Creating VMs by using container disks
You can create virtual machines (VMs) by using container disks built from operating system images.
You can enable auto updates for your container disks. See Managing automatic boot source updates for details.
If the container disks are large, the I/O traffic might increase and cause worker nodes to become unavailable. You can perform the following tasks to resolve this issue:

You create a VM from a container disk by performing the following steps:
- Build an operating system image into a container disk and upload it to your container registry.
- If your container registry does not have TLS, configure your environment to disable TLS for your registry.
- Create a VM with the container disk as the disk source by using the web console or the command line.

You must install the QEMU guest agent on VMs created from operating system images that are not provided by Red Hat.
Building and uploading a container disk
You can build a virtual machine (VM) image into a container disk and upload it to a registry.
The size of a container disk is limited by the maximum layer size of the registry where the container disk is hosted.
For Red Hat Quay, you can change the maximum layer size by editing the YAML configuration file that is created when Red Hat Quay is first deployed.
Prerequisites
- You must have podman installed.
- You must have a QCOW2 or RAW image file.
Procedure
Create a Dockerfile to build the VM image into a container image. The VM image must be owned by QEMU, which has a UID of 107, and placed in the /disk/ directory inside the container. The permissions of the image file in /disk/ must then be set to 0440, so that it is readable by the QEMU user and group and by nobody else.

The following example uses the Red Hat Universal Base Image (UBI) to handle these configuration changes in the first stage, and uses the minimal scratch image in the second stage to store the result, so the container disk contains nothing but the VM image:

$ cat > Dockerfile << EOF
FROM registry.access.redhat.com/ubi8/ubi:latest AS builder
ADD --chown=107:107 <vm_image>.qcow2 /disk/ (1)
RUN chmod 0440 /disk/*
FROM scratch
COPY --from=builder /disk/* /disk/
EOF

1 Where <vm_image> is the image in either QCOW2 or RAW format. If you use a remote image, replace <vm_image>.qcow2 with the complete URL.

Build and tag the container:
$ podman build -t <registry>/<container_disk_name>:latest .
Push the container image to the registry:
$ podman push <registry>/<container_disk_name>:latest
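As an added example (not code from the OKD documentation or the KubeVirt project), the following shell functions wrap the procedure above. Before the image is baked in, they inspect its magic bytes so that a compressed download or a stray archive is not packaged as a disk, and they compare its SHA-256 with a digest you take from the distribution's published checksum file, since nothing in the Dockerfile above verifies what was downloaded. The function names, the expected-digest argument and the registry reference in the usage line are this example's own choices.

```shell
#!/usr/bin/env bash
# Added example: pre-flight checks plus build/push for a KubeVirt container disk.
# Assumes podman is installed and the caller supplies the image's published SHA-256.
set -eu

# Print the on-disk format of a VM image by inspecting its magic bytes.
# QCOW2 images start with "QFI\xfb"; a raw image has no header, so anything
# that is not a known compressed/archive format is reported as raw.
containerdisk_image_format() {
  magic=$(head -c 6 "$1" | od -An -tx1 | tr -d ' \n')
  case "$magic" in
    514649fb*)     echo qcow2 ;;
    1f8b*)         echo gzip ;;   # .gz download, not a bootable disk
    fd377a585a00*) echo xz ;;     # .xz download, not a bootable disk
    504b0304*)     echo zip ;;
    *)             echo raw ;;
  esac
}

# Return 0 only when the file's SHA-256 equals the expected digest.
# Works with GNU coreutils (sha256sum) or the BSD/macOS shasum tool.
containerdisk_verify_sha256() {
  file=$1; expected=$2
  if command -v sha256sum >/dev/null 2>&1; then
    actual=$(sha256sum "$file" | cut -d' ' -f1)
  else
    actual=$(shasum -a 256 "$file" | cut -d' ' -f1)
  fi
  [ "$actual" = "$expected" ]
}

# Emit the two-stage Dockerfile from the procedure for the given image file:
# owned by the QEMU user (UID 107), placed in /disk/, made read-only (0440),
# then copied into a scratch image so nothing else ships in the container disk.
containerdisk_dockerfile() {
  cat <<EOF
FROM registry.access.redhat.com/ubi8/ubi:latest AS builder
ADD --chown=107:107 $1 /disk/
RUN chmod 0440 /disk/*

FROM scratch
COPY --from=builder /disk/* /disk/
EOF
}

# Check the image, write the Dockerfile, then build and push the container disk.
# usage: containerdisk_build_push <image-file> <expected-sha256> <registry>/<name>:<tag>
containerdisk_build_push() {
  image=$1; sha256=$2; ref=$3
  fmt=$(containerdisk_image_format "$image")
  case "$fmt" in
    qcow2|raw) ;;
    *) echo "refusing to build: $image is $fmt, expected QCOW2 or RAW" >&2; return 1 ;;
  esac
  containerdisk_verify_sha256 "$image" "$sha256" ||
    { echo "refusing to build: SHA-256 mismatch for $image" >&2; return 1; }
  containerdisk_dockerfile "$image" > Dockerfile
  podman build -t "$ref" .
  podman push "$ref"
}

# Run only when called with the three arguments, so the file can also be sourced.
if [ "$#" -eq 3 ]; then
  containerdisk_build_push "$@"
fi
```

Usage (placeholder names): `sh build-containerdisk.sh fedora.qcow2 <sha256-from-CHECKSUM-file> quay.io/example/fedora-disk:latest`. The format check deliberately treats anything without a recognised header as raw, because raw images carry no signature; the checksum comparison is what actually ties the file to the publisher.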
Disabling TLS for a container registry
You can disable TLS (transport layer security) for one or more container registries by editing the insecureRegistries field of the HyperConverged custom resource.
Prerequisites
- Log in to the cluster as a user with the cluster-admin role.
Procedure
Edit the HyperConverged custom resource and add a list of insecure registries to the spec.storageImport.insecureRegistries field:

apiVersion: hco.kubevirt.io/v1beta1
kind: HyperConverged
metadata:
  name: kubevirt-hyperconverged
  namespace: kubevirt-hyperconverged
spec:
  storageImport:
    insecureRegistries: (1)
      - "private-registry-example-1:5000"
      - "private-registry-example-2:5000"

1 Replace the examples in this list with valid registry hostnames, in host or host:port form. Pulls from these registries are no longer protected by TLS, so a container disk can be read or altered in transit. Keep the list to registries you control, and prefer trusting the registry's CA certificate with a certConfigMap (see the command-line procedure below) when that is an option.
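The list above is usually set with oc patch rather than by editing the CR interactively. The following is an added example, not part of the OKD documentation or the HyperConverged operator: it checks that each entry is a bare host or host:port (a scheme or path is not what the field expects), builds a merge patch that sets the list to exactly the entries given, and applies it. HCO_NAME and HCO_NS mirror the manifest above; the function names are this example's own, and oc with cluster-admin rights is assumed.

```shell
#!/usr/bin/env bash
# Added example: set spec.storageImport.insecureRegistries on the HyperConverged CR.
# Assumes `oc` is installed and the current user has the cluster-admin role.
set -eu

HCO_NAME=kubevirt-hyperconverged
HCO_NS=kubevirt-hyperconverged

# Accept "host" or "host:port"; reject a scheme, a path, whitespace, quotes or
# backslashes. (IPv6 literals are not handled by this simple check.)
insecure_registry_valid() {
  case "$1" in
    ""|*://*|*/*|*" "*|*'"'*|*\\*) return 1 ;;
    *:*) port=${1##*:}; host=${1%:*}
         case "$port" in ''|*[!0-9]*) return 1 ;; esac
         [ "$port" -ge 1 ] && [ "$port" -le 65535 ] && [ -n "$host" ] ;;
    *)   return 0 ;;
  esac
}

# Print a strategic/merge patch body that REPLACES the list with the arguments.
# A merge patch replaces the whole list, so stale entries are removed rather
# than accumulated; pass every registry that should stay on the list.
insecure_registry_patch() {
  [ "$#" -ge 1 ] || { echo "usage: insecure_registry_patch <host[:port]>..." >&2; return 1; }
  out='{"spec":{"storageImport":{"insecureRegistries":['; sep=''
  for r in "$@"; do
    insecure_registry_valid "$r" ||
      { echo "invalid registry entry: $r (expected host[:port])" >&2; return 1; }
    out="$out$sep\"$r\""
    sep=','
  done
  printf '%s]}}}\n' "$out"
}

# Apply the patch and echo back what the cluster now holds.  Pulls from these
# registries are not verified, so an attacker on the network path can serve a
# modified container disk; prefer a certConfigMap with the registry CA when you can.
insecure_registry_set() {
  patch=$(insecure_registry_patch "$@")
  oc patch hyperconverged "$HCO_NAME" -n "$HCO_NS" --type=merge -p "$patch"
  oc get hyperconverged "$HCO_NAME" -n "$HCO_NS" \
    -o jsonpath='{.spec.storageImport.insecureRegistries}'; echo
}

if [ "$#" -ge 1 ]; then
  insecure_registry_set "$@"
fi
```

Usage: `sh insecure-registries.sh private-registry-example-1:5000 private-registry-example-2:5000`. Running it with no arguments does nothing, so an empty list has to be set deliberately.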
Creating a VM from a container disk by using the web console
You can create a virtual machine (VM) by importing a container disk from a container registry by using the OKD web console.
Procedure
Navigate to Virtualization → Catalog in the web console.
Click a template tile without an available boot source.
Click Customize VirtualMachine.
On the Customize template parameters page, expand Storage and select Registry (creates PVC) from the Disk source list.
Enter the container image reference of the container disk in the registry, for example the image used in the command-line procedure below: kubevirt/fedora-cloud-container-disk-demo:latest
Set the disk size.
Click Customize VirtualMachine.
Click Create VirtualMachine.
Creating a VM from a container disk by using the command line
You can create a virtual machine (VM) from a container disk by using the command line.
When the VM is created, the data volume with the container disk is imported into persistent storage.
Prerequisites
- You must have access credentials for the container registry that contains the container disk.
Procedure
If the container registry requires authentication, create a Secret manifest, specifying the credentials, and save it as a data-source-secret.yaml file:

apiVersion: v1
kind: Secret
metadata:
  name: data-source-secret
  labels:
    app: containerized-data-importer
type: Opaque
data:
  accessKeyId: "" (1)
  secretKey: "" (2)

1 Specify the Base64-encoded key ID or user name.
2 Specify the Base64-encoded secret key or password.

Base64 is an encoding, not encryption: anyone who can read this file can recover the registry credentials, so do not commit it to source control.

Apply the Secret manifest by running the following command:

$ oc apply -f data-source-secret.yaml
If the container registry uses a self-signed certificate, or a certificate that is not signed by the system CA bundle, create a config map containing the CA certificate in the same namespace as the VM. The importer uses it to verify the registry connection, which is preferable to disabling TLS for the registry:

$ oc create configmap tls-certs (1)
    --from-file=</path/to/file/ca.pem> (2)

1 Specify the config map name.
2 Specify the path to the CA certificate.

Edit the VirtualMachine manifest and save it as a vm-fedora-datavolume.yaml file:

apiVersion: kubevirt.io/v1
kind: VirtualMachine
metadata:
  creationTimestamp: null
  labels:
    kubevirt.io/vm: vm-fedora-datavolume
  name: vm-fedora-datavolume (1)
spec:
  dataVolumeTemplates:
  - metadata:
      creationTimestamp: null
      name: fedora-dv (2)
    spec:
      storage:
        resources:
          requests:
            storage: 10Gi (3)
        storageClassName: <storage_class> (4)
      source:
        registry:
          url: "docker://kubevirt/fedora-cloud-container-disk-demo:latest" (5)
          secretRef: data-source-secret (6)
          certConfigMap: tls-certs (7)
    status: {}
  running: true
  template:
    metadata:
      creationTimestamp: null
      labels:
        kubevirt.io/vm: vm-fedora-datavolume
    spec:
      domain:
        devices:
          disks:
          - disk:
              bus: virtio
            name: datavolumedisk1
        machine:
          type: ""
        resources:
          requests:
            memory: 1.5Gi
      terminationGracePeriodSeconds: 180
      volumes:
      - dataVolume:
          name: fedora-dv
        name: datavolumedisk1
status: {}

1 Specify the name of the VM.
2 Specify the name of the data volume.
3 Specify the size of the storage requested for the data volume.
4 Optional: If you do not specify a storage class, the default storage class is used.
5 Specify the URL of the container registry.
6 Optional: Specify the secret name if you created a secret for the container registry access credentials.
7 Optional: Specify a CA certificate config map.

Create the VM by running the following command:
$ oc create -f vm-fedora-datavolume.yaml
The oc create command creates the data volume and the VM. The CDI controller creates an underlying PVC with the correct annotation and the import process begins. When the import is complete, the data volume status changes to Succeeded, and because the manifest sets running: true the VM starts without further action. Data volume provisioning happens in the background, so there is no need to monitor the process.
Verification
The importer pod downloads the container disk from the specified URL and stores it on the provisioned persistent volume. View the status of the importer pod by running the following command:
$ oc get pods
Monitor the data volume until its status is Succeeded by running the following command:

$ oc describe dv fedora-dv (1)

1 Specify the data volume name that you defined in the VirtualMachine manifest.

Verify that provisioning is complete and that the VM has started by accessing its serial console:
$ virtctl console vm-fedora-datavolume
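An added example (not from the OKD documentation or the KubeVirt project) that scripts the command-line procedure above: it creates the credential secret and the CA config map with oc from files, rather than by hand-encoding Base64 into YAML, applies the manifest, and then waits for the data volume with a timeout instead of repeating oc describe by hand, returning non-zero if the import fails. NS, the manifest path and the credential file paths are the caller's; the VM and data volume names are the ones from the manifest above, and the function names are this example's own.

```shell
#!/usr/bin/env bash
# Added example: create registry credentials and CA trust, apply the VM manifest
# from this procedure, and wait for the DataVolume import to finish.
# Assumes `oc` and `virtctl` are installed and logged in.
set -eu

NS=${NS:-default}           # namespace for the VM, its secret and config map (caller's choice)
VM=vm-fedora-datavolume     # names taken from the VirtualMachine manifest in this procedure
DV=fedora-dv

# Registry credentials read from files, not shell arguments: the values never
# appear in the process list or shell history, and oc does the Base64 for you.
# CDI expects the keys accessKeyId and secretKey in an Opaque secret.
# usage: registry_secret_create <file-with-username> <file-with-password>
registry_secret_create() {
  oc -n "$NS" create secret generic data-source-secret \
    --from-file=accessKeyId="$1" --from-file=secretKey="$2" \
    --dry-run=client -o yaml | oc -n "$NS" apply -f -
  oc -n "$NS" label secret data-source-secret app=containerized-data-importer --overwrite
}

# CA config map for a registry whose certificate the system bundle does not trust.
# usage: registry_ca_configmap_create <ca.pem>
registry_ca_configmap_create() {
  oc -n "$NS" create configmap tls-certs --from-file="$1" \
    --dry-run=client -o yaml | oc -n "$NS" apply -f -
}

# Current phase of the DataVolume; empty while the object does not exist yet.
dv_phase() {
  oc -n "$NS" get dv "$DV" -o jsonpath='{.status.phase}' 2>/dev/null || true
}

# Poll dv_phase until a terminal phase or the timeout (seconds) is reached.
# Returns 0 on Succeeded and 1 on Failed or timeout, so a broken import is not
# missed: with running: true the VM would otherwise just never come up.
# usage: dv_wait <timeout-seconds> [poll-interval-seconds]
dv_wait() {
  timeout=$1; interval=${2:-5}; elapsed=0
  [ "$interval" -ge 1 ] || interval=1
  while :; do
    phase=$(dv_phase)
    case "$phase" in
      Succeeded) echo "DataVolume $DV: Succeeded"; return 0 ;;
      Failed)    echo "DataVolume $DV: Failed" >&2; return 1 ;;
    esac
    [ "$elapsed" -lt "$timeout" ] ||
      { echo "timed out after ${timeout}s, last phase: '${phase:-none}'" >&2; return 1; }
    sleep "$interval"; elapsed=$((elapsed + interval))
  done
}

# Apply the manifest, wait for the import, then attach to the serial console.
# usage: vm_create_and_wait <vm-fedora-datavolume.yaml>
vm_create_and_wait() {
  oc -n "$NS" create -f "$1"
  dv_wait 1800 10
  virtctl -n "$NS" console "$VM"   # the VM starts on its own once the import has succeeded
}

if [ "$#" -eq 1 ]; then
  vm_create_and_wait "$1"
fi
```

Usage: `NS=vms sh create-vm.sh vm-fedora-datavolume.yaml`, after calling registry_secret_create and registry_ca_configmap_create from a shell that has sourced the file. The phase lookup is isolated in dv_phase so the wait logic can be exercised against a stand-in without a cluster.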