config, sccs: add required parameters #1332
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
kubevirt-bot
added
release-note
|
@maiqueb the commit message does not contain the [0] link, would you please add it? |
|
/lgtm |
kubevirt-bot
added
lgtm
|
/lgtm cancel |
|
/hold |
kubevirt-bot
added
the
do-not-merge/hold
This was referenced Apr 19, 2022
maiqueb
force-pushed
the
adjust-sccs
branch
2 times, most recently
from
e26bf94
to
6547407
Compare
|
/hold cancel @qinqon seems this is now working (at least, it managed to pass the unit tests). |
kubevirt-bot
removed
the
do-not-merge/hold
|
Had to change the multus SCC since it does require access to the host network, as per its spec. |
|
/hold On second thought, lets try to get feedback first from the community. |
kubevirt-bot
added
the
do-not-merge/hold
|
I've started testing on microshift (where bug was first observed). I could use guidance on best method to test, as testing on microshift requires deviating from Makefile & ./cluster/*.sh scripts. I deployed the operator with image Still getting the same error: $ kubectl describe networkaddonsconfig cluster
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Warning Failed: Failing 24m cluster Operator failed: Unable to apply desired configuration
Warning Failed: FailedToApply 11m (x18 over 24m) cluster Operator failed: could not apply (security.openshift.io/v1, Kind=SecurityContextConstraints) /multus: could not create (security.openshift.io/v1, Kind=SecurityContextConstraints) /multus: SecurityContextConstraints.security.openshift.io "multus" is invalid: [allowHostIPC: Required value, allowHostNetwork: Required value, allowHostPID: Required value, allowHostPorts: Required value, readOnlyRootFilesystem: Required value, volumes: Required value]
Warning Failed: FailedToApply 4s (x17 over 7m15s) cluster Operator failed: could not apply (security.openshift.io/v1, Kind=SecurityContextConstraints) /multus: could not create (security.openshift.io/v1, Kind=SecurityContextConstraints) /multus: SecurityContextConstraints.security.openshift.io "multus" is invalid: volumes: Required valueMore Details:NetworkAddonsConfig clusterOperator Deployment |
|
@usrbinkat weird... It seems it is executing 2 multus SCCs - the first one is missing the following list of capabilities: The second one, is only missing the |
|
Kudos, SonarCloud Quality Gate passed!
|
|
/test pull-e2e-cluster-network-addons-operator-workflow-k8s |
1 similar comment
|
/test pull-e2e-cluster-network-addons-operator-workflow-k8s |
|
@maiqueb I tested image Here is pastebin output of: Looks like an improvement. We're seeing the same scc error on the linux-bridge component now though. Looking at your patch, I wonder if we also need an scc patch in hack/components/bump-linux-bridge.sh? I also attempted to run a VM with multus interface on microshift in the current condition and got the following results. Event Logs# VMI Events
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal SuccessfulCreate 75s virtualmachine-controller Created virtual machine pod virt-launcher-kargo3-htb6t
Warning SyncFailed 33s (x14 over 74s) virt-handler failed to configure vmi network: setup failed, err: failed plugging phase1 at nic 'net1': Link not found
# Kube Events
Warning SyncFailed virtualmachineinstance/kargo3 failed to detect VMI pod: dial unix //pods/2a2ba989-807a-44ee-b8e8-f8f8a9b2dbcb/volumes/kubernetes.io~empty-dir/sockets/launcher-sock: connect: connection refusedvirt-launcher pod logs{"component":"virt-launcher","level":"info","msg":"Collected all requested hook sidecar sockets","pos":"manager.go:76","timestamp":"2022-04-27T19:09:44.606356Z"}
{"component":"virt-launcher","level":"info","msg":"Sorted all collected sidecar sockets per hook point based on their priority and name: map[]","pos":"manager.go:79","timestamp":"2022-04-27T19:09:44.606459Z"}
{"component":"virt-launcher","level":"info","msg":"Connecting to libvirt daemon: qemu:///system","pos":"libvirt.go:495","timestamp":"2022-04-27T19:09:44.609580Z"}
{"component":"virt-launcher","level":"info","msg":"Connecting to libvirt daemon failed: virError(Code=38, Domain=7, Message='Failed to connect socket to '/var/run/libvirt/libvirt-sock': No such file or directory')","pos":"libvirt.go:503","timestamp":"2022-04-27T19:09:44.612940Z"}
{"component":"virt-launcher","level":"info","msg":"libvirt version: 7.6.0, package: 6.el8s (CBS \u003ccbs@centos.org\u003e, 2021-10-29-15:04:36, )","subcomponent":"libvirt","thread":"40","timestamp":"2022-04-27T19:09:44.641000Z"}
{"component":"virt-launcher","level":"info","msg":"hostname: kargo3","subcomponent":"libvirt","thread":"40","timestamp":"2022-04-27T19:09:44.641000Z"}
{"component":"virt-launcher","level":"error","msg":"internal error: Child process (dmidecode -q -t 0,1,2,3,4,11,17) unexpected exit status 1: /dev/mem: No such file or directory","pos":"virCommandWait:2749","subcomponent":"libvirt","thread":"40","timestamp":"2022-04-27T19:09:44.641000Z"}
{"component":"virt-launcher","level":"info","msg":"Connected to libvirt daemon","pos":"libvirt.go:511","timestamp":"2022-04-27T19:09:45.119274Z"}
{"component":"virt-launcher","level":"info","msg":"Registered libvirt event notify callback","pos":"client.go:509","timestamp":"2022-04-27T19:09:45.130444Z"}
{"component":"virt-launcher","level":"info","msg":"Marked as ready","pos":"virt-launcher.go:80","timestamp":"2022-04-27T19:09:45.131330Z"}
panic: timed out waiting for domain to be defined
goroutine 1 [running]:
main.waitForDomainUUID(0xc000084900, 0xc000084780, 0xc0019fa840, {0x1ca6b00, 0xc00022e000})
cmd/virt-launcher/virt-launcher.go:250 +0x43a
main.main()
cmd/virt-launcher/virt-launcher.go:504 +0x141a
{"component":"virt-launcher","level":"info","msg":"Reaped pid 15 with status 512","pos":"virt-launcher.go:554","timestamp":"2022-04-27T19:14:42.146151Z"}
{"component":"virt-launcher","level":"error","msg":"dirty virt-launcher shutdown: exit-code 2","pos":"virt-launcher.go:572","timestamp":"2022-04-27T19:14:42.147078Z"} |
@usrbinkat it might make sense for you to remove the linux-bridge configuration from CNAO's CR - odds are microshift itself installs that plugin. I'll ship around the idea of adding an SCC for this plugin.
... |
|
/test pull-e2e-cluster-network-addons-operator-workflow-k8s |
|
/hold cancel The SCC issue seems to be fixed, since the provided logs no longer show any SCC issue. There is still a deeper issue, preventing multus from creating a link on the pod's netns, which I am currently debugging. |
kubevirt-bot
removed
the
do-not-merge/hold
|
Had to force push here because I saw the following error when testing with the following CR:
apiVersion: networkaddonsoperator.network.kubevirt.io/v1
kind: NetworkAddonsConfig
metadata:
annotations:
name: cluster
spec:
linuxBridge: {}
multus: {} |
According to openshift's API specification - [0] - the following attributes are required: - allowHostDirVolumePlugin - allowHostIPC - allowHostNetwork - allowHostPID - allowHostPorts - allowPrivilegedContainer - readOnlyRootFilesystem This commits adds the required parameters to the SCCs that were missing them. [0] - https://docs.openshift.com/container-platform/4.10/rest_api/security_apis/securitycontextconstraints-security-openshift-io-v1.html Signed-off-by: Miguel Duarte Barroso <mdbarroso@redhat.com>
The `volume` parameter is marked as required in the SCC CRD, despite being nullable - and not listed as required in the API doc - [0]. A tracker bug requesting the API to be updated can be found in [1]. [0] - https://docs.openshift.com/container-platform/4.10/rest_api/security_apis/securitycontextconstraints-security-openshift-io-v1.html [1] - https://bugzilla.redhat.com/show_bug.cgi?id=2079224 Signed-off-by: Miguel Duarte Barroso <mdbarroso@redhat.com>
|
Kudos, SonarCloud Quality Gate passed!
|
|
/lgtm |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: qinqon The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
@RamLavi could you push a release out with this change ? I know @usrbinkat is keen on checking out this integration w/ microshift. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
What this PR does / why we need it:
According to openshift's API specification the following
attributes are required:
This commits adds the required parameters to the SCCs that were missing
them.
Furthermore, there's this openshift documentation bug, in which the
volumesattribute is missing from the API.
Special notes for your reviewer:
Release note: