I am trying to do this, giving the container as few exceptional abilities as possible. How can I accomplish this? I know I could simply make the container "privileged", and that would work. But I am trying to give less than that to the container. Could I get what I need by giving the container some Linux "capabilities"? If so, which ones?

It looks like the process inside the container needs to see a char-special file at "/dev/kvm". So I tried making one, with `mknod /dev/kvm c 10 232` inside the container (matching the major and minor I found outside the container). Here is what I saw from inside the container after that `mknod`:

```
# ls -l /dev/kvm
crw-rw---- 1 root 121 10, 232 Nov 27 01:31 /dev/kvm
```

But I still got these complaints when QEMU inside the container tried to use KVM:

```
Could not access KVM kernel module: Operation not permitted
failed to initialize KVM: Operation not permitted
```

I also tried bind-mounting the host's /dev/kvm to /dev/kvm inside the container. But that also led to the same two complaints.

I also tried bind-mounting the host's /dev to /hostdev inside the container and then symlinking /hostdev/kvm to /dev/kvm inside the container, but that also produced the same two complaints.

What does it take to get an adequate /dev/kvm inside the container? Is it just a matter of the right Linux capabilities, or is it something else? I am running QEMU as root inside the container.

I am using Docker 1.12 and QEMU 2.6 on Ubuntu 16.10 (I know that's outdated).

Thanks,
Mike
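As an added example (not part of the original post): a POSIX shell check of a container's cgroup v1 device allow-list (`/sys/fs/cgroup/devices/devices.list`), which is what decides whether `open()` on a `mknod`'d `/dev/kvm` succeeds; a default Docker container may create the node (`c *:* m`) but cannot read or write it, which is the "Operation not permitted" symptom above. The sample lists are constructed, and the `c 10:232 rwm` entry models what Docker's `--device /dev/kvm` flag grants without `--privileged`; `device_allowed` and `check_kvm` are hypothetical helper names.

```sh
#!/bin/sh
# Decide whether a devices cgroup (v1) allow-list permits read+write access
# to one character device. Usage: device_allowed "<list text>" c MAJOR MINOR
# Each list line is "<type> <major>:<minor> <perms>"; "a *:* rwm" is the
# unrestricted (privileged) form. Prints "allowed" or "denied".
device_allowed() {
  printf '%s\n' "$1" | awk -v t="$2" -v maj="$3" -v min="$4" '
    $1 == "a" { ok = 1 }                      # privileged: everything allowed
    $1 == t && $3 ~ /r/ && $3 ~ /w/ {         # need both r and w, not just m
      split($2, mm, ":")
      if ((mm[1] == "*" || mm[1] == maj) && (mm[2] == "*" || mm[2] == min))
        ok = 1
    }
    END { print (ok ? "allowed" : "denied") }'
}

# /dev/kvm is char device 10:232 (as found outside the container above).
check_kvm() { device_allowed "$1" c 10 232; }

# Run this inside the container under test (cgroup v1 hosts only).
live_kvm_check() {
  check_kvm "$(cat /sys/fs/cgroup/devices/devices.list)"
}

# Constructed sample: allow-list of a default, non-privileged Docker container.
# "c *:* m" permits mknod of any char device but not opening it for I/O.
DEFAULT_LIST='c 1:5 rwm
c 1:3 rwm
c 5:0 rwm
c 136:* rwm
c 10:200 rwm
c *:* m
b *:* m'

# Constructed sample: the same container started with --device /dev/kvm,
# which appends an rwm entry for 10:232 instead of granting --privileged.
WITH_KVM_LIST="$DEFAULT_LIST
c 10:232 rwm"

printf 'default container : /dev/kvm %s\n' "$(check_kvm "$DEFAULT_LIST")"
printf 'with --device     : /dev/kvm %s\n' "$(check_kvm "$WITH_KVM_LIST")"
```

A node that `ls -l` shows with the right major/minor but whose `open()` fails with EPERM while the list lacks an `rwm` entry for it points at the device cgroup, not at missing capabilities.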