Bug 2105130
| Summary: | DPDK/SRIOV pod configuration without privilege | | |
|---|---|---|---|
| Product: | OpenShift Container Platform | Reporter: | Seunghwan Jung <jseunghw> |
| Component: | Networking | Assignee: | Sebastian Scheinkman <sscheink> |
| Networking sub component: | SR-IOV | QA Contact: | zhaozhanqi <zzhao> |
| Status: | CLOSED ERRATA | Docs Contact: | |
| Severity: | medium | | |
| Priority: | medium | CC: | apanatto, cgoncalves, ealcaniz, eglottma, fbaudin, maxime.coquelin, shkim, soh, sscheink, yonpark, zshi |
| Version: | 4.9 | | |
| Target Milestone: | --- | | |
| Target Release: | 4.12.0 | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | No Doc Update |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2023-01-17 19:45:58 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Comment 26
zhaozhanqi
2022-09-08 06:51:23 UTC
By adding the following label to fix the comment 26 issue, this worker can load vhost:

```
# lsmod | grep vhost
vhost_net              28672  0
vhost                  49152  1 vhost_net
vhost_iotlb            16384  1 vhost
tap                    28672  1 vhost_net
tun                    49152  1 vhost_net
```

Move to verified.

Hi Shienna,

Tested locally and I confirm that NET_ADMIN is needed in order to change dynamic routes:
```
apiVersion: v1
kind: Pod
metadata:
  name: pod-test
spec:
  containers:
  - name: pod-test
    image: "centos:8"
    command:
    - /bin/sleep
    - "3000"
    securityContext:
      capabilities:
        add:
        - NET_ADMIN
```
```
$ oc rsh pod-cgoncalves
sh-4.4# ip route
default via 10.129.2.1 dev eth0
10.128.0.0/14 dev eth0
10.129.2.0/23 dev eth0 proto kernel scope link src 10.129.2.14
172.30.0.0/16 via 10.129.2.1 dev eth0
224.0.0.0/4 dev eth0
sh-4.4# ip route add 10.0.1.0/24 dev eth0
sh-4.4# ip route
default via 10.129.2.1 dev eth0
10.0.1.0/24 dev eth0 scope link        <----------------
10.128.0.0/14 dev eth0
10.129.2.0/23 dev eth0 proto kernel scope link src 10.129.2.14
172.30.0.0/16 via 10.129.2.1 dev eth0
224.0.0.0/4 dev eth0
```
Please notice that if your container is running as a non-root user, you need to set the CAP_NET_ADMIN capability on the executable file via `setcap` (usually this is done in the Dockerfile):
```
sh-4.4# useradd user1
sh-4.4# su user1 -c "/usr/sbin/ip route add 10.0.2.0/24 dev eth0"
RTNETLINK answers: Operation not permitted
sh-4.4# setcap cap_net_admin=epi /usr/sbin/ip
sh-4.4# su user1 -c "/usr/sbin/ip route add 10.0.2.0/24 dev eth0"
sh-4.4# ip route
default via 10.132.2.1 dev eth0
10.0.2.0/24 dev eth0 scope link
10.132.2.0/23 dev eth0 proto kernel scope link src 10.132.3.111
```
Andrea
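The two results in the comment above (root can run `ip route add` as soon as NET_ADMIN is in the pod's securityContext, a non-root user only after `setcap` on `/usr/sbin/ip`) follow from the execve() capability rules in capabilities(7). The model below is an added example for this bug page, not code from the bug report, OpenShift or the SR-IOV operator: it decodes the `Cap*` lines of `/proc/<pid>/status` into capability names and replays those rules for the four cases a practitioner hits. The status excerpt `POD_STATUS` and the "runtime default plus CAP_NET_ADMIN" mask it carries are constructed, not captured from a real pod; the UID 1000 for `user1` is an assumption.

```python
"""Decode Linux capability sets and replay the execve() transformation
rules from capabilities(7), to show why the non-root case in the
comment above needs `setcap cap_net_admin=ep` on /usr/sbin/ip.
Added example for this bug page; not code from the bug report or from
OpenShift/SR-IOV. POD_STATUS below is constructed, not a real capture.
"""

# Capability bit numbers from <linux/capability.h>; only the bits used
# by the constructed status excerpt are listed.
CAP_BITS = {
    "CAP_CHOWN": 0, "CAP_DAC_OVERRIDE": 1, "CAP_FOWNER": 3, "CAP_FSETID": 4,
    "CAP_KILL": 5, "CAP_SETGID": 6, "CAP_SETUID": 7, "CAP_SETPCAP": 8,
    "CAP_NET_BIND_SERVICE": 10, "CAP_NET_ADMIN": 12, "CAP_NET_RAW": 13,
    "CAP_SYS_CHROOT": 18, "CAP_MKNOD": 27, "CAP_AUDIT_WRITE": 29,
    "CAP_SETFCAP": 31,
}
BIT_TO_NAME = {bit: name for name, bit in CAP_BITS.items()}
CAP_LINES = ("CapInh", "CapPrm", "CapEff", "CapBnd", "CapAmb")

# Constructed /proc/<pid>/status excerpt: a root process whose sets are a
# typical container-runtime default plus CAP_NET_ADMIN (bit 12 = 0x1000),
# as the pod spec above requests via securityContext.capabilities.add.
POD_STATUS = """\
Name:\tsleep
Uid:\t0\t0\t0\t0
CapInh:\t0000000000000000
CapPrm:\t00000000a80435fb
CapEff:\t00000000a80435fb
CapBnd:\t00000000a80435fb
CapAmb:\t0000000000000000
"""


def decode_mask(hexmask):
    """Turn a CapXxx hex bitmask into a frozenset of capability names."""
    value = int(hexmask, 16)
    names, bit = set(), 0
    while value:
        if value & 1:
            names.add(BIT_TO_NAME.get(bit, "CAP_%d" % bit))
        value >>= 1
        bit += 1
    return frozenset(names)


def parse_status(text):
    """Extract the five capability sets from /proc/<pid>/status text."""
    sets = {}
    for line in text.splitlines():
        key, _, val = line.partition(":")
        if key in CAP_LINES:
            sets[key] = decode_mask(val.strip())
    return sets


def switch_to_nonroot(proc):
    """Model `su user1`: a 0 -> non-zero UID change without
    SECBIT_KEEP_CAPS clears permitted, effective and ambient; the
    inheritable and bounding sets survive."""
    return {"CapInh": proc["CapInh"], "CapPrm": frozenset(),
            "CapEff": frozenset(), "CapBnd": proc["CapBnd"],
            "CapAmb": frozenset()}


def execve_caps(proc, euid, file_permitted=frozenset(),
                file_inheritable=frozenset(), file_effective=False):
    """Capability sets of the new program per the execve() rules in
    capabilities(7); file_* are the binary's file capabilities (what
    `setcap` writes)."""
    privileged_file = bool(file_permitted or file_inheritable)
    if euid == 0:
        # Root special case: the file's permitted and inheritable sets are
        # treated as all-ones and the effective bit as set, so root needs
        # no file capabilities at all.
        file_permitted, file_inheritable = proc["CapBnd"], proc["CapInh"]
        file_effective = True
    new_amb = frozenset() if privileged_file else proc["CapAmb"]
    new_prm = ((proc["CapInh"] & file_inheritable)
               | (file_permitted & proc["CapBnd"])
               | new_amb)
    new_eff = new_prm if file_effective else new_amb
    return {"CapInh": proc["CapInh"], "CapPrm": new_prm, "CapEff": new_eff,
            "CapBnd": proc["CapBnd"], "CapAmb": new_amb}


def can_change_routes(proc):
    """RTNETLINK route changes need CAP_NET_ADMIN in the effective set."""
    return "CAP_NET_ADMIN" in proc["CapEff"]


def scenario():
    """Replay the cases from the comment, plus the bounding-set caveat."""
    root = parse_status(POD_STATUS)
    user1 = switch_to_nonroot(root)            # assumed UID 1000 below
    net_admin = frozenset({"CAP_NET_ADMIN"})
    # Pod whose securityContext never added NET_ADMIN: not in CapBnd.
    user1_no_bnd = dict(user1, CapBnd=user1["CapBnd"] - net_admin)
    return {
        "root runs ip": can_change_routes(execve_caps(root, 0)),
        "user1 runs ip, no file caps": can_change_routes(execve_caps(user1, 1000)),
        "user1 runs ip with cap_net_admin=ep": can_change_routes(
            execve_caps(user1, 1000, file_permitted=net_admin, file_effective=True)),
        "user1 with setcap but NET_ADMIN not in CapBnd": can_change_routes(
            execve_caps(user1_no_bnd, 1000, file_permitted=net_admin, file_effective=True)),
    }


if __name__ == "__main__":
    for case, ok in scenario().items():
        print("%-48s %s" % (case, "route add works" if ok else "EPERM"))
```

Two points the replay makes explicit. The `i` in `cap_net_admin=epi` buys nothing here: the file inheritable set is ANDed with the process inheritable set, which is empty in the pod, so `=ep` is sufficient. And `setcap` only works because the pod's securityContext put NET_ADMIN into the bounding set; the last case shows that without that, the file capability is masked out and the non-root user still gets "Operation not permitted".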
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (OpenShift Container Platform 4.12.0 extras update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2022:7400

The needinfo request[s] on this closed bug have been removed as they have been unresolved for 120 days