Description
Problem
We are currently using the --privileged flag when running Docker in the acceptance test. This is done to run KVM inside but basically gives the container full root access on the host.
Solution
Use options such as --device and --cap-add to only give the container the exact permissions we need.
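An added example (not code from this issue or the project) of the replacement the Solution describes: a POSIX shell helper that launches the KVM test container with --cap-drop ALL plus a --device grant for /dev/kvm instead of --privileged, and a check that can be run inside the container to spot an over-broad capability set. The optional /dev/net/tun and NET_ADMIN grant, the KVM_TEST_TAP switch and the function names are assumptions, not part of the project's test setup.

```shell
#!/bin/sh
# Added example: minimal device/capability grants for running KVM in a
# container, replacing --privileged. Device and capability choices are
# assumptions about what a KVM acceptance test needs; adjust to the real test.

# Builds the docker run argument list: drop every capability first, then
# add back only the device node KVM actually needs.
kvm_docker_args() {
  printf '%s ' \
    --cap-drop ALL \
    --device /dev/kvm:/dev/kvm \
    --security-opt no-new-privileges
  # Assumed optional extra: tap networking for the guest needs the tun
  # device and CAP_NET_ADMIN. Leave off when user-mode networking is enough.
  if [ "${KVM_TEST_TAP:-0}" = 1 ]; then
    printf '%s ' --device /dev/net/tun:/dev/net/tun --cap-add NET_ADMIN
  fi
}

# Returns 0 if an argument list still hands the container full host access.
args_are_privileged() {
  case " $1 " in
    *" --privileged "*) return 0 ;;
  esac
  return 1
}

# Inside the container, CapEff in /proc/self/status is a hex bitmask of the
# effective capabilities. A --privileged container holds every capability,
# including CAP_SYS_ADMIN (bit 21); the default Docker set does not, so that
# bit being set is a quick sign the grant is broader than intended.
# $1: the mask as printed, e.g. 00000000a80425fb
cap_has_sys_admin() {
  mask=$((0x$1))
  [ $(( (mask >> 21) & 1 )) -eq 1 ]
}

# Runs the test container. $@: image and command. The host must expose
# /dev/kvm to the invoking user (typically via the kvm group).
run_kvm_test() {
  if ! [ -r /dev/kvm ] || ! [ -w /dev/kvm ]; then
    echo "no read/write access to /dev/kvm on the host" >&2
    return 1
  fi
  # shellcheck disable=SC2046  # word splitting of the argument list is intended
  docker run --rm $(kvm_docker_args) "$@"
}
```

Inside the container, `grep CapEff /proc/self/status` gives the mask to feed to cap_has_sys_admin; with --cap-drop ALL it should read all zeros.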
Remarks
Access to the Docker API is effectively root access. Even lacking --privileged, there are numerous mechanisms to avoid system policy if one has access to the docker socket or API.
It seems that when a user has access to docker, that user essentially has root access. If we were going to have root access anyway, I figured it's better to make that obvious by using sudo so the next person touching the code will be aware of it.
It could be a good idea to also investigate if there are side-effects to that and if that was a terrible idea.