Bug 1655152 - Creating a VM as documented for DataVolumes fails
Summary: Creating a VM as documented for DataVolumes fails
Keywords:
Status: CLOSED UPSTREAM
Alias: None
Product: Container Native Virtualization (CNV)
Classification: Red Hat
Component: Documentation
Version: 1.3
Hardware: Unspecified
OS: Unspecified
unspecified
medium
Target Milestone: ---
: ---
Assignee: Pan Ousley
QA Contact: Irina Gulina
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2018-11-30 19:01 UTC by Sergi Jimenez Romero
Modified: 2018-11-30 20:15 UTC (History)
2 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-11-30 20:15:02 UTC
Target Upstream Version:


Attachments (Terms of Use)
VM definition (887 bytes, text/plain)
2018-11-30 19:01 UTC, Sergi Jimenez Romero
no flags Details

Description Sergi Jimenez Romero 2018-11-30 19:01:14 UTC
Created attachment 1510237 [details]
VM definition

Document URL: 

https://kubevirt.io/user-guide/#/workloads/virtual-machines/disks-and-volumes?id=datavolume-vm-behavior

Section Number and Name:

DataVolume VM Behavior

Describe the issue:

I've changed the yaml definition slightly to import cirros instead of alpine (yaml attached), I'm logged in as an unprivileged user (developer) without any cluster-admin or similar roles, but owning a project.

$ oc whoami
developer

$ oc new-project test-dv
Now using project "test-dv" on server ...

$ oc create -f test-dv-from-url.yml # the running field is set to true
virtualmachine.kubevirt.io/vm-cirros-datavolume created

$ oc get events -w
... events about the importing and syncing of the DV seem to be ok ...
0s        0s        1         vm-cirros-datavolume.156bfaf6e3b42be7   VirtualMachineInstance             Warning   FailedCreate   virtualmachine-controller   Error creating pod: pods "virt-launcher-vm-cirros-datavolume-" is forbidden: unable to validate against any security context constraint: [provider restricted: .spec.securityContext.seLinuxOptions.level: Invalid value: "": must be s0:c21,c20 provider restricted: .spec.securityContext.seLinuxOptions.type: Invalid value: "spc_t": must be  spec.volumes[1]: Invalid value: "hostPath": hostPath volumes are not allowed to be used spec.containers[0].securityContext.securityContext.runAsUser: Invalid value: 0: must be in the ranges: [1000460000, 1000469999] spec.containers[0].securityContext.seLinuxOptions.level: Invalid value: "": must be s0:c21,c20 spec.containers[0].securityContext.seLinuxOptions.type: Invalid value: "spc_t": must be  capabilities.add: Invalid value: "NET_ADMIN": capability may not be added capabilities.add: Invalid value: "SYS_NICE": capability may not be added]
0s        0s        2         vm-cirros-datavolume.156bfaf6e3b42be7   VirtualMachineInstance             Warning   FailedCreate   virtualmachine-controller   Error creating pod: pods "virt-launcher-vm-cirros-datavolume-" is forbidden: unable to validate against any security context constraint: [provider restricted: .spec.securityContext.seLinuxOptions.level: Invalid value: "": must be s0:c21,c20 provider restricted: .spec.securityContext.seLinuxOptions.type: Invalid value: "spc_t": must be  spec.volumes[1]: Invalid value: "hostPath": hostPath volumes are not allowed to be used spec.containers[0].securityContext.securityContext.runAsUser: Invalid value: 0: must be in the ranges: [1000460000, 1000469999] spec.containers[0].securityContext.seLinuxOptions.level: Invalid value: "": must be s0:c21,c20 spec.containers[0].securityContext.seLinuxOptions.type: Invalid value: "spc_t": must be  capabilities.add: Invalid value: "NET_ADMIN": capability may not be added capabilities.add: Invalid value: "SYS_NICE": capability may not be added]


This last error repeats several times and the virt-launcher pod is not running so the VMI is never really created.

$ oc describe vmi | grep -E '(Reason:|Status|Phase)'
    Reason:                FailedCreate
    Status:                False
  Phase:                   Pending


After seeing these errors, I deleted the VM object, logged in with a user having cluster-admin, assigned the privileged SCC to the default SA in the developer's project:

$ oc adm policy add-scc-to-user privileged -z default test-dv

Logged back in as developer, recreated the VM using the same YAML and the VMI is up and running, with no errors on the events.

$ oc get pods
NAME                                       READY     STATUS    RESTARTS   AGE
virt-launcher-vm-cirros-datavolume-5wm8k   1/1       Running   0          2m

Using virtctl I'm able to connect to the console.

Suggestions for improvement: 

I'm not sure what would be the correct way to fix this but feels like the documentation is missing some steps to allow users to run VMs using DataVolumes.

Additional information: 

The following are the packages I used to set up the environment:

kubevirt-cdi-manifests-1.3.0-4.baac3e8.noarch.rpm
kubevirt-manifests-0.9.6-2.g377460b.4badea0.noarch.rpm
kubevirt-virtctl-0.9.6-2.g377460b.4badea0.x86_64.rpm

Comment 1 Pan Ousley 2018-11-30 20:15:02 UTC
The doc linked is an upstream doc. Please file an issue upstream instead. 

I think this is the correct place to file an issue: https://github.com/kubevirt/kubevirt/issues

Closing bug UPSTREAM.


Note You need to log in before you can comment on or make changes to this bug.