Run vmlab in a container
§ 1 Purpose
Run a lab unprivileged inside Docker/Podman with only /dev/kvm.
§ 2 Prerequisites
- The host exposes /dev/kvm (otherwise vmlab falls back to slow TCG emulation).
- The vmlab image is built or pulled.
§ 3 Flowchart
§ 4 Steps
§ 4.1 1
§ 4.2 Build the image
$ docker build -t vmlab -f vmlab/Containerfile . # from the PARENT dir (or: just image)
Build context
vmlab builds against sibling WCL/ and wscript/ workspaces, so the build context is the parent directory containing all three.
Build from the parent directory (or run just image from inside vmlab/). The image is also published per release as ghcr.io/<owner>/vmlab:<version>.
§ 4.3 2
§ 4.4 Run a lab
$ docker run --rm -it --device /dev/kvm \
-v ~/.local/share/vmlab/templates:/root/.local/share/vmlab/templates \
-v "$PWD":/lab -w /lab vmlab vmlab up
Only /dev/kvm
No --privileged, no extra capabilities, no host network mode — the fabric is entirely userspace.
Mount the template store (persistent) and the lab directory, grant --device /dev/kvm, and run a vmlab verb. For long-running use, start the container with the default daemon start CMD and drive it via docker exec <ctr> vmlab ....
Verification
vmlab status (via docker exec or in the one-shot command) reports the lab running; no KVM-fallback warning appears in the logs.
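The "only /dev/kvm" posture can also be checked from the host by auditing the container's docker inspect output. The script below is an added example, not part of vmlab; the function name audit, the sample container name vmlab-demo and the sample JSON are constructed for illustration, and the field names are those of docker inspect's HostConfig.

```python
import json

ALLOWED_DEVICES = {"/dev/kvm"}  # the only device the page says the lab needs

# Constructed sample: trimmed `docker inspect` output for a container started
# with the run command above (not captured from a real host).
SAMPLE_OK = json.dumps([{
    "Name": "/vmlab-demo",
    "HostConfig": {
        "Privileged": False,
        "CapAdd": None,
        "NetworkMode": "bridge",
        "Devices": [{"PathOnHost": "/dev/kvm",
                     "PathInContainer": "/dev/kvm",
                     "CgroupPermissions": "rwm"}],
    },
}])


def audit(inspect_json):
    """Return a list of findings; an empty list means the container matches
    the 'only /dev/kvm' posture (no --privileged, no added caps, no host net)."""
    findings = []
    for ctr in json.loads(inspect_json):
        name = ctr.get("Name", "?").lstrip("/")
        hc = ctr.get("HostConfig", {})
        if hc.get("Privileged"):
            findings.append(f"{name}: started with --privileged")
        for cap in hc.get("CapAdd") or []:
            findings.append(f"{name}: extra capability {cap}")
        if hc.get("NetworkMode") == "host":
            findings.append(f"{name}: host network mode")
        devices = {d.get("PathOnHost") for d in hc.get("Devices") or []}
        for dev in sorted(devices - ALLOWED_DEVICES):
            findings.append(f"{name}: unexpected device {dev}")
        # Without /dev/kvm the lab still starts, but on the slow TCG fallback.
        if "/dev/kvm" not in devices and not hc.get("Privileged"):
            findings.append(f"{name}: /dev/kvm not passed (TCG fallback)")
    return findings


if __name__ == "__main__":
    import sys
    # Usage: docker inspect <ctr> | python3 audit_vmlab.py
    data = SAMPLE_OK if sys.stdin.isatty() else sys.stdin.read()
    problems = audit(data)
    print("\n".join(problems) or "OK: only /dev/kvm is exposed")
    sys.exit(1 if problems else 0)
```

The exit status is non-zero when any finding is reported, so the check can gate a CI job or a start-up wrapper.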