On Sun, Dec 03, 2017 at 05:01:02PM -0500, Mike Spreitzer wrote:
> > From: Sean Christopherson <sean.j.christopherson@xxxxxxxxx>
> ...
> > > On Fri, 2017-12-01 at 14:44 -0500, Mike Spreitzer wrote:
> > > I am trying to do this, giving the container as few exceptional abilities
> > > as possible. How can I accomplish this?
> >
> > ...
> >
> > Try --device, e.g. 'docker run --device=/dev/kvm ...'. I haven't used it
> > for KVM specifically, but have successfully used it to expose other IOCTL
> > char devices to an otherwise unprivileged container.

You might also want to add /dev/vhost* to speed up the guest I/O.

> That worked!
>
> Thanks,
> Mike
>

--
Sincerely yours,
Mike.
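The advice in this thread is to pass /dev/kvm (and optionally the /dev/vhost* nodes) into an otherwise unprivileged container with --device rather than --privileged. The script below is an added example, not code from the thread or from any of the posters: it detects which of /dev/kvm, /dev/vhost-net and /dev/vhost-vsock actually exist on the host, emits one --device flag per node in the explicit host:container:permissions form, and adds --group-add with the gid that owns /dev/kvm so a non-root process in the container can open the node. It assumes Linux with GNU coreutils (stat -c); the image name kvm-guest-runner is hypothetical.

```shell
#!/bin/sh
# Added example, not code from the thread: assemble a least-privilege
# 'docker run' command that passes through only the KVM-related device
# nodes present on the host, instead of resorting to --privileged.
# Assumes Linux with GNU coreutils (stat -c); the image name used at the
# bottom, kvm-guest-runner, is hypothetical.

# kvm_nodes DIR: list the KVM-related character devices found under DIR
# (normally /dev), one name per line. /dev/vhost-net and /dev/vhost-vsock
# appear only once the vhost_net / vhost_vsock modules are loaded, so a
# missing one is skipped rather than treated as an error.
kvm_nodes() {
    dir=${1:-/dev}
    for node in kvm vhost-net vhost-vsock; do
        if [ -c "$dir/$node" ]; then
            echo "$node"
        fi
    done
}

# device_flags NODE...: one --device flag per node. The explicit
# host:container:perms form pins the in-container path and limits the
# device-cgroup entry to read/write/mknod (rwm) on that single node.
device_flags() {
    for node in "$@"; do
        printf -- '--device=/dev/%s:/dev/%s:rwm\n' "$node" "$node"
    done
}

# run_cmd IMAGE GID NODE...: print the full command line. GID is the
# numeric group owning /dev/kvm on the host; a non-root process inside the
# container needs it via --group-add because the passed-through node keeps
# its host ownership. Refuses to build a command if 'kvm' itself is not
# among the nodes, since the whole point is access to the accelerator.
run_cmd() {
    image=$1; gid=$2; shift 2
    if ! printf '%s\n' "$@" | grep -qx kvm; then
        echo "run_cmd: /dev/kvm not available, refusing to build a command" >&2
        return 1
    fi
    flags=$(device_flags "$@" | tr '\n' ' ')
    echo "docker run --rm --cap-drop=ALL --security-opt=no-new-privileges" \
         "--group-add=$gid ${flags}$image"
}

# build_for_host DIR IMAGE: detect the nodes under DIR and print the command.
build_for_host() {
    dir=$1; image=$2
    if [ ! -c "$dir/kvm" ]; then
        echo "build_for_host: no $dir/kvm, is the kvm module loaded?" >&2
        return 1
    fi
    # word-splitting of the kvm_nodes output into separate arguments is intended
    run_cmd "$image" "$(stat -c %g "$dir/kvm")" $(kvm_nodes "$dir")
}

# Example invocation (only meaningful on a KVM-capable Linux host):
# build_for_host /dev kvm-guest-runner
```

--cap-drop=ALL and no-new-privileges are not required for KVM to work; they are there to show that the device pass-through alone is enough and that nothing else needs to be opened up. If the host's kvm group gid differs from anything inside the image, --group-add with the numeric gid is what makes the node openable without running the guest as root.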