[RHEL-9921] Run virtiofsd unprivileged for CNV

Type: Epic
Resolution: Done
Priority: Major
Fix Version/s: None
Affects Version/s: None
Component/s: virtiofsd
Labels:
- rhel-sst-cnv

Epic Name:
Run virtiofsd unprivileged for CNV
Severity:
Medium
Products:

Red Hat OpenShift Virtualization
Hierarchy Progress Bar:

0% To Do, 0% In Progress, 100% Done

Pool Team:

rhel-sst-virtualization-storage
Sub-System Group:

ssg_virtualization

Story Points:
8
Blocked:
False
Blocked Reason:

Hide

None

Show
None

Experience:

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

Description

CNV wants to run virtiofsd unprivileged. Some basic support has been already added by German which allows for singe uid/gid.

One can also run virtiofsd inside a user namespace to to support arbitrary uid/gid.

As per discussions with Adam Litke, support for unprivileged virtiofsd has been identified as one of the core requirements for CNV.

Hence I am creating this Epic to keep track of all the bugs/issues/stories associated with this Epic. Will be easy to have discussions and keep track of various issues in a single place.

Acceptance Criteria

A list of specific needs or objectives must be delivered to satisfy the epic.

< What needs to be developed in order for this epic to satisfy the intent of the work? >

Verify X
Verify Y
Verify Z

What SSTs and Layered Product teams should review this?

blocks

CNV-27131 GA: File-system based attachment of Secrets/ConfigMaps to VMs in API

Backlog

is related to

RHEL-7386 [libvirt] Add support to run virtiofsd inside a user namespace (unprivileged)

Closed

Tingting Mao added a comment - 2024/08/19 6:43 AM

Close this issue as the issues in this epic are all done.

Tingting Mao added a comment - 2024/08/19 6:43 AM Close this issue as the issues in this epic are all done.

German Maglione added a comment - 2023/11/08 5:29 PM

This will be a first approach, running virtiofsd without any privilege and without a user namespace. We already do that for configMaps, secrets, serviceAccounts and downwardAPIs, but extends it for PVs

virtiofs: Run unprivileged without feature gate
https://github.com/kubevirt/kubevirt/pull/10657

German Maglione added a comment - 2023/11/08 5:29 PM This will be a first approach, running virtiofsd without any privilege and without a user namespace. We already do that for configMaps, secrets, serviceAccounts and downwardAPIs, but extends it for PVs virtiofs: Run unprivileged without feature gate https://github.com/kubevirt/kubevirt/pull/10657

Dan Kenigsberg added a comment - 2023/09/12 11:09 AM

Marking this epic as blocking CNV-27131 because there is no way to delivering virtiofs in CNV without this epic completion.

Dan Kenigsberg added a comment - 2023/09/12 11:09 AM Marking this epic as blocking CNV-27131 because there is no way to delivering virtiofs in CNV without this epic completion.

Assignee:: German Maglione

Reporter:: Vivek Goyal

Contributors:: German Maglione, Hanna Czenczek, Jano Tomko

QA Contact:: Tingting Mao

Votes:: 0 Vote for this issue

Watchers:: 9 Start watching this issue

Created:: 2023/08/15 9:18 PM

Updated:: 2024/11/19 6:26 PM

Resolved:: 2024/08/19 6:43 AM

Details

Description

Description

Acceptance Criteria

What SSTs and Layered Product teams should review this?

Attachments

Issue Links

Easy Agile Planning Poker

Activity

Collapse comment: Tingting Mao added a comment - 2024/08/19 6:43 AM

Expand comment: Tingting Mao added a comment - 2024/08/19 6:43 AM

Collapse comment: German Maglione added a comment - 2023/11/08 5:29 PM

Expand comment: German Maglione added a comment - 2023/11/08 5:29 PM

Collapse comment: Dan Kenigsberg added a comment - 2023/09/12 11:09 AM

Expand comment: Dan Kenigsberg added a comment - 2023/09/12 11:09 AM

People

Dates