  • Stars: 201
  • Rank: 189,343 (Top 4 %)
  • Language: Shell
  • License: Apache License 2.0
  • Created over 7 years ago
  • Updated about 3 years ago



Docker KVM simple container

Generic container for launching a Virtual Machine inside a Docker container.

Features:

  • Does not depend on libvirt.
  • QEMU/KVM is launched directly as PID 1 of the container, so the container's lifetime is the VM's lifetime.
  • The VM gets as many NICs as the container has network interfaces.
  • The VM is given the container's own IP addresses.
  • Uses macvtap devices (one per container interface) for the best network throughput.
  • The serial console is written to stdout, so it is visible with docker logs.

Partially based on RancherVM project.

Running:

  • The AUTO_ATTACH variable must be defined:
    • If AUTO_ATTACH is set to yes, all of the container's interfaces are attached to the VM. This is the typical use case.
    • If AUTO_ATTACH is set to no, the interfaces to attach must be listed in the ATTACH_IFACES variable. This is useful when launching the container with --net=host, where only a subset of the host's interfaces should be handed to the VM.
  • The VM image must be mounted at /image/image (no extension).
  • Any additional QEMU/KVM parameters can be passed as the CMD argument when launching the container.
  • Once the VM is running, its serial port is accessible through docker attach.
$ docker run                                     \
      --name kvm                                 \
      -td                                        \
      --privileged                               \
      -v /path_to/image_file.qcow2:/image/image  \
      -e AUTO_ATTACH=yes                         \
      bbvainnotech/kvm:latest

Using more than one interface for the container (and the VM)

Before running the container, it is needed to create the networks:

$ docker network create --driver=bridge network1 --subnet=172.19.0.0/24
$ docker network create --driver=bridge network2 --subnet=172.19.2.0/24

Then create the container on the first network, connect the second network to it, and only then start it (interfaces are scanned at start, so networks connected afterwards are not attached to the VM):

$ docker create                                 \
      --name container_name                     \
      -td                                       \
      --privileged                              \
      --network=network1                        \
      -v /path_to/image_file.qcow2:/image/image \
      -e AUTO_ATTACH=yes                        \
      bbvainnotech/kvm:latest

$ docker network connect network2 container_name
$ docker start container_name

Using the dockerhost interfaces

With --net=host the container shares the host's network namespace, so every host interface is visible to it. With AUTO_ATTACH=yes all of them are attached to the VM; to hand over only some of them, set AUTO_ATTACH=no and list them in ATTACH_IFACES (see the environment variables section below).

$ docker run                                    \
      --name container_name                     \
      --net=host                                \
      -td                                       \
      --privileged                              \
      -v /path_to/image_file.qcow2:/image/image \
      -e AUTO_ATTACH=yes                        \
      bbvainnotech/kvm:latest

Debug mode

Passing bash as the container's command argument starts an interactive shell instead of the VM:

$ docker run                                    \
      -ti                                       \
      --privileged                              \
      -v /path_to/image_file.qcow2:/image/image \
      -e AUTO_ATTACH=yes                        \
      bbvainnotech/kvm:latest bash

Environment variables

SELECTED_NETWORK

If the container has more than one IP address configured on a given interface, this variable selects which one is handed to the VM. It must be in the form IP/MASK (e.g. 1.2.3.4/24). If it is not set, the VM gets the first address in the list for that interface (default behaviour).

This use case comes up with Kubernetes, which assigns two IP addresses to the container's eth0 interface.

AUTO_ATTACH

When this env variable is set to yes, the entrypoint scans all the vNICs present in the Docker container and configures the hosted VM with as many vNICs as the container has.

If this variable is set to no, only the interface names specified in the env variable $ATTACH_IFACES will be connected to the guest VM. Interfaces shall be separated by spaces (eg. ATTACH_IFACES='eth0 eth2').

If AUTO_ATTACH is set to no and no interfaces are defined, the VM will start with no NICs (and thus no vtap devices connected to container interfaces).
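The selection rules from the SELECTED_NETWORK and AUTO_ATTACH sections above, written out as an added example in POSIX shell. This is not the project's entrypoint code: the function names, the way the `ip -o link show` / `ip -o -4 addr show` output is passed in as an argument, and the sample output itself are constructed for illustration, so the functions can be exercised without a live network namespace (inside the container you would pass "$(ip -o link show)" and "$(ip -o -4 addr show)").

```shell
#!/bin/sh
# Added example, not the project's entrypoint: the AUTO_ATTACH / ATTACH_IFACES
# and SELECTED_NETWORK rules as standalone POSIX shell functions. Each function
# takes the `ip -o ...` output as an argument so it can run on constructed data.

# list_ifaces LINK_OUTPUT: every interface except lo, one per line. The "@ifN"
# peer suffix that veth interfaces carry inside a container is dropped.
list_ifaces() {
    printf '%s\n' "$1" | awk -F': ' '$2 != "lo" { sub(/@.*/, "", $2); print $2 }'
}

# select_ifaces AUTO_ATTACH ATTACH_IFACES LINK_OUTPUT: the interfaces that get a
# macvtap device. yes = scan the container; no = use the space-separated
# ATTACH_IFACES list, which may be empty (VM starts with no NICs).
# AUTO_ATTACH is mandatory, so anything else is an error rather than a default.
select_ifaces() {
    auto="$1" explicit="$2" links="$3"
    case "$auto" in
        yes) list_ifaces "$links" ;;
        no)  for dev in $explicit; do printf '%s\n' "$dev"; done ;;
        *)   echo "AUTO_ATTACH must be set to yes or no" >&2; return 1 ;;
    esac
}

# select_ip IFACE SELECTED_NETWORK ADDR_OUTPUT: the IP/MASK handed to the VM.
# With SELECTED_NETWORK empty the first address configured on IFACE wins (the
# default). Otherwise it must match one of IFACE's addresses exactly; we fail
# loudly instead of silently giving the VM an address nobody asked for.
select_ip() {
    iface="$1" wanted="$2" addrs="$3"
    cidrs=$(printf '%s\n' "$addrs" | awk -v dev="$iface" '$2 == dev && $3 == "inet" { print $4 }')
    [ -n "$cidrs" ] || { echo "no IPv4 address configured on $iface" >&2; return 1; }
    if [ -z "$wanted" ]; then
        printf '%s\n' "$cidrs" | head -n 1
        return 0
    fi
    for cidr in $cidrs; do
        [ "$cidr" = "$wanted" ] && { printf '%s\n' "$cidr"; return 0; }
    done
    echo "SELECTED_NETWORK=$wanted is not configured on $iface" >&2
    return 1
}

# Constructed samples: a container on two docker networks, with eth0 carrying
# two addresses the way the Kubernetes case described in the text does.
SAMPLE_LINKS='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000\    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0@if12: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default \    link/ether 02:42:ac:13:00:02 brd ff:ff:ff:ff:ff:ff link-netnsid 0
3: eth1@if14: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default \    link/ether 02:42:ac:13:02:02 brd ff:ff:ff:ff:ff:ff link-netnsid 0'
SAMPLE_ADDRS='2: eth0    inet 10.244.1.7/24 brd 10.244.1.255 scope global eth0\       valid_lft forever preferred_lft forever
2: eth0    inet 172.19.0.2/24 brd 172.19.0.255 scope global secondary eth0\       valid_lft forever preferred_lft forever
3: eth1    inet 172.19.2.2/24 brd 172.19.2.255 scope global eth1\       valid_lft forever preferred_lft forever'

# Demo: AUTO_ATTACH=yes with the default address choice, then the override.
for dev in $(select_ifaces yes "" "$SAMPLE_LINKS"); do
    printf '%s -> %s\n' "$dev" "$(select_ip "$dev" "" "$SAMPLE_ADDRS")"
done
printf 'eth0 with SELECTED_NETWORK=172.19.0.2/24 -> %s\n' "$(select_ip eth0 172.19.0.2/24 "$SAMPLE_ADDRS")"
```

The exact-match rule in select_ip is the part worth keeping if you adapt this: an IP/MASK that is not actually configured on the interface should abort the start, because the VM would otherwise come up with an address the container does not own and silently answer for it on the macvtap segment.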

DNSMASQ_OPTS

This variable holds extra invocation parameters for the dnsmasq daemon, which hands the container's IP address to the VM over DHCP. See the dnsmasq man page for the available options.

The following options are especially useful when debugging dnsmasq behaviour:

--log-facility=/var/log/dnsmasq.log --log-dhcp

DEBUG

When this env variable is set to yes, the verbosity is increased.

USE_NET_BRIDGES

This container uses macvlan/macvtap devices to set up network connectivity. On an old kernel or a limited host, a Linux bridge can be used instead by setting the variable USE_NET_BRIDGES to yes.

Notes / Troubleshooting

  • Privileged mode (--privileged) is needed for KVM to access the macvtap devices; see issue #3 for details. Keep in mind that --privileged grants the container every capability and every host device and disables the default seccomp and AppArmor confinement, so a guest escape from QEMU is effectively a host compromise: only run VM images you trust, and prefer a dedicated host for this container.

  • If you get the following error from KVM:

    qemu-kvm: -netdev tap,id=net0,vhost=on,fd=3: vhost-net requested but could not be initialized
    qemu-kvm: -netdev tap,id=net0,vhost=on,fd=3: Device 'tap' could not be initialized

    you need to load the vhost-net kernel module on your docker host (as root) before launching the container:

    # modprobe vhost-net

    This has been found to be necessary on RancherOS.
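A host preflight check for the prerequisites the notes above call out (/dev/kvm reachable, vhost-net loaded) plus macvtap, which the default networking mode relies on. This is an added example, not a script shipped with the project; the ROOT argument is a hypothetical parameter added so the checks can be run against a constructed directory tree instead of the real host.

```shell
#!/bin/sh
# Added example, not part of the project: preflight checks for the docker host.
# Run it as root on the host before `docker run`; a non-zero exit status is the
# number of failed checks.

# module_loaded NAME [ROOT]: 0 if the module appears under sys/module. Modules
# compiled into the kernel may have no entry there (only those with parameters
# do), so a FAIL for a builtin is a false alarm; /proc/modules lists loadable
# modules only, so it is no better for that case.
module_loaded() {
    [ -d "${2:-/}/sys/module/$1" ]
}

# ensure_vhost_net: the troubleshooting step from the text, as a function.
# Needs root; modprobe uses the dash form, sysfs the underscore form.
ensure_vhost_net() {
    module_loaded vhost_net || modprobe vhost-net
}

# kvm_preflight [ROOT]: one line per check, returns the number of failures.
kvm_preflight() {
    root="${1:-/}"
    failures=0
    # On a real host /dev/kvm is a character device; -e is used rather than -c so
    # the check can also be exercised on a constructed tree.
    if [ -e "$root/dev/kvm" ]; then
        echo "ok   /dev/kvm present"
    else
        echo "FAIL /dev/kvm missing: enable VT-x/AMD-V and load kvm_intel or kvm_amd"
        failures=$((failures + 1))
    fi
    for mod in vhost_net macvtap; do
        if module_loaded "$mod" "$root"; then
            echo "ok   $mod loaded"
        else
            echo "FAIL $mod not loaded: run 'modprobe $mod' as root on the docker host"
            failures=$((failures + 1))
        fi
    done
    return "$failures"
}

# Demo against the real host; informational only.
kvm_preflight / || echo "$? prerequisite(s) missing on this host"
```

Running the check on the host rather than inside the container is deliberate: the container is started with --privileged and would pass anyway, while the vhost-net failure in the note above only shows up after QEMU has already been launched.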

License

Licensed to the Apache Software Foundation (ASF) under one or more contributor license agreements. See the NOTICE file distributed with this work for additional information regarding copyright ownership. The ASF licenses this file to you under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

Authors

  • BBVA Innotech - Fernando Alvarez (@methadata)
  • BBVA Innotech - Pancho Horrillo (@panchoh)
  • BBVA Innotech - Rodrigo de la Fuente (@rodrigofuente)
