How to run Ubuntu KVM host in an unprivileged LXC container
5 March, 2021 by Administrator


I like things containerized. It makes migration simple and painless. I also like my containers unprivileged. This brings some inconveniences while making huge strides ahead in terms of security. This is one of the reasons for having my KVM hosts containerized. The other is that getting KVM working on the LXC host itself is sometimes cumbersome. Others have done significant work at bringing ease of VM operation to Linux, and I like to build on top of that work. This guide covers running an Ubuntu KVM host inside an unprivileged LXC container.

What needs to be done to run a KVM host in an unprivileged LXC container?
Two things:

Add two device nodes (/dev/kvm and /dev/net/tun)
Install bridge-utils (optional)
If your container is called kvm-host and its uid/gid map is shifted to, for example, 401000000-401100000, these are the commands you need to run on the LXC host:

rsync -av /dev/kvm /var/lib/lxc/kvm-host/rootfs/dev/
mkdir /var/lib/lxc/kvm-host/rootfs/dev/net
rsync -av /dev/net/tun /var/lib/lxc/kvm-host/rootfs/dev/net/

chown 401000000:401000000 /var/lib/lxc/kvm-host/rootfs/dev/kvm
chown 401000000:401000000 /var/lib/lxc/kvm-host/rootfs/dev/net -R

That is it. Now Virtual Machine Manager will stop complaining and your VMs will run at the full speed of hardware-assisted virtualization (if your hardware supports it).
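The steps above as a small script, added here as an example and not part of the original post: it reads the host-side uid/gid of the container's root from the container's LXC config (assumed to use the standard `lxc.idmap = u 0 <hostid> <count>` form) instead of hard-coding 401000000, copies the two device nodes, chowns them, and verifies the result. `cp -a` stands in for the post's `rsync -av`; both preserve the node type, major/minor and mode.

```shell
#!/bin/sh
# Added example, not the original post's commands. Run as root on the LXC host.

# Print the host uid ('u') or gid ('g') that container id 0 maps to.
# Reads lines such as "lxc.idmap = u 0 401000000 100000" (or the older lxc.id_map).
idmap_host_id() {  # $1 = container config, $2 = u|g
  awk -v t="$2" '$1 ~ /^lxc\.id_?map$/ && $3 == t && $4 == 0 { print $5; found = 1 }
                 END { exit !found }' "$1"
}

# Copy the two device nodes into the rootfs and hand them to the shifted root.
prepare_kvm_devices() {  # $1 = rootfs, $2 = host uid, $3 = host gid, $4 = host /dev (default /dev)
  rootfs=$1 uid=$2 gid=$3 src=${4:-/dev}
  [ -e "$src/kvm" ] || { echo "$src/kvm missing: is the kvm module loaded?" >&2; return 1; }
  [ -e "$src/net/tun" ] || { echo "$src/net/tun missing: is the tun module loaded?" >&2; return 1; }
  mkdir -p "$rootfs/dev/net"
  cp -a "$src/kvm" "$rootfs/dev/kvm"
  cp -a "$src/net/tun" "$rootfs/dev/net/tun"
  chown "$uid:$gid" "$rootfs/dev/kvm"
  chown -R "$uid:$gid" "$rootfs/dev/net"
}

# Succeed only if both nodes exist in the rootfs and are owned by the expected
# host uid/gid, i.e. they will show up as root:root inside the container.
# (Ownership only; the node type is whatever cp -a copied from the host.)
check_kvm_devices() {  # $1 = rootfs, $2 = host uid, $3 = host gid
  for f in "$1/dev/kvm" "$1/dev/net/tun"; do
    [ -e "$f" ] || return 1
    [ "$(stat -c '%u:%g' "$f")" = "$2:$3" ] || return 1
  done
}

# Typical use on the host for a container named kvm-host:
#   conf=/var/lib/lxc/kvm-host/config; rootfs=/var/lib/lxc/kvm-host/rootfs
#   u=$(idmap_host_id "$conf" u); g=$(idmap_host_id "$conf" g)
#   prepare_kvm_devices "$rootfs" "$u" "$g" && check_kvm_devices "$rootfs" "$u" "$g"
```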

Installing package bridge-utils
This package is needed if you want to run a bridge inside the container. There are quirks to running multiple bridges connected together (one on the host, another in the LXC container), so you might want to test this configuration before diving in. A routed network is preferable.


blog.a2o.si/2015/10/26/how-to-run-ubuntu-kvm-host-in-an-unprivileged-lxc-container
