> From: Sean Christopherson <sean.j.christopherson@xxxxxxxxx>
> ...
> On Fri, 2017-12-01 at 14:44 -0500, Mike Spreitzer wrote:
> > I am trying to do this, giving the container as few exceptional abilities
> > as possible. How can I accomplish this?
> > ...
> Try --device, e.g. 'docker run --device=/dev/kvm ...'. I haven't used it
> for KVM specifically, but have successfully used it to expose other IOCTL
> char devices to an otherwise unprivileged container.

That worked! Thanks,
Mike