Thanks for the input. I will have to dig into Docker some more, and possibly post on that list again. Docker may well handle hardware passthroughs better than LXC. Luckily, I do have access to the hardware to test, with about 100 Linux nodes that are connected with infiniband and at present side-lined. Infiniband cards (not the switch, on the compute node side) needs to give the user ownership so that user-space code can write to the hardware. It is not a real security issue, I can assure you. What gets more complicated in my case is that within the containers (for security reasons) UIDs/GIDs are changed (usually with an additive 60k integer or so) to allow malicious code execution outside of the container. I am not there yet... it needs to work first before I start worrying about security. If I get anywhere with Docker, I will ping you for your information.