Bug 2097328 - virtctl guestfs shouldn't require uid = 0
Summary: virtctl guestfs shouldn't require uid = 0
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Container Native Virtualization (CNV)
Classification: Red Hat
Component: Storage
Version: 4.11.0
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: unspecified
Target Milestone: ---
Target Release: 4.11.0
Assignee: Alice Frosi
QA Contact: Kevin Alon Goldblatt
URL:
Whiteboard:
Depends On: 2076616
Blocks:
Reported: 2022-06-15 12:56 UTC by Alex Kalenyuk
Modified: 2023-11-13 08:16 UTC (History)

Fixed In Version: kubevirt-virtctl-4.11.0-613, CNV v4.11.0-479
Doc Type: If docs needed, set a value
Doc Text:
Clone Of: 2076616
Environment:
Last Closed: 2022-09-14 19:35:59 UTC
Target Upstream Version:
Embargoed:

Links:
- GitHub kubevirt/kubevirt pull 7594 (Merged): guestfs: run libguestfs container with no-root user (last updated 2022-06-16 02:48:42 UTC)
- Red Hat Issue Tracker CNV-19148 (last updated 2023-11-13 08:16:53 UTC)
- Red Hat Product Errata RHSA-2022:6526 (last updated 2022-09-14 19:36:07 UTC)

Description Alex Kalenyuk 2022-06-15 12:56:16 UTC
+++ This bug was initially created as a clone of Bug #2076616 +++

Description of problem:
Running 'virtctl guestfs' currently requires permission to run pods with uid 0, while libguestfs tools typically don't need to be run as root.

Version-Release number of selected component (if applicable):
% virtctl version
Client Version: version.Info{GitVersion:"v0.49.0-119-gb7f0c6b53", GitCommit:"b7f0c6b535a00e01f4833d8746f2f9be527208f3", GitTreeState:"clean", BuildDate:"2022-04-01T07:23:21Z", GoVersion:"go1.16.12", Compiler:"gc", Platform:"darwin/amd64"}
Server Version: version.Info{GitVersion:"v0.49.0-119-gb7f0c6b53", GitCommit:"b7f0c6b535a00e01f4833d8746f2f9be527208f3", GitTreeState:"clean", BuildDate:"2022-04-01T07:24:56Z", GoVersion:"go1.16.12", Compiler:"gc", Platform:"linux/amd64"}

How reproducible:
Always

Steps to Reproduce:
1. Identify the PVC to attach to libguestfs-tools pod
2. Run virtctl guestfs

% virtctl guestfs --image quay.io/openshift-cnv/container-native-virtualization-libguestfs-tools@sha256:591e6d1e817bbd42b80f24b1ff9863533acc00fa6032c8abcbc38b9bb9e964ae rhel8-lovely-python-rootdisk-wtxhu

Actual results:
Use image: quay.io/openshift-cnv/container-native-virtualization-libguestfs-tools@sha256:591e6d1e817bbd42b80f24b1ff9863533acc00fa6032c8abcbc38b9bb9e964ae
The PVC has been mounted at /disk
pods "libguestfs-tools-rhel8-lovely-python-rootdisk-wtxhu" is forbidden: unable to validate against any security context constraint: [provider "anyuid": Forbidden: not usable by user or serviceaccount, provider "pipelines-scc": Forbidden: not usable by user or serviceaccount, provider "containerized-data-importer": Forbidden: not usable by user or serviceaccount, spec.containers[0].securityContext.runAsUser: Invalid value: 0: must be in the ranges: [1002250000, 1002259999], provider "nonroot": Forbidden: not usable by user or serviceaccount, provider "noobaa": Forbidden: not usable by user or serviceaccount, provider "noobaa-endpoint": Forbidden: not usable by user or serviceaccount, provider "hostmount-anyuid": Forbidden: not usable by user or serviceaccount, provider "kubevirt-controller": Forbidden: not usable by user or serviceaccount, provider "bridge-marker": Forbidden: not usable by user or serviceaccount, provider "machine-api-termination-handler": Forbidden: not usable by user or serviceaccount, provider "hostnetwork": Forbidden: not usable by user or serviceaccount, provider "hostaccess": Forbidden: not usable by user or serviceaccount, provider "nfd-worker": Forbidden: not usable by user or serviceaccount, provider "linux-bridge": Forbidden: not usable by user or serviceaccount, provider "nmstate": Forbidden: not usable by user or serviceaccount, provider "ovs-cni-marker": Forbidden: not usable by user or serviceaccount, provider "kubevirt-handler": Forbidden: not usable by user or serviceaccount, provider "rook-ceph": Forbidden: not usable by user or serviceaccount, provider "node-exporter": Forbidden: not usable by user or serviceaccount, provider "privileged": Forbidden: not usable by user or serviceaccount, provider "rook-ceph-csi": Forbidden: not usable by user or serviceaccount, provider "trident": Forbidden: not usable by user or serviceaccount]

Expected results:
User should be able to execute 'virtctl guestfs' without requiring permission to run pods with uid 0.

--- Additional comment from Vagner Farias on 2022-04-19 13:55:11 UTC ---

Discussion on Google Chat room: https://chat.google.com/room/AAAAgKto59A/bPZX57WGQ9s

--- Additional comment from Alice Frosi on 2022-04-20 08:07:25 UTC ---

I published the PR [1], this removed the requirement of running the libguestfs-tools pod as uid/gid 0

[1] https://github.com/kubevirt/kubevirt/pull/7594

--- Additional comment from Alice Frosi on 2022-04-20 09:56:12 UTC ---

Once we have the PR merged, we need also to adjust the downstream dockerfile for 4.11 and backport the fix to 4.10

--- Additional comment from Maya Rashish on 2022-04-24 10:40:18 UTC ---

Updated bug status to reflect work being done on it.

--- Additional comment from Yan Du on 2022-05-25 12:09:54 UTC ---

Alice, do you have any updates for the PR?

--- Additional comment from Alice Frosi on 2022-05-25 12:14:27 UTC ---

I'm waiting for the PR to be merged, I pinged David yesterday

--- Additional comment from Alice Frosi on 2022-05-25 12:18:38 UTC ---

Yan, once the upstream PR is merged we need to backport the change to 4.10 together with this fix for the downstream build image [2]

[2] https://gitlab.cee.redhat.com/cpaas-midstream/openshift-virtualization/kubevirt/-/merge_requests/77

--- Additional comment from Alice Frosi on 2022-06-15 07:46:16 UTC ---

I want to give an update to this bugzilla.
The needed upstream and downstream PRs for 4.11 and 4.12 have been merged

The last missing cherry-pick for 4.10 is still open (I hope we can get it merged this week):
  https://github.com/kubevirt/kubevirt/pull/7896

Once the last PR is merged, we can verify the BZ with the new builds again
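
The rejection quoted in "Actual results" is the restricted SCC's MustRunAsRange check refusing a pod pinned to uid 0. As an added illustration (not kubevirt or OpenShift code), this Python model applies that rule to the pod's securityContext before and after the fix; it assumes the namespace annotation format "<start>/<size>" and derives the range from the one quoted in the error.

```python
from typing import Optional, Tuple

# Constructed sample: the restricted SCC takes its uid range from the namespace
# annotation openshift.io/sa.scc.uid-range, written as "<start>/<size>".
NAMESPACE_UID_RANGE = "1002250000/10000"


def parse_uid_range(annotation: str) -> Tuple[int, int]:
    """Turn "<start>/<size>" into an inclusive (min, max) uid pair."""
    start, size = (int(x) for x in annotation.split("/", 1))
    if size <= 0:
        raise ValueError("uid range size must be positive")
    return start, start + size - 1


def admit_run_as_user(run_as_user: Optional[int], uid_range: Tuple[int, int]):
    """Apply the MustRunAsRange strategy: an explicit uid must lie inside the
    range; when runAsUser is unset, the SCC injects the first uid of the range."""
    lo, hi = uid_range
    if run_as_user is None:
        return True, "admitted: runAsUser defaulted from range", lo
    if lo <= run_as_user <= hi:
        return True, "admitted: runAsUser within range", run_as_user
    return (False,
            "spec.containers[0].securityContext.runAsUser: Invalid value: "
            f"{run_as_user}: must be in the ranges: [{lo}, {hi}]",
            None)


# Before the fix: virtctl guestfs pinned the libguestfs-tools pod to uid/gid 0,
# which only an SCC such as anyuid or privileged would accept.
BEFORE_FIX = {"runAsUser": 0, "runAsGroup": 0}
# After the fix (illustrative shape, not the PR's exact manifest): no fixed uid,
# so the restricted SCC assigns one from the namespace range.
AFTER_FIX = {"runAsNonRoot": True}


def check_pod(security_context: dict):
    """Validate a container securityContext against the restricted range."""
    uid_range = parse_uid_range(NAMESPACE_UID_RANGE)
    return admit_run_as_user(security_context.get("runAsUser"), uid_range)


if __name__ == "__main__":
    for name, ctx in (("before fix", BEFORE_FIX), ("after fix", AFTER_FIX)):
        ok, msg, uid = check_pod(ctx)
        print(f"{name}: {msg}" + (f" (effective uid {uid})" if ok else ""))
```

Running it prints the same "must be in the ranges" message for the uid 0 pod and an admitted uid of 1002250000 for the non-root pod.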

Comment 1 Kevin Alon Goldblatt 2022-07-12 17:23:54 UTC
Verified with the following code:
------------------------------------------
oc version
Client Version: 4.11.0-202207072008.p0.gf17f1aa.assembly.stream-f17f1aa
Kustomize Version: v4.5.4
Server Version: 4.11.0-rc.1
Kubernetes Version: v1.24.0+2dd8bb1

oc get csv -n openshift-cnv
NAME                                       DISPLAY                    VERSION   REPLACES                                   PHASE
kubevirt-hyperconverged-operator.v4.11.0   OpenShift Virtualization   4.11.0    kubevirt-hyperconverged-operator.v4.10.2   Succeeded



Verified with the following scenario:
-----------------------------------------
oc whoami
unprivileged-user

oc create -f vm-alice.yaml 
virtualmachine.kubevirt.io/vm-cirros-datavolume-alice created

oc get dv -w
NAME                  PHASE              PROGRESS   RESTARTS   AGE
cirros-dv-alice       ImportInProgress   N/A                   9s
guestfs-dv-cnv-6566   Succeeded          100.0%                4m24s
cirros-dv-alice       Succeeded          100.0%                9s

 oc get vm
NAME                         AGE   STATUS    READY
vm-cirros-datavolume-alice   17s   Stopped   False

oc get pvc
NAME                  STATUS   VOLUME                                     CAPACITY   ACCESS MODES   STORAGECLASS                  AGE
cirros-dv-alice       Bound    nfs-pv-03                                  5Gi        RWO,RWX        nfs                           83s
guestfs-dv-cnv-6566   Bound    pvc-379049ee-1e51-4f7d-bb26-dbf5fc202e18   1Gi        RWX            ocs-storagecluster-ceph-rbd   5m38s

virtctl guestfs cirros-dv-alice
Use image: registry.redhat.io/container-native-virtualization/libguestfs-tools@sha256:468675ed096bf4888d42e034a72575bf713490a19f941f5c9d7510f30afefd3b 
The PVC has been mounted at /disk 
If you don't see a command prompt, try pressing enter.+ touch /usr/local/lib/guestfs/appliance/done
+ /bin/bash
bash-4.4$ lsblk
NAME      MAJ:MIN RM   SIZE RO TYPE MOUNTPOINT
loop0       7:0    0    70G  0 loop 
loop1       7:1    0    70G  0 loop 
loop2       7:2    0     1G  0 loop 
rbd0      251:0    0     1G  0 disk 
|-rbd0p1  251:1    0    35M  0 part 
`-rbd0p15 251:15   0     8M  0 part 
vda       252:0    0   150G  0 disk 
|-vda1    252:1    0     1M  0 part 
|-vda2    252:2    0   127M  0 part 
|-vda3    252:3    0   384M  0 part 
`-vda4    252:4    0 149.5G  0 part /usr/local/lib/guestfs/appliance
vdb       252:16   0    70G  0 disk 
vdc       252:32   0    70G  0 disk 

Moving to VERIFIED!

Comment 4 errata-xmlrpc 2022-09-14 19:35:59 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Important: OpenShift Virtualization 4.11.0 Images security and bug fix update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:6526