Bug 2025295

Summary: Windows VMs fail to start on air-gapped environments for non-admin users
Product: Container Native Virtualization (CNV) Reporter: ssoroka
Component: InstallationAssignee: Oren Cohen <ocohen>
Status: CLOSED ERRATA QA Contact: Guohua Ouyang <gouyang>
Severity: high Docs Contact:
Priority: unspecified    
Version: 4.10.0CC: cnv-qe-bugs, gouyang, kmajcher, ocohen, rsdeor, stirabos, yzamir
Target Milestone: ---   
Target Release: 4.10.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: hco-bundle-registry-container-v4.10.0-465 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
: 2032873 2032876 (view as bug list) Environment:
Last Closed: 2022-03-16 15:56:33 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 2032873, 2032876    

Description ssoroka 2021-11-21 14:03:32 UTC 
Description of problem:
During Windows VM creation there is a virtio-win containerDisk that is being used.
Previously we had Bug 1942839 which was fixed for 4.8 (fail to pull image with latest tag).
The solution was to reference this image with a digest instead of tag (the digest is taken from a configmap).
We experience now a similar issue but only for regular users (not cluster-admins).
 

Version-Release number of selected component (if applicable):


How reproducible:
Try to create a Windows VM (that requires the default virtio-win drivers) in a disconnected (air-gapped) environment. 

Steps to Reproduce:
1. Create a Windows VM using a regular user (not cluster-admin)
2. Wait until the VM starts 
3. Verify that is stuck on starting phase and that the virt-launcher is in imagePullBackoff

Actual results:
VM is stuck on starting, virt-launcher fails to pull the virtio-win containerDisk image

Expected results:
Windows VM is successfully created 

Additional info:
Currently we use configmaps/v2v-vmware to let us know the clusters virtio-win image, this configmap is not readable to all.
Comment 1 Yaacov Zamir 2021-11-22 10:54:08 UTC 
Moving to installation (hyper converged operator)

because HCO installs the local images air gaped environment images, and can put them in a config map that should be readable by project admin (non cluster admin users)
Comment 2 Oren Cohen 2021-12-13 12:36:12 UTC 
Fixed in version:
hco-bundle-registry-container-v4.10.0-465
hyperconverged-cluster-operator-container-v4.10.0-88 (https://brewweb.engineering.redhat.com/brew/buildinfo?buildID=1824536)
Comment 3 Guohua Ouyang 2021-12-15 03:34:30 UTC 
Verified the bug with hco-bundle-registry-container-v4.10.0-465 and latest console, create a windows VM by non-admin user is running normally, virtio-win image is using the one in virtio-win config map and is able to pull down.
Comment 9 errata-xmlrpc 2022-03-16 15:56:33 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Virtualization 4.10.0 Images security and bug fix update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:0947