Created attachment 1510237
VM definition

Document URL: https://kubevirt.io/user-guide/#/workloads/virtual-machines/disks-and-volumes?id=datavolume-vm-behavior

Section Number and Name: DataVolume VM Behavior

Describe the issue:
I've changed the YAML definition slightly to import cirros instead of alpine (YAML attached). I'm logged in as an unprivileged user (developer) without any cluster-admin or similar roles, but owning a project.

$ oc whoami
developer
$ oc new-project test-dv
Now using project "test-dv" on server ...
$ oc create -f test-dv-from-url.yml # the running field is set to true
virtualmachine.kubevirt.io/vm-cirros-datavolume created
$ oc get events -w
... events about the importing and syncing of the DV seem to be ok ...
0s 0s 1 vm-cirros-datavolume.156bfaf6e3b42be7 VirtualMachineInstance Warning FailedCreate virtualmachine-controller Error creating pod: pods "virt-launcher-vm-cirros-datavolume-" is forbidden: unable to validate against any security context constraint: [provider restricted: .spec.securityContext.seLinuxOptions.level: Invalid value: "": must be s0:c21,c20 provider restricted: .spec.securityContext.seLinuxOptions.type: Invalid value: "spc_t": must be spec.volumes[1]: Invalid value: "hostPath": hostPath volumes are not allowed to be used spec.containers[0].securityContext.securityContext.runAsUser: Invalid value: 0: must be in the ranges: [1000460000, 1000469999] spec.containers[0].securityContext.seLinuxOptions.level: Invalid value: "": must be s0:c21,c20 spec.containers[0].securityContext.seLinuxOptions.type: Invalid value: "spc_t": must be capabilities.add: Invalid value: "NET_ADMIN": capability may not be added capabilities.add: Invalid value: "SYS_NICE": capability may not be added]
0s 0s 2 vm-cirros-datavolume.156bfaf6e3b42be7 VirtualMachineInstance Warning FailedCreate virtualmachine-controller Error creating pod: pods "virt-launcher-vm-cirros-datavolume-" is forbidden: unable to validate against any security context constraint: [provider restricted: .spec.securityContext.seLinuxOptions.level: Invalid value: "": must be s0:c21,c20 provider restricted: .spec.securityContext.seLinuxOptions.type: Invalid value: "spc_t": must be spec.volumes[1]: Invalid value: "hostPath": hostPath volumes are not allowed to be used spec.containers[0].securityContext.securityContext.runAsUser: Invalid value: 0: must be in the ranges: [1000460000, 1000469999] spec.containers[0].securityContext.seLinuxOptions.level: Invalid value: "": must be s0:c21,c20 spec.containers[0].securityContext.seLinuxOptions.type: Invalid value: "spc_t": must be capabilities.add: Invalid value: "NET_ADMIN": capability may not be added capabilities.add: Invalid value: "SYS_NICE": capability may not be added]

This last error repeats several times and the virt-launcher pod is not running, so the VMI is never really created.

$ oc describe vmi | grep -E '(Reason:|Status|Phase)'
Reason: FailedCreate
Status: False
Phase: Pending

After seeing these errors, I deleted the VM object, logged in with a user having cluster-admin, and assigned the privileged SCC to the default SA in the developer's project:

$ oc adm policy add-scc-to-user privileged -z default test-dv

Logged back in as developer, recreated the VM using the same YAML, and the VMI is up and running, with no errors on the events.

$ oc get pods
NAME                                       READY   STATUS    RESTARTS   AGE
virt-launcher-vm-cirros-datavolume-5wm8k   1/1     Running   0          2m

Using virtctl I'm able to connect to the console.

Suggestions for improvement:
I'm not sure what would be the correct way to fix this, but it feels like the documentation is missing some steps to allow users to run VMs using DataVolumes.

Additional information:
The following are the packages I used to set up the environment:

kubevirt-cdi-manifests-1.3.0-4.baac3e8.noarch.rpm
kubevirt-manifests-0.9.6-2.g377460b.4badea0.noarch.rpm
kubevirt-virtctl-0.9.6-2.g377460b.4badea0.x86_64.rpm
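
The FailedCreate message in the report lists every field that the restricted SCC refused. The Python below is an added example, not part of the original report or of KubeVirt: it splits that message into individual denials and groups them by the kind of privilege the virt-launcher pod asked for. The function and constant names are hypothetical; the event text is copied from the report.

```python
import re
from collections import defaultdict

# FailedCreate event message copied from the report above (one occurrence).
EVENT = (
    'Error creating pod: pods "virt-launcher-vm-cirros-datavolume-" is forbidden: '
    'unable to validate against any security context constraint: '
    '[provider restricted: .spec.securityContext.seLinuxOptions.level: Invalid value: "": must be s0:c21,c20 '
    'provider restricted: .spec.securityContext.seLinuxOptions.type: Invalid value: "spc_t": must be '
    'spec.volumes[1]: Invalid value: "hostPath": hostPath volumes are not allowed to be used '
    'spec.containers[0].securityContext.securityContext.runAsUser: Invalid value: 0: '
    'must be in the ranges: [1000460000, 1000469999] '
    'spec.containers[0].securityContext.seLinuxOptions.level: Invalid value: "": must be s0:c21,c20 '
    'spec.containers[0].securityContext.seLinuxOptions.type: Invalid value: "spc_t": must be '
    'capabilities.add: Invalid value: "NET_ADMIN": capability may not be added '
    'capabilities.add: Invalid value: "SYS_NICE": capability may not be added]'
)

# One denial is "<field>: Invalid value: <value>: <reason>"; the reason runs
# until the next denial (optionally prefixed "provider <scc>: ") or the end.
DENIAL = re.compile(
    r'(?P<field>[\w.\[\]]+): Invalid value: (?P<value>"[^"]*"|[^\s:]+): '
    r'(?P<reason>.*?)(?=\s+(?:provider \w+: )?[\w.\[\]]+: Invalid value:|$)'
)

# Field-name suffix (list indices removed) -> privilege kind. Hypothetical labels.
KINDS = (("capabilities.add", "capabilities"), ("volumes", "volume_types"),
         ("runAsUser", "run_as_user"), ("seLinuxOptions.type", "selinux_type"),
         ("seLinuxOptions.level", "selinux_level"))

def parse_scc_denials(message):
    """Return (field, value, reason) for each constraint listed in the event."""
    inner = message[message.index("[") + 1 : message.rindex("]")]
    return [(m["field"].lstrip("."), m["value"].strip('"'), m["reason"].strip())
            for m in DENIAL.finditer(inner)]

def requested_privileges(denials):
    """Group the rejected values by the kind of privilege the pod requested."""
    kinds = defaultdict(set)
    for field, value, _ in denials:
        name = re.sub(r"\[\d+\]", "", field)  # spec.volumes[1] -> spec.volumes
        for suffix, kind in KINDS:
            if name.endswith(suffix):
                kinds[kind].add(value)
    return {kind: sorted(values) for kind, values in kinds.items()}

if __name__ == "__main__":
    for kind, values in requested_privileges(parse_scc_denials(EVENT)).items():
        print(f"{kind}: {values}")
```
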

The doc linked is an upstream doc. Please file an issue upstream instead. I think this is the correct place to file an issue:
https://github.com/kubevirt/kubevirt/issues

Closing bug UPSTREAM.