Bug
Resolution: Unresolved
Normal
CNV v4.18.0
Quality / Stability / Reliability
Important
Customer Reported
Description of problem:
The issue is observed while using the IBM FlashSystem storage class. Creating the TPM directory fails with the following error:
message: 'server error. command SyncVMI failed: "LibvirtError(Code=38, Domain=0, Message=''Could not create TPM directory /var/run/kubevirt-private/libvirt/qemu/swtpm/67633203-8c32-53ad-935c-5abd8139f0e9: Permission denied'')"'
So the group ownership is not being propagated to the mounted directory as expected. The virt-launcher pod runs with "fsGroup: 107" in its security context:
    oc get pod virt-launcher-vm-name-ccw82 -o yaml | yq '.spec.securityContext'
    fsGroup: 107 <===
    runAsGroup: 107
    runAsNonRoot: true
    runAsUser: 107
As per https://kubernetes-csi.github.io/docs/support-fsgroup.html , the CSI driver should set the group of the volume to 107 when the pod passes fsGroup: 107 in its pod definition.
However, the problem here is the fsGroupPolicy for the CSI driver is "ReadWriteOnceWithFSType".
    attachRequired: true
    fsGroupPolicy: ReadWriteOnceWithFSType <===
    podInfoOnMount: false
    requiresRepublish: false
    seLinuxMount: false
    storageCapacity: false
    volumeLifecycleModes:
    - Persistent
And the storage profile has RWX for Filesystem volume mode by default:
    status:
      claimPropertySets:
      - accessModes:
        - ReadWriteMany
        volumeMode: Block
      - accessModes:
        - ReadWriteOnce
        volumeMode: Block
      - accessModes:
        - ReadWriteOnce
        volumeMode: Filesystem
      - accessModes:
        - ReadWriteMany <===
        volumeMode: Filesystem <===
      cloneStrategy: snapshot
      dataImportCronSourceFormat: pvc
      provisioner: block.csi.ibm.com
As per https://github.com/kubevirt/kubevirt/blob/fc7e7972922cfa7876fe8945036c53e17ed05819/pkg/storage/backend-storage/backend-storage.go#L442C1-L461C1, RWX Filesystem is preferred when the storage profile offers Filesystem RWX. KubeVirt therefore creates an RWX Filesystem PVC for the TPM volume, and because the CSI driver's fsGroupPolicy is ReadWriteOnceWithFSType, fsGroup is not applied to that volume and the permissions are never set.
The workaround for the customer was to modify the storage profile and remove Filesystem RWX from the claimPropertySets. Removing it is acceptable for them because they use Block RWX for the VM disks.
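The claimPropertySet preference and the CSIDriver fsGroupPolicy rules described above, as an added model for predicting whether the TPM PVC will get fsGroup 107 (example code, not from the report, KubeVirt or the IBM CSI driver); the fallback after an RWX Filesystem set and the ext4 fsType are assumptions:

```python
# Added example: models the fsGroupPolicy semantics from
# https://kubernetes-csi.github.io/docs/support-fsgroup.html and the
# storage-profile preference the report describes. Not KubeVirt code.
from dataclasses import dataclass

RWO, RWX = "ReadWriteOnce", "ReadWriteMany"

@dataclass(frozen=True)
class ClaimPropertySet:
    access_modes: tuple
    volume_mode: str

def pick_tpm_claim(sets):
    """A Filesystem set with ReadWriteMany wins, as the report states;
    falling back to any other Filesystem set is an assumption."""
    fs_sets = [s for s in sets if s.volume_mode == "Filesystem"]
    for s in fs_sets:
        if RWX in s.access_modes:
            return s
    return fs_sets[0] if fs_sets else None

def fsgroup_applied(policy, claim, fs_type="ext4"):
    """True if the kubelet will chown the volume to the pod's fsGroup."""
    if claim.volume_mode != "Filesystem":
        return False                      # block volumes never get fsGroup
    if policy == "None":
        return False
    if policy == "File":
        return True
    if policy == "ReadWriteOnceWithFSType":
        # requires a defined fsType AND a ReadWriteOnce access mode
        return bool(fs_type) and RWO in claim.access_modes
    raise ValueError(f"unknown fsGroupPolicy {policy!r}")

def tpm_volume_ok(policy, sets):
    """Will the PVC KubeVirt picks for the TPM volume get fsGroup 107?"""
    claim = pick_tpm_claim(sets)
    return claim is not None and fsgroup_applied(policy, claim)

# Constructed from the block.csi.ibm.com storage profile quoted above.
IBM_PROFILE = (
    ClaimPropertySet((RWX,), "Block"),
    ClaimPropertySet((RWO,), "Block"),
    ClaimPropertySet((RWO,), "Filesystem"),
    ClaimPropertySet((RWX,), "Filesystem"),
)
# The customer's workaround: drop the RWX Filesystem set.
WORKAROUND_PROFILE = tuple(
    s for s in IBM_PROFILE
    if not (s.volume_mode == "Filesystem" and RWX in s.access_modes))
```

With the default profile `tpm_volume_ok("ReadWriteOnceWithFSType", IBM_PROFILE)` is False (the failure in this report); with the workaround profile it is True.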
Version-Release number of selected component (if applicable):
4.18.0
How reproducible:
100% in the customer's environment
Steps to Reproduce:
Create a Windows VM with a TPM device on the IBM FlashSystem storage class
Actual results:
Permission denied error while starting a virtual machine with a TPM device
Expected results:
Starting a virtual machine that uses a TPM device should work without customizing the storage profile
Additional info: