12.4
2373538 1943100 /usr/sbin/apache2 -k start   1.2 12.2
2374705 1943100 /usr/sbin/apache2 -k start   1.2 11.8
2374940 1943100 /usr/sbin/apache2 -k start   1.2 11.3
2376091 1943100 /usr/sbin/apache2 -k start   1.0 11.1
2370641 1943100 /usr/sbin/apache2 -k start   1.2 10.4
2355557 1943100 /usr/sbin/apache2 -k start   1.2 10.4
    709       1 /opt/networkoptix/mediaserv  5.7  9.6
2375784 1943100 /usr/sbin/apache2 -k start   1.0  9.3
2373539 1943100 /usr/sbin/apache2 -k start   1.2  7.8
2375416 1943100 /usr/sbin/apache2 -k start   1.2  7.1
2376564 1943100 /usr/sbin/apache2 -k start   0.8  6.9
2372672 1943100 /usr/sbin/apache2 -k start   1.2  6.9

Of course, the values ​​were 10-20% CPU per process, which in sum gave quite a large total load.

Traffic source

The second team had to determine which IPs generate a lot of traffic. This command displays the first 10 IP addresses based on the number of requests.

awk '{print $1}' /var/log/apache2/access.log | sort | uniq -c | sort -nr | head -n 10

I got the following output:

 118852 127.0.0.1
   7169 162.158.239.23
   7168 162.158.238.232
   6304 162.158.238.233
   5810 162.158.239.24
   5068 162.158.238.106
   4848 162.158.238.107
   3871 162.158.238.120
   3843 162.158.238.121
   2875 104.23.217.65

This information reflects local requests (127.0.0.1) – more than 118 thousand requests, that is, someone from the server actively requests the site. The pool of IP addresses 162.158.x.x and 104.23.x.x is owned by Cloudflare, as a proxy, so the real traffic is hidden behind Cloudflare and certain rules of my router are not working.

Virtual host involvement

The next step is to determine which site or virtual host is loading the server. To do this, we will analyze the first 100 lines of the log, however, for improved statistics, this number can be increased. Since I detected this attack at an early stage, 100 lines is enough.

sudo tail -n 100 /var/log/apache2/access.log | awk '{print $7}' | sort | uniq -c | sort -nr | head -20

I got the following output:

29 /wp-login.php
22 /wp-admin/images/
7 /zabbix/zabbix.php?action=widget.item.view
4 /zabbix/zabbix.php?action=widget.svggraph.view
1 /wp-cron.php?doing_wp_cron=1748089832.8370869159698486328125
...

If you ignore requests to Zabbix, then the main requests go to WordPress. To summarize, the result of the diagnosis is as follows:

• apache2 – consumes more than all the resources of the processor
• local IP and Cloudflare IP – has the most requests
• requests to WordPress pages

At the first stage, these diagnostic data turned out to be sufficient to determine further actions.

Cloudflare Security Actions

I didn’t expect Cloudflare to be such a powerful tool, even in the free version. Many features are disabled by default and must be enabled manually for certain attacks, and it is recommended to deactivate these settings after the attack is over. The main mode is I’m under attack mode.

I’m under attack mode

I’m Under Attack Mode is a special Cloudflare feature designed for protection of websites from DDoS attacks, in particular at the level HTTP flood (e.g., bulk GET/POST attacks). The basic principle of operation of this mode is as follows:

• Before each visit to the site an intermediate verification page is displayed, which lasts a few seconds.
• Cloudflare does JavaScript challenge — that is, forces the browser to “prove” that it is not a bot.
• If the check is successful, the user gets to the site.
• Bots and simple scripts that cannot execute JS – automatically are sifted out.

This mode can be enabled in the Security -> Settings section, there is a switch I’m under attack mode, it must be activated, and the work of repelling the attack will begin immediately.

In the new interface, this item was moved to the All settings tab at the bottom, and named Security Level. When you click on Edit, you can enable or disable I’m under attack mode.

After activating this mode, a message will appear on the dashboard:

In this mode, there is a small delay with the check, which looks like this:

In the Security -> Events section, you can see records about the initiator of the requests, rather complete and organized information is displayed. In the new interface, the Events section has been moved to the Analytics menu and the Events tab has been created, where the information is structured in the same way.

Custom and IP access rules

Given that the DDoS attack occurred from a single IP address, rules can be applied to it.

• IP access rules – to block IP addresses individually or using a subnet mask
• Custom rules – more flexible setting of rules

First, I decided to create a rule that would block the attacking server by IP address, for this in the new interface you need to go to the Security -> Security rules -> IP access rules section and click on the +Create button. To create a rule, it is enough to fill in only 4 fields:

• IP, IP range, country name, or ASN – 194.67.196.50
• Action – Block
• Zone – This website
• Notes – Fucking russian hacker

From the very beginning, I wanted to block all of russia by geolocation, but in the free tariff plan, at the level it is not possible to do so, after applying this rule I see an error: Sorry, block by country is only available on the Enterprise plan.

It turns out that there is a geolocation filter in the free version, but it can be configured in the Custom rules section.

• Rule name (required) – Block_country_404
• Field – Country
• Operator – equals
• Value – russian federation
• Then take action – Block
• Place at – First

This way the rule will look like this

Reports

In the Security -> Overview section, you can see a graph of the ratio of restricted, Cloudflare-handled and server-handled traffic to the total number of requests. When Cloudflare is active, the value of the traffic limit (Mitigated) will increase, and the number of cached requests will also increase, because Cloudflare in this mode works without direct traffic and has a number of restrictions to prevent hacking, such as password selection by brute force.

Many useful graphs are displayed on the dashboard – Overview. I took several screenshots, at the beginning of the attack and at the end of it. The graph shows the last 24 hours of activity, so I’ve overlayed these two graphs to show you the big picture of activity. I marked the range of Cloudflare’s service from start to finish with a red rectangle.

The graphs are quite informative and setting up Cloudflare is easy. According to the schedule, the attack lasted 17 hours from the beginning, and thanks to my vigilance, at the beginning of the attack, at the 6th hour, I applied Cloudflare protection, and already in 11 hours the attack was stopped, I think because of its irrationality for the attacker.

After the attack was over, I turned off the I’m under attack mode and continue to monitor server activity to be ready to prevent repeated attacks at any time!

Conclusions

The experience of fighting a DDoS attack on my own server has shown that even with minimal resources – a Raspberry Pi, my own blog, and a free Cloudflare plan – you can effectively protect yourself from threats if you have a basic understanding of how the network, servers, and monitoring systems work.

I was convinced that:

• Preventive actions are important. Installing Cloudflare in advance allowed me to quickly enable protective mechanisms.
• Monitoring tools such as Zabbix help to quickly detect anomalies and localize the source of the problem.
• Cloudflare has proven to be extremely effective even in its free version, in particular thanks to the I’m Under Attack mode, which allows you to filter out malicious traffic before it even reaches the server.
• Openness to learning and log analysis is the key to a quick response. The ps, awk commands, and access.log analysis helped not only identify the source of the load, but also draw conclusions about the type of attack.

This case confirmed that reliable protection is not always expensive infrastructure, but primarily attentiveness, readiness to respond, and the ability to work with available tools.

My blog remained online, and this is the best indicator of the effectiveness of the solutions applied.

russia’s massive attacks on Ukraine’s energy infrastructure have led to large-scale power outages (blackouts). This has created everyday problems for ordinary civilians, including: teaching children in the evening without electricity, moving elderly people around in high-rise buildings, cooking food using electric stoves, storing food in the refrigerator, heating water with a boiler, air conditioning rooms, and other problems associated with the lack of power supply.

Unfortunately, I also suffered from this fate, which motivated me to create a system that would notify me of the time and duration of the power outage in order to be able to predict the duration of the next outage. This would allow me to determine which generator or charging station to buy in the future to cover the minimum needs in the absence of centralized power supply.

Infrastructure

To implement my idea, I had previously created an infrastructure that fully met my needs, namely:

• Any device that is connected to the power grid and local network via a wired connection or via wi-fi.
• Router, switch and wi-fi access point that are connected to both the network and an additional power source
• Raspberry Pi that is also connected to an alternative power source

In my case, the role of the home device was a wi-fi thermostat for underfloor heating. The role of the network devices was played by devices from Ubiquiti, and the role of data processing was played by my Raspberry Pi.

I depicted the principle of connection and interaction graphically

That is, a script written in Python constantly sends ping requests 24/7. If the electricity is out, then of course the thermostat will not be able to respond, but the network equipment and Raspberry Pi will continue to work from an alternative energy source, and the user will learn about the lack of electricity via a Telegram push notification. When the electricity is restored, the thermostat will appear on the local network, and if the ping is successfully answered, the user will be informed that electricity has appeared, and the time of the power outage will also be calculated.

• To implement this algorithm, you need:
• Creating a Telegram bot
• Writing a Python script
• Automating startup via a service

I will describe these points in detail.

Creating a Telegram bot

There is a special bot in Telegram that is created specifically for creating other bots. This bot is called BotFather. To create your own bot, you need to perform the following steps:

• You need to find a bot called BotFather in Telegram
• To get started, you need to write /start
• To create your bot, you need to enter the command /newbot
• Enter the name and title of your bot

After creating the bot, you can set privacy and get an API token through the main menu. You also need to get a Chat_ID for private use of the bot, because it needs to know who to send messages to. For this, there is another bot @userinfobot, you need to write something to it, for example /start and it will write a Chat_ID in response, which will be used in the future.

The most important thing we got:

• API token
• Chat_ID

Let’s move on to creating a script in Python.

Writing a Python script

To run the script, you need to install additional packages and libraries, create and activate a virtual environment.

Installing additional packages

sudo apt install python3-venv

Creating a virtual environment in the desired directory, in my case /home/rpi/TG_BOT

cd /home/rpi/TG_BOT
python3 -m venv myenv

Activating a virtual environment

source myenv/bin/activate

Once the virtual environment is activated, you need to install libraries to work with the Telegram API.

pip install python-telegram-bot requests

СThe script will have the following functions:

• format_time – to determine the time
• send_message – to send a message
• ping_address – to ping the thermostat
• monitor_ip – to determine the status and generate a message

Code provided in the spoiler

import os
import time
import asyncio
from telegram import Bot

CHAT_ID = "<Your Chat ID>"
BOT_TOKEN = "<Your API tioken>"

bot = Bot(token=BOT_TOKEN)

def format_time(seconds):
    hours, remainder = divmod(seconds, 3600)
    minutes, seconds = divmod(remainder, 60)
    return f"{hours} hours {minutes} minutes {seconds} seconds"

async def send_message(message):
    await bot.send_message(chat_id=CHAT_ID, text=message)

def ping_address(ip, count=3):
    response = os.system(f"ping -c {count} -W 2 {ip} | ts")
    return response == 0

async def monitor_ip(ip):
    power_off_time = None
    power_on = True

    while True:
        if ping_address(ip):
            if not power_on:
                power_on = True
                time_power_on = time.time()
                outage_duration = int(time_power_on - power_off_time)
                formatted_duration = format_time(outage_duration)
                outage_message = f"The light came on. The blackout continued {formatted_duration}."
                await send_message(outage_message)
        else:
            if power_on:
                power_on = False
                power_off_time = time.time()
                await send_message("The light disappeared.")

        await asyncio.sleep(30)

if __name__ == "__main__":
    ip_address = "<Thermostat local IP>"
    asyncio.run(monitor_ip(ip_address))

Usually, the command execution log is written to the system log, and each entry there has a date and time stamp, but I decided to separate the logging into a separate file using the service. If logging does not occur in the system log, then by default the event time is not recorded. In order for the ping time to be recorded, I additionally process the ping command with the ts command, thus the output of the entry:

ping -c 3 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=118 time=16.1 ms

turns into:

ping -c 3 8.8.8.8 | ts
May 12 19:18:23 PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
May 12 19:18:23 64 bytes from 8.8.8.8: icmp_seq=1 ttl=118 time=15.7 ms

To do this, you need to additionally install the moreutils utility.

Automating startup via service

To ensure that the script runs even after the Raspberry Pi reboots, I created a service that will start automatically. Usually, all system services are located in the /etc/systemd/system/ directory, so I will place the service for the script there as well. As I mentioned earlier, logging will be done in a separate file for convenience, at the address /var/log/sun.log, so this address will be specified in the service parameters.

I came up with the following name for my service – FolletSun.service. The service parameters will be as follows:

[Unit]
Description=Script which check electricity and pass status to Telegram Bot.

[Service]
ExecStart=/home/rpi/TG_BOT/bin/python3 /home/rpi/TG_BOT/Sun.py
StandardOutput=file:/var/log/sun.log
StandardError=file:/var/log/sun.log
WorkingDirectory=/home/rpi/TG_BOT
Restart=always
User=rpi
Group=rpi

[Install]
WantedBy=multi-user.target

In order to initiate the service without rebooting the system, you must execute the following commands:

sudo systemctl daemon-reexec
sudo systemctl daemon-reload

Also, to activate the service, start it, and check its status, run the following commands:

sudo systemctl enable FolletSun.service
sudo systemctl start FolletSun.service
sudo systemctl status FolletSun.service

The result of executing the service status command will be as follows:

● FolletSun.service - Script which check electricity and pass status to Telegram Bot.
     Loaded: loaded (/etc/systemd/system/FolletSun.service; enabled; preset: enabled)
     Active: active (running) since Sun 2025-05-11 22:31:20 EEST; 21h ago
   Main PID: 1458494 (python3)
      Tasks: 1 (limit: 8735)
        CPU: 3min 40.583s
     CGroup: /system.slice/FolletSun.service
             └─1458494 /home/rpi/TG_BOT/bin/python3 /home/rpi/TG_BOT/Sun.py

This indicates that no errors or conflicts were found in the script.

Checking the bot’s operation

To check the bot’s operation, you need to find the created bot in the Telegram application and subscribe to it. From this moment on, the bot should notify about the change in the power supply status. Here is a screenshot from my smartphone:

The ping occurs every 30 seconds, and you probably noticed a message where the power went out for only 30 seconds – this is a false alarm because the thermostat did not respond to the ping request, or the Raspberry Pi did not receive a response from the thermostat. This may be the result of an unstable connection. In order to avoid this or minimize it, it is better to use at least 3 ping requests.

Conclusions

In response to the current threats related to energy security in wartime, an effective and inexpensive power supply monitoring system was developed. It is based on popular open source technologies – the Raspberry Pi microcomputer, Python scripts and Telegram bots.

The system provides continuous monitoring of the availability of electricity in the house, records the time of its disappearance and return, and also automatically sends notifications to the user. This approach allows you to quickly respond to the situation, plan the use of backup power sources and make informed decisions about purchasing a generator or charging station.

The project proves that with existing infrastructure and basic programming knowledge, you can independently create a useful tool for increasing comfort and safety in critical conditions. The proposed solution is scalable, easy to maintain, and can be adapted to any other home device or object that is connected to the network.

The Raspberry Pi has long transcended its original role as a simple board for enthusiasts: today it is a fully functional mini-computer capable of performing complex tasks, including hardware virtualization. This article provides a step-by-step guide to installing Raspberry Pi OS Lite, configuring SSH access, updating the system, installing KVM support, setting up the Cockpit web interface, and creating and running a guest operating system using KVM. This approach allows for transforming the Raspberry Pi into a convenient platform for testing and learning in the field of virtualization.

Installing Raspberry Pi OS Lite

Using the Raspberry Pi Imager utility, we install the Raspberry Pi OS Lite (64) operating system on a micro SD card. During the installation phase, we need to change the configuration so that we can then work with the Raspberry Pi remotely by connecting via SSH.

• Hostname
• Username and password
• Enable SSH

host settings

enable ssh

We boot the Raspberry Pi from this memory card and check if it is connected to the network, if not, then we initialize the process of configuring the network connection by calling the system configurator:

System Update

Connecting to the Raspberry Pi via SSH

ssh [email protected]

We update the OS to the latest version and restart the Raspberry Pi

sudo apt update && sudo apt full-upgrade -y
sudo reboot

Installing KVM + libvirt

Starting with the Linux kernel 5.10+ (and now Raspberry Pi OS uses 6.x), support for KVM hardware virtualization for ARM64 is included directly in the kernel. On Raspberry Pi OS (64-bit, desktop, or lite), KVM is activated automatically as soon as the device supports hardware virtualization.

This was made possible by the fact that the Raspberry Pi Foundation integrated KVM support directly into the upstream kernel for its ARM64 platforms. They focus on the fact that the user can immediately experiment with virtualization – without additional configuration.

However, it is better to check this by running the following commands:

if the file /dev/kvm exists – support is active

ls /dev/kvm
/dev/kvm

will show the KVM startup log

dmesg | grep -i kvm
[    1.078559] kvm [1]: nv: 554 coarse grained trap handlers
[    1.084177] kvm [1]: IPA Size Limit: 40 bits
[    1.088486] kvm [1]: GICV region size/alignment is unsafe, using trapping (reduced performance)
[    1.097272] kvm [1]: vgic interrupt IRQ9
[    1.101231] kvm [1]: VHE mode initialized successfully
[    3.526966] systemd[1]: Hostname set to <kvm>

Since kvm works by default, you need to install libvirt

sudo apt install libvirt-daemon-system libvirt-clients bridge-utils virtinst

Checking the operation of the service:

systemctl status libvirtd
● libvirtd.service - Virtualization daemon
     Loaded: loaded (/lib/systemd/system/libvirtd.service; enabled; preset: enabled)
     Active: active (running) since Thu 2025-05-08 10:42:46 BST; 25s ago
TriggeredBy: ● libvirtd-admin.socket
             ● libvirtd-ro.socket
             ● libvirtd.socket
       Docs: man:libvirtd(8)
             https://libvirt.org
   Main PID: 4708 (libvirtd)
      Tasks: 19 (limit: 32768)
        CPU: 138ms
     CGroup: /system.slice/libvirtd.service
             └─4708 /usr/sbin/libvirtd --timeout 120

May 08 10:42:46 kvm systemd[1]: Starting libvirtd.service - Virtualization daemon...
May 08 10:42:46 kvm systemd[1]: Started libvirtd.service - Virtualization daemon.

Change user permissions

You need to add a user to the libvirt and kvm groups. Since we created the kvm user in the first step, there is no need to add it to the kvm group, but if you created another user in the initial step, you need to add it to the kvm group.

sudo usermod -aG libvirt kvm

After adding a user to the libvirt group, in order not to reboot the system, you can activate the new permissions with the command:

newgrp libvirt

Installing the Cockpit

Cockpit – це веб-інтерфейс для керування Linux-серверами, і один із його плагінів — Cockpit Machines — є надбудовою саме для KVM

sudo apt install cockpit cockpit-machines

Checking the operation of the service:

sudo systemctl status cockpit.socket
● cockpit.socket - Cockpit Web Service Socket
     Loaded: loaded (/lib/systemd/system/cockpit.socket; enabled; preset: enabled)
     Active: active (listening) since Thu 2025-05-08 10:59:18 BST; 46s ago
   Triggers: ● cockpit.service
       Docs: man:cockpit-ws(8)
     Listen: [::]:9090 (Stream)
      Tasks: 0 (limit: 9561)
        CPU: 12ms
     CGroup: /system.slice/cockpit.socket

May 08 10:59:18 kvm systemd[1]: Starting cockpit.socket - Cockpit Web Service Socket...
May 08 10:59:18 kvm systemd[1]: Listening on cockpit.socket - Cockpit Web Service Socket.

The service is active, but in listening mode, you need to activate it

sudo systemctl status cockpit.socket
● cockpit.socket - Cockpit Web Service Socket
     Loaded: loaded (/lib/systemd/system/cockpit.socket; enabled; preset: enabled)
     Active: active (running) since Thu 2025-05-08 10:59:18 BST; 3min 24s ago
   Triggers: ● cockpit.service
       Docs: man:cockpit-ws(8)
     Listen: [::]:9090 (Stream)
      Tasks: 0 (limit: 9561)
        CPU: 12ms
     CGroup: /system.slice/cockpit.socket

May 08 10:59:18 kvm systemd[1]: Starting cockpit.socket - Cockpit Web Service Socket...
May 08 10:59:18 kvm systemd[1]: Listening on cockpit.socket - Cockpit Web Service Socket.

Now you can follow the link to port 9090 in your browser: https://192.168.99.181:9090/

Guest OS Test

You need to log in through the Cockpit web interface using the username and password of the server user. The first thing the user will see is a dashboard with general information about the server

I previously downloaded the Ubuntu Server ISO image ubuntu-24.04.2-live-server-arm64.iso and placed it in the root of the system in the iso directory. I will run this image locally.

• Name: Ubuntu_server
• Connection: System
• Installation type: Local install medis (ISO image or distro install tree)
• Installation source: /iso/ubuntu-24.04.2-live-server-arm64.iso
• Operating system: Generic Linux 2022
• Storage: Create new volume
• Storage limit: 20 Gib
• Memory: 4 Gib

To start the build, click create and run, but after a moment you will get an error:

This error means that the virtual machine cannot be created because the default network is inactive. Libvirt creates a virtual network named default by default, but it may be inactive or not automatically started at startup. To fix this, you need to enable the network and add it to autostart:

sudo virsh net-start default
Network default started

sudo virsh net-autostart default
Network default marked as autostarted

Let’s check the status of the default network:

sudo virsh net-list --all
 Name      State    Autostart   Persistent
--------------------------------------------
 default   active   yes         yes

Let’s try to run the guest OS creation again. Click create and run again, and the image is mounted successfully, which indicates that the service is working correctly. The corresponding entry has appeared in the list of virtual machines.

To define and change the settings of a virtual OS, or to access OS management, at least for the logical completion of the installation, you must select the required OS from the list and then the user will be taken to the dashboard of this OS with its detailed characteristics.

To enlarge the console screen, click on the Expand button, and proceed to install Ubuntu Server for ARM. In my case, the window was partially cropped, so I installed the OS intuitively, selecting parameters with the left, right, tab, spacebar and enter buttons.

The first launch of the installed OS was not successful, a loop conflict occurred. In the console, selecting Serial Console, I saw many messages: Recursive exception occurred while dumping the CPU state.

After shutting down the virtual machine and after a certain startup time, the second attempt still launched, but not without errors. Since this OS is cloud-based, it needs access to the Internet. At the moment, the Internet is not configured, so the launch took place after waiting for the message:

Connected to domain 'linux2022-2025-5-10'
[ ***  ] Job systemd-networkd-wait-online.se…tart running (1min 22s / no limit)

But the OS still started!

Now you need to go to the section for configuring the local network and Internet via the bridge.

Network settings

By default, the built-in virtio interface is used with the following network 192.168.122.1/24, the guest OS was assigned IP 192.168.122.39, but the host itself is in a different subnet, which requires some configuration.

The bridge is created in the Networking -> Interfaces section, select Add Bridge and specify the name bridge0, do not check any boxes, as this may lead to loss of connection with the host. Thus, a new interface bridge0 with automatic DHCP IP address acquisition has appeared in the list of interfaces. Currently, there is no interface associated with this bridge, so we continue the configuration on the host via the terminal.

We need to make sure that the physical interface of the host is included in the bridge

sudo brctl show
bridge name     bridge id               STP enabled     interfaces
bridge0         8000.000000000000       no
virbr0          8000.5254006ad9b7       yes

In the output of this command, the interfaces column is empty, which indicates that the interfaces are not linked to each other, you need to link them manually with the following command:

sudo brctl addif bridge0 eth0
sudo ip link set bridge0 up

We run the bridge status check command again and see that the interface column has already acquired a connection to the physical interface:

sudo brctl show
bridge name     bridge id               STP enabled     interfaces
bridge0         8000.d83adde83f07       no              eth0
virbr0          8000.5254006ad9b7       yes

After that, the bridge will perform its function. Now we go back to the Cockpit web interface, to the Networking section, and expect the bridge to provide an IP address.

The IP address of the correct subnet appeared in the IP address column, but due to some peculiarities, the virtual machine never received it.

Conclusion

Using KVM virtualization and Cockpit on Raspberry Pi is a great opportunity to learn, test and experiment in the world of ARM64 virtualization. This combination allows users to gain a deeper understanding of the principles of hypervisor, resource management and network interface configuration.

However, practical application remains quite questionable due to several serious limitations:

1. Compatibility of ARM64 operating systems
   • Many popular OSes have .img instead of .iso, which makes them difficult to run in KVM.
   • Not all distributions support UEFI correctly, which leads to difficulties with booting.
   • Lack of official optimized ARM64 distributions in .iso format.
2. Unstable operation of KVM on ARM64
   • Frequent CPU compatibility problems (KVM is not supported for this guest CPU type).
   • Critical errors such as “Recursive Exception occurred while dumping the CPU state” occur, making virtual machines unpredictable.
   • Limited support for host passthrough for ARM64.
3. Networking issues
   • Instability in the bridge configuration (bridge0) via NetworkManager.
   • Issues with DHCP and manually adding interfaces to the bridge (NO-CARRIER).
   • Cockpit does not always correctly recognize network parameters in ARM64 virtual machines.

Overall, KVM on Raspberry Pi is more of an experimental platform than a stable option for productive use. It is great for research in the field of virtualization on low-power ARM devices, but due to technical limitations and instability, it is difficult to recommend it for real-world deployments.

In the world of IoT and home servers, Raspberry Pi stands out as a versatile companion. However, to ensure its stable operation, it’s crucial to monitor key metrics such as the CPU temperature. In this guide, I’ll walk you through how to configure Zabbix for Raspberry Pi temperature monitoring — from setting access permissions to visualizing CPU temperature trends directly on the dashboard. You’ll also learn how to create an alert trigger for overheating.

Since I have Zabbix installed directly on the Raspberry Pi, it acts as both the server and agent, making setup slightly easier.

Fixing Permissions for Zabbix Agent

To avoid errors while collecting temperature data, you may need to perform some permission tweaks, especially if you run into this error:

Try creating a device file with: sudo mknod /dev/vcio c 100 0

In my case, /dev/vcio already existed but lacked proper permissions. I need to fix it.

Permission settings

sudo chgrp video /dev/vcio
sudo chmod 660 /dev/vcio

Then, add the zabbix user to the video group

sudo usermod -aG video zabbix

and restart the agent to apply changes

sudo systemctl restart zabbix-agent

Now you can go to user settings

Creating a Custom User Parameter

To let Zabbix agent fetch the CPU temperature, we add a custom user parameter to the config file

sudo nano /etc/zabbix/zabbix_agentd.conf

Add this line to the end of the file:

UserParameter=system.cpu.temp,vcgencmd measure_temp | sed -n "s/temp=\([0-9]*\.[0-9]*\)[^0-9]*$/\1/p"

Breakdown:

• UserParameter defines a custom key.
• system.cpu.temp is the key name.
• vcgencmd measure_temp is a standard Raspberry Pi command returning temp like temp=45.0'C.
• The sed command extracts just the numeric part (e.g., 63.3).

Restart the agent again:

sudo systemctl restart zabbix-agent

Adding a New Item in Zabbix Web Interface

Go to: Data collection → Hosts → Zabbix server → Items → Create item

Fill in the fields:

• Name: CPU Temperature
• Type: Zabbix agent
• Key: system.cpu.temp
• Type of information: Numeric (float)
• Units: °C

Test the item by clicking Test → Get value and test.

We got the correct result, which indicates the correct settings. We save this item. Сlick Add or Update

Creating a Trigger for Alerts

In order for me to receive notifications about the temperature rising, for example to the desired value of 70 degrees, I need to create a trigger. It will compare the current temperature with the critical one, and if such an event occurs, a notification will appear on the dashboard.

Navigate to: Data collection → Hosts → Zabbix server → Triggers → Create trigger

Fill in:

• Name: CPU Temperature is too high
• Event name: CPU Temperature is too high
• Severity: Warning
• Expression: last(/Zabbix server/system.cpu.temp)>=70

You can also use the expression constructor

Click Add to save.

Adding a Graph Widget to the Dashboard

It would be visually appealing to observe the device’s temperature graph depending on the conditions of use.

To visualize temperature data, go to your Zabbix dashboard, click Edit dashboard, and add a new widget.

Configure the widget as:

• Type: Graph
• Name: RPI Temp C
• Host patterns: Zabbix Server
• Item patterns: CPU Temperature

Click Add, then resize or reposition the widget as you like.

Add this widget by clicking the Add button. You can then resize and position this widget as you see fit. After that, confirm saving the dashboard by clicking the Save changes button in the upper right corner.

Conclusion

As you can see, Zabbix Raspberry Pi temperature monitoring is quite achievable. Once configured, you’ll have a reliable tool that can alert you when your Pi overheats and display historical temperature trends in a clean graphical format. Whether you’re running a home server or experimenting with projects, CPU temperature monitoring on Raspberry Pi is a smart precaution.