Context:
- bare metal is Ubuntu 18.04 with 5.04 HWE kernel
- Using the LXD snap --channel=latest/stable
- snap set lxd daemon.user.group=gem5
- lxc launch images:ubuntu/22.04 gem5proj (from user account in gem5 group)
I’ve used a similar set up for another project where I used
lxc config set other_proj nvidia.runtime=true
to map GPU’s into the container, and that works great; by far the best way to use GPUs in virtualized systems.
In this case the users are using some hardware simulation software (gem5) which requires /dev/kvm, as the simulations work by spinning up a little VM. (All this is above my pay grade, but the TA/researcher working on this showed me that some kind of kvm ioctl was needed in the gem5 source code.)
What we’d like to do is spin up individual LXD containers for each user of this system, give them privilege acceleration inside the unprivileged container so that they can install software themselves, and then just turn them loose. This would both be for research and for a class on computer hardware architecture.
The problem is that even though the kvm drivers are loaded in the kernel on the bare metal machine, and /dev/kvm exists on bare metal, the kvm device is not visible to the container. Based on Stéphane’s LXD on multi-user systems youtube video, I’m anticipating that there’s no way to make this work right now, but I’d like to understand all this better, so am asking anyway: Is there any way to have the /dev/kvm device available inside these unprivileged containers connected to an unprivileged UNIX socket?
If not, what are the precise configuration parameters necessary (privileged container? unprivileged container on the lxd socket?) necessary to facilitate this?
Finally, assuming /dev/kvm were available inside these unprivileged containers, are there any security implications? In particular I’m wondering what determines what devices are visible from an unprivileged container and what devices are not. For example, it’s kind of obvious (?) that block devices wouldn’t be visible in the container, but what about other stuff?