Make nonroot default runtime #8563

xpivarc · 2022-10-04T12:07:47Z

What this PR does / why we need it:

Which issue(s) this PR fixes (optional, in fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when PR gets merged):
Fixes #

Special notes for your reviewer:

Release note:

Kubevirt now runs with nonroot user by default

kubevirt-bot · 2022-10-04T12:07:48Z

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

xpivarc · 2022-10-04T12:07:54Z

/retest

xpivarc · 2022-10-06T09:20:45Z

/retest

vladikr · 2022-10-06T17:00:38Z

/retest

xpivarc · 2022-10-07T08:18:24Z

/test pull-kubevirt-e2e-k8s-1.22-sig-compute-realtime
Expected failure

vladikr · 2022-10-14T02:15:21Z

/retest

xpivarc · 2022-10-19T10:08:03Z

pkg/virt-api/webhooks/validating-webhook/admitters/vmi-create-admitter.go

 	if spec.Domain.CPU != nil && spec.Domain.CPU.Realtime != nil {
+		if nonroot {


@vladikr Maybe adding the sys_nice for time being is better option

I think we should add sys_nice back for the time being - I agree

xpivarc · 2022-10-19T10:08:15Z

/retest

xpivarc · 2022-10-20T16:01:12Z

/retest

acardace · 2022-10-21T07:55:28Z

/lgtm

vladikr · 2022-10-24T13:38:56Z

/approve

kubevirt-bot · 2022-10-24T13:39:05Z

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: vladikr

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

~~OWNERS~~ [vladikr]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

acardace · 2022-10-25T08:26:35Z

/test pull-kubevirt-e2e-kind-1.22-sriov

Signed-off-by: L. Pivarc <[email protected]>

Currently RT VMs require SYS_NICE capability. Signed-off-by: L. Pivarc <[email protected]>

xpivarc · 2022-10-26T06:58:53Z

@acardace PTAL

acardace · 2022-10-26T07:10:19Z

/lgtm

kubevirt-bot · 2022-10-26T08:43:45Z

@xpivarc: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
pull-kubevirt-e2e-k8s-1.22-sig-compute-realtime	`3986c45`	link	false	`/test pull-kubevirt-e2e-k8s-1.22-sig-compute-realtime`
pull-kubevirt-check-tests-for-flakes	`c53bed2`	link	false	`/test pull-kubevirt-check-tests-for-flakes`
pull-kubevirt-e2e-kind-1.23-vgpu	`c53bed2`	link	true	`/test pull-kubevirt-e2e-kind-1.23-vgpu`

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

acardace · 2022-10-26T15:43:12Z

/retest-required

rmohr · 2022-10-27T09:50:38Z

Hi Lubo. Great change. Does this mean that we test now in the nonroot lanes the same as in the other CI lanes? And as such not testing root anymore?

xpivarc · 2022-10-27T10:02:19Z

Hi Lubo. Great change. Does this mean that we test now in the nonroot lanes the same as in the other CI lanes? And as such not testing root anymore?

For a brief time yes, kubevirt/project-infra#2418 should fix it. We should talk about how long we want to do this in the next community meeting.

With kubevirt/kubevirt#8563 Kubevirt introduced a new FG named `Root`, the `nonRoot` FG we are using is still there but declared as deprecated. Unfortunately due to bug on Kubevirt the now deprecated `nonRoot` FG we rely on is completely ignored so, as a workaround, we will start internally translating nonRoot -> Root on Kubevirt with negative logic. In a future PR the nonRoot FG will be properly deprecated also here and a new Root FG will be introduced with a proper conversion logic on upgrades. Bug-Url: https://bugzilla.redhat.com/show_bug.cgi?id=2175171 JIRA-ticket: https://issues.redhat.com/browse/CNV-26406 Signed-off-by: stirabos <[email protected]>

The NonRootExperimental feature gate was deprecated in PR kubevirt#8563. There is no code that is affected by this feature gate. Signed-off-by: Orel Misan <[email protected]>

The NonRootExperimental feature gate was deprecated in PR kubevirt#8563. The presence or absence of this feature gate does not change KubeVirt's behavior. Signed-off-by: Orel Misan <[email protected]>

The `NonRoot` feature gate was deprecated in PR kubevirt#8563. The presence or absence of this feature gate does not change KubeVirt's behavior. Signed-off-by: Orel Misan <[email protected]>

The NonRootExperimental feature gate was deprecated in PR kubevirt#8563. The presence or absence of this feature gate does not change KubeVirt's behavior. Signed-off-by: Orel Misan <[email protected]>

kubevirt-bot requested a review from maiqueb October 4, 2022 12:07

kubevirt-bot requested a review from vasiliy-ul October 4, 2022 12:07

kubevirt-bot added the size/M label Oct 4, 2022

xpivarc force-pushed the nonroot-default branch from 3986c45 to 4b3d9fc Compare October 19, 2022 10:07

kubevirt-bot added size/L and removed size/M labels Oct 19, 2022

xpivarc commented Oct 19, 2022

View reviewed changes

xpivarc force-pushed the nonroot-default branch from 4b3d9fc to 2f965cc Compare October 19, 2022 10:57

xpivarc marked this pull request as ready for review October 20, 2022 06:33

kubevirt-bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Oct 20, 2022

kubevirt-bot requested review from kbidarkar and stu-gott October 20, 2022 06:34

kubevirt-bot assigned acardace Oct 21, 2022

kubevirt-bot added the lgtm Indicates that a PR is ready to be merged. label Oct 21, 2022

acardace mentioned this pull request Oct 21, 2022

Run VMs as 'restricted' PSA pods #8649

Merged

kubevirt-bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Oct 24, 2022

kubevirt-bot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Oct 25, 2022

xpivarc added 3 commits October 26, 2022 08:46

Make nonroot default runtime

097521a

Signed-off-by: L. Pivarc <[email protected]>

Fix nonroot tests

6932d31

Signed-off-by: L. Pivarc <[email protected]>

Block RT VM with nonroot

c53bed2

Currently RT VMs require SYS_NICE capability. Signed-off-by: L. Pivarc <[email protected]>

xpivarc force-pushed the nonroot-default branch from 2f965cc to c53bed2 Compare October 26, 2022 06:58

kubevirt-bot removed lgtm Indicates that a PR is ready to be merged. needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. labels Oct 26, 2022

kubevirt-bot added the lgtm Indicates that a PR is ready to be merged. label Oct 26, 2022

kubevirt-bot merged commit 9c6bccf into kubevirt:main Oct 27, 2022

tiraboschi mentioned this pull request Mar 3, 2023

Workaround for nonRoot FG on Kubevirt kubevirt/hyperconverged-cluster-operator#2273

Merged

11 tasks

orelmisan mentioned this pull request Oct 17, 2023

Remove leftover NonRootExperimental feature gate #10582

Merged

8 tasks

This was referenced Oct 23, 2023

Remove usage of the deprecated NonRoot feature gate #10615

Merged

Add a proposal to remove rootful VMs feature kubevirt/community#248

Open

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Make nonroot default runtime #8563

Make nonroot default runtime #8563

xpivarc commented Oct 4, 2022

kubevirt-bot commented Oct 4, 2022

xpivarc commented Oct 4, 2022

xpivarc commented Oct 6, 2022

vladikr commented Oct 6, 2022

xpivarc commented Oct 7, 2022

vladikr commented Oct 14, 2022

xpivarc Oct 19, 2022

vladikr Oct 20, 2022

xpivarc commented Oct 19, 2022

xpivarc commented Oct 20, 2022

acardace commented Oct 21, 2022

vladikr commented Oct 24, 2022

kubevirt-bot commented Oct 24, 2022

acardace commented Oct 25, 2022

xpivarc commented Oct 26, 2022

acardace commented Oct 26, 2022

kubevirt-bot commented Oct 26, 2022 •

edited

Loading

acardace commented Oct 26, 2022

rmohr commented Oct 27, 2022 •

edited

Loading

xpivarc commented Oct 27, 2022

		if spec.Domain.CPU != nil && spec.Domain.CPU.Realtime != nil {
		if nonroot {

Make nonroot default runtime #8563

Make nonroot default runtime #8563

Conversation

xpivarc commented Oct 4, 2022

kubevirt-bot commented Oct 4, 2022

xpivarc commented Oct 4, 2022

xpivarc commented Oct 6, 2022

vladikr commented Oct 6, 2022

xpivarc commented Oct 7, 2022

vladikr commented Oct 14, 2022

xpivarc Oct 19, 2022

Choose a reason for hiding this comment

vladikr Oct 20, 2022

Choose a reason for hiding this comment

xpivarc commented Oct 19, 2022

xpivarc commented Oct 20, 2022

acardace commented Oct 21, 2022

vladikr commented Oct 24, 2022

kubevirt-bot commented Oct 24, 2022

acardace commented Oct 25, 2022

xpivarc commented Oct 26, 2022

acardace commented Oct 26, 2022

kubevirt-bot commented Oct 26, 2022 • edited Loading

acardace commented Oct 26, 2022

rmohr commented Oct 27, 2022 • edited Loading

xpivarc commented Oct 27, 2022

kubevirt-bot commented Oct 26, 2022 •

edited

Loading

rmohr commented Oct 27, 2022 •

edited

Loading