Description of problem:
Running 'virtctl guestfs' currently requires permission to run pods with uid 0, while the libguestfs tools typically don't need to be run as root.

Version-Release number of selected component (if applicable):
% virtctl version
Client Version: version.Info{GitVersion:"v0.49.0-119-gb7f0c6b53", GitCommit:"b7f0c6b535a00e01f4833d8746f2f9be527208f3", GitTreeState:"clean", BuildDate:"2022-04-01T07:23:21Z", GoVersion:"go1.16.12", Compiler:"gc", Platform:"darwin/amd64"}
Server Version: version.Info{GitVersion:"v0.49.0-119-gb7f0c6b53", GitCommit:"b7f0c6b535a00e01f4833d8746f2f9be527208f3", GitTreeState:"clean", BuildDate:"2022-04-01T07:24:56Z", GoVersion:"go1.16.12", Compiler:"gc", Platform:"linux/amd64"}

How reproducible:
Always

Steps to Reproduce:
1. Identify the PVC to attach to the libguestfs-tools pod
2. Run virtctl guestfs
% virtctl guestfs --image quay.io/openshift-cnv/container-native-virtualization-libguestfs-tools@sha256:591e6d1e817bbd42b80f24b1ff9863533acc00fa6032c8abcbc38b9bb9e964ae rhel8-lovely-python-rootdisk-wtxhu

Actual results:
Use image: quay.io/openshift-cnv/container-native-virtualization-libguestfs-tools@sha256:591e6d1e817bbd42b80f24b1ff9863533acc00fa6032c8abcbc38b9bb9e964ae
The PVC has been mounted at /disk
pods "libguestfs-tools-rhel8-lovely-python-rootdisk-wtxhu" is forbidden: unable to validate against any security context constraint: [provider "anyuid": Forbidden: not usable by user or serviceaccount, provider "pipelines-scc": Forbidden: not usable by user or serviceaccount, provider "containerized-data-importer": Forbidden: not usable by user or serviceaccount, spec.containers[0].securityContext.runAsUser: Invalid value: 0: must be in the ranges: [1002250000, 1002259999], provider "nonroot": Forbidden: not usable by user or serviceaccount, provider "noobaa": Forbidden: not usable by user or serviceaccount, provider "noobaa-endpoint": Forbidden: not usable by user or serviceaccount, provider "hostmount-anyuid": Forbidden: not usable by user or serviceaccount, provider "kubevirt-controller": Forbidden: not usable by user or serviceaccount, provider "bridge-marker": Forbidden: not usable by user or serviceaccount, provider "machine-api-termination-handler": Forbidden: not usable by user or serviceaccount, provider "hostnetwork": Forbidden: not usable by user or serviceaccount, provider "hostaccess": Forbidden: not usable by user or serviceaccount, provider "nfd-worker": Forbidden: not usable by user or serviceaccount, provider "linux-bridge": Forbidden: not usable by user or serviceaccount, provider "nmstate": Forbidden: not usable by user or serviceaccount, provider "ovs-cni-marker": Forbidden: not usable by user or serviceaccount, provider "kubevirt-handler": Forbidden: not usable by user or serviceaccount, provider "rook-ceph": Forbidden: not usable by user or serviceaccount, provider "node-exporter": Forbidden: not usable by user or serviceaccount, provider "privileged": Forbidden: not usable by user or serviceaccount, provider "rook-ceph-csi": Forbidden: not usable by user or serviceaccount, provider "trident": Forbidden: not usable by user or serviceaccount]

Expected results:
User should be able to execute 'virtctl guestfs' without requiring permission to run pods with uid 0.
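The only SCC the unprivileged user could match in the error above is the default "restricted" one, whose runAsUser strategy (MustRunAsRange) takes its allowed uid range from the namespace's openshift.io/sa.scc.uid-range annotation; a pod that pins runAsUser to 0 is rejected, while one that leaves it unset is mutated to the start of the range and admitted. The following is an added example, not KubeVirt or OpenShift code, that models exactly that check so the two pod shapes can be compared offline. The annotation name and its "<start>/<size>" format are real OpenShift conventions; the namespace annotation value, the guestfs_pod() layout and the image name are constructed for illustration and do not reproduce virtctl's actual pod template.

```python
from typing import Optional, Tuple

# Real OpenShift annotation name; the value below is constructed so that the
# range matches the one quoted in the SCC error above.
UID_RANGE_ANNOTATION = "openshift.io/sa.scc.uid-range"
NAMESPACE_ANNOTATIONS = {UID_RANGE_ANNOTATION: "1002250000/10000"}


def uid_range_from_annotation(value: str) -> Tuple[int, int]:
    """Parse '<start>/<size>' into an inclusive (min, max) uid pair."""
    start_s, size_s = value.split("/", 1)
    start, size = int(start_s), int(size_s)
    if start < 0 or size <= 0:
        raise ValueError(f"malformed uid range annotation: {value!r}")
    return start, start + size - 1


def admit_run_as_user(pod: dict, ns_annotations: dict) -> Optional[str]:
    """Model of the restricted SCC's MustRunAsRange check.

    Returns None when the pod is admitted (containers without an explicit
    runAsUser are mutated to the range start, as the real admission plugin
    does), otherwise an error string shaped like the one in the bug report.
    """
    lo, hi = uid_range_from_annotation(ns_annotations[UID_RANGE_ANNOTATION])
    pod_sc = pod["spec"].get("securityContext", {})
    for i, container in enumerate(pod["spec"]["containers"]):
        c_sc = container.setdefault("securityContext", {})
        # Container-level runAsUser overrides the pod-level default.
        uid = c_sc.get("runAsUser", pod_sc.get("runAsUser"))
        if uid is None:
            c_sc["runAsUser"] = lo  # defaulted into the namespace range
            continue
        if not lo <= uid <= hi:
            return (f"spec.containers[{i}].securityContext.runAsUser: "
                    f"Invalid value: {uid}: must be in the ranges: [{lo}, {hi}]")
    return None


def guestfs_pod(pvc: str, image: str, root: bool) -> dict:
    """Constructed minimal pod in the spirit of the libguestfs-tools pod.

    root=True pins uid/gid 0 (the pre-fix behaviour); root=False only asks
    for runAsNonRoot and lets the SCC choose the uid (the fixed behaviour).
    """
    sc = {"runAsUser": 0, "runAsGroup": 0} if root else {"runAsNonRoot": True}
    return {
        "metadata": {"name": f"libguestfs-tools-{pvc}"},
        "spec": {
            "securityContext": sc,
            "containers": [{
                "name": "libguestfs",
                "image": image,
                "volumeMounts": [{"name": "disk", "mountPath": "/disk"}],
            }],
            "volumes": [{"name": "disk",
                         "persistentVolumeClaim": {"claimName": pvc}}],
        },
    }


if __name__ == "__main__":
    image = "example.invalid/libguestfs-tools:test"  # constructed
    for root in (True, False):
        pod = guestfs_pod("my-data-volume", image, root=root)
        err = admit_run_as_user(pod, NAMESPACE_ANNOTATIONS)
        print(f"root={root}: {err or 'admitted as uid ' + str(pod['spec']['containers'][0]['securityContext']['runAsUser'])}")
```

The model makes the trade-off behind the fix explicit: dropping the hard-coded uid 0 lets the pod land in the namespace's arbitrary uid range, so the image must be usable by a non-root user (writable appliance directory, no setuid requirement). Anything that genuinely needs uid 0 still has to be granted an SCC that permits it, such as anyuid, to the service account creating the pod; the restricted SCC will reject it regardless of how the pod spec is phrased.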
I published the PR [1]; this removed the requirement of running the libguestfs-tools pod as uid/gid 0.

[1] https://github.com/kubevirt/kubevirt/pull/7594
Updated bug status to reflect work being done on it.
Alice, do you have any updates for the PR?
I'm waiting for the PR to be merged, I pinged David yesterday
I have tested this defect using 10.3-3 and it succeeds as the admin user but fails when running it as the unprivileged user:

Tested with the following code:
----------------------------------
oc version
Client Version: 4.10.0-202206211856.p0.g45460a5.assembly.stream-45460a5
Server Version: 4.10.20
Kubernetes Version: v1.23.5+3afdacb

oc get csv -n openshift-cnv
NAME                                       DISPLAY                    VERSION   REPLACES                                   PHASE
kubevirt-hyperconverged-operator.v4.10.3   OpenShift Virtualization   4.10.3    kubevirt-hyperconverged-operator.v4.10.2   Succeeded

Tested with the following scenario:
-----------------------------------
1. Create dv my-data-volume
2. Run 'virtctl guestfs my-data-volume' as admin user >>>>> successfully completes
3. Login as unprivileged user
4. Run 'virtctl guestfs my-data-volume' as unprivileged user >>>>> fails with error.

virtctl guestfs my-data-volume
Use image: registry.redhat.io/container-native-virtualization/libguestfs-tools@sha256:bbf228f3ae191c48ed324bf2c81a3501cef75ac3883bc5ef5f6afba293619f6a
pods is forbidden: User "unprivileged-user" cannot list resource "pods" in API group "" in the namespace "openshift-virtualization-os-images"

Additional information:
-------------------------
oc whoami
unprivileged-user

[cnv-qe-jenkins@localhost ~]$ oc get dv
NAME                          PHASE       PROGRESS   RESTARTS   AGE
centos-stream8-178796a2fbe3   Succeeded   100.0%                22h
centos-stream9-4993d660c60b   Succeeded   100.0%                22h
centos7-680e9b4e0fba          Succeeded   100.0%                22h
fedora-3b3fc310abea           Succeeded   100.0%                22h
my-data-volume                Succeeded   100.0%                5m53s
rhel8-d8b84352ee28            Succeeded   100.0%                22h
rhel9-e04dfadb2d71            Succeeded   100.0%                22h

virtctl guestfs --help
Create a pod with libguestfs-tools, mount the pvc and attach a shell to it.
The pvc is mounted under the /disks directory inside the pod for filesystem-based pvcs, or as /dev/vda for block-based pvcs

Usage:
  virtctl guestfs [flags]

Examples:
  # Create a pod with libguestfs-tools, mount the pvc and attach a shell to it:
  virtctl guestfs <pvc-name>

Flags:
  -h, --help                 help for guestfs
      --image string         libguestfs-tools container image
      --kvm                  Use kvm for the libguestfs-tools container (default true)
      --pull-policy string   pull policy for the libguestfs image (default "IfNotPresent")
      --root                 Set uid 0 for the libguestfs-tool container   ######## This is an indication that the fix is in this version ######

Use "virtctl options" for a list of global command-line options (applies to all commands).
Hi Kevin, I think you don't have the right permission to get and create pods with that user (maybe you are in the wrong namespace?). As a quick test, just try to start a VMI. This is independent of the bug reported.
Verified with the following code:
-------------------------------------
oc version
Client Version: 4.10.0-202206211856.p0.g45460a5.assembly.stream-45460a5
Kubernetes Version: v1.23.5+3afdacb

oc get csv -n openshift-cnv
NAME                                       DISPLAY                    VERSION   REPLACES                                   PHASE
kubevirt-hyperconverged-operator.v4.10.3   OpenShift Virtualization   4.10.3    kubevirt-hyperconverged-operator.v4.10.2   Succeeded

Verified with the following scenario:
-------------------------------------
1. Create dv my-data-volume
2. Login as unprivileged user
3. Run 'virtctl guestfs my-data-volume' as unprivileged user >>>>> successful

Moving to verified!

Additional information:
------------------------------------
oc login https://api.stg10-kevin.cnv-qe.rhcloud.com:6443 -u unprivileged-user -p unprivileged-password
Login successful.

You have access to the following projects and can switch between them with 'oc project <projectname>':

    openshift-virtualization-os-images
    test-libguestfs
-----------------
oc create -f dv-guestfs.yaml
datavolume.cdi.kubevirt.io/my-data-volume created
-----------------
oc get dv -w
NAME                  PHASE       PROGRESS   RESTARTS   AGE
guestfs-dv-cnv-6566   Succeeded   100.0%                152m
my-data-volume        Succeeded   100.0%                45s
-----------------
virtctl guestfs my-data-volume
Use image: registry.redhat.io/container-native-virtualization/libguestfs-tools@sha256:613a36a5d70c2a2b85718b139a82e611f671d185423bee790b850413da90f05c
The PVC has been mounted at /dev/vda
Waiting for container libguestfs still in pending, reason: ContainerCreating, message:
Waiting for container libguestfs still in pending, reason: ContainerCreating, message:
If you don't see a command prompt, try pressing enter.
+ touch /usr/local/lib/guestfs/appliance/done
+ /bin/bash
bash-4.4$ lsblk
NAME        MAJ:MIN RM   SIZE RO TYPE MOUNTPOINT
loop0         7:0    0   150G  0 loop
loop1         7:1    0   150G  0 loop
loop2         7:2    0     3G  0 loop
loop3         7:3    0   500M  0 loop
rbd0        251:0    0     3G  0 disk
|-rbd0p1    251:1    0    35M  0 part
`-rbd0p15   251:15   0     8M  0 part
rbd1        251:16   0   500M  0 disk
|-rbd1p1    251:17   0    35M  0 part
`-rbd1p15   251:31   0     8M  0 part
vda         252:0    0   230G  0 disk
|-vda1      252:1    0     1M  0 part
|-vda2      252:2    0   127M  0 part
|-vda3      252:3    0   384M  0 part
`-vda4      252:4    0 229.5G  0 part /usr/local/lib/guestfs/appliance
vdb         252:16   0   150G  0 disk
vdc         252:32   0   150G  0 disk
bash-4.4$
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (OpenShift Virtualization 4.10.3 Images), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHEA-2022:5675