pool/kubevirt
SHA256
4
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

- Fix guest-console-log failure during live migration and Harvester upgrades

Browse Source 
0001-feat-pass-timeout-from-virt-monitor-to-virt-tail.patch
- Fix SEV(ES) guests not being bootable from incompatible firmware
  0002-Ensure-SEV-VMs-use-stateless-OVMF-firmware.patch (bsc#1232762)

OBS-URL: https://build.opensuse.org/package/show/Virtualization/kubevirt?expand=0&rev=171
This commit is contained in:
Caleb Crane 2025-01-18 00:04:44 +00:00 committed by Git OBS Bridge
commit dbcba5321a
16 changed files with 3210 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

23
.gitattributes vendored Normal file
View File

@ -0,0 +1,23 @@
## Default LFS
*.7z filter=lfs diff=lfs merge=lfs -text
*.bsp filter=lfs diff=lfs merge=lfs -text
*.bz2 filter=lfs diff=lfs merge=lfs -text
*.gem filter=lfs diff=lfs merge=lfs -text
*.gz filter=lfs diff=lfs merge=lfs -text
*.jar filter=lfs diff=lfs merge=lfs -text
*.lz filter=lfs diff=lfs merge=lfs -text
*.lzma filter=lfs diff=lfs merge=lfs -text
*.obscpio filter=lfs diff=lfs merge=lfs -text
*.oxt filter=lfs diff=lfs merge=lfs -text
*.pdf filter=lfs diff=lfs merge=lfs -text
*.png filter=lfs diff=lfs merge=lfs -text
*.rpm filter=lfs diff=lfs merge=lfs -text
*.tbz filter=lfs diff=lfs merge=lfs -text
*.tbz2 filter=lfs diff=lfs merge=lfs -text
*.tgz filter=lfs diff=lfs merge=lfs -text
*.ttf filter=lfs diff=lfs merge=lfs -text
*.txz filter=lfs diff=lfs merge=lfs -text
*.whl filter=lfs diff=lfs merge=lfs -text
*.xz filter=lfs diff=lfs merge=lfs -text
*.zip filter=lfs diff=lfs merge=lfs -text
*.zst filter=lfs diff=lfs merge=lfs -text

1
.gitignore vendored Normal file
View File

@ -0,0 +1 @@
.osc

455
0001-Collect-component-Role-rules-under-operator-Role-ins.patch Normal file
View File

@ -0,0 +1,455 @@
From 5b86f015a18b4f01ed5dd475509a7bd6ccd1dc67 Mon Sep 17 00:00:00 2001
From: Jed Lejosne <jed@redhat.com>
Date: Mon, 10 Jun 2024 11:34:23 -0400
Subject: [PATCH] Collect component Role rules under operator Role instead of
ClusterRole
Signed-off-by: Jed Lejosne <jed@redhat.com>
---
manifests/generated/operator-csv.yaml.in | 124 +++++++++---------
.../rbac-operator.authorization.k8s.yaml.in | 124 +++++++++---------
.../resource/generate/rbac/operator.go | 35 +++--
.../resource/generate/rbac/operator_test.go | 18 +++
4 files changed, 169 insertions(+), 132 deletions(-)
diff --git a/manifests/generated/operator-csv.yaml.in b/manifests/generated/operator-csv.yaml.in
index b50caafad..e70bb676b 100644
--- a/manifests/generated/operator-csv.yaml.in
+++ b/manifests/generated/operator-csv.yaml.in
@@ -464,14 +464,6 @@ spec:
- create
- list
- get
- - apiGroups:
- - ""
- resources:
- - configmaps
- verbs:
- - get
- - list
- - watch
- apiGroups:
- ""
resources:
@@ -721,42 +713,6 @@ spec:
verbs:
- list
- watch
- - apiGroups:
- - route.openshift.io
- resources:
- - routes
- verbs:
- - list
- - get
- - watch
- - apiGroups:
- - ""
- resources:
- - secrets
- verbs:
- - list
- - get
- - watch
- - apiGroups:
- - networking.k8s.io
- resources:
- - ingresses
- verbs:
- - list
- - get
- - watch
- - apiGroups:
- - coordination.k8s.io
- resources:
- - leases
- verbs:
- - get
- - list
- - watch
- - delete
- - update
- - create
- - patch
- apiGroups:
- kubevirt.io
resources:
@@ -813,14 +769,6 @@ spec:
- get
- list
- watch
- - apiGroups:
- - ""
- resources:
- - configmaps
- verbs:
- - get
- - list
- - watch
- apiGroups:
- export.kubevirt.io
resources:
@@ -836,16 +784,6 @@ spec:
verbs:
- list
- watch
- - apiGroups:
- - ""
- resourceNames:
- - kubevirt-export-ca
- resources:
- - configmaps
- verbs:
- - get
- - list
- - watch
- apiGroups:
- kubevirt.io
resources:
@@ -1445,6 +1383,68 @@ spec:
- update
- create
- patch
+ - apiGroups:
+ - ""
+ resources:
+ - configmaps
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - route.openshift.io
+ resources:
+ - routes
+ verbs:
+ - list
+ - get
+ - watch
+ - apiGroups:
+ - ""
+ resources:
+ - secrets
+ verbs:
+ - list
+ - get
+ - watch
+ - apiGroups:
+ - networking.k8s.io
+ resources:
+ - ingresses
+ verbs:
+ - list
+ - get
+ - watch
+ - apiGroups:
+ - coordination.k8s.io
+ resources:
+ - leases
+ verbs:
+ - get
+ - list
+ - watch
+ - delete
+ - update
+ - create
+ - patch
+ - apiGroups:
+ - ""
+ resources:
+ - configmaps
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - ""
+ resourceNames:
+ - kubevirt-export-ca
+ resources:
+ - configmaps
+ verbs:
+ - get
+ - list
+ - watch
serviceAccountName: kubevirt-operator
strategy: deployment
installModes:
diff --git a/manifests/generated/rbac-operator.authorization.k8s.yaml.in b/manifests/generated/rbac-operator.authorization.k8s.yaml.in
index e8146bb1b..c0e76e8e6 100644
--- a/manifests/generated/rbac-operator.authorization.k8s.yaml.in
+++ b/manifests/generated/rbac-operator.authorization.k8s.yaml.in
@@ -75,6 +75,68 @@ rules:
- update
- create
- patch
+- apiGroups:
+ - ""
+ resources:
+ - configmaps
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - route.openshift.io
+ resources:
+ - routes
+ verbs:
+ - list
+ - get
+ - watch
+- apiGroups:
+ - ""
+ resources:
+ - secrets
+ verbs:
+ - list
+ - get
+ - watch
+- apiGroups:
+ - networking.k8s.io
+ resources:
+ - ingresses
+ verbs:
+ - list
+ - get
+ - watch
+- apiGroups:
+ - coordination.k8s.io
+ resources:
+ - leases
+ verbs:
+ - get
+ - list
+ - watch
+ - delete
+ - update
+ - create
+ - patch
+- apiGroups:
+ - ""
+ resources:
+ - configmaps
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - ""
+ resourceNames:
+ - kubevirt-export-ca
+ resources:
+ - configmaps
+ verbs:
+ - get
+ - list
+ - watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
@@ -404,14 +466,6 @@ rules:
- create
- list
- get
-- apiGroups:
- - ""
- resources:
- - configmaps
- verbs:
- - get
- - list
- - watch
- apiGroups:
- ""
resources:
@@ -661,42 +715,6 @@ rules:
verbs:
- list
- watch
-- apiGroups:
- - route.openshift.io
- resources:
- - routes
- verbs:
- - list
- - get
- - watch
-- apiGroups:
- - ""
- resources:
- - secrets
- verbs:
- - list
- - get
- - watch
-- apiGroups:
- - networking.k8s.io
- resources:
- - ingresses
- verbs:
- - list
- - get
- - watch
-- apiGroups:
- - coordination.k8s.io
- resources:
- - leases
- verbs:
- - get
- - list
- - watch
- - delete
- - update
- - create
- - patch
- apiGroups:
- kubevirt.io
resources:
@@ -753,14 +771,6 @@ rules:
- get
- list
- watch
-- apiGroups:
- - ""
- resources:
- - configmaps
- verbs:
- - get
- - list
- - watch
- apiGroups:
- export.kubevirt.io
resources:
@@ -776,16 +786,6 @@ rules:
verbs:
- list
- watch
-- apiGroups:
- - ""
- resourceNames:
- - kubevirt-export-ca
- resources:
- - configmaps
- verbs:
- - get
- - list
- - watch
- apiGroups:
- kubevirt.io
resources:
diff --git a/pkg/virt-operator/resource/generate/rbac/operator.go b/pkg/virt-operator/resource/generate/rbac/operator.go
index 365fb0600..b90a5fae8 100644
--- a/pkg/virt-operator/resource/generate/rbac/operator.go
+++ b/pkg/virt-operator/resource/generate/rbac/operator.go
@@ -317,15 +317,14 @@ func NewOperatorClusterRole() *rbacv1.ClusterRole {
}
// now append all rules needed by KubeVirt's components
- operatorRole.Rules = append(operatorRole.Rules, getKubeVirtComponentsRules()...)
+ operatorRole.Rules = append(operatorRole.Rules, getKubeVirtComponentsClusterRules()...)
return operatorRole
}
-func getKubeVirtComponentsRules() []rbacv1.PolicyRule {
-
+func getKubeVirtComponentsClusterRules() []rbacv1.PolicyRule {
var rules []rbacv1.PolicyRule
- // namespace doesn't matter, we are only interested in the rules of both Roles and ClusterRoles
+ // namespace doesn't matter, we are only interested in the rules of ClusterRoles
all := GetAllApiServer("")
all = append(all, GetAllController("")...)
all = append(all, GetAllHandler("")...)
@@ -337,9 +336,6 @@ func getKubeVirtComponentsRules() []rbacv1.PolicyRule {
case *rbacv1.ClusterRole:
role, _ := resource.(*rbacv1.ClusterRole)
rules = append(rules, role.Rules...)
- case *rbacv1.Role:
- role, _ := resource.(*rbacv1.Role)
- rules = append(rules, role.Rules...)
}
}
@@ -375,6 +371,27 @@ func getKubeVirtComponentsRules() []rbacv1.PolicyRule {
return rules
}
+func getKubeVirtComponentsRules() []rbacv1.PolicyRule {
+ var rules []rbacv1.PolicyRule
+
+ // namespace doesn't matter, we are only interested in the rules
+ all := GetAllApiServer("")
+ all = append(all, GetAllController("")...)
+ all = append(all, GetAllHandler("")...)
+ all = append(all, GetAllExportProxy("")...)
+ all = append(all, GetAllCluster()...)
+
+ for _, resource := range all {
+ switch resource.(type) {
+ case *rbacv1.Role:
+ role, _ := resource.(*rbacv1.Role)
+ rules = append(rules, role.Rules...)
+ }
+ }
+
+ return rules
+}
+
func newOperatorClusterRoleBinding(namespace string) *rbacv1.ClusterRoleBinding {
return &rbacv1.ClusterRoleBinding{
TypeMeta: metav1.TypeMeta{
@@ -432,7 +449,7 @@ func newOperatorRoleBinding(namespace string) *rbacv1.RoleBinding {
// NewOperatorRole creates a Role object for kubevirt-operator.
func NewOperatorRole(namespace string) *rbacv1.Role {
- return &rbacv1.Role{
+ operatorRole := &rbacv1.Role{
TypeMeta: metav1.TypeMeta{
APIVersion: VersionNamev1,
Kind: "Role",
@@ -527,6 +544,8 @@ func NewOperatorRole(namespace string) *rbacv1.Role {
},
},
}
+ operatorRole.Rules = append(operatorRole.Rules, getKubeVirtComponentsRules()...)
+ return operatorRole
}
func GetKubevirtComponentsServiceAccounts(namespace string) map[string]bool {
diff --git a/pkg/virt-operator/resource/generate/rbac/operator_test.go b/pkg/virt-operator/resource/generate/rbac/operator_test.go
index 51bd479cc..22c7d30c0 100644
--- a/pkg/virt-operator/resource/generate/rbac/operator_test.go
+++ b/pkg/virt-operator/resource/generate/rbac/operator_test.go
@@ -67,6 +67,11 @@ var _ = Describe("RBAC", func() {
Expect(clusterRoleBinding.Subjects[0].Namespace).To(BeEquivalentTo(expectedNamespace))
})
+ It("doesn't have critical cluster-wide permissions", func() {
+ clusterRole := getFirstItemOfType(forOperator, reflect.TypeOf(&rbacv1.ClusterRole{})).(*rbacv1.ClusterRole)
+ Expect(clusterRole).ToNot(BeNil())
+ expectExactRuleDoesntExists(clusterRole.Rules, "", "secrets", "get", "list", "watch")
+ })
})
Context("GetKubevirtComponentsServiceAccounts", func() {
@@ -96,3 +101,16 @@ func getFirstItemOfType(items []interface{}, tp reflect.Type) interface{} {
}
return nil
}
+
+func expectExactRuleDoesntExists(rules []rbacv1.PolicyRule, apiGroup, resource string, verbs ...string) {
+ for _, rule := range rules {
+ if contains(rule.APIGroups, apiGroup) &&
+ contains(rule.Resources, resource) {
+ for _, verb := range verbs {
+ if contains(rule.Verbs, verb) {
+ Fail(fmt.Sprintf("Found rule (apiGroup: %s, resource: %s, verbs: %v)", apiGroup, resource, rule.Verbs))
+ }
+ }
+ }
+ }
+}
--
2.45.2

128
0001-feat-pass-timeout-from-virt-monitor-to-virt-tail.patch Normal file
View File

@ -0,0 +1,128 @@
From 0db64ad662f3be98e503cc00c1b96cadbf01dbf5 Mon Sep 17 00:00:00 2001
From: YuJack <jk82421@gmail.com>
Date: Mon, 23 Dec 2024 12:25:34 +0800
Subject: [PATCH] feat: pass timeout from virt-monitor to virt-tail
Signed-off-by: YuJack <jk82421@gmail.com>
Signed-off-by: Caleb Crane <ccrane@suse.de>
---
cmd/virt-tail/main.go | 22 +++++++++++--------
.../services/serialconsolelog.go | 4 ++--
pkg/virt-controller/services/template.go | 6 +++--
3 files changed, 19 insertions(+), 13 deletions(-)
diff --git a/cmd/virt-tail/main.go b/cmd/virt-tail/main.go
index 3cd16d6b1f..faa652d83e 100644
--- a/cmd/virt-tail/main.go
+++ b/cmd/virt-tail/main.go
@@ -40,6 +40,9 @@ import (
"kubevirt.io/client-go/log"
)
+// initial timeout for serial console socket creation
+const initialSocketTimeout = time.Second * 20
+
type TermFileError struct{}
type SocketFileError struct{}
@@ -52,9 +55,10 @@ func (m *SocketFileError) Error() string {
}
type VirtTail struct {
- ctx context.Context
- logFile string
- g *errgroup.Group
+ ctx context.Context
+ logFile string
+ g *errgroup.Group
+ socketTimeout *time.Duration
}
func (v *VirtTail) checkFile(socketFile string) bool {
@@ -134,10 +138,8 @@ func (v *VirtTail) watchFS() error {
return err
}
- // initial timeout for serial console socket creation
- const initialSocketTimeout = time.Second * 20
socketCheckCh := make(chan int)
- time.AfterFunc(initialSocketTimeout, func() {
+ time.AfterFunc(*v.socketTimeout, func() {
socketCheckCh <- 1
})
@@ -195,6 +197,7 @@ func main() {
pflag.CommandLine.AddGoFlag(goflag.CommandLine.Lookup("v"))
pflag.CommandLine.ParseErrorsWhitelist = pflag.ParseErrorsWhitelist{UnknownFlags: true}
logFile := pflag.String("logfile", "", "path of the logfile to be streamed")
+ socketTimeout := pflag.Duration("socket-timeout", initialSocketTimeout, "Amount of time to wait for qemu")
pflag.Parse()
log.InitializeLogging("virt-tail")
@@ -212,9 +215,10 @@ func main() {
g, gctx := errgroup.WithContext(ctx)
v := &VirtTail{
- ctx: gctx,
- logFile: *logFile,
- g: g,
+ ctx: gctx,
+ logFile: *logFile,
+ socketTimeout: socketTimeout,
+ g: g,
}
g.Go(v.tailLogs)
diff --git a/pkg/virt-controller/services/serialconsolelog.go b/pkg/virt-controller/services/serialconsolelog.go
index ea6463e4d3..de9ec6f9b5 100644
--- a/pkg/virt-controller/services/serialconsolelog.go
+++ b/pkg/virt-controller/services/serialconsolelog.go
@@ -13,7 +13,7 @@ import (
virtconfig "kubevirt.io/kubevirt/pkg/virt-config"
)
-func generateSerialConsoleLogContainer(vmi *v1.VirtualMachineInstance, image string, config *virtconfig.ClusterConfig, virtLauncherLogVerbosity uint) *k8sv1.Container {
+func generateSerialConsoleLogContainer(vmi *v1.VirtualMachineInstance, image string, config *virtconfig.ClusterConfig, virtLauncherLogVerbosity uint, socketTimeout string) *k8sv1.Container {
const serialPort = 0
if isSerialConsoleLogEnabled(vmi, config) {
logFile := fmt.Sprintf("%s/%s/virt-serial%d-log", util.VirtPrivateDir, vmi.ObjectMeta.UID, serialPort)
@@ -25,7 +25,7 @@ func generateSerialConsoleLogContainer(vmi *v1.VirtualMachineInstance, image str
Image: image,
ImagePullPolicy: k8sv1.PullIfNotPresent,
Command: []string{"/usr/bin/virt-tail"},
- Args: []string{"--logfile", logFile},
+ Args: []string{"--logfile", logFile, "--socket-timeout", socketTimeout},
VolumeMounts: []k8sv1.VolumeMount{
k8sv1.VolumeMount{
Name: "private",
diff --git a/pkg/virt-controller/services/template.go b/pkg/virt-controller/services/template.go
index a0f1b3a8d6..b980fd06e5 100644
--- a/pkg/virt-controller/services/template.go
+++ b/pkg/virt-controller/services/template.go
@@ -398,6 +398,8 @@ func (t *templateService) renderLaunchManifest(vmi *v1.VirtualMachineInstance, i
}
var command []string
+ var qemuTimeout = generateQemuTimeoutWithJitter(t.launcherQemuTimeout)
+
if tempPod {
logger := log.DefaultLogger()
logger.Infof("RUNNING doppleganger pod for %s", vmi.Name)
@@ -406,7 +408,7 @@ func (t *templateService) renderLaunchManifest(vmi *v1.VirtualMachineInstance, i
"echo", "bound PVCs"}
} else {
command = []string{"/usr/bin/virt-launcher-monitor",
- "--qemu-timeout", generateQemuTimeoutWithJitter(t.launcherQemuTimeout),
+ "--qemu-timeout", qemuTimeout,
"--name", domain,
"--uid", string(vmi.UID),
"--namespace", namespace,
@@ -502,7 +504,7 @@ func (t *templateService) renderLaunchManifest(vmi *v1.VirtualMachineInstance, i
containers = append(containers, virtiofsContainers...)
}
- sconsolelogContainer := generateSerialConsoleLogContainer(vmi, t.launcherImage, t.clusterConfig, virtLauncherLogVerbosity)
+ sconsolelogContainer := generateSerialConsoleLogContainer(vmi, t.launcherImage, t.clusterConfig, virtLauncherLogVerbosity, qemuTimeout)
if sconsolelogContainer != nil {
containers = append(containers, *sconsolelogContainer)
}

149
0002-Ensure-SEV-VMs-use-stateless-OVMF-firmware.patch Normal file
View File

@ -0,0 +1,149 @@
From 7ece048f90223e395001f9fc158c5c2af35ca520 Mon Sep 17 00:00:00 2001
From: Vasiliy Ulyanov <vulyanov@suse.de>
Date: Wed, 10 Jul 2024 10:27:15 +0200
Subject: [PATCH] Ensure SEV VMs use stateless OVMF firmware
Signed-off-by: Vasiliy Ulyanov <vulyanov@suse.de>
Signed-off-by: Caleb Crane <ccrane@suse.de>
---
.../virtwrap/converter/converter.go | 20 ++++++++++++-------
pkg/virt-launcher/virtwrap/efi/efi.go | 11 ++++------
pkg/virt-launcher/virtwrap/efi/efi_test.go | 8 +-------
rpm/BUILD.bazel | 2 +-
4 files changed, 19 insertions(+), 22 deletions(-)
diff --git a/pkg/virt-launcher/virtwrap/converter/converter.go b/pkg/virt-launcher/virtwrap/converter/converter.go
index 0565ceb5dd..8f1094d141 100644
--- a/pkg/virt-launcher/virtwrap/converter/converter.go
+++ b/pkg/virt-launcher/virtwrap/converter/converter.go
@@ -1222,6 +1222,12 @@ func Convert_v1_Firmware_To_related_apis(vmi *v1.VirtualMachineInstance, domain
Template: c.EFIConfiguration.EFIVars,
NVRam: filepath.Join(services.PathForNVram(vmi), vmi.Name+"_VARS.fd"),
}
+
+ if util.IsSEVVMI(vmi) {
+ // Use stateless firmware for SEV VMs
+ domain.Spec.OS.BootLoader.Type = "rom"
+ domain.Spec.OS.NVRam = nil
+ }
}
if firmware.Bootloader != nil && firmware.Bootloader.BIOS != nil {
@@ -1449,13 +1455,13 @@ func Convert_v1_VirtualMachineInstance_To_api_Domain(vmi *v1.VirtualMachineInsta
// Set SEV launch security parameters: https://libvirt.org/formatdomain.html#launch-security
if c.UseLaunchSecurity {
- sevPolicyBits := launchsecurity.SEVPolicyToBits(vmi.Spec.Domain.LaunchSecurity.SEV.Policy)
- // Cbitpos and ReducedPhysBits will be filled automatically by libvirt from the domain capabilities
- domain.Spec.LaunchSecurity = &api.LaunchSecurity{
- Type: "sev",
- Policy: "0x" + strconv.FormatUint(uint64(sevPolicyBits), 16),
- DHCert: vmi.Spec.Domain.LaunchSecurity.SEV.DHCert,
- Session: vmi.Spec.Domain.LaunchSecurity.SEV.Session,
+ sevPolicyBits := launchsecurity.SEVPolicyToBits(vmi.Spec.Domain.LaunchSecurity.SEV.Policy)
+ // Cbitpos and ReducedPhysBits will be filled automatically by libvirt from the domain capabilities
+ domain.Spec.LaunchSecurity = &api.LaunchSecurity{
+ Type: "sev",
+ Policy: "0x" + strconv.FormatUint(uint64(sevPolicyBits), 16),
+ DHCert: vmi.Spec.Domain.LaunchSecurity.SEV.DHCert,
+ Session: vmi.Spec.Domain.LaunchSecurity.SEV.Session,
}
controllerDriver = &api.ControllerDriver{
IOMMU: "on",
diff --git a/pkg/virt-launcher/virtwrap/efi/efi.go b/pkg/virt-launcher/virtwrap/efi/efi.go
index 0a51067dc0..730b637c9f 100644
--- a/pkg/virt-launcher/virtwrap/efi/efi.go
+++ b/pkg/virt-launcher/virtwrap/efi/efi.go
@@ -31,8 +31,7 @@ const (
EFIVarsAARCH64 = "AAVMF_VARS.fd"
EFICodeSecureBoot = "OVMF_CODE.secboot.fd"
EFIVarsSecureBoot = "OVMF_VARS.secboot.fd"
- EFICodeSEV = "OVMF_CODE.cc.fd"
- EFIVarsSEV = EFIVars
+ EFICodeSEV = "OVMF.amdsev.fd"
)
type EFIEnvironment struct {
@@ -41,14 +40,13 @@ type EFIEnvironment struct {
codeSecureBoot string
varsSecureBoot string
codeSEV string
- varsSEV string
}
func (e *EFIEnvironment) Bootable(secureBoot, sev bool) bool {
if secureBoot {
return e.varsSecureBoot != "" && e.codeSecureBoot != ""
} else if sev {
- return e.varsSEV != "" && e.codeSEV != ""
+ return e.codeSEV != ""
} else {
return e.vars != "" && e.code != ""
}
@@ -68,7 +66,8 @@ func (e *EFIEnvironment) EFIVars(secureBoot, sev bool) string {
if secureBoot {
return e.varsSecureBoot
} else if sev {
- return e.varsSEV
+ // SEV uses stateless firmware
+ return ""
} else {
return e.vars
}
@@ -100,7 +99,6 @@ func DetectEFIEnvironment(arch, ovmfPath string) *EFIEnvironment {
// detect EFI with SEV
codeWithSEV := getEFIBinaryIfExists(ovmfPath, EFICodeSEV)
- varsWithSEV := getEFIBinaryIfExists(ovmfPath, EFIVarsSEV)
return &EFIEnvironment{
codeSecureBoot: codeWithSB,
@@ -108,7 +106,6 @@ func DetectEFIEnvironment(arch, ovmfPath string) *EFIEnvironment {
code: code,
vars: vars,
codeSEV: codeWithSEV,
- varsSEV: varsWithSEV,
}
}
diff --git a/pkg/virt-launcher/virtwrap/efi/efi_test.go b/pkg/virt-launcher/virtwrap/efi/efi_test.go
index dcc0e5a6f7..1123c20abd 100644
--- a/pkg/virt-launcher/virtwrap/efi/efi_test.go
+++ b/pkg/virt-launcher/virtwrap/efi/efi_test.go
@@ -82,7 +82,7 @@ var _ = Describe("EFI environment detection", func() {
)
It("SEV EFI Roms", func() {
- ovmfPath := createEFIRoms(EFICodeSEV, EFIVarsSEV)
+ ovmfPath := createEFIRoms(EFICodeSEV)
defer os.RemoveAll(ovmfPath)
efiEnv := DetectEFIEnvironment("x86_64", ovmfPath)
@@ -98,11 +98,5 @@ var _ = Describe("EFI environment detection", func() {
Expect(efiEnv.EFICode(secureBootEnabled, !sevEnabled)).ToNot(Equal(codeSEV))
Expect(efiEnv.EFICode(!secureBootEnabled, sevEnabled)).To(Equal(codeSEV))
Expect(efiEnv.EFICode(!secureBootEnabled, !sevEnabled)).ToNot(Equal(codeSEV))
-
- varsSEV := filepath.Join(ovmfPath, EFIVarsSEV)
- Expect(efiEnv.EFIVars(secureBootEnabled, sevEnabled)).ToNot(Equal(varsSEV))
- Expect(efiEnv.EFIVars(secureBootEnabled, !sevEnabled)).ToNot(Equal(varsSEV))
- Expect(efiEnv.EFIVars(!secureBootEnabled, sevEnabled)).To(Equal(varsSEV))
- Expect(efiEnv.EFIVars(!secureBootEnabled, !sevEnabled)).To(Equal(varsSEV)) // same as EFIVars
})
})
diff --git a/rpm/BUILD.bazel b/rpm/BUILD.bazel
index 5c98670f80..13184cadb5 100644
--- a/rpm/BUILD.bazel
+++ b/rpm/BUILD.bazel
@@ -1228,7 +1228,7 @@ rpmtree(
"/usr/sbin/iptables": "/usr/sbin/iptables-legacy",
"/usr/bin/nc": "/usr/bin/ncat",
# Create a symlink to OVMF binary with SEV support (edk2 rpm does not do that for unknown reason)
- "/usr/share/OVMF/OVMF_CODE.cc.fd": "../edk2/ovmf/OVMF_CODE.cc.fd",
+ "/usr/share/OVMF/OVMF.amdsev.fd": "../edk2/ovmf/OVMF.amdsev.fd",
},
visibility = ["//visibility:public"],
)
--
2.47.1

8
_constraints Normal file
View File

@ -0,0 +1,8 @@
<constraints>
<!-- Kubevirt needs larger disk for builds -->
<hardware>
<disk>
<size unit="G">10</size>
</disk>
</hardware>
</constraints>

18
_service Normal file
View File

@ -0,0 +1,18 @@
<services>
<service name="tar_scm" mode="manual">
<param name="filename">kubevirt</param>
<param name="revision">v1.4.0</param>
<param name="scm">git</param>
<param name="submodules">disable</param>
<param name="url">https://github.com/kubevirt/kubevirt</param>
<param name="versionformat">@PARENT_TAG@</param>
<param name="versionrewrite-pattern">[v]?([^\+]+)(.*)</param>
<param name="versionrewrite-replacement">\1</param>
</service>
<service name="recompress" mode="manual">
<param name="file">*.tar</param>
<param name="compression">gz</param>
</service>
<service name="set_version" mode="manual"/>
<service name="download_files" mode="manual"/>
</services>

62
disks-images-provider.yaml Normal file
View File

@ -0,0 +1,62 @@
apiVersion: apps/v1
kind: DaemonSet
metadata:
name: disks-images-provider
namespace: kubevirt
labels:
kubevirt.io: "disks-images-provider"
spec:
selector:
matchLabels:
kubevirt.io: "disks-images-provider"
template:
metadata:
labels:
name: disks-images-provider
kubevirt.io: disks-images-provider
name: disks-images-provider
spec:
tolerations:
- key: CriticalAddonsOnly
operator: Exists
serviceAccountName: kubevirt-testing
containers:
- name: target
image: quay.io/kubevirt/disks-images-provider:v1.4.0
imagePullPolicy: Always
env:
- name: NUM_TEST_IMAGE_REPLICAS
value: "6"
lifecycle:
preStop:
exec:
command: ["/bin/sh","-c","source /etc/bashrc && chroot /host umount ${LOOP_DEVICE_HP} && chroot /host losetup -d ${LOOP_DEVICE_HP}"]
volumeMounts:
- name: images
mountPath: /hostImages
- name: local-storage
mountPath: /local-storage
- name: host-dir
mountPath: /host
mountPropagation: Bidirectional
securityContext:
privileged: true
readinessProbe:
exec:
command:
- cat
- /ready
initialDelaySeconds: 10
periodSeconds: 5
volumes:
- name: images
hostPath:
path: /tmp/hostImages
type: DirectoryOrCreate
- name: local-storage
hostPath:
path: /mnt/local-storage
type: DirectoryOrCreate
- name: host-dir
hostPath:
path: /

BIN
kubevirt-1.2.2.tar.gz (Stored with Git LFS) Normal file
View File

Binary file not shown.

3
kubevirt-1.3.0.tar.gz Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:3ce1d3b095436287ca097f40cdf86b365a18647d6476a24a915e00d0a8dd8ed3
size 17797364

3
kubevirt-1.4.0.tar.gz Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:5fe7ba2504735a0dc349ab69e3b51d3ad90b4c3e8bb414b86b7b84c7e021a85b
size 18188053

1
kubevirt-rpmlintrc Normal file
View File

@ -0,0 +1 @@
addFilter("statically-linked-binary")

1903
kubevirt.changes Normal file
View File

File diff suppressed because it is too large Load Diff

412
kubevirt.spec Normal file
View File

@ -0,0 +1,412 @@
#
# spec file for package kubevirt
#
# Copyright (c) 2025 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.
# Please submit bugfixes or comments via https://bugs.opensuse.org/
#
%if 0%{?sle_version} && !0%{?is_opensuse}
# SLE
%define _exclusive_arch x86_64 aarch64
%else
%if 0%{?suse_version} == 1600
# ALP
%define _exclusive_arch x86_64
%else
# TW
%define _exclusive_arch x86_64 aarch64
%endif
%endif
Name: kubevirt
Version: 1.4.0
Release: 0
Summary: Container native virtualization
License: Apache-2.0
Group: System/Packages
URL: https://github.com/kubevirt/kubevirt
Source0: %{name}-%{version}.tar.gz
Source1: kubevirt_containers_meta
Source2: kubevirt_containers_meta.service
Source3: %{url}/releases/download/v%{version}/disks-images-provider.yaml
Source100: %{name}-rpmlintrc
Patch1: 0001-feat-pass-timeout-from-virt-monitor-to-virt-tail.patch
Patch2: 0002-Ensure-SEV-VMs-use-stateless-OVMF-firmware.patch
BuildRequires: glibc-devel-static
BuildRequires: golang-packaging
BuildRequires: pkgconfig
BuildRequires: rsync
BuildRequires: sed
BuildRequires: golang(API) >= 1.22
BuildRequires: pkgconfig(libvirt)
ExclusiveArch: %{_exclusive_arch}
%description
Kubevirt is a virtual machine management add-on for Kubernetes
%package virtctl
Summary: Client for managing kubevirt
Group: System/Packages
%description virtctl
The virtctl client is a command-line utility for managing container native virtualization resources
%package virt-api
Summary: Kubevirt API server
Group: System/Packages
%description virt-api
The virt-api package provides the kubernetes API extension for kubevirt
%package container-disk
Summary: Container disk for kubevirt
Group: System/Packages
%description container-disk
The containter-disk package provides a container disk functionality for kubevirt
%package virt-controller
Summary: Controller for kubevirt
Group: System/Packages
%description virt-controller
The virt-controller package provides a controller for kubevirt
%package virt-exportproxy
Summary: Export proxy for kubevirt
Group: System/Packages
%description virt-exportproxy
The virt-exportproxy package provides a proxy for kubevirt to pass
requests to virt-exportserver
%package virt-exportserver
Summary: Export server for kubevirt
Group: System/Packages
%description virt-exportserver
The virt-exportserver package provides an http server for kubevirt to
serve the data of VirtualMachineExport resource in different formats
%package virt-handler
Summary: Handler component for kubevirt
Group: System/Packages
%description virt-handler
The virt-handler package provides a handler for kubevirt
%package virt-launcher
Summary: Launcher component for kubevirt
Group: System/Packages
# Starting from v1.1.0, KubeVirt ships /usr/bin/virt-tail which conflicts with
# the respective guestfs tool.
Conflicts: guestfs-tools
%description virt-launcher
The virt-launcher package provides a launcher for kubevirt
%package virt-operator
Summary: Operator component for kubevirt
Group: System/Packages
%description virt-operator
The virt-opertor package provides an operator for kubevirt CRD
%package pr-helper-conf
Summary: Configuration files for persistent reservation helper
Group: System/Packages
%description pr-helper-conf
The pr-helper-conf package provides configuration files for persistent
reservation helper
%package sidecar-shim
Summary: Entrypoint for the sidecar-shim container
Group: System/Packages
%description sidecar-shim
The package provides sidecar-shim binary than will call the respective
hooks with the proper command-line arguments.
%package manifests
Summary: YAML manifests used to install kubevirt
Group: System/Packages
%description manifests
This contains the built YAML manifests used to install kubevirt into a
kubernetes installation with kubectl apply.
%package tests
Summary: Kubevirt functional tests
Group: System/Packages
%description tests
The package provides Kubevirt end-to-end tests.
%package -n obs-service-kubevirt_containers_meta
Summary: Kubevirt containers meta information (build service)
Group: System/Packages
%description -n obs-service-kubevirt_containers_meta
The package provides meta information that is used during the build of
the Kubevirt container images.
%prep
%autosetup -p1
%build
# Hackery to determine which registry path to use in kubevirt-operator.yaml
# when building the manifests
#
# The 'kubevirt_registry_path' macro can be used to define an explicit path in
# the project config, e.g.
#
# Macros:
# %kubevirt_registry_path registry.opensuse.org/Virtualization/container
# :Macros
#
# 'kubevirt_registry_path' can also be defined when building locally, e.g.
#
# osc build --define='kubevirt_registry_path registry.opensuse.org/foo/bar/baz' ...
#
# If 'kubevirt_registry_path' is not specified, the standard publish location
# for SLE and openSUSE-based containers is used.
#
distro='%{?sle_version}:%{?is_opensuse}%{!?is_opensuse:0}'
case "${distro}" in
150500:0)
tagprefix=suse/sles/15.5
labelprefix=com.suse.kubevirt
registry=registry.suse.com
;;
150600:0)
tagprefix=suse/sles/15.6
labelprefix=com.suse.kubevirt
registry=registry.suse.com
;;
150700:0)
tagprefix=suse/sles/15.7
labelprefix=com.suse.kubevirt
registry=registry.suse.com
;;
*:1)
tagprefix=kubevirt
labelprefix=org.opensuse.kubevirt
registry=registry.opensuse.org
;;
*)
%if 0%{?suse_version} == 1600
tagprefix=alp/kubevirt
labelprefix=com.suse.kubevirt
registry=registry.suse.com
%else
echo "Unsupported distro: ${distro}" >&2
exit 1
%endif
;;
esac
%if "%{?kubevirt_registry_path}" == ""
reg_path="${registry}/${tagprefix}"
%else
reg_path='%{kubevirt_registry_path}'
%endif
sed -i"" \
-e "s#_TAGPREFIX_#${tagprefix}#g" \
-e "s#_LABELPREFIX_#${labelprefix}#g" \
-e "s#_REGISTRY_#${registry}#g" \
-e "s#_PKG_VERSION_#%{version}#g" \
-e "s#_PKG_RELEASE_#%{release}#g" \
-e "s#_DISTRO_#${distro}#g" \
%{S:1}
mkdir -p go/src/kubevirt.io go/pkg
ln -s ../../../ go/src/kubevirt.io/kubevirt
export GOPATH=${PWD}/go
export GOFLAGS="-buildmode=pie"
cd ${GOPATH}/src/kubevirt.io/kubevirt
env \
KUBEVIRT_GO_BASE_PKGDIR="${GOPATH}/pkg" \
KUBEVIRT_VERSION=%{version} \
KUBEVIRT_SOURCE_DATE_EPOCH="$(date -r LICENSE +%s)" \
KUBEVIRT_GIT_COMMIT='v%{version}' \
KUBEVIRT_GIT_VERSION='v%{version}' \
KUBEVIRT_GIT_TREE_STATE="clean" \
build_tests="true" \
./hack/build-go.sh install \
cmd/sidecars \
cmd/virt-api \
cmd/virt-chroot \
cmd/virt-controller \
cmd/virt-exportproxy \
cmd/virt-exportserver \
cmd/virt-freezer \
cmd/virt-handler \
cmd/virt-launcher \
cmd/virt-launcher-monitor \
cmd/virt-operator \
cmd/virt-probe \
cmd/virt-tail \
cmd/virtctl \
%{nil}
env DOCKER_PREFIX=$reg_path DOCKER_TAG=%{version}-%{release} KUBEVIRT_NO_BAZEL=true ./hack/build-manifests.sh
%install
mkdir -p %{buildroot}%{_bindir}
install -p -m 0755 _out/cmd/container-disk-v2alpha/container-disk %{buildroot}%{_bindir}/
install -p -m 0755 _out/cmd/sidecars/sidecars %{buildroot}%{_bindir}/sidecar-shim
install -p -m 0755 _out/cmd/virtctl/virtctl %{buildroot}%{_bindir}/
install -p -m 0755 _out/cmd/virt-api/virt-api %{buildroot}%{_bindir}/
install -p -m 0755 _out/cmd/virt-controller/virt-controller %{buildroot}%{_bindir}/
install -p -m 0755 _out/cmd/virt-chroot/virt-chroot %{buildroot}%{_bindir}/
install -p -m 0755 _out/cmd/virt-exportproxy/virt-exportproxy %{buildroot}%{_bindir}/
install -p -m 0755 _out/cmd/virt-exportserver/virt-exportserver %{buildroot}%{_bindir}/
install -p -m 0755 _out/cmd/virt-handler/virt-handler %{buildroot}%{_bindir}/
install -p -m 0755 _out/cmd/virt-launcher/virt-launcher %{buildroot}%{_bindir}/
install -p -m 0755 _out/cmd/virt-launcher-monitor/virt-launcher-monitor %{buildroot}%{_bindir}/
install -p -m 0755 _out/cmd/virt-freezer/virt-freezer %{buildroot}%{_bindir}/
install -p -m 0755 _out/cmd/virt-probe/virt-probe %{buildroot}%{_bindir}/
install -p -m 0755 _out/cmd/virt-tail/virt-tail %{buildroot}%{_bindir}/
install -p -m 0755 _out/cmd/virt-operator/virt-operator %{buildroot}%{_bindir}/
install -p -m 0755 _out/tests/tests.test %{buildroot}%{_bindir}/virt-tests
install -p -m 0755 cmd/virt-launcher/node-labeller/node-labeller.sh %{buildroot}%{_bindir}/
# Install network stuff
mkdir -p %{buildroot}%{_datadir}/kube-virt/virt-handler
install -p -m 0644 cmd/virt-handler/nsswitch.conf %{buildroot}%{_datadir}/kube-virt/virt-handler/
# virt-launcher SELinux policy needs to land in virt-handler container
install -p -m 0644 cmd/virt-handler/virt_launcher.cil %{buildroot}%{_datadir}/kube-virt/virt-handler/
# Persistent reservation helper configuration files
mkdir -p %{buildroot}%{_datadir}/kube-virt/pr-helper
install -p -m 0644 cmd/pr-helper/multipath.conf %{buildroot}%{_datadir}/kube-virt/pr-helper/
# Configuration files for libvirt
mkdir -p %{buildroot}%{_datadir}/kube-virt/virt-launcher
install -p -m 0644 cmd/virt-launcher/virtqemud.conf %{buildroot}%{_datadir}/kube-virt/virt-launcher
install -p -m 0644 cmd/virt-launcher/qemu.conf %{buildroot}%{_datadir}/kube-virt/virt-launcher
# Install release manifests
mkdir -p %{buildroot}%{_datadir}/kube-virt/manifests/release
install -m 0644 _out/manifests/release/kubevirt-operator.yaml %{buildroot}%{_datadir}/kube-virt/manifests/release/
install -m 0644 _out/manifests/release/kubevirt-cr.yaml %{buildroot}%{_datadir}/kube-virt/manifests/release/
# Install manifests for testing
mkdir -p %{buildroot}%{_datadir}/kube-virt/manifests/testing
install -m 0644 _out/manifests/testing/* %{buildroot}%{_datadir}/kube-virt/manifests/testing/
# The generated disks-images-provider.yaml refers to nonexistent container
# images. Overwrite it with the upstream version for testing.
install -m 0644 %{S:3} %{buildroot}/%{_datadir}/kube-virt/manifests/testing/
install -m 0644 tests/default-config.json %{buildroot}%{_datadir}/kube-virt/manifests/testing/
# Install kubevirt_containers_meta build service
mkdir -p %{buildroot}%{_prefix}/lib/obs/service
install -m 0755 %{S:1} %{buildroot}%{_prefix}/lib/obs/service
install -m 0644 %{S:2} %{buildroot}%{_prefix}/lib/obs/service
%files virtctl
%license LICENSE
%doc README.md
%{_bindir}/virtctl
%files virt-api
%license LICENSE
%doc README.md
%{_bindir}/virt-api
%files container-disk
%license LICENSE
%doc README.md
%{_bindir}/container-disk
%files virt-controller
%license LICENSE
%doc README.md
%{_bindir}/virt-controller
%files virt-exportproxy
%license LICENSE
%doc README.md
%{_bindir}/virt-exportproxy
%files virt-exportserver
%license LICENSE
%doc README.md
%{_bindir}/virt-exportserver
%files virt-handler
%license LICENSE
%doc README.md
%dir %{_datadir}/kube-virt
%dir %{_datadir}/kube-virt/virt-handler
%{_bindir}/virt-handler
%{_bindir}/virt-chroot
%{_datadir}/kube-virt/virt-handler
%files virt-launcher
%license LICENSE
%doc README.md
%dir %{_datadir}/kube-virt
%dir %{_datadir}/kube-virt/virt-launcher
%{_bindir}/virt-launcher
%{_bindir}/virt-launcher-monitor
%{_bindir}/virt-freezer
%{_bindir}/virt-probe
%{_bindir}/virt-tail
%{_bindir}/node-labeller.sh
%{_datadir}/kube-virt/virt-launcher
%files virt-operator
%license LICENSE
%doc README.md
%{_bindir}/virt-operator
%files pr-helper-conf
%license LICENSE
%doc README.md
%dir %{_datadir}/kube-virt
%dir %{_datadir}/kube-virt/pr-helper
%{_datadir}/kube-virt/pr-helper
%files sidecar-shim
%license LICENSE
%doc cmd/sidecars/README.md
%{_bindir}/sidecar-shim
%files manifests
%license LICENSE
%doc README.md
%dir %{_datadir}/kube-virt
%dir %{_datadir}/kube-virt/manifests
%{_datadir}/kube-virt/manifests/release
%files tests
%license LICENSE
%doc README.md
%dir %{_datadir}/kube-virt
%dir %{_datadir}/kube-virt/manifests
%{_bindir}/virt-tests
%{_datadir}/kube-virt/manifests/testing
%files -n obs-service-kubevirt_containers_meta
%license LICENSE
%doc README.md
%dir %{_prefix}/lib/obs
%{_prefix}/lib/obs/service
%changelog

36
kubevirt_containers_meta Normal file
View File

@ -0,0 +1,36 @@
#!/bin/bash -xe
TAGPREFIX=_TAGPREFIX_
LABELPREFIX=_LABELPREFIX_
REGISTRY=_REGISTRY_
PKG_VERSION=_PKG_VERSION_
PKG_RELEASE=_PKG_RELEASE_
DISTRO=_DISTRO_
# Set HOME=/root as a workaround for
# https://github.com/openSUSE/obs-build/issues/901
_distro=$(HOME=/root rpm --eval '%{?sle_version}:%{?is_opensuse}%{!?is_opensuse:0}')
[ "${DISTRO}" == "${_distro}" ] || exit 1
if [ -n "${pkg}" ]; then
if rpm -q ${pkg}; then
PKG_VERSION=$(rpm -q --queryformat=%{version} ${pkg})
PKG_RELEASE=$(rpm -q --queryformat=%{release} ${pkg})
else
_pkg=$(find ./repos -name "${pkg}*.rpm")
PKG_VERSION=$(rpm -qp --queryformat=%{version} ${_pkg})
PKG_RELEASE=$(rpm -qp --queryformat=%{release} ${_pkg})
fi
fi
case "${DISTRO}" in
*:0)
SUPPORT_LEVEL=l3
if [[ "$(uname -m)" != x86_64 ]]; then
SUPPORT_LEVEL=techpreview
fi
;;
*:1)
SUPPORT_LEVEL=unsupported
;;
esac

5
kubevirt_containers_meta.service Normal file
View File

@ -0,0 +1,5 @@
<service name="kubevirt_containers_meta">
<summary>Containers meta information for Kubevirt (build service)</summary>
<description>Provides meta information that is used during the build of
the Kubevirt container images.</description>
</service>