Bug 2032873

Summary: [4.9] Windows VMs fail to start on air-gapped environments for non-admin users
Product: Container Native Virtualization (CNV)
Reporter: Oren Cohen <ocohen>
Component: Installation
Assignee: Oren Cohen <ocohen>
Status: CLOSED ERRATA
QA Contact: Guohua Ouyang <gouyang>
Severity: high
Docs Contact:
Priority: unspecified
Version: 4.9.2
CC: cnv-qe-bugs, gouyang, ocohen, stirabos
Target Milestone: ---
Flags: gouyang: needinfo-
Target Release: 4.10.0
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: hco-bundle-registry-container-v4.9.2-10
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: 2025295
Environment:
Last Closed: 2022-03-16 15:59:44 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2025295, 2032876
Bug Blocks:

Description Oren Cohen 2021-12-15 12:36:36 UTC
+++ This bug was initially created as a clone of Bug #2025295 +++

Cloning the bug for CNV 4.9

Description of problem:
During Windows VM creation there is a virtio-win containerDisk that is being used.
Previously we had Bug 1942839 which was fixed for 4.8 (fail to pull image with latest tag).
The solution was to reference this image with a digest instead of a tag (the digest is taken from a configmap).
We now experience a similar issue, but only for regular users (not cluster-admins).
 

Version-Release number of selected component (if applicable):


How reproducible:
Try to create a Windows VM (that requires the default virtio-win drivers) in a disconnected (air-gapped) environment. 

Steps to Reproduce:
1. Create a Windows VM using a regular user (not cluster-admin)
2. Wait until the VM starts 
3. Verify that it is stuck in the starting phase and that the virt-launcher is in imagePullBackoff

Actual results:
VM is stuck on starting, virt-launcher fails to pull the virtio-win containerDisk image

Expected results:
Windows VM is successfully created 

Additional info:
Currently we use configmaps/v2v-vmware to let us know the cluster's virtio-win image; this configmap is not readable by all.

--- Additional comment from Yaacov Zamir on 2021-11-22 10:54:08 UTC ---

Moving to installation (hyper converged operator)

because HCO installs the local air-gapped environment images and can put them in a config map that should be readable by project admins (non-cluster-admin users)

--- Additional comment from Oren Cohen on 2021-12-13 12:36:12 UTC ---

Fixed in version:
hco-bundle-registry-container-v4.10.0-465
hyperconverged-cluster-operator-container-v4.10.0-88 (https://brewweb.engineering.redhat.com/brew/buildinfo?buildID=1824536)

--- Additional comment from Guohua Ouyang on 2021-12-15 03:34:30 UTC ---

Verified the bug with hco-bundle-registry-container-v4.10.0-465 and the latest console: a Windows VM created by a non-admin user runs normally, and the virtio-win image used is the one in the virtio-win config map and can be pulled.
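
The access pattern discussed above, as an added example that is not taken from this bug or from the HCO manifests: a ConfigMap holding the virtio-win image reference by digest, with read access scoped to that single object for all authenticated users. The namespace, object names, data key, registry host and digest are placeholders and assumptions.

```yaml
# Added example; example-cnv-namespace, the object names and the data key
# are hypothetical, not the names used by the operator.
apiVersion: v1
kind: ConfigMap
metadata:
  name: virtio-win
  namespace: example-cnv-namespace
data:
  # Referenced by digest rather than by tag, as in the description above.
  virtio-win-image: "registry.example.com/virtio-win@sha256:<digest-placeholder>"
---
# Grants "get" on this one ConfigMap only. Other ConfigMaps in the
# namespace stay unreadable to regular users.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: virtio-win-reader
  namespace: example-cnv-namespace
rules:
  - apiGroups: [""]
    resources: ["configmaps"]
    resourceNames: ["virtio-win"]
    verbs: ["get"]
---
# Binds the Role to every authenticated user, cluster-admin or not.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: virtio-win-reader
  namespace: example-cnv-namespace
subjects:
  - kind: Group
    name: system:authenticated
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: virtio-win-reader
  apiGroup: rbac.authorization.k8s.io
# Check as a regular user (example-user is a placeholder):
#   oc auth can-i get configmap/virtio-win -n example-cnv-namespace --as=example-user
```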

Comment 1 Guohua Ouyang 2021-12-20 02:15:07 UTC
Hi Oren,
Does it need to cherry-pick https://github.com/openshift/console/pull/10616 to 4.9.z as well?
If the answer is yes, do you prefer to do it in this bug or create a console bug for it?

Comment 2 Guohua Ouyang 2021-12-20 03:52:44 UTC
(In reply to Guohua Ouyang from comment #1)
> Hi Oren,
> Does it need to cherry-pick https://github.com/openshift/console/pull/10616
> to 4.9.z as well?
> If the answer is yes, do you prefer to do it in this bug or create a console
> bug for it?

The fix for 4.9.z is different from 4.10, so the answer is no. Cancel the needinfo.
Verified on CNV-4.9.2-11.

Comment 8 errata-xmlrpc 2022-03-16 15:59:44 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Virtualization 4.10.0 Images security and bug fix update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:0947