diff --git a/ansible/hosts b/ansible/hosts
index 5ff2ab6c..a60d6d61 100644
--- a/ansible/hosts
+++ b/ansible/hosts
@@ -23,3 +23,7 @@ simtest ansible_host=10.9.25.80
 [obs-workers]
 build3-obsworker1 ansible_host=2a01:4f8:212:3762::1:2 obs_worker_instances=8 obs_worker_jobs=8
 lx2-1-obs-aarch64-1 ansible_host=2a02:8106:13:1e34:4e9:e7ff:fe97:fe92 obs_worker_instances=1 obs_worker_jobs=4
+
+# Need to have kvm inside lxc, see OS#5365
+[qemu]
+build3-deb11build-ansible ansible_host=2a01:4f8:212:3762::1:3
diff --git a/ansible/roles/qemu/files/qemu-create-vms.sh b/ansible/roles/qemu/files/qemu-create-vms.sh
new file mode 100755
index 00000000..8cceba8c
--- /dev/null
+++ b/ansible/roles/qemu/files/qemu-create-vms.sh
@@ -0,0 +1,75 @@
+#!/bin/sh -e
+# Create qcow2 images with ssh root login enabled for repo-install-test and
+# store them in /opt/qemu.
+# Set KEEP_CACHE=1 during development, so virt-builder only needs to download
+# the image once.
+
+# Distribution names, as in the base images from here:
+# https://builder.libguestfs.org/
+DISTROS="
+	alma-8.5
+	debian-10
+	debian-11
+"
+TEMP_SCRIPT="$(mktemp)"
+
+if [ "$(id -u)" != 0 ]; then
+	echo "ERROR: run this as root"
+	exit 1
+fi
+
+mkdir -p /opt/qemu
+
+for distro in $DISTROS; do
+	img="/opt/qemu/$distro.qcow2"
+
+	echo
+	echo "# $distro"
+	echo
+
+	if [ -e "$img" ]; then
+		echo "=> File exists, skipping."
+		continue
+	fi
+
+	case "$distro" in
+	alma-*)
+		# Install SCTP kernel module
+		# https://forums.centos.org/viewtopic.php?t=71818
+		cat <<- EOF > "$TEMP_SCRIPT"
+		#!/bin/sh -ex
+		dnf upgrade -y kernel
+		dnf install -y kernel-modules-extra
+		rm -f /etc/modprobe.d/sctp-blacklist.conf
+		EOF
+		;;
+	debian-*)
+		# Generate SSH server keys and allow login as root
+		cat <<- EOF > "$TEMP_SCRIPT"
+		#!/bin/sh -ex
+		ssh-keygen -A
+		echo "PermitRootLogin yes" >> /etc/ssh/sshd_config
+		EOF
+		;;
+	esac
+
+	virt-builder \
+		"$distro" \
+		-o "/opt/qemu/$distro.qcow2" \
+		--format qcow2 \
+		--root-password password:root \
+		--run "$TEMP_SCRIPT" \
+		--verbose
+
+	if [ -z "$KEEP_CACHE" ]; then
+		virt-builder --delete-cache
+	fi
+done
+
+rm "$TEMP_SCRIPT"
+
+# Marker for ansible main.yml to skipt the script
+touch /opt/qemu/.qemu-create-vms-done-v1
+
+echo
+echo "Done!"
diff --git a/ansible/roles/qemu/tasks/main.yml b/ansible/roles/qemu/tasks/main.yml
new file mode 100644
index 00000000..c296f8f7
--- /dev/null
+++ b/ansible/roles/qemu/tasks/main.yml
@@ -0,0 +1,22 @@
+---
+
+- name: install packages
+  apt:
+    name:
+      - libguestfs-tools
+      - netcat
+      - qemu-system-x86
+      - sshpass
+    cache_valid_time: 3600
+    update_cache: yes
+
+- name: run qemu-create-vms.sh
+  ansible.builtin.script: qemu-create-vms.sh
+  args:
+    creates: /opt/qemu/.qemu-create-vms-done-v1
+
+- name: add jenkins to the kvm group
+  user:
+    name: "{{ jenkins_user }}"
+    groups: kvm
+    append: yes
diff --git a/ansible/setup-jenkins-slave.yml b/ansible/setup-jenkins-slave.yml
index 05e3bdee..7eac8b7a 100644
--- a/ansible/setup-jenkins-slave.yml
+++ b/ansible/setup-jenkins-slave.yml
@@ -53,3 +53,12 @@
     - name: install-coverity
       tags:
         - coverity
+
+- name: setup qemu images
+  hosts: qemu
+  user: root
+  roles:
+    - name: qemu
+      jenkins_user: osmocom-build
+      tags:
+        - qemu