Bug 2032876

Summary: [4.8] Windows VMs fail to start on air-gapped environments for non-admin users
Product: Container Native Virtualization (CNV) Reporter: Oren Cohen <ocohen>
Component: InstallationAssignee: Oren Cohen <ocohen>
Status: CLOSED ERRATA QA Contact: Guohua Ouyang <gouyang>
Severity: high Docs Contact:
Priority: unspecified    
Version: 4.8.4CC: cnv-qe-bugs, gouyang, kmajcher, ocohen, stirabos
Target Milestone: ---   
Target Release: 4.10.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: CNV-v4.8.4-31 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: 2025295 Environment:
Last Closed: 2022-03-16 15:59:44 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2025295    
Bug Blocks: 2032873    

Description Oren Cohen 2021-12-15 12:40:18 UTC 
+++ This bug was initially created as a clone of Bug #2025295 +++

Cloning this bug for CNV 4.8

Description of problem:
During Windows VM creation there is a virtio-win containerDisk that is being used.
Previously we had Bug 1942839 which was fixed for 4.8 (fail to pull image with latest tag).
The solution was to reference this image with a digest instead of tag (the digest is taken from a configmap).
We experience now a similar issue but only for regular users (not cluster-admins).
 

Version-Release number of selected component (if applicable):


How reproducible:
Try to create a Windows VM (that requires the default virtio-win drivers) in a disconnected (air-gapped) environment. 

Steps to Reproduce:
1. Create a Windows VM using a regular user (not cluster-admin)
2. Wait until the VM starts 
3. Verify that is stuck on starting phase and that the virt-launcher is in imagePullBackoff

Actual results:
VM is stuck on starting, virt-launcher fails to pull the virtio-win containerDisk image

Expected results:
Windows VM is successfully created 

Additional info:
Currently we use configmaps/v2v-vmware to let us know the clusters virtio-win image, this configmap is not readable to all.

--- Additional comment from Yaacov Zamir on 2021-11-22 10:54:08 UTC ---

Moving to installation (hyper converged operator)

because HCO installs the local images air gaped environment images, and can put them in a config map that should be readable by project admin (non cluster admin users)

--- Additional comment from Oren Cohen on 2021-12-13 12:36:12 UTC ---

Fixed in version:
hco-bundle-registry-container-v4.10.0-465
hyperconverged-cluster-operator-container-v4.10.0-88 (https://brewweb.engineering.redhat.com/brew/buildinfo?buildID=1824536)

--- Additional comment from Guohua Ouyang on 2021-12-15 03:34:30 UTC ---

Verified the bug with hco-bundle-registry-container-v4.10.0-465 and latest console, create a windows VM by non-admin user is running normally, virtio-win image is using the one in virtio-win config map and is able to pull down.
Comment 1 Guohua Ouyang 2021-12-21 03:36:33 UTC 
verified with CNV-v4.8.4-31
Comment 7 errata-xmlrpc 2022-03-16 15:59:44 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Virtualization 4.10.0 Images security and bug fix update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:0947