[release-4.13] OCPBUGS-14850: Allow userfaultfd syscall to be used by unprivileged users #3743
To implement post-copy migrations in OpenShift Virtualization (CNV), QEMU uses the userfaultfd system call. Lately this syscall was blocked by the kernel by default [1]. This effectively broke post-copy migrations. Instead, there are three ways to grant permission to use userfaultfd [1]:

* By allowing unprivileged users to use it explicitly via sysctl
* By granting `CAP_SYS_PTRACE` capability to a process / container
* By exposing the `/dev/userfaultfd` to a container

This basically leaves us with two options:

1. Expose `/dev/userfaultfd` by writing a Kubernetes device plugin. This way every pod can ask for such device.
2. Allow the use of the syscall by toggling sysctl, and use seccomp to allow only VM pods (a.k.a. virt-launcher pods) to use it.

After some discussions, we think that the second option is better in terms of security. The main problem with a device plugin is that every pod on the system can ask to use it and potentially compromise the system. With the second option, only VM pods can use the syscall, which narrows down the attack surface. In addition, a device plugin is much more visible to Kubernetes users than a seccomp profile, which is likely to be hidden from most users.

Since the syscall was available to use by anyone in previous versions (before the kernel blocked it), we feel that by allowing it we won't make things worse than what we had in the past, but rather make things more secure since we will now at least use seccomp profiles to deny it from non-VM pods. Seccomp profiles that disallow the usage of the `userfaultfd` syscall are already in place.

[1] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=2d5de004e009add27db76c5cdc9f1f7f7dc087e7

Signed-off-by: Itamar Holder <iholder@redhat.com>
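The description above layers two controls: a node-wide sysctl that re-opens userfaultfd to unprivileged users, and per-pod seccomp profiles that close it again for everything except virt-launcher pods. The following Python is an added example (my code, not code from this PR or from the machine-config-operator project) that evaluates that layering for a given pod: it reads an OCI-format seccomp profile, decides whether the profile blocks `userfaultfd` for every caller, and combines that with the sysctl value. The three profiles are constructed samples, not the profiles OpenShift ships; the sysctl name `vm.unprivileged_userfaultfd` is the kernel knob that governs this, but the PR text does not name it, so treating it as the one the backport toggles is an assumption. The `SCMP_ACT_LOG` profile is included because it is a realistic mistake: it records the call but still allows it.

```python
import json

# Seccomp actions that stop the call from executing. SCMP_ACT_ALLOW and
# SCMP_ACT_LOG both let it through (LOG only records it), so a "deny" rule
# written with SCMP_ACT_LOG is a common misconfiguration.
DENY_ACTIONS = {
    "SCMP_ACT_ERRNO", "SCMP_ACT_KILL", "SCMP_ACT_KILL_PROCESS",
    "SCMP_ACT_KILL_THREAD", "SCMP_ACT_TRAP",
}

# Constructed sample profiles in the OCI/containers seccomp JSON format.
# They are illustrations only, not the profiles OpenShift actually ships.
VM_POD_PROFILE = json.loads("""
{
  "defaultAction": "SCMP_ACT_ALLOW",
  "syscalls": []
}
""")

GENERIC_POD_PROFILE = json.loads("""
{
  "defaultAction": "SCMP_ACT_ALLOW",
  "syscalls": [
    {"names": ["userfaultfd"], "action": "SCMP_ACT_ERRNO", "errnoRet": 1}
  ]
}
""")

LOG_ONLY_PROFILE = json.loads("""
{
  "defaultAction": "SCMP_ACT_ALLOW",
  "syscalls": [
    {"names": ["userfaultfd"], "action": "SCMP_ACT_LOG"}
  ]
}
""")


def syscall_action(profile: dict, name: str) -> str:
    """Return the action the profile applies to syscall `name`.

    Only unconditional rules (no `args` filter) are considered: a rule that
    matches on arguments cannot block every invocation, so for the purpose
    of a deny check it is ignored and defaultAction governs. This is a
    simplification of libseccomp's full matching, not a reimplementation.
    """
    for rule in profile.get("syscalls", []):
        if name in rule.get("names", []) and not rule.get("args"):
            return rule["action"]
    return profile["defaultAction"]


def userfaultfd_denied(profile: dict) -> bool:
    """True if the profile stops userfaultfd(2) for every caller."""
    return syscall_action(profile, "userfaultfd") in DENY_ACTIONS


def effective_access(unprivileged_userfaultfd: int, profile: dict) -> str:
    """Combine the node-wide sysctl with a pod's seccomp profile.

    `unprivileged_userfaultfd` stands for the value of the kernel sysctl
    vm.unprivileged_userfaultfd (0: only CAP_SYS_PTRACE holders or
    /dev/userfaultfd users; 1: any user). That this is the sysctl the
    backport sets is an assumption, not something the PR text states.
    """
    if userfaultfd_denied(profile):
        return "denied by seccomp"
    if unprivileged_userfaultfd == 0:
        return "denied by kernel sysctl (needs CAP_SYS_PTRACE or /dev/userfaultfd)"
    return "allowed"


if __name__ == "__main__":
    # The layering the PR describes: node sysctl opened, seccomp closes it
    # for everything but VM pods.
    samples = [
        ("virt-launcher pod", VM_POD_PROFILE),
        ("generic pod", GENERIC_POD_PROFILE),
        ("generic pod, LOG rule", LOG_ONLY_PROFILE),
    ]
    for label, profile in samples:
        print(f"{label:24s} sysctl=1 -> {effective_access(1, profile)}")
    print(f"{'virt-launcher pod':24s} sysctl=0 -> "
          f"{effective_access(0, VM_POD_PROFILE)}")
```

Running it prints one line per sample; the useful check for an operator is the third line, which shows that a profile using `SCMP_ACT_LOG` does not actually deny the syscall once the sysctl is opened.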
@openshift-cherrypick-robot: Jira Issue OCPBUGS-14793 has been cloned as Jira Issue OCPBUGS-14850. Will retitle bug to link to clone. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
@openshift-cherrypick-robot: This pull request references Jira Issue OCPBUGS-14850, which is valid. The bug has been moved to the POST state. 6 validation(s) were run on this bug
Requesting review from QA contact: The bug has been updated to refer to the pull request using the external bug tracker. In response to this:
Clean backport
@sinnykumari: GitHub didn't allow me to request PR reviews from the following users: iholder101. Note that only openshift members and repo collaborators can review this PR, and authors cannot review their own PRs. In response to this:
[APPROVALNOTIFIER] This PR is APPROVED
This pull-request has been approved by: openshift-cherrypick-robot, sinnykumari
The full list of commands accepted by this bot can be found here. The pull request process is described here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
@openshift-cherrypick-robot: The following test failed, say
Full PR test history. Your PR dashboard. I understand the commands that are listed here.
/label cherry-pick-approved
Merged ba507b3 into openshift:release-4.13
@openshift-cherrypick-robot: Jira Issue OCPBUGS-14850: All pull requests linked via external trackers have merged: Jira Issue OCPBUGS-14850 has been moved to the MODIFIED state. In response to this:
This is an automated cherry-pick of #3724
/assign sinnykumari