Skip to content

Instantly share code, notes, and snippets.

Forked from johananl/
Created December 21, 2021 19:37
Show Gist options
  • Save dweomer/6eebb65eac49208060024f9149af467e to your computer and use it in GitHub Desktop.
Save dweomer/6eebb65eac49208060024f9149af467e to your computer and use it in GitHub Desktop.
KVM in runc

KVM in runc

Running a KVM virtual machine inside a runc contianer.


  • A host which can run KVM virtual machines using Vagrant.

Setting up a test VM


Vagrant.configure("2") do |config| = "generic/ubuntu1804"
  config.vm.provider :libvirt do |libvirt|
    libvirt.cpus = 4
    libvirt.memory = 8000
    libvirt.nested = true
    libvirt.cpu_mode = "host-passthrough"
    libvirt.driver = "kvm"
vagrant up
vagrant ssh

Inside the test VM

# Install runc
sudo apt-get update
sudo apt-get install runc

# Install Docker (required for generating a rootfs for runc)
curl -fsSL | sudo apt-key add -
sudo add-apt-repository \
   "deb [arch=amd64] \
   $(lsb_release -cs) \
sudo apt-get update
sudo apt-get install -y docker-ce
sudo gpasswd -a $USER docker

Log out and back in to update permissions.

Create a Dockerfile:

FROM ubuntu:18.04
RUN apt-get update -y && \
    DEBIAN_FRONTEND=noninteractive apt-get install -y \
    libvirt-bin libvirt-dev qemu-kvm virtinst gnupg2 vagrant && \
    apt autoclean && \
    apt autoremove
RUN vagrant plugin install vagrant-libvirt

Build a Docker image:

docker build -t kvm-in-runc .

Generate a rootfs for runc:

mkdir -p kvm/rootfs
cd kvm
docker export $(docker create kvm-in-runc) | sudo tar -C rootfs -xvf -

Create a config.json file:

    "ociVersion": "1.0.1-dev",
    "process": {
        "terminal": true,
        "user": {
            "uid": 0,
            "gid": 0
        "args": [
        "env": [
        "cwd": "/",
        "capabilities": {
            "bounding": [
            "effective": [
            "inheritable": [
            "permitted": [
            "ambient": [
        "rlimits": [
                "type": "RLIMIT_NOFILE",
                "hard": 1024,
                "soft": 1024
        "noNewPrivileges": false
    "root": {
        "path": "rootfs",
        "readonly": false
    "hostname": "runc",
    "mounts": [
            "destination": "/proc",
            "type": "proc",
            "source": "proc"
            "destination": "/dev",
            "type": "tmpfs",
            "source": "tmpfs",
            "options": [
            "destination": "/dev/pts",
            "type": "devpts",
            "source": "devpts",
            "options": [
            "destination": "/dev/shm",
            "type": "tmpfs",
            "source": "shm",
            "options": [
            "destination": "/dev/mqueue",
            "type": "mqueue",
            "source": "mqueue",
            "options": [
            "destination": "/sys",
            "type": "sysfs",
            "source": "sysfs",
            "options": [
            "destination": "/sys/fs/cgroup",
            "type": "cgroup",
            "source": "cgroup",
            "options": [
    "linux": {
        "devices": [
                "path": "/dev/kvm",
                "type": "c",
                "major": 10,
                "minor": 232,
                "fileMode": 432,
                "uid": 0,
                "gid": 104
                "path": "/dev/net/tun",
                "type": "c",
                "major": 10,
                "minor": 200,
                "fileMode": 438,
                "uid": 0,
                "gid": 104
        "resources": {
            "devices": [
                    "allow": true,
                    "access": "rwm"
        "namespaces": [
                "type": "pid"
                "type": "ipc"
                "type": "uts"
                "type": "mount"
        "maskedPaths": [
        "readonlyPaths": [
        "seccomp": {
            "defaultAction": "SCMP_ACT_ALLOW"

Ensure required kernel modules are loaded:

sudo modprobe ip6_tables
sudo modprobe ip6table_filter
sudo modprobe kvm

Start a runc container:

sudo runc run test

Inside the container

echo "nameserver" > /etc/resolv.conf
service libvirtd start
service virtlogd start

Create a Vagrantfile:

Vagrant.configure("2") do |config| = "generic/alpine38"
  config.vm.provider :libvirt do |libvirt|
    libvirt.cpus = 1
    libvirt.memory = 1000
    libvirt.driver = "kvm"
    libvirt.management_network_name = 'vagrant-libvirt-new'
    libvirt.management_network_address = ''
vagrant up
vagrant ssh
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment