node-labeller.sh: Consider AppArmor restrictions

Even though the virt-handler pod is privileged, on the systems with AppArmor there might be a host profile which will be automatically picked for the /usr/sbin/libvirtd binary. That may block the execution of /usr/libexec/qemu-kvm. In such a case, try moving the qemu executable to a location, which is more common for AppArmor-enabled Linux distros. Signed-off-by: Vasiliy Ulyanov <vulyanov@suse.de>
kubevirt · Oct 28, 2022 · 940c9b2 · 940c9b2
1 parent 7594c5a
commit 940c9b2
Showing 1 changed file with 7 additions and 0 deletions.
diff --git a/cmd/virt-launcher/node-labeller/node-labeller.sh b/cmd/virt-launcher/node-labeller/node-labeller.sh
@@ -21,6 +21,13 @@ fi
 
 libvirtd -d
 
+# If the below command fails, then probably we run under AppArmor restrictions
+# and the active profile denies exec of /usr/libexec/qemu-kvm for libvirtd. In
+# such case, move the binary to a more common location and try again.
+if ! virsh domcapabilities --machine q35 --arch x86_64 --virttype $VIRTTYPE > /dev/null; then
+    [ -f /usr/libexec/qemu-kvm ] && mv /usr/libexec/qemu-kvm /usr/bin/qemu-system-x86_64
+fi
+
 virsh domcapabilities --machine q35 --arch x86_64 --virttype $VIRTTYPE > /var/lib/kubevirt-node-labeller/virsh_domcapabilities.xml
 
 cp -r /usr/share/libvirt/cpu_map /var/lib/kubevirt-node-labeller