# =============================================================================
# firecracker-base - Docker Compose
# =============================================================================
# Runs a hardware-isolated MicroVM (with Docker inside it) from a container on
# the host.
#
# Trust model - read before loosening anything below:
#   * The MicroVM is the isolation boundary for whatever runs *inside* the VM.
#   * The outer container is NOT a meaningful boundary against the host: it is
#     given /dev/kvm, SYS_ADMIN and unconfined seccomp/AppArmor (see SECURITY),
#     which is close to `privileged: true` in practice. Only run this on a host
#     you already trust to run the VMM as root, and not on multi-tenant hosts.
#
# Requirements:
# - Linux host with KVM enabled (/dev/kvm)
# - Docker with BuildKit
#
# Usage:
# # Build (requires privileged for loop mount - uses docker-container builder).
# # `--allow security.insecure` lifts the build sandbox for that step, so only
# # build from a checkout you trust.
# docker buildx create --name firecracker-builder --use --driver docker-container
# docker buildx build --load --allow security.insecure -t firecracker-base:latest .
#
# # Or use the build script:
# ./build.sh
#
# # Run
# docker compose run --rm firecracker-base
#
# # Inside VM:
# docker run hello-world
# docker compose up
# =============================================================================
services:
  firecracker-base:
    # Built locally by the commands above; there is no `build:` stanza here, so
    # the tag must exist before `docker compose run`.
    image: firecracker-base:latest
    container_name: firecracker-vm
    hostname: firecracker-host
    # =========================================================================
    # REQUIRED: KVM Access and networking
    # =========================================================================
    # /dev/kvm hands the container the hypervisor interface; /dev/net/tun is
    # needed for the TAP link to the guest. Both are host devices passed
    # through as-is.
    devices:
      - /dev/kvm:/dev/kvm
      - /dev/net/tun:/dev/net/tun
    # =========================================================================
    # REQUIRED: Capabilities
    # =========================================================================
    # SYS_ADMIN is the one that matters: together with the unconfined
    # seccomp/AppArmor profiles below it permits mount(2) and the other
    # operations commonly used to break out of a container. The other three
    # are narrow by comparison. Nothing is dropped here (no cap_drop), so
    # Docker's default capability set stays in place as well.
    cap_add:
      - NET_ADMIN  # TAP device creation, iptables rules
      - NET_RAW  # Raw sockets for ping, debugging
      - SYS_ADMIN  # Mount workspace image (loop device)
      - MKNOD  # Create /dev/net/tun if needed
    # =========================================================================
    # SECURITY
    # =========================================================================
    # Both host-side sandboxes are switched off. Combined with SYS_ADMIN above,
    # this is what makes the outer container roughly equivalent to a
    # privileged one, regardless of the `privileged: false` under BEHAVIOR.
    # Prefer narrowing (a custom seccomp profile listing only what the VMM
    # actually calls) over widening anything here.
    # NOTE(review): this file does not establish that the VMM needs the whole
    # syscall surface from Docker's side; confirm before keeping
    # `seccomp:unconfined` anywhere beyond local development.
    # Note: On systems without AppArmor, remove or comment out the apparmor line
    security_opt:
      - apparmor:unconfined  # Required for TAP device and iptables
      - seccomp:unconfined  # Allow all syscalls for Firecracker VMM
    # =========================================================================
    # VOLUMES
    # =========================================================================
    # Your project directory - mounted at /workspace in VM.
    # This is a read-write bind mount from the host, so the VM boundary does
    # NOT protect it: anything running inside the VM (including containers
    # started by the Docker inside it) can modify or delete these host files.
    # Point HOST_WORKSPACE at a directory you are prepared to have rewritten.
    volumes:
      - ${HOST_WORKSPACE:-./workspace}:/workspace:rw
    # =========================================================================
    # ENVIRONMENT
    # =========================================================================
    # Every value can be overridden from the shell or a .env file; the value
    # after `:-` is the default.
    environment:
      # VM Resources (sized for Docker workloads)
      # FC_MEM / FC_WORKSPACE_SIZE units are not stated here - presumably MiB;
      # confirm against the image's entrypoint before changing them.
      - FC_VCPU=${FC_VCPU:-8}
      - FC_MEM=${FC_MEM:-4096}
      - FC_WORKSPACE_SIZE=${FC_WORKSPACE_SIZE:-4096}
      # Logging
      - FC_LOG_LEVEL=${FC_LOG_LEVEL:-Warning}
      # Network configuration (optional overrides)
      # Host-side TAP address and guest address. If 172.16.0.0/24 is already
      # routed on the host, override both together so they stay on one link.
      - FC_TAP_IP=${FC_TAP_IP:-172.16.0.1}
      - FC_VM_IP=${FC_VM_IP:-172.16.0.2}
    # =========================================================================
    # BEHAVIOR
    # =========================================================================
    # Interactive session: keep stdin open and allocate a TTY so the VM
    # console can be used from `docker compose run`.
    stdin_open: true
    tty: true
    # Kept false so Docker does not hand over every host device and every
    # capability - but see SECURITY: the explicit grants above already cover
    # most of what `privileged: true` would add.
    privileged: false
    # =========================================================================
    # SYSCTLS - Required for NAT/routing
    # =========================================================================
    # Docker only accepts namespaced sysctls here, so these apply to the
    # container's network namespace, not to the host.
    sysctls:
      # Enable IP forwarding for NAT to VM
      net.ipv4.ip_forward: 1
      # Allow forwarding on all interfaces
      net.ipv4.conf.all.forwarding: 1
      # Disable reverse path filtering (can cause issues with TAP).
      # Trade-off: with rp_filter off, the kernel no longer drops packets whose
      # source address is not routable back over the interface they arrived
      # on, so a guest could emit spoofed-source traffic through the TAP. The
      # only remaining control is the iptables rule set created at runtime
      # (not visible in this file); make sure it limits forwarded traffic to
      # FC_VM_IP as source.
      net.ipv4.conf.all.rp_filter: 0
      net.ipv4.conf.default.rp_filter: 0