Access KVM VM over the network from a Docker container

Question

KVM is used to host some VMs in the network 192.168.2.1/24. Docker is running on the same machine in 192.168.3.1/24. I need to configure networking so that Docker containers can access a KVM VM. For testing purpose I have two machines, each running a webserver to test working connections using wget:

Docker Container on 192.168.3.2

KVM VM on 192.168.2.2

In KVM I configured a virtual network as redirection to all physical networks. This allows me to access the Docker container from A KVM VM. But not working is the other way round: Accessing the KVM VM (192.168.2.2) from the Docker container (192.168.3.2).

docker network create --driver=bridge --subnet=192.168.3.1/24 my-network

The container is started like this:

docker run --name=gogs --network=my-network --ip=192.168.3.2 -v /var/gogs:/data gogs/gogs

What is the KVM virtual network wizard doing here that Docker is missing?

net.ipv4.ip_forward=1 is enabled in /etc/sysctl.conf and I did a reload using sysctl --system.

Docker network interface

br-7b4175d9379d: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
    inet 192.168.3.1  netmask 255.255.255.0  broadcast 0.0.0.0
    inet6 fe80::42:9ff:fe6b:75dd  prefixlen 64  scopeid 0x20<link>
    ether 02:42:09:6b:75:dd  txqueuelen 0  (Ethernet)
    RX packets 90  bytes 41977 (41.9 KB)
    RX errors 0  dropped 0  overruns 0  frame 0
    TX packets 116  bytes 18172 (18.1 KB)
    TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

KVM network interface

virbr0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.2.1  netmask 255.255.255.0  broadcast 192.168.2.255
        ether 52:54:00:85:7f:95  txqueuelen 1000  (Ethernet)
        RX packets 1463  bytes 101054 (101.0 KB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 1214  bytes 1490407 (1.4 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

Answer 1

You can run KVM/libvirt and Docker an the same networking bridge. Lets assume your KVM bridge is virbr0.

First create the configuration file /etc/docker/daemon.json as suggested in the Docker documentation with the following content (the iptables line may not even be needed):

{
"bridge": "virbr0",
"iptables": false
}

Than you stop the containers and restart the docker daemon service:

systemctl restart docker

Docker should pick up your KVM bridge and when you restart the existing containers, they will pickup an IP address on the virbr0 address room instead of the default docker0.

I had to do it twice to get it to work but it was as simple as it sounds running docker v18.09. Now, I have my VMs and containers running on the same network segment.

Answer 2

Setting up a macvlan network is probably the easiest way to do this (I did it and I'm no genius when it comes to networking).

First, you'll want to find out what network your VM is using and what its settings are (from the host machine):

$ virsh net-list
 Name      State    Autostart   Persistent
--------------------------------------------
 default   active   yes         yes

$ virsh net-info default
Name:           default
UUID:           46b9f715-39a2-4e83-bcd0-f07049f32ea5
Active:         yes
Persistent:     yes
Autostart:      yes
Bridge:         virbr0

If you're not using the default network then choose whichever one you're targeting. You just need to have the right bridge/device name (in my example it's virbr0).

Now from a terminal in the VM itself you can get the gateway and subnet info:

$ ip route
default via 192.168.122.1 dev ens3 proto dhcp metric 100
192.168.122.0/24 dev ens3 proto kernel scope link src 192.168.122.49 metric 100

Again, your output may differ but in this example the gateway is 192.168.122.1 and the subnet is 192.168.122.0/24.

Now that you have this you can create a custom macvlan network.

docker network create -d macvlan \
                    --subnet=192.168.122.0/24 \
                    --gateway=192.168.122.1 \
                    -o parent=virbr0 kvm_network

And when you start a new container give --net kvm_network as an option. Then you should be able to communicate with your VM from your container (and the other way around).