From mboxrd@z Thu Jan 1 00:00:00 1970
From: Sean Christopherson
Subject: Re: Using KVM from a process inside a Docker container
Date: Fri, 01 Dec 2017 12:04:54 -0800
Message-ID: <1512158694.5863.2.camel@intel.com>
References:
Mime-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 8bit
To: Mike Spreitzer, kvm@vger.kernel.org
Return-path:
Received: from mga01.intel.com ([192.55.52.88]:17093 "EHLO mga01.intel.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751682AbdLAUJU (ORCPT); Fri, 1 Dec 2017 15:09:20 -0500
In-Reply-To:
Sender: kvm-owner@vger.kernel.org
List-ID:

On Fri, 2017-12-01 at 14:44 -0500, Mike Spreitzer wrote:
> I am trying to do this, giving the container as few exceptional abilities
> as possible. How can I accomplish this?
>
> I know I could simply make the container "privileged", and that would
> work. But I am trying to give less than that to the container.
>
> Could I get what I need by giving the container some Linux "capabilities"?
> If so, which ones?
>
> It looks like the process inside the container needs to see a char-special
> file at "/dev/kvm". So I tried making one, with `mknod /dev/kvm c 10 232`
> inside the container (matching the major and minor I found outside the
> container). Here is what I saw from inside the container after that
> `mknod`:
>
> # ls -l /dev/kvm
> crw-rw---- 1 root 121 10, 232 Nov 27 01:31 /dev/kvm
>
> But I still got these complaints when QEMU inside the container tried to
> use KVM:
>
> Could not access KVM kernel module: Operation not permitted
> failed to initialize KVM: Operation not permitted
>
> I also tried bind-mounting the host's /dev/kvm to /dev/kvm inside the
> container. But that also led to the same two complaints. I also tried
> bind-mounting the host's /dev to /hostdev inside the container and then
> symlinking /hostdev/kvm to /dev/kvm inside the container, but that also
> produced the same two complaints.
>
> What does it take to get an adequate /dev/kvm inside the container? Is it
> just a matter of the right Linux capabilities, or is it something else? I
> am running QEMU as root inside the container.
>
> I am using Docker 1.12 and QEMU 2.6 on Ubuntu 16.10 (I know that's
> outdated).
>
> Thanks,
> Mike
>

Try --device, e.g. 'docker run --device=/dev/kvm ...'. I haven't used it
for KVM specifically, but have successfully used it to expose other IOCTL
char devices to an otherwise unprivileged container.

https://docs.docker.com/engine/reference/run/#runtime-privilege-and-linux-capabilities
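An added diagnostic, not code from this thread or from Docker/QEMU: run inside the container, it tells apart the three states behind the symptoms above, namely no /dev/kvm node at all, a node that exists but cannot be opened (the "Operation not permitted" from an mknod'd or bind-mounted node, which the container's device cgroup produces and which --device resolves because it also whitelists the device there), and a node that opens but is not KVM. The status strings and the default path are this example's own choices; the ioctl number and API version come from linux/kvm.h.

```python
import errno
import fcntl
import os

# From linux/kvm.h: KVM_GET_API_VERSION is _IO(KVMIO, 0x00) with KVMIO = 0xAE,
# and the kernel has reported API version 12 since the interface stabilised.
KVM_GET_API_VERSION = 0xAE00
KVM_API_VERSION = 12


def check_kvm(path="/dev/kvm"):
    """Classify why KVM is (or is not) usable through `path`.

    Returns one of (names chosen for this example):
      "ok"            node opened and the kernel reports KVM API version 12
      "missing"       no node: nothing mknod'd, bind-mounted or passed via --device
      "denied"        open() got EPERM/EACCES: with a correct major/minor and
                      mode this is the device cgroup (Docker's default rules
                      allow mknod of any char device but not read/write on it
                      unless whitelisted, which is what --device adds)
      "not-kvm"       opened, but the driver does not understand the ioctl
                      (a regular file, or a node with the wrong major/minor)
      "error:<ERRNO>" anything else, e.g. ENODEV when the kvm module is absent
    """
    try:
        fd = os.open(path, os.O_RDWR | os.O_CLOEXEC)
    except FileNotFoundError:
        return "missing"
    except PermissionError:
        return "denied"
    except OSError as e:
        return "error:" + errno.errorcode.get(e.errno, str(e.errno))
    try:
        # QEMU's first step after open(): ask for the API version.
        version = fcntl.ioctl(fd, KVM_GET_API_VERSION)
    except OSError as e:
        if e.errno == errno.ENOTTY:
            return "not-kvm"
        return "error:" + errno.errorcode.get(e.errno, str(e.errno))
    finally:
        os.close(fd)
    return "ok" if version == KVM_API_VERSION else f"error:api-version-{version}"


if __name__ == "__main__":
    import sys
    status = check_kvm(sys.argv[1] if len(sys.argv) > 1 else "/dev/kvm")
    print(status)
    sys.exit(0 if status == "ok" else 1)
```

A "denied" result on a node whose `ls -l` shows the right major/minor and mode, as in the report above, points at the device cgroup rather than at capabilities or file permissions.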