OpenShift Virtualization / CNV-69839

Add steps for starting IBM Secure Execution VMs to Openshift Documentation

    • Type: Bug
    • Resolution: Done
    • Component: CNV Documentation

      Description of problem:

      OCP Virt 4.20 comes with IBM Secure Execution as a Tech Preview. Ensure this feature is documented for customers.

      Version-Release number of selected component (if applicable):

       

      How reproducible:

       

      Steps to Reproduce:

      Launching IBM Secure Execution Virtual Machines on IBM Z and IBM LinuxONE

      TODO: Check other docs for mentions of launch Security and AMD SEV
      - It is mentioned twice: 4.1.5 additional memory overhead and 8.1.1.2 Optional Attributes
      - The latter (8.1.1.2) we need to change, as launchSecurity now also applies to us

      Prerequisites
      - Cluster needs LPAR nodes running on z15 or newer
      - Secure Execution prepared workloads to run on the cluster

      Preparing the cluster

      In order to run Secure Execution VMs, the feature needs to be enabled on the nodes via the kernel
      cmdline. To do this for all worker nodes, apply the following machine configuration:
      ```
      apiVersion: machineconfiguration.openshift.io/v1
      kind: MachineConfig
      metadata:
        labels:
          machineconfiguration.openshift.io/role: worker
        name: secure-execution
      spec:
        kernelArguments:
          - prot_virt=1
      ```
      After applying the configuration, the Machine Config Operator should apply it and reboot the nodes
      in a controlled rollout.

      Additionally, the feature gate for secure execution needs to be enabled. As it is in Tech Preview, this
      will result in a warning being shown in HCO. It can be enabled by annotating the hyperconverged
      resource:
      ```
      metadata:
        annotations:
          kubevirt.kubevirt.io/jsonpatch: |-
            [
              {
                "op": "add",
                "path": "/spec/configuration/developerConfiguration/featureGates/-",
                "value": "SecureExecution"
              }
            ]
      ```

      Launching a Secure Execution VM

      Launching a Secure Execution VM is nearly the same as launching a regular VM. The only important
      part is that `launchSecurity: {}` needs to be enabled. Otherwise, the VM will not boot correctly, as it
      will not have access to its devices.

      Here is a simple example VM:
      ```
      apiVersion: kubevirt.io/v1
      kind: VirtualMachine
      metadata:
        labels:
          kubevirt.io/vm: f41-se
        name: f41-se
      spec:
        runStrategy: Always
        template:
          metadata:
            labels:
              kubevirt.io/vm: f41-se
          spec:
            domain:
              launchSecurity: {}
              devices:
                disks:
                  - disk:
                      bus: virtio
                    name: rootfs
              machine:
                type: ""
              resources:
                requests:
                  memory: 4Gi
            terminationGracePeriodSeconds: 0
            volumes:
              - name: rootfs
                dataVolume:
                  name: f41-se
      ```
      Note: As the memory of the VM is protected, Secure Execution VMs are not live migratable. The VMs
      can only be migrated offline.
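      The three manifests above are easy to get subtly wrong (a missing `prot_virt=1`, a feature gate that never lands, a VM without `launchSecurity`). The following preflight checker is an added example written for this issue, not code from the OpenShift or KubeVirt projects: it mirrors the issue's MachineConfig, HCO annotation and VM as Python dicts (constructed samples, so it runs offline without a YAML library; in practice you would feed it `oc get ... -o json` output), applies the jsonpatch `add` to a featureGates list the way the HCO would, and reports what is missing. The `evictionStrategy: LiveMigrate` check is my own addition derived from the note that SE VMs can only be migrated offline.

```python
import copy
import json

# Constructed sample manifests, mirroring the YAML in this issue as Python dicts
# so the checker runs offline. Load real objects with `oc get ... -o json`.
MACHINE_CONFIG = {
    "apiVersion": "machineconfiguration.openshift.io/v1",
    "kind": "MachineConfig",
    "metadata": {
        "labels": {"machineconfiguration.openshift.io/role": "worker"},
        "name": "secure-execution",
    },
    "spec": {"kernelArguments": ["prot_virt=1"]},
}

# Value of the kubevirt.kubevirt.io/jsonpatch annotation on the hyperconverged resource.
HCO_JSONPATCH = json.dumps([{
    "op": "add",
    "path": "/spec/configuration/developerConfiguration/featureGates/-",
    "value": "SecureExecution",
}])

SE_VM = {
    "apiVersion": "kubevirt.io/v1",
    "kind": "VirtualMachine",
    "metadata": {"name": "f41-se", "labels": {"kubevirt.io/vm": "f41-se"}},
    "spec": {
        "runStrategy": "Always",
        "template": {
            "metadata": {"labels": {"kubevirt.io/vm": "f41-se"}},
            "spec": {
                "domain": {
                    "launchSecurity": {},
                    "devices": {"disks": [{"disk": {"bus": "virtio"}, "name": "rootfs"}]},
                    "machine": {"type": ""},
                    "resources": {"requests": {"memory": "4Gi"}},
                },
                "terminationGracePeriodSeconds": 0,
                "volumes": [{"name": "rootfs", "dataVolume": {"name": "f41-se"}}],
            },
        },
    },
}

# The same VM without launchSecurity: it boots, but has no access to its devices.
PLAIN_VM = copy.deepcopy(SE_VM)
del PLAIN_VM["spec"]["template"]["spec"]["domain"]["launchSecurity"]

FEATURE_GATES_PATH = "/spec/configuration/developerConfiguration/featureGates"


def machineconfig_enables_prot_virt(mc):
    """True if the MachineConfig puts prot_virt=1 on the kernel command line."""
    return "prot_virt=1" in mc.get("spec", {}).get("kernelArguments", [])


def apply_feature_gate_patch(feature_gates, patch_json):
    """Apply the HCO jsonpatch annotation to a featureGates list.

    RFC 6902 'add' with a trailing '/-' appends to the array; anything else is rejected
    so a mistyped path is caught here instead of silently doing nothing on the cluster.
    """
    gates = list(feature_gates)
    for op in json.loads(patch_json):
        if op.get("op") != "add" or op.get("path") != FEATURE_GATES_PATH + "/-":
            raise ValueError(f"unexpected patch operation: {op}")
        if op["value"] not in gates:
            gates.append(op["value"])
    return gates


def vm_findings(vm):
    """Findings for a VirtualMachine that is meant to run under Secure Execution."""
    tspec = vm.get("spec", {}).get("template", {}).get("spec", {})
    findings = []
    if "launchSecurity" not in tspec.get("domain", {}):
        findings.append("domain.launchSecurity is not set: the VM will boot without access to its devices")
    # Added check (not from the issue): SE VMs cannot be live-migrated, so an eviction
    # strategy that depends on live migration will fail at drain time.
    if tspec.get("evictionStrategy") == "LiveMigrate":
        findings.append("evictionStrategy LiveMigrate is unsupported: SE VMs can only be migrated offline")
    return findings


def preflight(mc, current_feature_gates, patch_json, vm):
    """Collect every finding across node kernel config, HCO feature gate and VM manifest."""
    findings = []
    if not machineconfig_enables_prot_virt(mc):
        findings.append("MachineConfig does not set prot_virt=1 on the kernel command line")
    if "SecureExecution" not in apply_feature_gate_patch(current_feature_gates, patch_json):
        findings.append("SecureExecution feature gate is not enabled on the hyperconverged resource")
    findings.extend(vm_findings(vm))
    return findings


if __name__ == "__main__":
    for name, vm in (("f41-se", SE_VM), ("f41-se without launchSecurity", PLAIN_VM)):
        result = preflight(MACHINE_CONFIG, [], HCO_JSONPATCH, vm)
        print(name, "->", result or "OK")
```

      Running it prints `OK` for the issue's VM and one finding for the copy without `launchSecurity`; an empty featureGates list is passed as the starting point to show that the annotation appends `SecureExecution` rather than replacing existing gates.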

      Actual results:

       

      Expected results:

       

      Additional info:

       

              sniemann@redhat.com Silke Niemann
              jschinta@redhat.com Jan Schintag