Assuming the host system already supports KVM, is it possible to create a docker image which contains some scripts to launch a VM (inside the container) with virsh and QEMU-KVM?
We are looking into dockerizing a script which launches a VM through QEMU-KVM and extracts some results from the VM.
docker --privileged
Some working commands from Ubuntu 17.10 host, Docker 1.13.1:
sudo docker run --name ub16 -i --privileged -t ubuntu:16.04 bash
Then inside Docker:
apt-get update -y
apt-get install qemu -y
qemu-system-x86_64 \
-append 'root=/dev/vda console=ttyS0' \
-drive file='rootfs.ext2.qcow2,if=virtio,format=qcow2' \
-enable-kvm \
-kernel 'bzImage' \
-nographic \
;
Root file system and bzImage generated with this setup.
--device=/dev/kvm
Adding to the previous answer: Using --privileged may open up too many permissions for your use case. I have been able to run qemu with kvm and without privileges using the device parameter instead.
Try the following commands:
docker run --device=/dev/kvm -it ubuntu bash
Inside docker:
apt-get update -y
apt-get install -y qemu-system-x86
qemu-system-x86_64 \
-append 'root=/dev/vda console=ttyS0' \
-drive file='rootfs.ext2.qcow2,if=virtio,format=qcow2' \
-enable-kvm \
-kernel 'bzImage' \
-nographic \
;
--device=/dev/kvm works only if the container user has access to /dev/kvm on the host system already.
The correct way is to add the container user to the kvm group, but the group ID (GID) under the container must be the same GID as on the host system. You can find the group IDs on the host with grep kvm /etc/group.
The problem now is that GIDs depend on the host system; different hosts will generally have different GIDs. To fix this you can set a known GID for the kvm group on both the image and the host system with groupmod:
groupmod -g 1100 kvm
Make sure /dev/kvm on the host system has kvm as its group.
Another easier way is set the group at container startup:
docker run --device=/dev/kvm --group-add GID
where GID is the ID of the kvm group on the host system.
This is all required because permissions are tracked by UID and GID; docker uses the host system's kernel, so UIDs and GIDs in docker containers map directly to IDs on the host system. Container users and groups having the same names as the ones on the host system doesn't mean they have the same IDs.
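As an added example (not part of any answer above), the following POSIX shell script resolves the host's kvm GID and assembles the --device=/dev/kvm --group-add form of the docker run command, so the container user joins the host's kvm group without needing --privileged; the /etc/group content is a constructed sample, and on a real host you would take the GID from /dev/kvm itself with stat.

```shell
#!/bin/sh
# Added example: derive the host kvm GID and build a least-privilege docker run line.

# Print the GID of group $2 from an /etc/group-style file $1; exit 1 if the group is absent.
gid_of_group() {
    awk -F: -v g="$2" '$1 == g { print $3; found = 1 } END { exit !found }' "$1"
}

# Print the owning GID of a device node such as /dev/kvm (GNU stat on a Linux host).
gid_of_device() {
    stat -c %g "$1"
}

# Build the docker run command: the numeric host GID goes to --group-add so the
# container user gets the host group, regardless of group names inside the image.
build_kvm_docker_cmd() {
    gid="$1"
    image="$2"
    printf 'docker run --rm -it --device=/dev/kvm --group-add %s %s bash' "$gid" "$image"
}

# Constructed sample /etc/group content (not taken from a real host) for an offline dry run.
SAMPLE_GROUP_FILE="$(mktemp)"
cat > "$SAMPLE_GROUP_FILE" <<'EOF'
root:x:0:
kvm:x:108:alice
docker:x:999:alice
EOF

# Dry run against the sample file: prints the command without executing docker.
demo() {
    gid="$(gid_of_group "$SAMPLE_GROUP_FILE" kvm)" || { echo "kvm group not found" >&2; return 1; }
    build_kvm_docker_cmd "$gid" ubuntu:16.04
}

# On a real host use the device's actual group: build_kvm_docker_cmd "$(gid_of_device /dev/kvm)" ubuntu:16.04
demo
```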