From 7eff04c3777d68c84c057a67d56e1257ed5d933f Mon Sep 17 00:00:00 2001
From: NaysKutzu <87282334+NaysKutzu@users.noreply.github.com>
Date: Fri, 21 Nov 2025 18:42:19 +0100
Subject: [PATCH 1/4] PUSH - Native support for KVM

---
 config/config.go | 32 ++++++++++++++++++++++++++++++++
 config/config_docker.go | 5 +++++
 environment/settings.go | 11 +++++++++++
 3 files changed, 48 insertions(+)

diff --git a/config/config.go b/config/config.go
index a57d9c46..2e99a467 100644
--- a/config/config.go
+++ b/config/config.go
@@ -555,6 +555,17 @@ func FromFile(path string) error {
 return err
 }
 
+ // Check if enable_native_kvm was explicitly set in the YAML
+ var rawConfig map[string]interface{}
+ explicitlySet := false
+ if err := yaml.Unmarshal(b, &rawConfig); err == nil {
+ if dockerConfig, ok := rawConfig["docker"].(map[interface{}]interface{}); ok {
+ if _, exists := dockerConfig["enable_native_kvm"]; exists {
+ explicitlySet = true
+ }
+ }
+ }
+
 if err := yaml.Unmarshal(b, c); err != nil {
 return err
 }
@@ -579,6 +590,12 @@ func FromFile(path string) error {
 return err
 }
 
+ // Set default for EnableNativeKVM based on KVM availability if not explicitly set.
+ // Default is true if KVM is available on the host, otherwise false.
+ if !explicitlySet {
+ c.Docker.EnableNativeKVM = IsKVMAvailable()
+ }
+
 // Store this configuration in the global state.
 Set(c)
 return nil
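Review bot: The explicit-setting probe `rawConfig["docker"].(map[interface{}]interface{})` fails open: when the assertion does not match the map type the YAML package produces (gopkg.in/yaml.v3, for example, decodes nested mappings as `map[string]interface{}`; the import is outside the hunk), `explicitlySet` stays false and the second hunk's `c.Docker.EnableNativeKVM = IsKVMAvailable()` overrides an operator's `enable_native_kvm: false`. For a switch that hands a host device to containers, the undetermined case should resolve to off. Decoding into a `*bool` (nil meaning unset) would avoid the second `yaml.Unmarshal` and the type assertion altogether. PATCH 3/4 later drops the auto-detection, which removes this path; FromFile's body starts and ends outside the hunk.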
@@ -788,6 +805,21 @@ func UseOpenat2() bool {
 }
 }
 
+// IsKVMAvailable checks if KVM is available on the host system by checking
+// if /dev/kvm exists and is accessible.
+func IsKVMAvailable() bool {
+ if _, err := os.Stat("/dev/kvm"); err != nil {
+ return false
+ }
+ // Try to open the device to verify it's actually accessible
+ file, err := os.Open("/dev/kvm")
+ if err != nil {
+ return false
+ }
+ file.Close()
+ return true
+}
+
 // Expand expands an input string by calling [os.ExpandEnv] to expand all
 // environment variables, then checks if the value is prefixed with `file://`
 // to support reading the value from a file.
diff --git a/config/config_docker.go b/config/config_docker.go
index f3e846b0..28b32a65 100644
--- a/config/config_docker.go
+++ b/config/config_docker.go
@@ -96,6 +96,11 @@ type DockerConfiguration struct {
 Type string `default:"local" json:"type" yaml:"type"`
 Config map[string]string `default:"{\"max-size\":\"5m\",\"max-file\":\"1\",\"compress\":\"false\",\"mode\":\"non-blocking\"}" json:"config" yaml:"config"`
 } `json:"log_config" yaml:"log_config"`
+
+ // EnableNativeKVM enables native KVM support for containers. This allows containers
+ // to access /dev/kvm for hardware-accelerated virtualization. The default value is
+ // automatically set to true if KVM is available on the host system, otherwise false.
+ EnableNativeKVM bool `json:"enable_native_kvm" yaml:"enable_native_kvm"`
 }
 
 func (c DockerConfiguration) ContainerLogConfig() container.LogConfig {
diff --git a/environment/settings.go b/environment/settings.go
index 596da6fc..8974f4c9 100644
--- a/environment/settings.go
+++ b/environment/settings.go
@@ -133,6 +133,17 @@ func (l Limits) AsContainerResources() container.Resources {
 resources.CpusetCpus = l.Threads
 }
 
+ // Add KVM device mapping if native KVM support is enabled
+ if config.Get().Docker.EnableNativeKVM {
+ resources.Devices = []container.DeviceMapping{
+ {
+ PathOnHost: "/dev/kvm",
+ PathInContainer: "/dev/kvm",
+ CgroupPermissions: "rwm",
+ },
+ }
+ }
+
 return resources
 }
 
From 2e654b3be9cc1ab07c494f92d317e2929955fadc Mon Sep 17 00:00:00 2001
From: NaysKutzu <87282334+NaysKutzu@users.noreply.github.com>
Date: Fri, 21 Nov 2025 19:05:56 +0100
Subject: [PATCH 2/4] Soft kvm mapping containers & Better kvm check

---
 config/config.go | 25 ++++++++++++++++++++++++-
 environment/settings.go | 12 ++++++------
 2 files changed, 30 insertions(+), 7 deletions(-)

diff --git a/config/config.go b/config/config.go
index 2e99a467..0ca3ec9f 100644
--- a/config/config.go
+++ b/config/config.go
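Review bot: `CgroupPermissions: "rwm"` in the new device mapping grants mknod in addition to read and write on the KVM device; opening an already-created `/dev/kvm` node and issuing ioctls on it should only need `"rw"`, so `CgroupPermissions: "rw",` is the least-privilege value unless a workload is known to require `m`. The same `"rwm"` value is carried unchanged into the `kvmDevice` literal in the settings.go hunk of PATCH 2/4. A short comment on that line stating why each letter is granted would help the next reviewer, e.g. `// rw only: the runtime creates the node, the guest never needs mknod`. AsContainerResources begins outside the hunk.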
@@ -808,15 +808,38 @@ func UseOpenat2() bool {
 // IsKVMAvailable checks if KVM is available on the host system by checking
 // if /dev/kvm exists and is accessible.
 func IsKVMAvailable() bool {
+ // Check if /dev/kvm exists
 if _, err := os.Stat("/dev/kvm"); err != nil {
+ if os.IsNotExist(err) {
+ log.Debug("/dev/kvm not found: KVM is not available on this system")
+ return false
+ }
+ // Other errors from Stat (e.g., permission issues checking the file)
+ log.WithError(err).Warn("/dev/kvm stat failed: unexpected error, assuming KVM not available")
 return false
 }
+
 // Try to open the device to verify it's actually accessible
 file, err := os.Open("/dev/kvm")
 if err != nil {
+ if os.IsPermission(err) {
+ // KVM device exists but we don't have permission to access it
+ // Return true since KVM is present, just not accessible to this process
+ log.Info("/dev/kvm permission denied: KVM is present but not accessible to this process")
+ return true
+ }
+ if os.IsNotExist(err) {
+ // Shouldn't happen if Stat succeeded, but handle it anyway
+ log.Debug("/dev/kvm not found: KVM is not available on this system")
+ return false
+ }
+ // Other unexpected errors
+ log.WithError(err).Warn("/dev/kvm open failed: unexpected error, assuming KVM not available")
 return false
 }
- file.Close()
+ defer file.Close()
+
+ log.Debug("/dev/kvm is available and accessible")
 return true
 }
 
diff --git a/environment/settings.go b/environment/settings.go
index 8974f4c9..0567109f 100644
--- a/environment/settings.go
+++ b/environment/settings.go
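Review bot: The new `os.IsPermission` branch returns true when `/dev/kvm` cannot be opened, but the unchanged doc comment at the top of the hunk still says the function checks that the device "exists and is accessible", so the documented contract no longer matches the permission-denied case. Update the comment to something like `// IsKVMAvailable reports whether /dev/kvm exists on the host; a permission error on open still counts as available.` The preceding `os.Stat` is also redundant with the error handling on `os.Open`, which already distinguishes a missing node from a permission error, so the function could be reduced to the Open branch and lose the window between the two calls.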
@@ -135,13 +135,13 @@ func (l Limits) AsContainerResources() container.Resources {
 
 // Add KVM device mapping if native KVM support is enabled
 if config.Get().Docker.EnableNativeKVM {
- resources.Devices = []container.DeviceMapping{
- {
- PathOnHost: "/dev/kvm",
- PathInContainer: "/dev/kvm",
- CgroupPermissions: "rwm",
- },
+ kvmDevice := container.DeviceMapping{
+ PathOnHost: "/dev/kvm",
+ PathInContainer: "/dev/kvm",
+ CgroupPermissions: "rwm",
 }
+ // Append to existing devices slice (append handles nil slices safely)
+ resources.Devices = append(resources.Devices, kvmDevice)
 }
 
 return resources
From 403af1a508956eed91264c67f26cb1d68829c10b Mon Sep 17 00:00:00 2001
From: NaysKutzu <87282334+NaysKutzu@users.noreply.github.com>
Date: Fri, 21 Nov 2025 19:36:27 +0100
Subject: [PATCH 3/4] By default kvm is disabled!

---
 config/config.go | 17 -----------------
 config/config_docker.go | 4 ++--
 2 files changed, 2 insertions(+), 19 deletions(-)

diff --git a/config/config.go b/config/config.go
index 0ca3ec9f..7e6114ff 100644
--- a/config/config.go
+++ b/config/config.go
@@ -555,17 +555,6 @@ func FromFile(path string) error {
 return err
 }
 
- // Check if enable_native_kvm was explicitly set in the YAML
- var rawConfig map[string]interface{}
- explicitlySet := false
- if err := yaml.Unmarshal(b, &rawConfig); err == nil {
- if dockerConfig, ok := rawConfig["docker"].(map[interface{}]interface{}); ok {
- if _, exists := dockerConfig["enable_native_kvm"]; exists {
- explicitlySet = true
- }
- }
- }
-
 if err := yaml.Unmarshal(b, c); err != nil {
 return err
 }
@@ -579,12 +579,6 @@ func FromFile(path string) error {
 return err
 }
 
- // Set default for EnableNativeKVM based on KVM availability if not explicitly set.
- // Default is true if KVM is available on the host, otherwise false.
- if !explicitlySet {
- c.Docker.EnableNativeKVM = IsKVMAvailable()
- }
-
 // Store this configuration in the global state.
 Set(c)
 return nil
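Review bot: In the settings.go hunk of PATCH 2/4 the `kvmDevice` mapping is appended whenever `EnableNativeKVM` is set, with no check that `/dev/kvm` exists on this host; Docker normally refuses to create a container whose host device path is missing, so a node with the flag set but no KVM would presumably fail to start servers instead of starting them without acceleration. Gating the block as `if config.Get().Docker.EnableNativeKVM && config.IsKVMAvailable() {` would give the "soft" behaviour the subject line describes. It would also keep `IsKVMAvailable` in use once PATCH 3/4 removes the only caller visible in this series. AsContainerResources begins outside the hunk.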
diff --git a/config/config_docker.go b/config/config_docker.go
index 28b32a65..6090dd49 100644
--- a/config/config_docker.go
+++ b/config/config_docker.go
@@ -98,8 +98,8 @@ type DockerConfiguration struct {
 } `json:"log_config" yaml:"log_config"`
 
 // EnableNativeKVM enables native KVM support for containers. This allows containers
- // to access /dev/kvm for hardware-accelerated virtualization. The default value is
- // automatically set to true if KVM is available on the host system, otherwise false.
+ // to access /dev/kvm for hardware-accelerated virtualization. Defaults to false.
+ // Must be explicitly enabled in the configuration file.
 EnableNativeKVM bool `json:"enable_native_kvm" yaml:"enable_native_kvm"`
 }
 
From 1af9afa19d70a9879a4c902f435f0a3d148ea950 Mon Sep 17 00:00:00 2001
From: NaysKutzu <87282334+NaysKutzu@users.noreply.github.com>
Date: Fri, 21 Nov 2025 19:38:13 +0100
Subject: [PATCH 4/4] Be default false

---
 config/config_docker.go | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/config/config_docker.go b/config/config_docker.go
index 6090dd49..99036279 100644
--- a/config/config_docker.go
+++ b/config/config_docker.go
@@ -99,8 +99,7 @@ type DockerConfiguration struct {
 
 // EnableNativeKVM enables native KVM support for containers. This allows containers
 // to access /dev/kvm for hardware-accelerated virtualization. Defaults to false.
- // Must be explicitly enabled in the configuration file.
- EnableNativeKVM bool `json:"enable_native_kvm" yaml:"enable_native_kvm"`
+ EnableNativeKVM bool `default:"false" json:"enable_native_kvm" yaml:"enable_native_kvm"`
 }
 
 func (c DockerConfiguration) ContainerLogConfig() container.LogConfig {
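Review bot: The field comment on `EnableNativeKVM` in PATCH 4/4 says what the option allows but not its scope: settings.go reads it from the global `config.Get().Docker`, so enabling it maps the host's `/dev/kvm` with `rwm` into every container built through `AsContainerResources`, not into selected servers. I would add a line such as `// Applies to all server containers on this node; enable only where every workload is trusted with the host KVM device.` The added `default:"false"` tag matches the bool zero value, so it documents intent rather than changing behaviour, assuming the defaults library only fills zero values.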