Virtual machines and containers are two of my favorite technologies. I have always wondered about different ways they can work together. It has become clear over time that these two technologies complement each other. True, there is overlap, but most people who are running containers today run them on virtual machines, and for good reason. Virtual machines provide the underlying computing resources and are typically managed by the IT operations teams. Containers, on the other hand, are managed by application developers and devops teams. I always thought this was a good approach, and that for most use cases containers would reside inside virtual machines. Then, a few months ago, a meeting with Jeremy Huylebroeck of Orange Silicon Valley changed my thinking. Jeremy mentioned it might make sense to run virtual machines inside containers. At first the concept seemed odd. But the more I thought about it, the more I saw its merit. Interestingly, numerous use cases for VM containers started to appear in our conversations with Rancher users. We have heard three common use cases for VM containers:
- Isolation and security. The first reason one might want to run VM containers is to retain the isolation and security properties of virtual machines while still being able to package and distribute software as Docker containers. Despite the great deal of progress in container security, virtual machines are still better at isolating workloads. Compared with hundreds of Linux kernel interfaces, virtual machines have a smaller surface area (CPU, memory, networking and storage interfaces) to protect. It is thus not surprising that folks who want to host untrusted workloads (for example, managed hosting companies and continuous integration services) have expressed interest in continuing to use virtual machines.
- Docker on-boarding. On-boarding existing workloads is always a challenge for organizations starting to adopt container technologies. This is a second interesting use case for VM containers, as they offer a useful transition path. For example, while we expect a future version of Windows to support Docker containers natively, VM containers can enable organizations to run existing Windows virtual machines on the same infrastructure built for Linux containers today. The same approach applies to other non-Linux operating systems and to older versions of Linux operating systems or application packages that have not yet been containerized.
- KVM management. We have also seen a great deal of interest in better management tools for open source virtualization technologies like KVM. At its core, KVM is solid. It is reliable and efficient. However, KVM lacks the rich management tools in vSphere that IT operations teams love. KVM can benefit from Docker, which offers a superb experience for application developers and devops teams. If KVM runs inside Docker containers, the resulting VM container can retain the security, reliability, and efficiency of KVM, while offering the Docker management experience devops teams love. The ability to package virtual machines as Docker images and distribute them through Docker Hub is valuable. Powerful service discovery mechanisms developed for containers can now apply to virtual machines. Native container management systems like Rancher can now be used to manage virtual machine workloads at large scale.
Because of all of these use cases, I started experimenting with running KVM inside Docker containers, and I have come up with an experimental system called RancherVM. RancherVM allows you to package KVM images inside Docker images and manage VM containers using the familiar Docker commands. A VM container looks and feels like a regular container. It can be created from a Dockerfile, distributed using DockerHub, managed using the docker command line, and networked together using links and port bindings. Inside each VM container, however, is a virtual machine instance. You can package any QEMU/KVM image as a RancherVM container. RancherVM accomplishes all this without introducing any performance overhead compared with running KVM outside containers. RancherVM additionally comes with a management container that provides a web UI for managing virtual machines. The following command starts the RancherVM management container on a server where Docker and KVM are installed:
docker run -v /var/run/docker.sock:/var/run/docker.sock -p 8080:80 -v /tmp/ranchervm:/ranchervm rancher/ranchervm
Once the management container is up, you can access a web-based virtual machine management experience for VM containers at

The web-based UI allows you to perform basic life-cycle operations for VM containers and access the VNC console for virtual machines. VNC console access comes in handy when you need to perform operations that cannot be performed with remote SSH or RDP, such as troubleshooting a Windows VM’s network configuration:
The web UI experience is attractive for users familiar with VM management tools. A great benefit of RancherVM vs. traditional VM management is that we can now use the powerful Docker command line to manage virtual machines. The following command, for example, starts a VM container from the rancher/vm-rancheros image:
docker run -e "RANCHER_VM=true" --cap-add NET_ADMIN -v /tmp/ranchervm:/ranchervm --device /dev/kvm:/dev/kvm --device /dev/net/tun:/dev/net/tun rancher/vm-rancheros
Other than some command-line options required to set up a Docker container to host KVM, this is just a normal docker command used to instantiate a container image called rancher/vm-rancheros. Docker commands like docker images and docker inspect all work as expected. The following video shows the live experience of using RancherVM.
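As an added example (not code from the post or from the RancherVM project), the following Python audits the privilege profile of a VM container from its docker inspect record, the way a host operator would confirm that only what the command above needs was granted: no --privileged, only NET_ADMIN, only /dev/kvm and /dev/net/tun. The inspect records are constructed to mirror that command; the HostConfig keys are the ones Docker emits.

```python
import json

# Expected privilege profile for a VM container, taken from the docker run
# command in the post (an example policy, not something RancherVM enforces).
EXPECTED_CAPS = {"NET_ADMIN"}
EXPECTED_DEVICES = {"/dev/kvm", "/dev/net/tun"}


def audit_vm_container(record):
    """Check one `docker inspect` record (a dict) against the expected profile.
    Returns a list of findings; an empty list means the container matches."""
    hc = record.get("HostConfig", {})
    findings = []
    if hc.get("Privileged"):
        findings.append("privileged: the isolation gained from the VM is undone")
    extra_caps = set(hc.get("CapAdd") or []) - EXPECTED_CAPS
    if extra_caps:
        findings.append("unexpected capabilities: " + ", ".join(sorted(extra_caps)))
    devices = {d.get("PathOnHost") for d in hc.get("Devices") or []}
    if devices - EXPECTED_DEVICES:
        findings.append("unexpected host devices: " + ", ".join(sorted(devices - EXPECTED_DEVICES)))
    if EXPECTED_DEVICES - devices:
        findings.append("missing devices KVM needs: " + ", ".join(sorted(EXPECTED_DEVICES - devices)))
    # The management container mounts the Docker socket by design; a VM
    # container does not need it, and with it the container can control the host.
    for bind in hc.get("Binds") or []:
        if bind.split(":")[0] == "/var/run/docker.sock":
            findings.append("docker socket mounted: root-equivalent access to the host")
    return findings


# Constructed record mirroring the rancher/vm-rancheros command above.
SAMPLE_OK = json.loads("""{"Id": "constructed-1", "HostConfig": {
  "Privileged": false, "CapAdd": ["NET_ADMIN"],
  "Binds": ["/tmp/ranchervm:/ranchervm"],
  "Devices": [{"PathOnHost": "/dev/kvm", "PathInContainer": "/dev/kvm", "CgroupPermissions": "rwm"},
              {"PathOnHost": "/dev/net/tun", "PathInContainer": "/dev/net/tun", "CgroupPermissions": "rwm"}]}}""")

# Constructed record of a VM container started more loosely than needed.
SAMPLE_LOOSE = json.loads("""{"Id": "constructed-2", "HostConfig": {
  "Privileged": true, "CapAdd": ["NET_ADMIN", "SYS_ADMIN"],
  "Binds": ["/tmp/ranchervm:/ranchervm", "/var/run/docker.sock:/var/run/docker.sock"],
  "Devices": [{"PathOnHost": "/dev/kvm", "PathInContainer": "/dev/kvm", "CgroupPermissions": "rwm"}]}}""")

if __name__ == "__main__":
    # On a real host: docker inspect <container> | python3 -c 'import json,sys; ...'
    for rec in (SAMPLE_OK, SAMPLE_LOOSE):
        print(rec["Id"], audit_vm_container(rec) or ["OK"])
```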
Today we’re making RancherVM available on GitHub. I hope the initial release of RancherVM gives you some ideas about building and using VM containers. If you are interested, please check out the demo video, download the software, and create some VM containers for yourself. If you have any questions or issues, please file them as issues in GitHub and we’ll respond as quickly as possible. On May 13th we will be hosting an online meetup to demonstrate RancherVM, show a few use cases, and answer any questions you might have. Please register to attend below.