migration: match SELinux level of source pod on target pod

[jean-edouard]

What this PR does / why we need it:
When VMIs use RWX disks based on some storage classes, like cephfs, both the source and target pods of a migration need to have access to the files.
There are 2 ways to achieve that:

• either remove the SELinux categories on the files for the duration of the migration (see WIP: host-disk: remove SELinux categories during migration #9190)
• or match the source categories of the source pod on the target pod

Both solutions have negative security implications, but they're the only way to deal with shared resources.
I believe this is the best approach, as it doesn't mess with the disk and doesn't expose files to the entire node/cluster for the duration of the migration.
The only downside here is that the target node could (have) create(d) a pod with the same categories.

Which issue(s) this PR fixes (optional, in fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when PR gets merged):
Fixes #

Special notes for your reviewer:

Release note:

Fixed migration issue for VMIs that have RWX disks backed by filesystem storage classes.

[jean-edouard]

/retest

[jean-edouard]

/retest-required

[jean-edouard]

A functest was added and this is now ready for reviews!

[jean-edouard]

/retest

[akalenyu]

Looks good!

This does not happen in the RWX Block case, right?
I am just trying to understand why this was never an issue with our CI lanes
running ceph rbd migrations

[akalenyu]

just a suggestion, may be worth to try construct the context and grab the level out of it?

kubevirt/vendor/github.com/opencontainers/selinux/go-selinux/selinux_linux.go

Lines 724 to 739 in 897d63c

	func newContext(label string) (Context, error) {
	c := make(Context)
	if len(label) != 0 {
	con := strings.SplitN(label, ":", 4)
	if len(con) < 3 {
	return c, InvalidLabel
	}
	c["user"] = con[0]
	c["role"] = con[1]
	c["type"] = con[2]
	if len(con) > 3 {
	c["level"] = con[3]
	}
	}
	return c, nil

[jean-edouard]

Good point, will do!

[jean-edouard]

Looks good!

This does not happen in the RWX Block case, right? I am just trying to understand why this was never an issue with our CI lanes running ceph rbd migrations

This is actually specifically for RWX, but it's needed only for FS CSIs (at least from what I've seen so far). Ceph rbd shouldn't need this.

[akalenyu]

Looks good!
This does not happen in the RWX Block case, right? I am just trying to understand why this was never an issue with our CI lanes running ceph rbd migrations

This is actually specifically for RWX, but it's needed only for FS CSIs (at least from what I've seen so far). Ceph rbd shouldn't need this.

Yeah I am just trying to understand why this isn't a problem for ceph rbd, interesting

[jean-edouard]

Looks good!
This does not happen in the RWX Block case, right? I am just trying to understand why this was never an issue with our CI lanes running ceph rbd migrations

This is actually specifically for RWX, but it's needed only for FS CSIs (at least from what I've seen so far). Ceph rbd shouldn't need this.

Yeah I am just trying to understand why this isn't a problem for ceph rbd, interesting

Don't quote me on that, but I think dev nodes for the block volumes get their own label inside the pod mount namespace thanks to overlayfs.
However, for FS volumes, the labels are handled at the filesystem level inside each volume, and there's not much k8s/overlayfs can do there.
As you can probably see I'm no k8s storage expert, but hopefully that helps!

[akalenyu]

/lgtm

[jean-edouard]

/cc @xpivarc @vladikr
/retest

[xpivarc]

Hey @jean-edouard ,
Did you have a chance to explore how this works in Kubernetes? I mean what happens if I want ReplicaSet with shared pvc? Will only one of these Pods get to read and write to pvc?

Also how is possible we did hit this only now? Is it possible this is a problem specific to a subset of CSIs?

Sorry for the delay I should be more available moving forward.

[jean-edouard]

Hey @jean-edouard , Did you have a chance to explore how this works in Kubernetes? I mean what happens if I want ReplicaSet with shared pvc? Will only one of these Pods get to read and write to pvc?

With cephfs, I believe so yes. Unless some privileged entity auto-relabels new files with the level s0 (removing the categories).

Also how is possible we did hit this only now? Is it possible this is a problem specific to a subset of CSIs?

Yes, so far this issue has only been seen with cephfs. It is discussed here:
ceph/ceph-csi#3562

[jean-edouard]

/retest

[jean-edouard]

@akalenyu could you please re-review and maybe re-lgtm? Thanks!
@xpivarc can we unhold?

[akalenyu]

Is this condition correct? If the tunable for this is omitted, it's an opt-in?
Also, just nitpicking, it may be nice to return early if the tunable is false, avoiding the extra indentation
Would probably mean this chunk needs to get extracted to it's own func

[jean-edouard]

Yeah, it's true by default, as discussed there: #9246 (comment)
I'll address the second part asap, thank you!

[jean-edouard]

Done, PTAL!

[xpivarc]

/hold cancel

[akalenyu]

/lgtm

[kubevirt-commenter-bot]

/retest-required
This bot automatically retries required jobs that failed/flaked on approved PRs.
Silence the bot with an /lgtm cancel or /hold comment for consistent failures.

[kubevirt-commenter-bot]

/retest-required
This bot automatically retries required jobs that failed/flaked on approved PRs.
Silence the bot with an /lgtm cancel or /hold comment for consistent failures.

[kubevirt-commenter-bot]

/retest-required
This bot automatically retries required jobs that failed/flaked on approved PRs.
Silence the bot with an /lgtm cancel or /hold comment for consistent failures.

[brianmcarey]

@jean-edouard - just a heads up. It looks like the SRIOV lane has never passed on this PR so there might be an issue there.
https://prow.ci.kubevirt.io/pr-history/?org=kubevirt&repo=kubevirt&pr=9246

Not sure if there is a point in leaving this to just retest.

[xpivarc]

/hold

[xpivarc]

Seems we do "selinuxContext": "none",

[jean-edouard]

Really nice catch, thank you! Should be fixed now.

[xpivarc]

I agree @brianmcarey

[xpivarc]

/lgtm

[xpivarc]

@jean-edouard maybe we can introduce helpers for this so we don't get this wrong again in future

[jean-edouard]

@jean-edouard maybe we can introduce helpers for this so we don't get this wrong again in future

@xpivarc good idea, ok to do in a later PR and unhold this one? Thanks you!

[xpivarc]

/hold cancel
@jean-edouard Sorry I have missed the hold!

[jean-edouard]

/test pull-kubevirt-e2e-kind-1.27-sriov

[kubevirt-bot]

@jean-edouard: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
pull-kubevirt-e2e-kind-1.23-sriov	7bbf98d	link	true	/test pull-kubevirt-e2e-kind-1.23-sriov
pull-kubevirt-fossa	cae7333	link	false	/test pull-kubevirt-fossa
pull-kubevirt-e2e-k8s-1.24-sig-compute	80254d4	link	true	/test pull-kubevirt-e2e-k8s-1.24-sig-compute
pull-kubevirt-e2e-k8s-1.26-sig-compute	8c11802	link	unknown	/test pull-kubevirt-e2e-k8s-1.26-sig-compute

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

[jean-edouard]

/retest