Description of problem: Subsequent to the stable branch for CNV 2.2.0 being created, an SELinux issue affecting SRIOV was noted and fixed: https://github.com/kubevirt/kubevirt/issues/2887 with the PR here: https://github.com/kubevirt/kubevirt/issues/2887. This was never backported. Without this, SRIOV devices cannot be allocated in VMIs when using SELinux.
Correct URL to PR is: https://github.com/kubevirt/kubevirt/issues/2888
Moving this back to assigned, as the current patch does not address the issue on RHCOS.
These two PRs enable a workaround for this: https://github.com/kubevirt/kubevirt/pull/3056 https://github.com/kubevirt/hyperconverged-cluster-operator/pull/445
To verify: ensure virt-launcher pod runs as spc_t when deployed via HCO
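One way to script the check from the comment above, as an added example that is not from this bug thread or from the KubeVirt project: it reads `ps -eZ`-style lines and reports any virt-launcher process whose SELinux type is not the expected one. The function names are hypothetical, the sample lines (PIDs, MCS categories) are constructed, and it assumes the check runs where the virt-launcher process is visible to `ps`.

```shell
#!/bin/sh
# Extract the type field from an SELinux context (user:role:type:level).
# The level can itself contain colons (s0:c12,c34), so take field 3 only.
selinux_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Read `ps -eZ` style lines (LABEL PID TTY TIME CMD) on stdin and print the
# PID and type of every virt-launcher process not running as the wanted type.
# Returns 0 when all match, 1 on a mismatch, 2 when no virt-launcher was seen.
check_launcher_type() {
    want=$1
    seen=0
    bad=0
    while read -r label pid _tty _time cmd; do
        [ "$cmd" = "virt-launcher" ] || continue
        seen=1
        got=$(selinux_type "$label")
        if [ "$got" != "$want" ]; then
            printf 'pid %s runs as %s, expected %s\n' "$pid" "$got" "$want"
            bad=1
        fi
    done
    [ "$seen" -eq 1 ] || return 2
    return "$bad"
}

# Constructed sample input: launcher running as spc_t (the expected state).
SAMPLE_OK='LABEL PID TTY TIME CMD
system_u:system_r:spc_t:s0 4211 ? 00:00:01 virt-launcher
system_u:system_r:container_t:s0:c12,c34 4300 ? 00:00:00 sleep'

# Constructed sample input: launcher still confined as container_t.
SAMPLE_BAD='LABEL PID TTY TIME CMD
system_u:system_r:container_t:s0:c5,c9 5120 ? 00:00:01 virt-launcher'

# Demo on the constructed samples; on a real host use: ps -eZ | check_launcher_type spc_t
printf '%s\n' "$SAMPLE_OK" | check_launcher_type spc_t && echo "sample OK: spc_t"
printf '%s\n' "$SAMPLE_BAD" | check_launcher_type spc_t || echo "sample BAD: exit status $?"
```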
Stu, this bug has patches fixing it. Are they in 2.2.0?
No, they are not.
This should be fixed now. We can verify it as soon as we have an SR-IOV cluster set up.
We don't have an available SR-IOV cluster for now; will verify the bug once we get the SR-IOV cluster.
Tested on OCP4.4 CNV2.3
Client Version: 4.4.3
Server Version: 4.4.0-rc.13
Kubernetes Version: v1.17.1
SR-IOV network can be attached to the VM; didn't see any SELinux permission error in virt-launcher when SELinux is enabled.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2020:3194