Verified with CNV-v4.13.0.rhel9-1836:

[cloud-user@ocp-ipi-executor-xl must-gather-vm-2-1679941614-426225]$ oc get hyperconverged kubevirt-hyperconverged -n openshift-cnv -o json | jq ".spec.featureGates"
{
  "deployKubeSecondaryDNS": false,
  "deployTektonTaskResources": false,
  "enableCommonBootImageImport": true,
  "nonRoot": true,
  "withHostPassthroughCPU": false
}
[cloud-user@ocp-ipi-executor-xl must-gather-vm-2-1679941614-426225]$

I don't see root: false
The idea was exactly to keep nonRoot (with a default of True) on the HCO CR, to avoid introducing a user-visible change on APIs so late in the game, internally translating it to Root on the kubevirt CR (with negated semantics).
I checked on v4.13.0.rhel9-1808. Setting NonRoot: false in the HCO CR and checking if the virt-launcher pod is root; we also see the Root feature gate in the KV CR.

[akriti@fedora cnv-tests]$ oc get hyperconverged kubevirt-hyperconverged -n openshift-cnv -o yaml | grep -A 8 "featureGates"
featureGates:
  deployKubeSecondaryDNS: false
  deployTektonTaskResources: false
  enableCommonBootImageImport: true
  nonRoot: false
  withHostPassthroughCPU: false
[akriti@fedora cnv-tests]$ oc -n test-bugs get pods virt-launcher-example-f284x -o json | jq .spec.securityContext.runAsUser
0
[akriti@fedora cnv-tests]$ oc get kubevirt kubevirt-kubevirt-hyperconverged -n openshift-cnv -o yaml | grep -A 20 "featureGates"
featureGates:
- DataVolumes
- SRIOV
- CPUManager
- CPUNodeDiscovery
- Snapshot
- HotplugVolumes
- ExpandDisks
- GPU
- HostDevices
- DownwardMetrics
- NUMA
- VMExport
- DisableCustomSELinuxPolicy
- KubevirtSeccompProfile
- WithHostModelCPU
- HypervStrictCheck
- Root

The virt-launcher is now running as root, which implies we can configure the Root feature gate by setting nonRoot: false in the HCO CR.
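An added example, not part of the original comments and not HCO or KubeVirt code: a Python check of the nonRoot-to-Root translation discussed in this thread, run over JSON as returned by the `oc get ... -o json` commands above. The sample documents are constructed; the KubeVirt path `spec.configuration.developerConfiguration.featureGates`, the pod name `virt-launcher-other` and UID 107 are assumptions.

```python
import json

def dig(obj, *keys, default=None):
    """Walk nested dicts, returning default when any level is missing or null."""
    for key in keys:
        if not isinstance(obj, dict) or obj.get(key) is None:
            return default
        obj = obj[key]
    return obj

def audit(hco, kubevirt, pods):
    """Return findings about the nonRoot -> Root translation and launcher UIDs."""
    findings = []
    # nonRoot defaults to true on the HCO CR; Root on the KubeVirt CR is its negation.
    want_root = not dig(hco, "spec", "featureGates", "nonRoot", default=True)
    # Assumed location of the feature gate list on the KubeVirt CR.
    kv_gates = dig(kubevirt, "spec", "configuration", "developerConfiguration",
                   "featureGates", default=[])
    has_root = "Root" in kv_gates
    if has_root != want_root:
        findings.append(f"gate-mismatch: HCO nonRoot={not want_root}, KubeVirt Root={has_root}")
    elif has_root:
        findings.append("root-enabled: nonRoot=false on HCO, Root gate set on KubeVirt")
    for pod in pods:
        name = dig(pod, "metadata", "name", default="<unnamed>")
        uid = dig(pod, "spec", "securityContext", "runAsUser")
        if uid == 0:
            findings.append(f"root-launcher: {name} runs as UID 0")
        elif uid is None:
            findings.append(f"uid-unset: {name} has no pod-level runAsUser")
    return findings

# Constructed sample input mirroring the state shown in the comment above.
HCO = json.loads('{"spec": {"featureGates": {"nonRoot": false}}}')
KV = json.loads('{"spec": {"configuration": {"developerConfiguration":'
                ' {"featureGates": ["DataVolumes", "HypervStrictCheck", "Root"]}}}}')
PODS = json.loads('[{"metadata": {"name": "virt-launcher-example-f284x"},'
                  '  "spec": {"securityContext": {"runAsUser": 0}}},'
                  ' {"metadata": {"name": "virt-launcher-other"},'
                  '  "spec": {"securityContext": {"runAsUser": 107}}}]')

if __name__ == "__main__":
    for line in audit(HCO, KV, PODS):
        print(line)
```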
Based on comment 3, marking it verified.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: OpenShift Virtualization 4.13.0 Images security, bug fix, and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2023:3205