28

Assuming the host system already supports KVM, is it possible to create a docker image which contains some scripts to launch a VM (inside the container) with virsh and QEMU-KVM?

We are looking into dockerizing a script which launches a VM through QEMU-KVM and extracts some results from the VM.

Ciro Santilli OurBigBook.com
int 2Eh
  • 2
    If you want dockerized KVM here is a nice [dockerfile](https://github.com/naeemkhan12/dockerfiles/blob/master/kvm/Dockerfile). – captainchhala Jan 24 '18 at 13:02
  • 1
    Also, here is a nice project that runs netbsd in docker container through qemu-kvm https://github.com/madworx/docker-netbsd – btwiuse May 08 '19 at 08:33

5 Answers

22

docker --privileged

Some working commands from Ubuntu 17.10 host, Docker 1.13.1:

sudo docker run --name ub16 -i --privileged -t ubuntu:16.04 bash

Then inside Docker:

apt-get update -y
apt-get install qemu -y
qemu-system-x86_64
qemu-system-x86_64 \
  -append 'root=/dev/vda console=ttyS0' \
  -drive file='rootfs.ext2.qcow2,if=virtio,format=qcow2'  \
  -enable-kvm \
  -kernel 'bzImage' \
  -nographic \
;

Root file system and bzImage generated with this setup.

Ciro Santilli OurBigBook.com
17

--device=/dev/kvm

Adding to the previous answer: Using --privileged may open up too many permissions for your use case. I have been able to run qemu with kvm and without privileges using the device parameter instead.

Try the following commands:

docker run --device=/dev/kvm -it ubuntu bash

Inside docker:

apt-get update -y
apt-get install -y qemu-system-x86
qemu-system-x86_64 \
  -append 'root=/dev/vda console=ttyS0' \
  -drive file='rootfs.ext2.qcow2,if=virtio,format=qcow2'  \
  -enable-kvm \
  -kernel 'bzImage' \
  -nographic \
;
Matt
  • I still get permission errors: `qemu-system-x86_64: failed to initialize kvm: Permission denied` I have added the container user to `kvm` group and still failed. – hldev Mar 30 '22 at 22:35
  • @hldev Does this issue help? https://github.com/sickcodes/Docker-OSX/issues/55 – Matt Mar 30 '22 at 22:37
  • @hldev I know you said you tried to change the group, but this is pretty thorough: https://www.dedoimedo.com/computers/kvm-permission-denied.html – Matt Mar 30 '22 at 22:40
  • My permissions are `crw-rw----+ 1 root kvm 10, 232 mar 30 19:11 /dev/kvm`, root and kvm group has write/read access (6) already, I really need to grant this access to everyone? – hldev Mar 30 '22 at 22:42
  • @hldev Sorry, I don't have an immediate answer. Maybe try asking a new question on the site. Good luck – Matt Mar 30 '22 at 22:44
  • I posted an answer explaining the case where your answer doesn't work. – hldev Mar 31 '22 at 00:02
8

--device=/dev/kvm works only if the container user already has access to /dev/kvm on the host system.

The correct way is to add the container user to the kvm group, but the group ID (GID) inside the container must be the same as the GID on the host system. You can find the group IDs on the host with grep kvm /etc/groups.

The problem now is that GIDs depend on the host system; different hosts will generally have different GIDs. To fix this you can set a known GID for the kvm group on both the image and the host system with groupmod:

groupmod -g 1100 kvm

Make sure /dev/kvm on host system has kvm as group.

Another, easier way is to set the group at container startup:

docker run --device=/dev/kvm --group-add GID

where GID is the ID of kvm group on host system.

This is all required because permissions are tracked by UID and GID; docker uses the host system's kernel, so UIDs and GIDs in docker containers map directly to IDs on the host system. Container users and groups having the same names as the ones on the host system doesn't mean they have the same IDs.

hldev
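As an added example (not code from the answer above), a POSIX shell helper that resolves the host's kvm GID from /etc/group-formatted text, checks that /dev/kvm is actually owned by that GID, and assembles the `docker run --device=/dev/kvm --group-add GID` command the answer describes. The sample /etc/group content is constructed, the `ubuntu:22.04` image is an arbitrary choice, and the device check assumes GNU coreutils `stat`.

```shell
#!/bin/sh
# Added example, not code from the answer above. Resolves the host's kvm GID
# from /etc/group and builds the `docker run --device=/dev/kvm --group-add GID`
# command, so the containerised qemu can open /dev/kvm without --privileged.

# Print the GID of group $1 from /etc/group-formatted text $2
# (name:passwd:gid:members). Fails (exit 1) when the group is absent.
gid_from_group_file() {
    printf '%s\n' "$2" | awk -F: -v g="$1" \
        '$1 == g { print $3; found = 1 } END { exit !found }'
}

# Assemble the docker command as a string for review: $1 = host kvm GID,
# $2 = image, remaining args = command to run in the container.
build_docker_cmd() {
    gid="$1"; image="$2"; shift 2
    printf 'docker run --rm -it --device=/dev/kvm --group-add %s %s %s' \
        "$gid" "$image" "$*"
}

# Check that the device node's owning GID is the one we will hand to the
# container (the "make sure /dev/kvm has kvm as group" caveat).
# Assumes GNU coreutils stat; the node is absent on hosts without KVM.
kvm_device_gid_matches() {
    dev="${2:-/dev/kvm}"
    [ -e "$dev" ] && [ "$(stat -c %g "$dev")" = "$1" ]
}

# Constructed sample standing in for a host's /etc/group.
SAMPLE_GROUP='root:x:0:
kvm:x:108:alice
docker:x:999:alice'

main() {
    contents="$SAMPLE_GROUP"
    [ -r /etc/group ] && contents=$(cat /etc/group)
    if gid=$(gid_from_group_file kvm "$contents"); then
        echo "# host kvm GID: $gid"
    else
        gid=$(gid_from_group_file kvm "$SAMPLE_GROUP")
        echo "# no kvm group on this host; using constructed sample GID $gid"
    fi
    kvm_device_gid_matches "$gid" || echo "# warning: /dev/kvm missing or not owned by GID $gid"
    build_docker_cmd "$gid" ubuntu:22.04 bash
    echo
}

main
```

The printed command is meant to be reviewed and then run by hand; the GID it passes is the host's, which is exactly why the group name inside the image is irrelevant.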
0

Easy. You need to run a privileged container, ensure that you have a /dev/kvm node in the container, and install all packages needed to serve KVM (libvirt, qemu, whatever else) - that is all you need. See https://github.com/sivaramsk/docker-kvm for reference.

crashtua
0

If you prefer not to use the --privileged option, Smarter-device-manager allows containers to access host devices in a secure way.

  • 1
    Your answer could be improved with additional supporting information. Please [edit] to add further details, such as citations or documentation, so that others can confirm that your answer is correct. You can find more information on how to write good answers [in the help center](/help/how-to-answer). – Community Aug 14 '23 at 07:08
  • While this link may answer the question, it is better to include the essential parts of the answer here and provide the link for reference. Link-only answers can become invalid if the linked page changes. - [From Review](/review/late-answers/34821136) – Koedlt Aug 16 '23 at 02:31