Running Whonix on KVM in Linux containers

I got Whonix running on KVM via libvirt’s qemu:///session inside of a Docker container. I’m sharing here as this may be of interest to the forum, or at least of use to anyone attempting anything similar in the future.

Motivation

Docker serves to simplify the configuration and management of the network and filesystem resources associated with Whonix virtual machines. This approach enables reproducibility and ease of management for custom configurations of Whonix-based environments. On the other side of the spectrum, this approach also enables contained, side effect-free, single-command setup and teardown of pre-baked Whonix environments for new users.

Implementation notes

libvirt runs inside of a Docker container which runs with --device /dev/kvm. virt-manager and virtual machine GUIs are forwarded to the host’s X11 session.

libvirt’s qemu:///session doesn’t have the privilege to manage virtual networking resources, so the container must set up the virtual networks on behalf of libvirt and then define them using <forward mode='bridge'/>.
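The two-step wiring described above (the container creates the bridge, then hands it to the session libvirt as a `<forward mode='bridge'/>` network), as an added example that is not code from the original post or the whonix-now repository. It assumes the container has CAP_NET_ADMIN and `/dev/kvm`; the bridge and network names are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post or whonix-now).
# Assumptions: run inside the container as root with CAP_NET_ADMIN and
# --device /dev/kvm; names like whonix-int0 are placeholders.
set -eu

# Emit a libvirt network definition usable from qemu:///session.
# A session libvirtd cannot create bridges, so this XML only attaches
# to a bridge that already exists in the container's network namespace.
session_bridge_net_xml() {
    cat <<EOF
<network>
  <name>$1</name>
  <forward mode='bridge'/>
  <bridge name='$2'/>
</network>
EOF
}

# Create the Linux bridge on behalf of libvirt. A bridge with no uplink
# is the shape of the Gateway <-> Workstation link: traffic can only
# leave it through the Whonix-Gateway VM. The Gateway's external side
# is a second bridge that the container routes or NATs separately.
create_isolated_bridge() {
    ip link add "$1" type bridge
    ip link set "$1" up
}

# Register the network with the session libvirt and bring it up; VMs
# then reference it with <interface type='network'><source network='...'/>.
# Caveat: if libvirtd itself runs as an unprivileged user, qemu attaches
# via the setuid qemu-bridge-helper, which needs "allow <bridge>" in
# /etc/qemu/bridge.conf (assumed path; check your distribution).
define_session_network() {
    net_name="$1"; bridge_name="$2"
    tmp=$(mktemp)
    session_bridge_net_xml "$net_name" "$bridge_name" > "$tmp"
    virsh --connect qemu:///session net-define "$tmp"
    virsh --connect qemu:///session net-start "$net_name"
    virsh --connect qemu:///session net-autostart "$net_name"
    rm -f "$tmp"
}

# Typical entrypoint wiring (placeholder names):
#   create_isolated_bridge whonix-int0
#   define_session_network whonix-internal whonix-int0
```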

To work around a libvirt-related networking issue which I have yet to diagnose, I had to include a patch for the Whonix-Gateway firewall [1][2]. This is a temporary hack which I will remove once I manage to find and resolve the underlying problem.

[1] whonix-now/whonix.nix at 5b4937481465f60ce64f4beadf24386d48287b69 · nspin/whonix-now · GitHub
[2] Have firewall accept ICMP Fragmentation Needed - #3 by pege
