On 02/16/2018 02:33 PM, Colin Walters wrote:
> On Fri, Feb 16, 2018, at 2:29 PM, Daniel Walsh wrote:
>> Does this actually work?
> Yes =) For example it broke and we fixed it e.g.:
> https://github.com/stefwalter/oci-kvm-hook/pull/4
>> I would figure the device cgroup would prevent
>> use of the kvm device inside a container unless you also modified the
>> cgroup?
>>
>> podman run --device /dev/kvm
> I guess the thing is personally, I see it as quite safe to expose
> the KVM device nowadays, and having to annotate containers
> explicitly for it is annoying, particularly in the Kube/OpenShift
> case. That said the linked thread above contains a proposal
> for the Kube equivalent of this.

Finally we have a different way of handling this in CRI-O and Podman,
but I will open an issue when this gets moved. There is a new config
file to allow us to only use the hook if necessary.