-
Notifications
You must be signed in to change notification settings - Fork 48
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
config, sccs: add required parameters #1332
Conversation
@maiqueb the commit message does not contain the [0] link, would you please add it? |
/lgtm |
/lgtm cancel |
/hold |
e26bf94
to
6547407
Compare
/hold cancel @qinqon seems this is now working (at least, it managed to pass the unit tests). |
Had to change the multus SCC since it does require access to the host network, as per its spec. |
/hold On second thought, lets try to get feedback first from the community. |
I've started testing on microshift (where bug was first observed). I could use guidance on best method to test, as testing on microshift requires deviating from Makefile & ./cluster/*.sh scripts. I deployed the operator with image Still getting the same error: $ kubectl describe networkaddonsconfig cluster
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Warning Failed: Failing 24m cluster Operator failed: Unable to apply desired configuration
Warning Failed: FailedToApply 11m (x18 over 24m) cluster Operator failed: could not apply (security.openshift.io/v1, Kind=SecurityContextConstraints) /multus: could not create (security.openshift.io/v1, Kind=SecurityContextConstraints) /multus: SecurityContextConstraints.security.openshift.io "multus" is invalid: [allowHostIPC: Required value, allowHostNetwork: Required value, allowHostPID: Required value, allowHostPorts: Required value, readOnlyRootFilesystem: Required value, volumes: Required value]
Warning Failed: FailedToApply 4s (x17 over 7m15s) cluster Operator failed: could not apply (security.openshift.io/v1, Kind=SecurityContextConstraints) /multus: could not create (security.openshift.io/v1, Kind=SecurityContextConstraints) /multus: SecurityContextConstraints.security.openshift.io "multus" is invalid: volumes: Required value More Details:NetworkAddonsConfig cluster
Operator Deployment
|
@usrbinkat weird... It seems it is executing 2 multus SCCs - the first one is missing the following list of capabilities: The second one, is only missing the |
Kudos, SonarCloud Quality Gate passed! 0 Bugs No Coverage information |
/test pull-e2e-cluster-network-addons-operator-workflow-k8s |
1 similar comment
/test pull-e2e-cluster-network-addons-operator-workflow-k8s |
@maiqueb I tested image Here is pastebin output of: Looks like an improvement. We're seeing the same scc error on the linux-bridge component now though. Looking at your patch, I wonder if we also need an scc patch in hack/components/bump-linux-bridge.sh?
I also attempted to run a VM with multus interface on microshift in the current condition and got the following results. Event Logs# VMI Events
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal SuccessfulCreate 75s virtualmachine-controller Created virtual machine pod virt-launcher-kargo3-htb6t
Warning SyncFailed 33s (x14 over 74s) virt-handler failed to configure vmi network: setup failed, err: failed plugging phase1 at nic 'net1': Link not found
# Kube Events
Warning SyncFailed virtualmachineinstance/kargo3 failed to detect VMI pod: dial unix //pods/2a2ba989-807a-44ee-b8e8-f8f8a9b2dbcb/volumes/kubernetes.io~empty-dir/sockets/launcher-sock: connect: connection refused virt-launcher pod logs{"component":"virt-launcher","level":"info","msg":"Collected all requested hook sidecar sockets","pos":"manager.go:76","timestamp":"2022-04-27T19:09:44.606356Z"}
{"component":"virt-launcher","level":"info","msg":"Sorted all collected sidecar sockets per hook point based on their priority and name: map[]","pos":"manager.go:79","timestamp":"2022-04-27T19:09:44.606459Z"}
{"component":"virt-launcher","level":"info","msg":"Connecting to libvirt daemon: qemu:///system","pos":"libvirt.go:495","timestamp":"2022-04-27T19:09:44.609580Z"}
{"component":"virt-launcher","level":"info","msg":"Connecting to libvirt daemon failed: virError(Code=38, Domain=7, Message='Failed to connect socket to '/var/run/libvirt/libvirt-sock': No such file or directory')","pos":"libvirt.go:503","timestamp":"2022-04-27T19:09:44.612940Z"}
{"component":"virt-launcher","level":"info","msg":"libvirt version: 7.6.0, package: 6.el8s (CBS \u003ccbs@centos.org\u003e, 2021-10-29-15:04:36, )","subcomponent":"libvirt","thread":"40","timestamp":"2022-04-27T19:09:44.641000Z"}
{"component":"virt-launcher","level":"info","msg":"hostname: kargo3","subcomponent":"libvirt","thread":"40","timestamp":"2022-04-27T19:09:44.641000Z"}
{"component":"virt-launcher","level":"error","msg":"internal error: Child process (dmidecode -q -t 0,1,2,3,4,11,17) unexpected exit status 1: /dev/mem: No such file or directory","pos":"virCommandWait:2749","subcomponent":"libvirt","thread":"40","timestamp":"2022-04-27T19:09:44.641000Z"}
{"component":"virt-launcher","level":"info","msg":"Connected to libvirt daemon","pos":"libvirt.go:511","timestamp":"2022-04-27T19:09:45.119274Z"}
{"component":"virt-launcher","level":"info","msg":"Registered libvirt event notify callback","pos":"client.go:509","timestamp":"2022-04-27T19:09:45.130444Z"}
{"component":"virt-launcher","level":"info","msg":"Marked as ready","pos":"virt-launcher.go:80","timestamp":"2022-04-27T19:09:45.131330Z"}
panic: timed out waiting for domain to be defined
goroutine 1 [running]:
main.waitForDomainUUID(0xc000084900, 0xc000084780, 0xc0019fa840, {0x1ca6b00, 0xc00022e000})
cmd/virt-launcher/virt-launcher.go:250 +0x43a
main.main()
cmd/virt-launcher/virt-launcher.go:504 +0x141a
{"component":"virt-launcher","level":"info","msg":"Reaped pid 15 with status 512","pos":"virt-launcher.go:554","timestamp":"2022-04-27T19:14:42.146151Z"}
{"component":"virt-launcher","level":"error","msg":"dirty virt-launcher shutdown: exit-code 2","pos":"virt-launcher.go:572","timestamp":"2022-04-27T19:14:42.147078Z"} |
@usrbinkat it might make sense for you to remove the linux-bridge configuration from CNAO's CR - odds are microshift itself installs that plugin. I'll ship around the idea of adding an SCC for this plugin.
... |
/test pull-e2e-cluster-network-addons-operator-workflow-k8s |
/hold cancel The SCC issue seems to be fixed, since the provided logs no longer show any SCC issue. There is still a deeper issue, preventing multus from creating a link on the pod's netns, which I am currently debugging. |
Had to force push here because I saw the following error when testing with the following CR:
apiVersion: networkaddonsoperator.network.kubevirt.io/v1
kind: NetworkAddonsConfig
metadata:
annotations:
name: cluster
spec:
linuxBridge: {}
multus: {} |
According to openshift's API specification - [0] - the following attributes are required: - allowHostDirVolumePlugin - allowHostIPC - allowHostNetwork - allowHostPID - allowHostPorts - allowPrivilegedContainer - readOnlyRootFilesystem This commits adds the required parameters to the SCCs that were missing them. [0] - https://docs.openshift.com/container-platform/4.10/rest_api/security_apis/securitycontextconstraints-security-openshift-io-v1.html Signed-off-by: Miguel Duarte Barroso <mdbarroso@redhat.com>
The `volume` parameter is marked as required in the SCC CRD, despite being nullable - and not listed as required in the API doc - [0]. A tracker bug requesting the API to be updated can be found in [1]. [0] - https://docs.openshift.com/container-platform/4.10/rest_api/security_apis/securitycontextconstraints-security-openshift-io-v1.html [1] - https://bugzilla.redhat.com/show_bug.cgi?id=2079224 Signed-off-by: Miguel Duarte Barroso <mdbarroso@redhat.com>
Kudos, SonarCloud Quality Gate passed! 0 Bugs No Coverage information |
/lgtm |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: qinqon The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
@RamLavi could you push a release out with this change ? I know @usrbinkat is keen on checking out this integration w/ microshift. |
What this PR does / why we need it:
According to openshift's API specification the following
attributes are required:
This commits adds the required parameters to the SCCs that were missing
them.
Furthermore, there's this openshift documentation bug, in which the
volumes
attribute is missing from the API.
Special notes for your reviewer:
Release note: