Bug 2175171

Summary: Internal workaround for nonRoot->Root FG on Kubevirt
Product: Container Native Virtualization (CNV)
Reporter: Simone Tiraboschi <stirabos>
Component: Installation
Assignee: Simone Tiraboschi <stirabos>
Status: CLOSED ERRATA
QA Contact: Debarati Basu-Nag <dbasunag>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 4.13.0
CC: akrgupta, dbasunag, kbidarka, kmajcher, lpivarc, ngavrilo, stirabos
Target Milestone: ---
Target Release: 4.13.0
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: hco-bundle-registry-container-v4.13.0.rhel9-1701
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: 2174859
Environment:
Last Closed: 2023-05-18 02:57:59 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 2174859

Comment 1 Debarati Basu-Nag 2023-03-27 18:44:51 UTC
Verified with CNV-v4.13.0.rhel9-1836:
[cloud-user@ocp-ipi-executor-xl must-gather-vm-2-1679941614-426225]$ oc get hyperconverged kubevirt-hyperconverged -n openshift-cnv -o json | jq ".spec.featureGates"
{
  "deployKubeSecondaryDNS": false,
  "deployTektonTaskResources": false,
  "enableCommonBootImageImport": true,
  "nonRoot": true,
  "withHostPassthroughCPU": false
}
[cloud-user@ocp-ipi-executor-xl must-gather-vm-2-1679941614-426225]$ 

I don't see root: false

Comment 2 Simone Tiraboschi 2023-03-28 09:34:55 UTC
The idea was exactly to keep nonRoot (with a default of True) on the HCO CR, to avoid introducing a user visible change on APIs so late in the game, internally translating it to Root on the kubevirt CR (with negated semantics).

Comment 3 Akriti Gupta 2023-03-28 10:55:02 UTC
I checked on v4.13.0.rhel9-1808

Setting nonRoot: false in the HCO CR and checking if the virt-launcher pod is root; we also see the Root feature gate in the KV CR.
[akriti@fedora cnv-tests]$ oc get hyperconverged kubevirt-hyperconverged -n openshift-cnv -o yaml | grep -A 8 "featureGates"
  featureGates:
    deployKubeSecondaryDNS: false
    deployTektonTaskResources: false
    enableCommonBootImageImport: true
    nonRoot: false
    withHostPassthroughCPU: false

[akriti@fedora cnv-tests]$ oc -n test-bugs get pods virt-launcher-example-f284x -o json | jq .spec.securityContext.runAsUser
0

[akriti@fedora cnv-tests]$ oc get kubevirt kubevirt-kubevirt-hyperconverged -n openshift-cnv -o yaml | grep -A 20 "featureGates"
      featureGates:
      - DataVolumes
      - SRIOV
      - CPUManager
      - CPUNodeDiscovery
      - Snapshot
      - HotplugVolumes
      - ExpandDisks
      - GPU
      - HostDevices
      - DownwardMetrics
      - NUMA
      - VMExport
      - DisableCustomSELinuxPolicy
      - KubevirtSeccompProfile
      - WithHostModelCPU
      - HypervStrictCheck
      - Root

virt-launcher is now running as root, which implies we can configure the Root feature gate by setting nonRoot: false in the HCO CR.

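The checks run by hand in comments 1 and 3 (compare the HCO `nonRoot` gate with the KubeVirt `Root` gate, then confirm the virt-launcher UID) can be scripted over the captured JSON. The following is an added example, not code from the bug report or from the HCO/KubeVirt projects: it encodes the negated mapping described in comment 2 (nonRoot defaults to True; Root must be present on the KubeVirt CR exactly when nonRoot is False) and flags mismatches. The sample inputs are constructed from the captures quoted above; the function names and the decision to treat an unset `runAsUser` as a failure in the non-root case are this example's own assumptions.

```python
"""Consistency check for the HCO "nonRoot" gate and the KubeVirt "Root" gate.

Added example, not code from the bug report or from HCO/KubeVirt. It models
the mapping described in the comments:

  HCO spec.featureGates.nonRoot == true (default) -> "Root" absent from
                                                     KubeVirt featureGates
  HCO spec.featureGates.nonRoot == false          -> "Root" present

and, when a virt-launcher pod's securityContext is supplied, that runAsUser
agrees with it. Inputs are the fragments an operator would capture with
`oc get ... -o json`; the samples are constructed from comments 1 and 3.
"""
import json

# Constructed sample capture: HCO featureGates with nonRoot at its default.
HCO_FG_NONROOT_TRUE = json.loads("""
{
  "deployKubeSecondaryDNS": false,
  "deployTektonTaskResources": false,
  "enableCommonBootImageImport": true,
  "nonRoot": true,
  "withHostPassthroughCPU": false
}
""")

# Constructed sample capture: the same gates after setting nonRoot: false.
HCO_FG_NONROOT_FALSE = dict(HCO_FG_NONROOT_TRUE, nonRoot=False)

# Constructed sample capture: KubeVirt featureGates list as rendered by HCO.
KUBEVIRT_FG_WITH_ROOT = [
    "DataVolumes", "SRIOV", "CPUManager", "CPUNodeDiscovery", "Snapshot",
    "HotplugVolumes", "ExpandDisks", "GPU", "HostDevices", "DownwardMetrics",
    "NUMA", "VMExport", "DisableCustomSELinuxPolicy", "KubevirtSeccompProfile",
    "WithHostModelCPU", "HypervStrictCheck", "Root",
]
KUBEVIRT_FG_WITHOUT_ROOT = [fg for fg in KUBEVIRT_FG_WITH_ROOT if fg != "Root"]


def kubevirt_root_expected(hco_feature_gates):
    """Return True when the KubeVirt CR should carry the Root gate.

    nonRoot defaults to True when unset (comment 2), so a missing key means
    the launcher must stay non-root and Root must be absent.
    """
    return not bool(hco_feature_gates.get("nonRoot", True))


def check_feature_gate_mapping(hco_feature_gates, kubevirt_feature_gates):
    """Compare the HCO gate with the KubeVirt gate list; return (ok, message)."""
    non_root = hco_feature_gates.get("nonRoot", True)
    expected = kubevirt_root_expected(hco_feature_gates)
    actual = "Root" in kubevirt_feature_gates
    state = "present" if actual else "absent"
    if expected == actual:
        return True, "consistent: nonRoot=%s, Root %s on the KubeVirt CR" % (non_root, state)
    return False, "MISMATCH: nonRoot=%s but Root is %s on the KubeVirt CR" % (non_root, state)


def check_launcher_user(hco_feature_gates, pod_security_context):
    """Check a virt-launcher pod's securityContext.runAsUser against the gate.

    Root expected     -> runAsUser must be 0 (the value shown in comment 3).
    Root not expected -> runAsUser must be set and non-zero. Treating an
    unset value as a failure is this example's conservative assumption:
    the UID would then come from the image, not from the pod spec.
    """
    run_as_user = pod_security_context.get("runAsUser")
    if kubevirt_root_expected(hco_feature_gates):
        ok = run_as_user == 0
    else:
        ok = run_as_user is not None and run_as_user != 0
    return ok, "runAsUser=%r (%s)" % (run_as_user, "ok" if ok else "unexpected")


def audit(hco_feature_gates, kubevirt_feature_gates, pod_security_context=None):
    """Run both checks, print each verdict, and return True only if all passed."""
    results = [check_feature_gate_mapping(hco_feature_gates, kubevirt_feature_gates)]
    if pod_security_context is not None:
        results.append(check_launcher_user(hco_feature_gates, pod_security_context))
    for ok, message in results:
        print(("PASS " if ok else "FAIL ") + message)
    return all(ok for ok, _ in results)


if __name__ == "__main__":
    # Scenario from comment 1: default nonRoot, so no Root gate is expected.
    audit(HCO_FG_NONROOT_TRUE, KUBEVIRT_FG_WITHOUT_ROOT)
    # Scenario from comment 3: nonRoot: false, so Root and uid 0 are expected.
    audit(HCO_FG_NONROOT_FALSE, KUBEVIRT_FG_WITH_ROOT, {"runAsUser": 0})
```

In practice the three inputs come from `oc get hyperconverged ... -o json | jq .spec.featureGates`, `oc get kubevirt ... -o json | jq .spec.configuration.developerConfiguration.featureGates` and `oc get pod <virt-launcher> -o json | jq .spec.securityContext`; the last two jq paths are this example's assumption about where those fields live and should be confirmed against the cluster.
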
Comment 4 Akriti Gupta 2023-03-30 07:18:49 UTC
Based on comment 3, marking it verified.

Comment 6 errata-xmlrpc 2023-05-18 02:57:59 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Virtualization 4.13.0 Images security, bug fix, and enhancement update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2023:3205