+++ This bug was initially created as a clone of Bug #2076616 +++

Description of problem:
Running 'virtctl guestfs' currently requires permission to run pods with uid 0, while the libguestfs tools typically do not require being run as root.

Version-Release number of selected component (if applicable):
% virtctl version
Client Version: version.Info{GitVersion:"v0.49.0-119-gb7f0c6b53", GitCommit:"b7f0c6b535a00e01f4833d8746f2f9be527208f3", GitTreeState:"clean", BuildDate:"2022-04-01T07:23:21Z", GoVersion:"go1.16.12", Compiler:"gc", Platform:"darwin/amd64"}
Server Version: version.Info{GitVersion:"v0.49.0-119-gb7f0c6b53", GitCommit:"b7f0c6b535a00e01f4833d8746f2f9be527208f3", GitTreeState:"clean", BuildDate:"2022-04-01T07:24:56Z", GoVersion:"go1.16.12", Compiler:"gc", Platform:"linux/amd64"}

How reproducible:
Always

Steps to Reproduce:
1. Identify the PVC to attach to the libguestfs-tools pod
2. Run virtctl guestfs:
% virtctl guestfs --image quay.io/openshift-cnv/container-native-virtualization-libguestfs-tools@sha256:591e6d1e817bbd42b80f24b1ff9863533acc00fa6032c8abcbc38b9bb9e964ae rhel8-lovely-python-rootdisk-wtxhu

Actual results:
Use image: quay.io/openshift-cnv/container-native-virtualization-libguestfs-tools@sha256:591e6d1e817bbd42b80f24b1ff9863533acc00fa6032c8abcbc38b9bb9e964ae
The PVC has been mounted at /disk
pods "libguestfs-tools-rhel8-lovely-python-rootdisk-wtxhu" is forbidden: unable to validate against any security context constraint: [
  provider "anyuid": Forbidden: not usable by user or serviceaccount,
  provider "pipelines-scc": Forbidden: not usable by user or serviceaccount,
  provider "containerized-data-importer": Forbidden: not usable by user or serviceaccount,
  spec.containers[0].securityContext.runAsUser: Invalid value: 0: must be in the ranges: [1002250000, 1002259999],
  provider "nonroot": Forbidden: not usable by user or serviceaccount,
  provider "noobaa": Forbidden: not usable by user or serviceaccount,
  provider "noobaa-endpoint": Forbidden: not usable by user or serviceaccount,
  provider "hostmount-anyuid": Forbidden: not usable by user or serviceaccount,
  provider "kubevirt-controller": Forbidden: not usable by user or serviceaccount,
  provider "bridge-marker": Forbidden: not usable by user or serviceaccount,
  provider "machine-api-termination-handler": Forbidden: not usable by user or serviceaccount,
  provider "hostnetwork": Forbidden: not usable by user or serviceaccount,
  provider "hostaccess": Forbidden: not usable by user or serviceaccount,
  provider "nfd-worker": Forbidden: not usable by user or serviceaccount,
  provider "linux-bridge": Forbidden: not usable by user or serviceaccount,
  provider "nmstate": Forbidden: not usable by user or serviceaccount,
  provider "ovs-cni-marker": Forbidden: not usable by user or serviceaccount,
  provider "kubevirt-handler": Forbidden: not usable by user or serviceaccount,
  provider "rook-ceph": Forbidden: not usable by user or serviceaccount,
  provider "node-exporter": Forbidden: not usable by user or serviceaccount,
  provider "privileged": Forbidden: not usable by user or serviceaccount,
  provider "rook-ceph-csi": Forbidden: not usable by user or serviceaccount,
  provider "trident": Forbidden: not usable by user or serviceaccount]

Expected results:
User should be able to execute 'virtctl guestfs' without requiring permission to run pods with uid 0.
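The SCC range check behind the "runAsUser: Invalid value: 0" error above, as an added example that is neither KubeVirt's nor OpenShift's code: the container types are minimal stand-ins for the Kubernetes API, the uid window is taken from the page's error message, and the rule that an unset runAsUser is filled in from the start of the range is the MustRunAsRange behaviour the restricted SCC applies. It shows why a pod pinned to uid 0 is rejected for an unprivileged user while the same pod with no explicit uid is admitted.

```go
package main

import "fmt"

// SecurityContext is the subset of a container securityContext the check looks at.
type SecurityContext struct {
	RunAsUser *int64 // nil means "not set": the SCC is free to assign a uid
}

// Container is a minimal stand-in for corev1.Container.
type Container struct {
	Name            string
	SecurityContext SecurityContext
}

// UIDRange is the MustRunAsRange window an SCC enforces for a namespace
// (constructed here from the error on the page: 1002250000-1002259999).
type UIDRange struct{ Min, Max int64 }

func (r UIDRange) Contains(uid int64) bool { return uid >= r.Min && uid <= r.Max }

// ValidateRunAsUser mimics the restricted SCC's MustRunAsRange strategy:
// an unset runAsUser is accepted (the SCC mutates it later), an explicit uid
// must lie inside the range. One error string per offending container, in the
// same shape as the admission error quoted in the bug.
func ValidateRunAsUser(containers []Container, r UIDRange) []string {
	var errs []string
	for i, c := range containers {
		uid := c.SecurityContext.RunAsUser
		if uid == nil || r.Contains(*uid) {
			continue
		}
		errs = append(errs, fmt.Sprintf(
			"spec.containers[%d].securityContext.runAsUser: Invalid value: %d: must be in the ranges: [%d, %d]",
			i, *uid, r.Min, r.Max))
	}
	return errs
}

// EffectiveUID is the uid the container ends up with after SCC mutation:
// the explicit value if set, otherwise the first uid of the range.
func EffectiveUID(c Container, r UIDRange) int64 {
	if c.SecurityContext.RunAsUser != nil {
		return *c.SecurityContext.RunAsUser
	}
	return r.Min
}

func main() {
	r := UIDRange{Min: 1002250000, Max: 1002259999}
	root := int64(0)
	pinned := []Container{{Name: "libguestfs-tools", SecurityContext: SecurityContext{RunAsUser: &root}}}
	unpinned := []Container{{Name: "libguestfs-tools"}}
	fmt.Println(ValidateRunAsUser(pinned, r))                              // rejected, as in the bug
	fmt.Println(ValidateRunAsUser(unpinned, r), EffectiveUID(unpinned[0], r)) // admitted, runs as 1002250000
}
```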
--- Additional comment from Vagner Farias on 2022-04-19 13:55:11 UTC ---

Discussion on Google Chat room: https://chat.google.com/room/AAAAgKto59A/bPZX57WGQ9s

--- Additional comment from Alice Frosi on 2022-04-20 08:07:25 UTC ---

I published the PR [1], which removes the requirement of running the libguestfs-tools pod as uid/gid 0.

[1] https://github.com/kubevirt/kubevirt/pull/7594

--- Additional comment from Alice Frosi on 2022-04-20 09:56:12 UTC ---

Once we have the PR merged, we also need to adjust the downstream dockerfile for 4.11 and backport the fix to 4.10.

--- Additional comment from Maya Rashish on 2022-04-24 10:40:18 UTC ---

Updated bug status to reflect work being done on it.

--- Additional comment from Yan Du on 2022-05-25 12:09:54 UTC ---

Alice, do you have any updates for the PR?

--- Additional comment from Alice Frosi on 2022-05-25 12:14:27 UTC ---

I'm waiting for the PR to be merged; I pinged David yesterday.

--- Additional comment from Alice Frosi on 2022-05-25 12:18:38 UTC ---

Yan, once the upstream PR is merged we need to backport the change to 4.10 together with this fix for the downstream build image [2].

[2] https://gitlab.cee.redhat.com/cpaas-midstream/openshift-virtualization/kubevirt/-/merge_requests/77

--- Additional comment from Alice Frosi on 2022-06-15 07:46:16 UTC ---

I want to give an update on this bugzilla. The needed upstream and downstream PRs for 4.11 and 4.12 have been merged. The last missing cherry-pick for 4.10 is still open (I hope we can get it merged this week): https://github.com/kubevirt/kubevirt/pull/7896

Once the last PR is merged, we can verify the BZ with the new builds again.
Verified with the following code:
------------------------------------------
oc version
Client Version: 4.11.0-202207072008.p0.gf17f1aa.assembly.stream-f17f1aa
Kustomize Version: v4.5.4
Server Version: 4.11.0-rc.1
Kubernetes Version: v1.24.0+2dd8bb1

oc get csv -n openshift-cnv
NAME                                       DISPLAY                    VERSION   REPLACES                                   PHASE
kubevirt-hyperconverged-operator.v4.11.0   OpenShift Virtualization   4.11.0    kubevirt-hyperconverged-operator.v4.10.2   Succeeded

Verified with the following scenario:
-----------------------------------------
oc whoami
unprivileged-user

oc create -f vm-alice.yaml
virtualmachine.kubevirt.io/vm-cirros-datavolume-alice created

oc get dv -w
NAME                  PHASE              PROGRESS   RESTARTS   AGE
cirros-dv-alice       ImportInProgress   N/A                   9s
guestfs-dv-cnv-6566   Succeeded          100.0%                4m24s
cirros-dv-alice       Succeeded          100.0%                9s

oc get vm
NAME                         AGE   STATUS    READY
vm-cirros-datavolume-alice   17s   Stopped   False

oc get pvc
NAME                  STATUS   VOLUME                                     CAPACITY   ACCESS MODES   STORAGECLASS                  AGE
cirros-dv-alice       Bound    nfs-pv-03                                  5Gi        RWO,RWX        nfs                           83s
guestfs-dv-cnv-6566   Bound    pvc-379049ee-1e51-4f7d-bb26-dbf5fc202e18   1Gi        RWX            ocs-storagecluster-ceph-rbd   5m38s

virtctl guestfs cirros-dv-alice
Use image: registry.redhat.io/container-native-virtualization/libguestfs-tools@sha256:468675ed096bf4888d42e034a72575bf713490a19f941f5c9d7510f30afefd3b
The PVC has been mounted at /disk
If you don't see a command prompt, try pressing enter.
+ touch /usr/local/lib/guestfs/appliance/done
+ /bin/bash
bash-4.4$ lsblk
NAME        MAJ:MIN RM   SIZE RO TYPE MOUNTPOINT
loop0         7:0    0    70G  0 loop
loop1         7:1    0    70G  0 loop
loop2         7:2    0     1G  0 loop
rbd0        251:0    0     1G  0 disk
|-rbd0p1    251:1    0    35M  0 part
`-rbd0p15   251:15   0     8M  0 part
vda         252:0    0   150G  0 disk
|-vda1      252:1    0     1M  0 part
|-vda2      252:2    0   127M  0 part
|-vda3      252:3    0   384M  0 part
`-vda4      252:4    0 149.5G  0 part /usr/local/lib/guestfs/appliance
vdb         252:16   0    70G  0 disk
vdc         252:32   0    70G  0 disk

Moving to VERIFIED!
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (Important: OpenShift Virtualization 4.11.0 Images security and bug fix update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:6526