
[release-1.1] cgroupsv2: reconstruct device allowlist/drop internal device allow list state #10714

Conversation

kubevirt-bot
Contributor

This is an automated cherry-pick of #10689

/assign akalenyu

BugFix: cgroupsv2 device allowlist is bound to virt-handler internal state/block disk device overwritten on hotplug

vasiliy-ul and others added 4 commits November 10, 2023 09:52
When a block volume is non-hotpluggable (i.e. it is specified explicitly
in the VMI spec), the device cgroup permissions are managed purely by
Kubernetes and CRI. For v2, that means a BPF program is assigned to the
POD's cgroup. However, when we manage hotplug volumes, we overwrite the
BPF program to allow access to the new block device. The problem is that
we do not know what the existing BPF program does, hence we just follow
some assumptions about the 'default' devices that we need to allow (e.g.
/dev/kvm and some others). We need to also consider the non-hotpluggable
volumes, otherwise a VM with a block PVC or DV will fail to start if a
hotplug volume is attached to it.

Signed-off-by: Vasiliy Ulyanov <vulyanov@suse.de>
Signed-off-by: Alex Kalenyuk <akalenyu@redhat.com>
Signed-off-by: Vasiliy Ulyanov <vulyanov@suse.de>
Signed-off-by: Alex Kalenyuk <akalenyu@redhat.com>
Keep the existing device rules within the manager state.

Signed-off-by: Vasiliy Ulyanov <vulyanov@suse.de>
Signed-off-by: Alex Kalenyuk <akalenyu@redhat.com>
…rsistent disk

Signed-off-by: Alex Kalenyuk <akalenyu@redhat.com>
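As an added illustration (not KubeVirt's own code), a small Go model of the allowlist handling the commit message above describes: `overwriteAllowlist` mirrors the bug (only the assumed defaults plus the hotplugged device survive, so the VMI's own block PVC rule is lost), and `reconstructAllowlist` mirrors the fix (the rules already in effect are kept in the manager state and the new device is merged in). The function names, the devices.list-style text format and the sample major:minor numbers are constructed assumptions; the real program on the pod cgroup is BPF, not a text list.

```go
package main

import (
	"fmt"
	"strings"
)

// DeviceRule is one device-cgroup allowlist entry: "<b|c> <major>:<minor> <rwm>".
type DeviceRule struct {
	Type, Access string
	Major, Minor int64
}
func (r DeviceRule) Key() string { return fmt.Sprintf("%s %d:%d", r.Type, r.Major, r.Minor) }

// ParseRule parses a devices.list-style line such as "b 8:16 rwm".
func ParseRule(line string) (DeviceRule, error) {
	var r DeviceRule
	n, err := fmt.Sscanf(line, "%1s %d:%d %s", &r.Type, &r.Major, &r.Minor, &r.Access)
	if err != nil || n != 4 || (r.Type != "b" && r.Type != "c") {
		return DeviceRule{}, fmt.Errorf("malformed device rule %q", line)
	}
	return r, nil
}

// Devices assumed to be needed by every launcher pod (constructed sample; /dev/kvm is char 10:232).
var defaultRules = []DeviceRule{{Type: "c", Major: 10, Minor: 232, Access: "rwm"}}

// overwriteAllowlist models the bug: only the assumed defaults plus the hotplugged device remain.
func overwriteAllowlist(hotplug DeviceRule) []DeviceRule {
	return append(append([]DeviceRule{}, defaultRules...), hotplug)
}
// reconstructAllowlist models the fix: existing rules stay and the new one is merged (first rule per device wins).
func reconstructAllowlist(existing []DeviceRule, hotplug DeviceRule) []DeviceRule {
	seen, out := map[string]bool{}, []DeviceRule{}
	for _, r := range append(append(append([]DeviceRule{}, existing...), defaultRules...), hotplug) {
		if !seen[r.Key()] {
			seen[r.Key()], out = true, append(out, r)
		}
	}
	return out
}
// Allows reports whether rules grant every access mode that dev asks for.
func Allows(rules []DeviceRule, dev DeviceRule) bool {
	for _, r := range rules {
		if r.Key() == dev.Key() {
			return strings.Trim(dev.Access, r.Access) == ""
		}
	}
	return false
}
```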
@kubevirt-bot kubevirt-bot added the release-note Denotes a PR that will be considered when it comes time to generate release notes. label Nov 10, 2023
@kubevirt-bot kubevirt-bot added the dco-signoff: yes Indicates the PR's author has DCO signed all their commits. label Nov 10, 2023
@awels
Member

awels commented Nov 10, 2023

/lgtm

@kubevirt-bot kubevirt-bot added the lgtm Indicates that a PR is ready to be merged. label Nov 10, 2023
Member

@xpivarc xpivarc left a comment


/approve

@kubevirt-bot
Contributor Author

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: xpivarc

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@kubevirt-bot kubevirt-bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Nov 13, 2023
@xpivarc
Member

xpivarc commented Nov 13, 2023

/retest

@akalenyu
Contributor

/test pull-kubevirt-e2e-k8s-1.26-sig-storage

@kubevirt-bot
Contributor Author

@akalenyu: The specified target(s) for /test were not found.
The following commands are available to trigger required jobs:

  • /test pull-kubevirt-apidocs-1.1
  • /test pull-kubevirt-build-1.1
  • /test pull-kubevirt-build-arm64-1.1
  • /test pull-kubevirt-check-unassigned-tests-1.1
  • /test pull-kubevirt-client-python-1.1
  • /test pull-kubevirt-e2e-k8s-1.26-sig-compute-1.1
  • /test pull-kubevirt-e2e-k8s-1.26-sig-monitoring-1.1
  • /test pull-kubevirt-e2e-k8s-1.26-sig-network-1.1
  • /test pull-kubevirt-e2e-k8s-1.26-sig-operator-1.1
  • /test pull-kubevirt-e2e-k8s-1.26-sig-storage-1.1
  • /test pull-kubevirt-e2e-k8s-1.27-ipv6-sig-network-1.1
  • /test pull-kubevirt-e2e-k8s-1.27-sig-compute-1.1
  • /test pull-kubevirt-e2e-k8s-1.27-sig-compute-realtime-1.1
  • /test pull-kubevirt-e2e-k8s-1.27-sig-network-1.1
  • /test pull-kubevirt-e2e-k8s-1.27-sig-operator-1.1
  • /test pull-kubevirt-e2e-k8s-1.27-sig-performance-1.1
  • /test pull-kubevirt-e2e-k8s-1.27-sig-storage-1.1
  • /test pull-kubevirt-e2e-k8s-1.28-sig-compute-1.1
  • /test pull-kubevirt-e2e-k8s-1.28-sig-compute-migrations-1.1
  • /test pull-kubevirt-e2e-k8s-1.28-sig-network-1.1
  • /test pull-kubevirt-e2e-k8s-1.28-sig-operator-1.1
  • /test pull-kubevirt-e2e-k8s-1.28-sig-storage-1.1
  • /test pull-kubevirt-e2e-kind-1.27-sriov-1.1
  • /test pull-kubevirt-e2e-kind-1.27-vgpu-1.1
  • /test pull-kubevirt-e2e-windows2016-1.1
  • /test pull-kubevirt-generate-1.1
  • /test pull-kubevirt-manifests-1.1
  • /test pull-kubevirt-prom-rules-verify-1.1
  • /test pull-kubevirt-unit-test-1.1
  • /test pull-kubevirt-verify-go-mod-1.1
  • /test pull-kubevirtci-bump-kubevirt-1.1

The following commands are available to trigger optional jobs:

  • /test build-kubevirt-builder-1.1
  • /test pull-kubevirt-check-tests-for-flakes-1.1
  • /test pull-kubevirt-code-lint-1.1
  • /test pull-kubevirt-e2e-arm64-1.1
  • /test pull-kubevirt-e2e-k8s-1.25-fips-sig-compute-1.1
  • /test pull-kubevirt-e2e-k8s-1.26-ipv6-sig-network-1.1
  • /test pull-kubevirt-e2e-k8s-1.26-sev-1.1
  • /test pull-kubevirt-e2e-k8s-1.26-sig-compute-root-1.1
  • /test pull-kubevirt-e2e-k8s-1.26-sig-network-multus-v4-1.1
  • /test pull-kubevirt-e2e-k8s-1.26-sig-storage-root-1.1
  • /test pull-kubevirt-e2e-k8s-1.26-single-node-1.1
  • /test pull-kubevirt-e2e-k8s-1.26-swap-enabled-1.1
  • /test pull-kubevirt-gosec-1.1
  • /test pull-kubevirt-goveralls-1.1
  • /test pull-kubevirt-metrics-lint-1.1
  • /test pull-kubevirt-unit-test-arm64-1.1
  • /test pull-kubevirt-verify-rpms-1.1

Use /test all to run the following jobs that were automatically triggered:

  • pull-kubevirt-apidocs-1.1
  • pull-kubevirt-build-1.1
  • pull-kubevirt-build-arm64-1.1
  • pull-kubevirt-check-tests-for-flakes-1.1
  • pull-kubevirt-check-unassigned-tests-1.1
  • pull-kubevirt-client-python-1.1
  • pull-kubevirt-code-lint-1.1
  • pull-kubevirt-e2e-arm64-1.1
  • pull-kubevirt-e2e-k8s-1.26-sig-compute-1.1
  • pull-kubevirt-e2e-k8s-1.26-sig-network-1.1
  • pull-kubevirt-e2e-k8s-1.26-sig-operator-1.1
  • pull-kubevirt-e2e-k8s-1.26-sig-storage-1.1
  • pull-kubevirt-e2e-k8s-1.27-ipv6-sig-network-1.1
  • pull-kubevirt-e2e-k8s-1.27-sig-compute-1.1
  • pull-kubevirt-e2e-k8s-1.27-sig-network-1.1
  • pull-kubevirt-e2e-k8s-1.27-sig-operator-1.1
  • pull-kubevirt-e2e-k8s-1.27-sig-performance-1.1
  • pull-kubevirt-e2e-k8s-1.27-sig-storage-1.1
  • pull-kubevirt-e2e-k8s-1.28-sig-compute-1.1
  • pull-kubevirt-e2e-k8s-1.28-sig-compute-migrations-1.1
  • pull-kubevirt-e2e-k8s-1.28-sig-network-1.1
  • pull-kubevirt-e2e-k8s-1.28-sig-operator-1.1
  • pull-kubevirt-e2e-k8s-1.28-sig-storage-1.1
  • pull-kubevirt-e2e-kind-1.27-sriov-1.1
  • pull-kubevirt-e2e-kind-1.27-vgpu-1.1
  • pull-kubevirt-e2e-windows2016-1.1
  • pull-kubevirt-generate-1.1
  • pull-kubevirt-goveralls-1.1
  • pull-kubevirt-manifests-1.1
  • pull-kubevirt-prom-rules-verify-1.1
  • pull-kubevirt-unit-test-1.1
  • pull-kubevirt-unit-test-arm64-1.1
  • pull-kubevirt-verify-go-mod-1.1

In response to this:

/test pull-kubevirt-e2e-k8s-1.26-sig-storage

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@akalenyu
Contributor

/test pull-kubevirt-e2e-k8s-1.26-sig-storage-1.1

@kubevirt-bot kubevirt-bot merged commit 544ecfa into kubevirt:release-1.1 Nov 13, 2023
36 checks passed
Labels
approved: Indicates a PR has been approved by an approver from all required OWNERS files.
dco-signoff: yes: Indicates the PR's author has DCO signed all their commits.
lgtm: Indicates that a PR is ready to be merged.
release-note: Denotes a PR that will be considered when it comes time to generate release notes.
size/XL