\nhave always wondered about different ways they can work together. It has
\nbecome clear over time these two technologies compliment each other.
\nTrue there is overlap, but most people who are running containers today
\nrun them on virtual machines, and for good reason. Virtual machines
\nprovide the underlying computing resources and are typically managed by
\nthe IT operations teams. Containers, on the other hand, are managed by
\napplication developers and devops teams. I always thought this was a
\ngood approach, and that for most use cases containers would reside
\ninside virtual machines. Then, a few months ago, a meeting with Jeremy
\nHuylebroeck of Orange Silicon Valley changed my thinking. Jeremy
\nmentioned it might make sense to run virtual machines inside<\/em>
\ncontainers. At first the concept seemed odd. But the more I thought
\nabout it the more I saw its merit. Interestingly numerous use cases for
\nVM containers started to appear in our conversations with Rancher
\nusers. We have heard three common use cases for VM containers:<\/p>\n
- \n
- Isolation and security. The first reason one might want to run
\nVM containers is to retain the isolation and security properties of
\nvirtual machines while still being able to package and distribute
\nsoftware as Docker containers. Despite the great deal of progress in
\ncontainer security, virtual machines are still better at isolating
\nworkloads. Compared with hundreds of Linux kernel interfaces,
\nvirtual machines have a smaller surface area (CPU, memory,
\nnetworking and storage interfaces) to protect. It is thus not
\nsurprising that folks who want to host untrusted workloads (for
\nexample, managed hosting companies and continuous integration
\nservices) have expressed interest in continuing to use virtual
\nmachines.<\/li>\n - Docker on-boarding. On-boarding existing workloads is always a
\nchallenge for organizations starting to adopt container
\ntechnologies. This is a second interesting use case for VM
\ncontainers, as they offer a useful transition path. For example,
\nwhile we expect a future version of Windows to support Docker
\ncontainers natively, VM containers can enable organizations to run
\nexisting Windows virtual machines on the same infrastructure built
\nfor Linux containers today. The same approach applies to other
\nnon-Linux operating systems and older version of Linux operating
\nsystems or application packages that have not yet been
\ncontainerized.<\/li>\n - KVM management. We have also seen a great deal of interest in
\nbetter management tools for open source virtualization technologies
\nlike KVM. At its core, KVM is solid. It is reliable and efficient.
\nHowever, KVM lacks the rich management tools in vSphere that IT
\noperations teams love. KVM can benefit from Docker, which offers a
\nsuperb experience for application developers and devops teams. If
\nKVM runs inside Docker containers, the resulting VM container can
\nretain the security, reliability, and efficiency of KVM, while
\noffering the Docker management experience devops teams love. The
\nability to package virtual machines as Docker images and distribute
\nthem through Docker Hub is valuable. Powerful service discovery
\nmechanisms developed for containers can now apply to virtual
\nmachines. Native container management systems like Rancher can now
\nbe used to manage virtual machine workloads at large scale.<\/li>\n<\/ol>\nBecause of all of these use cases, I started experimenting with running
\nKVM inside Docker containers, and I have come up with an experimental
\nsystem called RancherVM. RancherVM allows you to package KVM images
\ninside Docker images and manage VM containers using the familiar Docker
\ncommands. A VM container looks and feels like a regular container. It
\ncan be created from Dockerfile, distributed using DockerHub, managed
\nusing docker command line, and networked together using links and port
\nbindings. Inside each VM container, however, is a virtual machine
\ninstance. You can package any QEMU\/KVM image as RancherVM containers.
\nRancherVM accomplishes all this without introducing any performance
\noverhead against running KVM without containers.![\"How](\"http:\/\/cdn.rancher.com\/wp-content\/uploads\/2015\/04\/17053553\/ranchervm.png\")
RancherVM additionally comes with a
\nmanagement container that provides a web UI for managing virtual
\nmachines. The following command starts the RancherVM management
\ncontainer on a server where Docker and KVM are installed:<\/p>\ndocker run -v \/var\/run\/docker.sock:\/var\/run\/docker.sock -p 8080:80 -v \/tmp\/ranchervm:\/ranchervm rancher\/ranchervm<\/p>\n
Once the management container is up, you can access a web-based virtual
\nmachine management experience for VM containers at
\nhttps:\/\/<kvmhost>:8080\/:
\n![\"RancherVM-Mgmt\"](\"http:\/\/cdn.rancher.com\/wp-content\/uploads\/2015\/04\/17053553\/RancherVM-Mgmt.png\")
The web-based UI allows you to perform basic life-cycle
\noperations for VM containers and access the VNC console for virtual
\nmachines. VNC console access comes in handy when you need to perform
\noperations that cannot be performed with remote SSH or RDP, such as
\ntroubleshooting a Windows VM\u2019s network configuration:
\n![\"RancherVM-Windows\"](\"http:\/\/cdn.rancher.com\/wp-content\/uploads\/2015\/04\/17053553\/RancherVM-Windows.png\")
The web UI experience is attractive for users familiar
\nwith VM management tools. A great benefit of RancherVM vs. traditional
\nVM management is we can now use the powerful Docker command lines to
\nmanage virtual machines. The following command, for example, starts a
\nRancherOS VM:<\/p>\ndocker run -e “RANCHER_VM=true” –cap-add NET_ADMIN -v \/tmp\/ranchervm:\/ranchervm –device \/dev\/kvm:\/dev\/kvm –device \/dev\/net\/tun:\/dev\/net\/tun rancher\/vm-rancheros<\/p>\n
Other than some command-line options required to setup a Docker
\ncontainer to host KVM, this is just a normal docker command used to
\ninstantiate a container image called rancher\/vm-rancheros. Additional
\ndocker commands like docker stop, docker ps, docker images, and
\ndocker inspect all work as expected. The following video shows the
\nlive experience of using RancherVM.<\/p>\nToday we\u2019re making RancherVM available on
\nGitHub<\/a>. I hope the initial release of
\nRancherVM gives you some ideas about building and using VM containers.
\nIf you are interested, please check out the demo video, download the
\nsoftware, and create some VM containers for yourself. If you have any
\nquestions or issues, please file them as issues in GitHub and we\u2019ll
\nrespond as quickly as possible. On May 13th we will be hosting an online
\nmeetup to demonstrate RancherVM, show a few use cases, and answer any
\nquestions you might have. Please register to attend below.<\/p>\n