Remove SYS_RESOURCE capability from launcher pod #2584

Merged: 6 commits, Aug 30, 2019

Commits on Aug 27, 2019

  1. Use syscall.Setrlimit instead of direct RawSyscall6

    This syscall is implemented in libraries we use anyway, so we can
    easily avoid dealing with unsafe pointers etc.
    booxter committed Aug 27, 2019
    Commit 1034cd2
  2. Remove SYS_RESOURCE capability from launcher pod

    Instead, set the (unlimited) limit for libvirtd from handler pod that
    is already privileged.
    booxter committed Aug 27, 2019
    Commit dc7fa75
  3. Estimate rlimit for memlock for vfio backed SR-IOV interfaces

    Instead of setting to unlimited, try to estimate the actual amount
    libvirtd may need for the VM. The actual formula in libvirtd code is
    very complex and hard to reproduce (it involves estimating necessary
    resources based on NUMA topology, number of CPUs, platform specific
    requirements for memory alignment etc.) We are not going to reproduce it
    in kubevirt, instead making our best conservative guess and then
    allowing libvirtd to set the actual calculated value (that should work
    as long as the value used by libvirtd is lower than the limit we set in
    kubevirt).
    booxter committed Aug 27, 2019
    Commit 822f904
  4. Commit a3418f1
  5. Don't adjust RLIMIT_MEMLOCK for libvirtd unless VFIO is attached

    Libvirtd configures the limit in particular domain configurations
    only. This limit adjustment is of no use for VMIs not attached to
    VFIO.
    booxter committed Aug 27, 2019
    Commit 228587f
  6. Commit 17db974