From: Sean Christopherson <sean.j.christopherson@intel.com>
To: Mike Spreitzer <mspreitz@us.ibm.com>, kvm@vger.kernel.org
Subject: Re: Using KVM from a process inside a Docker container
Date: Fri, 01 Dec 2017 12:04:54 -0800
Message-ID: <1512158694.5863.2.camel@intel.com>
In-Reply-To: <OF8093AE14.95F626D0-ON852581E9.006C5255-852581E9.006C701E@notes.na.collabserv.com>
On Fri, 2017-12-01 at 14:44 -0500, Mike Spreitzer wrote:
> I am trying to do this, giving the container as few exceptional abilities
> as possible. How can I accomplish this?
>
> I know I could simply make the container "privileged", and that would
> work. But I am trying to give less than that to the container.
>
> Could I get what I need by giving the container some Linux "capabilities"?
> If so, which ones?
>
> It looks like the process inside the container needs to see a char-special
> file at "/dev/kvm". So I tried making one, with `mknod /dev/kvm c 10 232`
> inside the container (matching the major and minor I found outside the
> container). Here is what I saw from inside the container after that
> `mknod`:
>
> # ls -l /dev/kvm
> crw-rw---- 1 root 121 10, 232 Nov 27 01:31 /dev/kvm
>
> But I still got these complaints when QEMU inside the container tried to
> use KVM:
>
> Could not access KVM kernel module: Operation not permitted
> failed to initialize KVM: Operation not permitted
>
> I also tried bind-mounting the host's /dev/kvm to /dev/kvm inside the
> container. But that also led to the two same complaints. I also tried
> bind-mounting the host's /dev to /hostdev inside the container and then
> symlinking /hostdev/kvm to /dev/kvm inside the container, but that also
> produced the same two complaints. What does it take to get an adequate
> /dev/kvm inside the container? Is it just a matter of the right Linux
> capabilities, or is it something else? I am running QEMU as root inside
> the container.
>
> I am using Docker 1.12 and QEMU 2.6 on Ubuntu 16.10 (I know that's
> outdated).
>
> Thanks,
> Mike
>
Try --device, e.g. 'docker run --device=/dev/kvm ...'. I haven't used it
for KVM specifically, but have successfully used it to expose other IOCTL
char devices to an otherwise unprivileged container.
https://docs.docker.com/engine/reference/run/#runtime-privilege-and-linux-capabilities
Thread overview: 4+ messages
2017-12-01 19:44 Using KVM from a process inside a Docker container Mike Spreitzer
2017-12-01 20:04 ` Sean Christopherson [this message]
[not found] ` <OF37FA08E6.3309AFBF-ON002581E9.006EB91B@LocalDomain>
2017-12-03 22:01 ` Mike Spreitzer
2017-12-04 13:16 ` Mike Rapoport