Replace privileged into other options for creating hosts via DockerIM

Author: 0405ysj

pkg/app/instances/docker.go

@@ -372,14 +372,39 @@ func (m *DockerInstanceManager) createDockerContainer(ctx context.Context, user
 		Labels:      dockerLabelsDict(user),
 	}
 	hostConfig := &container.HostConfig{
+		CapAdd: []string{"NET_ADMIN"},
 		Mounts: []mount.Mount{
 			{
 				Type:   mount.TypeVolume,
 				Source: uaVolumeName(user),
 				Target: uaMountTarget,
 			},
 		},
-		Privileged: true,
+		Resources: container.Resources{
+			Devices: []container.DeviceMapping{
+				{
+					PathOnHost:        "/dev/kvm",
+					PathInContainer:   "/dev/kvm",
+					CgroupPermissions: "rwm",
+				},
+				{
+					PathOnHost:        "/dev/net/tun",
+					PathInContainer:   "/dev/net/tun",
+					CgroupPermissions: "rwm",
+				},
+				{
+					PathOnHost:        "/dev/vhost-net",
+					PathInContainer:   "/dev/vhost-net",
+					CgroupPermissions: "rwm",
+				},
+				{
+					PathOnHost:        "/dev/vhost-vsock",
+					PathInContainer:   "/dev/vhost-vsock",
+					CgroupPermissions: "rwm",
+				},
+			},
+		},
+		SecurityOpt: []string{"seccomp=unconfined"},
 	}
 	createRes, err := m.Client.ContainerCreate(ctx, config, hostConfig, nil, nil, "")
 	if err != nil {