Accepting request 1102850 from Virtualization

OBS-URL: https://build.opensuse.org/request/show/1102850
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/kubevirt?expand=0&rev=63

0009-tests-Run-helper-pod-as-qemu-107-user.patch

@@ -0,0 +1,40 @@
+From 1cfcbff44f6310628769445fad570a8ccd18fe22 Mon Sep 17 00:00:00 2001
+From: Vasiliy Ulyanov <vulyanov@suse.de>
+Date: Thu, 3 Aug 2023 13:43:51 +0200
+Subject: [PATCH] tests: Run helper pod as qemu (107) user
+
+The helper pod needs permissions to access the PVC data. In most cases,
+it is owned by the qemu (107) user.
+
+Signed-off-by: Vasiliy Ulyanov <vulyanov@suse.de>
+---
+ tests/libstorage/pvc.go | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/tests/libstorage/pvc.go b/tests/libstorage/pvc.go
+index f2dbdf8d3..b9157eac1 100644
+--- a/tests/libstorage/pvc.go
++++ b/tests/libstorage/pvc.go
+@@ -52,7 +52,7 @@ const (
+ 
+ func RenderPodWithPVC(name string, cmd []string, args []string, pvc *k8sv1.PersistentVolumeClaim) *k8sv1.Pod {
+ 	volumeName := "disk0"
+-	nonRootUser := int64(1042)
++	nonRootUser := int64(107)
+ 
+ 	// Change to 'pod := RenderPod(name, cmd, args)' once we have a libpod package
+ 	pod := &k8sv1.Pod{
+@@ -102,6 +102,10 @@ func RenderPodWithPVC(name string, cmd []string, args []string, pvc *k8sv1.Persi
+ 	if volumeMode != nil && *volumeMode == k8sv1.PersistentVolumeBlock {
+ 		pod.Spec.Containers[0].VolumeDevices = addVolumeDevices(volumeName)
+ 	} else {
++		if pod.Spec.SecurityContext == nil {
++			pod.Spec.SecurityContext = &k8sv1.PodSecurityContext{}
++		}
++		pod.Spec.SecurityContext.FSGroup = &nonRootUser
+ 		pod.Spec.Containers[0].VolumeMounts = addVolumeMounts(volumeName)
+ 	}
+ 
+-- 
+2.41.0
+

0010-Fix-PR-leftover-mount-and-perms.patch

@@ -0,0 +1,574 @@
+From dd782727364aaa2f2914b86ab21bd6ed34c8db7e Mon Sep 17 00:00:00 2001
+From: Vasiliy Ulyanov <vulyanov@suse.de>
+Date: Thu, 27 Jul 2023 09:15:31 +0200
+Subject: [PATCH 1/8] Drop redundant use of fmt.Sprintf
+
+Signed-off-by: Vasiliy Ulyanov <vulyanov@suse.de>
+---
+ pkg/storage/reservation/pr.go | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+diff --git a/pkg/storage/reservation/pr.go b/pkg/storage/reservation/pr.go
+index 5ab0dec4c..afda2c8b4 100644
+--- a/pkg/storage/reservation/pr.go
++++ b/pkg/storage/reservation/pr.go
+@@ -1,7 +1,6 @@
+ package reservation
+ 
+ import (
+-	"fmt"
+ 	"path/filepath"
+ 
+ 	v1 "kubevirt.io/api/core/v1"
+@@ -20,15 +19,15 @@ func GetPrResourceName() string {
+ }
+ 
+ func GetPrHelperSocketDir() string {
+-	return fmt.Sprintf(filepath.Join(sourceDaemonsPath, prHelperDir))
++	return filepath.Join(sourceDaemonsPath, prHelperDir)
+ }
+ 
+ func GetPrHelperHostSocketDir() string {
+-	return fmt.Sprintf(filepath.Join(hostSourceDaemonsPath, prHelperDir))
++	return filepath.Join(hostSourceDaemonsPath, prHelperDir)
+ }
+ 
+ func GetPrHelperSocketPath() string {
+-	return fmt.Sprintf(filepath.Join(GetPrHelperSocketDir(), prHelperSocket))
++	return filepath.Join(GetPrHelperSocketDir(), prHelperSocket)
+ }
+ 
+ func GetPrHelperSocket() string {
+-- 
+2.41.0
+
+
+From b0e7d191686d90a61143beb73dd97e773d5d21de Mon Sep 17 00:00:00 2001
+From: Vasiliy Ulyanov <vulyanov@suse.de>
+Date: Thu, 27 Jul 2023 09:18:36 +0200
+Subject: [PATCH 2/8] Run pr-helper container as qemu (107) user
+
+The ownership of the /var/run/kubevirt/daemons/pr directory is currently
+set to 107:107 while by default the container is run under a non-root
+user 1001 (which does not have write permissions to that directory).
+Since the container is privileged, qemu-pr-helper initially has the
+capabilities to create the socket in that directory. However, after the
+daemon has been initialized, it drops the capabilities and this
+eventually leads to 'Permission denied' error when the daemon tries to
+remove the socket during termination. Running the container under qemu
+user ensures the cleanup is done properly.
+
+Signed-off-by: Vasiliy Ulyanov <vulyanov@suse.de>
+---
+ pkg/virt-operator/resource/generate/components/BUILD.bazel   | 1 +
+ pkg/virt-operator/resource/generate/components/daemonsets.go | 2 ++
+ 2 files changed, 3 insertions(+)
+
+diff --git a/pkg/virt-operator/resource/generate/components/BUILD.bazel b/pkg/virt-operator/resource/generate/components/BUILD.bazel
+index 0f4625a44..4f0046de0 100644
+--- a/pkg/virt-operator/resource/generate/components/BUILD.bazel
++++ b/pkg/virt-operator/resource/generate/components/BUILD.bazel
+@@ -22,6 +22,7 @@ go_library(
+         "//pkg/certificates/triple:go_default_library",
+         "//pkg/certificates/triple/cert:go_default_library",
+         "//pkg/storage/reservation:go_default_library",
++        "//pkg/util:go_default_library",
+         "//pkg/virt-operator/util:go_default_library",
+         "//staging/src/kubevirt.io/api/clone:go_default_library",
+         "//staging/src/kubevirt.io/api/clone/v1alpha1:go_default_library",
+diff --git a/pkg/virt-operator/resource/generate/components/daemonsets.go b/pkg/virt-operator/resource/generate/components/daemonsets.go
+index 9066fd23a..c254f1ff2 100644
+--- a/pkg/virt-operator/resource/generate/components/daemonsets.go
++++ b/pkg/virt-operator/resource/generate/components/daemonsets.go
+@@ -13,6 +13,7 @@ import (
+ 	virtv1 "kubevirt.io/api/core/v1"
+ 
+ 	"kubevirt.io/kubevirt/pkg/storage/reservation"
++	"kubevirt.io/kubevirt/pkg/util"
+ 	operatorutil "kubevirt.io/kubevirt/pkg/virt-operator/util"
+ )
+ 
+@@ -41,6 +42,7 @@ func RenderPrHelperContainer(image string, pullPolicy corev1.PullPolicy) corev1.
+ 			},
+ 		},
+ 		SecurityContext: &corev1.SecurityContext{
++			RunAsUser:  pointer.Int64(util.NonRootUID),
+ 			Privileged: pointer.Bool(true),
+ 		},
+ 	}
+-- 
+2.41.0
+
+
+From 3ddd3d783dcab7100041f8434157adf98042978c Mon Sep 17 00:00:00 2001
+From: Vasiliy Ulyanov <vulyanov@suse.de>
+Date: Thu, 27 Jul 2023 10:38:52 +0200
+Subject: [PATCH 3/8] Do not mount pr-helper-socket-vol to virt-handler
+
+It turns out that having two host path volumes originating at the same
+root (e.g. /var/run/kubevirt and /var/run/kubevirt/daemons/pr) in a pod
+and bind-mounted with bidirectional propagation to a container leads to
+side effects. That creates additional mount points on the host that are
+not cleaned up afterward:
+
+$ mount | grep daemon
+tmpfs on /run/kubevirt/daemons/pr type tmpfs (rw,nosuid,nodev,seclabel,mode=755)
+tmpfs on /run/kubevirt/daemons/pr type tmpfs (rw,nosuid,nodev,seclabel,mode=755)
+tmpfs on /run/kubevirt/daemons/pr type tmpfs (rw,nosuid,nodev,seclabel,mode=755)
+
+Since the virt-handler container already has the host path volume
+/var/run/kubevirt mounted, it can be used to access the pr-helper
+socket at /var/run/kubevirt/daemons/pr.
+
+Signed-off-by: Vasiliy Ulyanov <vulyanov@suse.de>
+---
+ .../resource/generate/components/daemonsets.go      | 13 ++++++++++---
+ 1 file changed, 10 insertions(+), 3 deletions(-)
+
+diff --git a/pkg/virt-operator/resource/generate/components/daemonsets.go b/pkg/virt-operator/resource/generate/components/daemonsets.go
+index c254f1ff2..229b8e24e 100644
+--- a/pkg/virt-operator/resource/generate/components/daemonsets.go
++++ b/pkg/virt-operator/resource/generate/components/daemonsets.go
+@@ -276,9 +276,6 @@ func NewHandlerDaemonSet(namespace, repository, imagePrefix, version, launcherVe
+ 		{"kubelet-pods", kubeletPodsPath, kubeletPodsPath, &bidi},
+ 		{"node-labeller", "/var/lib/kubevirt-node-labeller", "/var/lib/kubevirt-node-labeller", nil},
+ 	}
+-	if enablePrHelper {
+-		volumes = append(volumes, volume{prVolumeName, reservation.GetPrHelperSocketDir(), reservation.GetPrHelperSocketDir(), &bidi})
+-	}
+ 
+ 	for _, volume := range volumes {
+ 		container.VolumeMounts = append(container.VolumeMounts, corev1.VolumeMount{
+@@ -328,6 +325,16 @@ func NewHandlerDaemonSet(namespace, repository, imagePrefix, version, launcherVe
+ 	}
+ 
+ 	if enablePrHelper {
++		directoryOrCreate := corev1.HostPathDirectoryOrCreate
++		pod.Volumes = append(pod.Volumes, corev1.Volume{
++			Name: prVolumeName,
++			VolumeSource: corev1.VolumeSource{
++				HostPath: &corev1.HostPathVolumeSource{
++					Path: reservation.GetPrHelperSocketDir(),
++					Type: &directoryOrCreate,
++				},
++			},
++		})
+ 		pod.Containers = append(pod.Containers, RenderPrHelperContainer(prHelperImage, pullPolicy))
+ 	}
+ 	return daemonset, nil
+-- 
+2.41.0
+
+
+From dd7807a4b3f03cee76965e5273e1ea5381b41b7a Mon Sep 17 00:00:00 2001
+From: Vasiliy Ulyanov <vulyanov@suse.de>
+Date: Thu, 27 Jul 2023 11:15:19 +0200
+Subject: [PATCH 4/8] tests: Ensure proper cleanup (scsi reservation)
+
+Check that after PersistentReservation feature gate is disabled, no
+mount points or socket files are left behind.
+
+Signed-off-by: Vasiliy Ulyanov <vulyanov@suse.de>
+---
+ tests/storage/BUILD.bazel    |  1 +
+ tests/storage/reservation.go | 12 ++++++++++++
+ 2 files changed, 13 insertions(+)
+
+diff --git a/tests/storage/BUILD.bazel b/tests/storage/BUILD.bazel
+index f605404fc..21414efbd 100644
+--- a/tests/storage/BUILD.bazel
++++ b/tests/storage/BUILD.bazel
+@@ -22,6 +22,7 @@ go_library(
+         "//pkg/apimachinery/patch:go_default_library",
+         "//pkg/certificates/triple/cert:go_default_library",
+         "//pkg/host-disk:go_default_library",
++        "//pkg/storage/reservation:go_default_library",
+         "//pkg/storage/types:go_default_library",
+         "//pkg/virt-config:go_default_library",
+         "//pkg/virt-launcher/virtwrap/converter:go_default_library",
+diff --git a/tests/storage/reservation.go b/tests/storage/reservation.go
+index a09853060..e233e53e4 100644
+--- a/tests/storage/reservation.go
++++ b/tests/storage/reservation.go
+@@ -17,12 +17,14 @@ import (
+ 	v1 "kubevirt.io/api/core/v1"
+ 	"kubevirt.io/client-go/kubecli"
+ 
++	"kubevirt.io/kubevirt/pkg/storage/reservation"
+ 	virtconfig "kubevirt.io/kubevirt/pkg/virt-config"
+ 	"kubevirt.io/kubevirt/tests"
+ 	"kubevirt.io/kubevirt/tests/console"
+ 	"kubevirt.io/kubevirt/tests/exec"
+ 	"kubevirt.io/kubevirt/tests/flags"
+ 	"kubevirt.io/kubevirt/tests/framework/checks"
++	"kubevirt.io/kubevirt/tests/libnode"
+ 	"kubevirt.io/kubevirt/tests/libstorage"
+ 	"kubevirt.io/kubevirt/tests/libvmi"
+ 	"kubevirt.io/kubevirt/tests/libwait"
+@@ -295,6 +297,16 @@ var _ = SIGDescribe("[Serial]SCSI persistent reservation", Serial, func() {
+ 				}
+ 				return len(ds.Spec.Template.Spec.Containers) == 1
+ 			}, time.Minute*5, time.Second*2).Should(BeTrue())
++
++			nodes := libnode.GetAllSchedulableNodes(virtClient)
++			for _, node := range nodes.Items {
++				output, err := tests.ExecuteCommandInVirtHandlerPod(node.Name, []string{"mount"})
++				Expect(err).ToNot(HaveOccurred())
++				Expect(output).ToNot(ContainSubstring("kubevirt/daemons/pr"))
++				output, err = tests.ExecuteCommandInVirtHandlerPod(node.Name, []string{"ls", reservation.GetPrHelperSocketDir()})
++				Expect(err).ToNot(HaveOccurred())
++				Expect(output).To(BeEmpty())
++			}
+ 		})
+ 	})
+ 
+-- 
+2.41.0
+
+
+From fac107640550d1b9a10150ed355087b0d8a39540 Mon Sep 17 00:00:00 2001
+From: Vasiliy Ulyanov <vulyanov@suse.de>
+Date: Thu, 27 Jul 2023 13:42:42 +0200
+Subject: [PATCH 5/8] tests: Ensure KubeVirt is ready (scsi reservation)
+
+Switching the PersistentReservation feature gate on/off causes
+redeployment of all the components. Ensure KubeVirt is ready before
+moving on.
+
+Signed-off-by: Vasiliy Ulyanov <vulyanov@suse.de>
+---
+ tests/storage/reservation.go | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/tests/storage/reservation.go b/tests/storage/reservation.go
+index e233e53e4..ef775baed 100644
+--- a/tests/storage/reservation.go
++++ b/tests/storage/reservation.go
+@@ -208,6 +208,10 @@ var _ = SIGDescribe("[Serial]SCSI persistent reservation", Serial, func() {
+ 			pv, pvc, err = tests.CreatePVandPVCwithSCSIDisk(node, device, util.NamespaceTestDefault, "scsi-disks", "scsipv", "scsipvc")
+ 			Expect(err).ToNot(HaveOccurred())
+ 			waitForVirtHandlerWithPrHelperReadyOnNode(node)
++			// Switching the PersistentReservation feature gate on/off
++			// causes redeployment of all KubeVirt components.
++			By("Ensuring all KubeVirt components are ready")
++			testsuite.EnsureKubevirtReady()
+ 		})
+ 
+ 		AfterEach(func() {
+@@ -298,6 +302,11 @@ var _ = SIGDescribe("[Serial]SCSI persistent reservation", Serial, func() {
+ 				return len(ds.Spec.Template.Spec.Containers) == 1
+ 			}, time.Minute*5, time.Second*2).Should(BeTrue())
+ 
++			// Switching the PersistentReservation feature gate on/off
++			// causes redeployment of all KubeVirt components.
++			By("Ensuring all KubeVirt components are ready")
++			testsuite.EnsureKubevirtReady()
++
+ 			nodes := libnode.GetAllSchedulableNodes(virtClient)
+ 			for _, node := range nodes.Items {
+ 				output, err := tests.ExecuteCommandInVirtHandlerPod(node.Name, []string{"mount"})
+-- 
+2.41.0
+
+
+From bb55f6403e8714e116e97f6cfeff3ca086863286 Mon Sep 17 00:00:00 2001
+From: Vasiliy Ulyanov <vulyanov@suse.de>
+Date: Tue, 1 Aug 2023 12:47:22 +0200
+Subject: [PATCH 6/8] Support relabeling of unix sockets
+
+An attempt to open a UNIX domain socket returns ENXIO making it hard to
+obtain a file descriptor. Instead, manage the selinux label attributes
+using the functions that work with file paths.
+
+Signed-off-by: Vasiliy Ulyanov <vulyanov@suse.de>
+---
+ cmd/virt-chroot/BUILD.bazel |  1 +
+ cmd/virt-chroot/selinux.go  | 21 +++++++++++++++++++--
+ 2 files changed, 20 insertions(+), 2 deletions(-)
+
+diff --git a/cmd/virt-chroot/BUILD.bazel b/cmd/virt-chroot/BUILD.bazel
+index 250a25bf2..fd26041a0 100644
+--- a/cmd/virt-chroot/BUILD.bazel
++++ b/cmd/virt-chroot/BUILD.bazel
+@@ -17,6 +17,7 @@ go_library(
+         "//vendor/github.com/opencontainers/runc/libcontainer/cgroups/fs:go_default_library",
+         "//vendor/github.com/opencontainers/runc/libcontainer/cgroups/fs2:go_default_library",
+         "//vendor/github.com/opencontainers/runc/libcontainer/configs:go_default_library",
++        "//vendor/github.com/opencontainers/selinux/go-selinux:go_default_library",
+         "//vendor/github.com/spf13/cobra:go_default_library",
+         "//vendor/github.com/vishvananda/netlink:go_default_library",
+         "//vendor/golang.org/x/sys/unix:go_default_library",
+diff --git a/cmd/virt-chroot/selinux.go b/cmd/virt-chroot/selinux.go
+index b8bb3976f..e2c4a4aba 100644
+--- a/cmd/virt-chroot/selinux.go
++++ b/cmd/virt-chroot/selinux.go
+@@ -6,6 +6,7 @@ import (
+ 	"os"
+ 	"path/filepath"
+ 
++	"github.com/opencontainers/selinux/go-selinux"
+ 	"github.com/spf13/cobra"
+ 	"golang.org/x/sys/unix"
+ 
+@@ -62,10 +63,15 @@ func RelabelCommand() *cobra.Command {
+ 			if err != nil {
+ 				return fmt.Errorf("could not open file %v. Reason: %v", safePath, err)
+ 			}
+-
+ 			defer fd.Close()
+ 			filePath := fd.SafePath()
+ 
++			if fileInfo, err := safepath.StatAtNoFollow(safePath); err != nil {
++				return fmt.Errorf("could not stat file %v. Reason: %v", safePath, err)
++			} else if (fileInfo.Mode() & os.ModeSocket) != 0 {
++				return relabelUnixSocket(filePath, label)
++			}
++
+ 			writeableFD, err := os.OpenFile(filePath, os.O_APPEND|unix.S_IWRITE, os.ModePerm)
+ 			if err != nil {
+ 				return fmt.Errorf("error reopening file %s to write label %s. Reason: %v", filePath, label, err)
+@@ -74,7 +80,7 @@ func RelabelCommand() *cobra.Command {
+ 
+ 			currentFileLabel, err := getLabel(writeableFD)
+ 			if err != nil {
+-				return fmt.Errorf("faild to get selinux label for file %v: %v", filePath, err)
++				return fmt.Errorf("failed to get selinux label for file %v: %v", filePath, err)
+ 			}
+ 
+ 			if currentFileLabel != label {
+@@ -108,3 +114,14 @@ func getLabel(file *os.File) (string, error) {
+ 	}
+ 	return string(buffer[:labelLength]), nil
+ }
++
++func relabelUnixSocket(filePath, label string) error {
++	if currentLabel, err := selinux.FileLabel(filePath); err != nil {
++		return fmt.Errorf("could not retrieve label of file %s. Reason: %v", filePath, err)
++	} else if currentLabel != label {
++		if err := unix.Setxattr(filePath, xattrNameSelinux, []byte(label), 0); err != nil {
++			return fmt.Errorf("error relabeling file %s with label %s. Reason: %v", filePath, label, err)
++		}
++	}
++	return nil
++}
+-- 
+2.41.0
+
+
+From 2867dd61c3cdb65c7a195e37c2064a23b285bcee Mon Sep 17 00:00:00 2001
+From: Vasiliy Ulyanov <vulyanov@suse.de>
+Date: Tue, 1 Aug 2023 13:04:25 +0200
+Subject: [PATCH 7/8] Relabel PR helper socket in device plugin
+
+This will ensure that a proper selinux label is set on the socket when
+it is allocated to a VM pod.
+
+Signed-off-by: Vasiliy Ulyanov <vulyanov@suse.de>
+---
+ cmd/virt-handler/virt-handler.go                 | 15 +--------------
+ pkg/util/util.go                                 | 16 +++++++++-------
+ pkg/virt-handler/device-manager/socket_device.go |  9 +++++++++
+ 3 files changed, 19 insertions(+), 21 deletions(-)
+
+diff --git a/cmd/virt-handler/virt-handler.go b/cmd/virt-handler/virt-handler.go
+index f0e379b7f..6a915d9ba 100644
+--- a/cmd/virt-handler/virt-handler.go
++++ b/cmd/virt-handler/virt-handler.go
+@@ -129,8 +129,6 @@ const (
+ 
+ 	// Default network-status downward API file path
+ 	defaultNetworkStatusFilePath = "/etc/podinfo/network-status"
+-
+-	unprivilegedContainerSELinuxLabel = "system_u:object_r:container_file_t:s0"
+ )
+ 
+ type virtHandlerApp struct {
+@@ -420,7 +418,7 @@ func (app *virtHandlerApp) Run() {
+ 		if err != nil {
+ 			panic(err)
+ 		}
+-		err = selinux.RelabelFiles(unprivilegedContainerSELinuxLabel, se.IsPermissive(), devTun, devNull)
++		err = selinux.RelabelFiles(util.UnprivilegedContainerSELinuxLabel, se.IsPermissive(), devTun, devNull)
+ 		if err != nil {
+ 			panic(fmt.Errorf("error relabeling required files: %v", err))
+ 		}
+@@ -564,18 +562,7 @@ func (app *virtHandlerApp) shouldEnablePersistentReservation() {
+ 	if err != nil {
+ 		panic(err)
+ 	}
+-	se, exists, err := selinux.NewSELinux()
+-	if err == nil && exists {
+-		err = selinux.RelabelFiles(unprivilegedContainerSELinuxLabel, se.IsPermissive(), prSockDir)
+-		if err != nil {
+-			panic(fmt.Errorf("error relabeling required files: %v", err))
+-		}
+-	} else if err != nil {
+-		panic(fmt.Errorf("failed to detect the presence of selinux: %v", err))
+-	}
+-
+ 	log.DefaultLogger().Infof("set permission for %s", reservation.GetPrHelperHostSocketDir())
+-
+ }
+ 
+ func (app *virtHandlerApp) runPrometheusServer(errCh chan error) {
+diff --git a/pkg/util/util.go b/pkg/util/util.go
+index dbf14064a..fef626f9f 100644
+--- a/pkg/util/util.go
++++ b/pkg/util/util.go
+@@ -27,15 +27,17 @@ const (
+ 	HostRootMount                             = "/proc/1/root/"
+ 	CPUManagerOS3Path                         = HostRootMount + "var/lib/origin/openshift.local.volumes/cpu_manager_state"
+ 	CPUManagerPath                            = HostRootMount + "var/lib/kubelet/cpu_manager_state"
+-)
+ 
+-// Alphanums is the list of alphanumeric characters used to create a securely generated random string
+-const Alphanums = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
++	// Alphanums is the list of alphanumeric characters used to create a securely generated random string
++	Alphanums = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
++
++	NonRootUID         = 107
++	NonRootUserString  = "qemu"
++	RootUser           = 0
++	memoryDumpOverhead = 100 * 1024 * 1024
+ 
+-const NonRootUID = 107
+-const NonRootUserString = "qemu"
+-const RootUser = 0
+-const memoryDumpOverhead = 100 * 1024 * 1024
++	UnprivilegedContainerSELinuxLabel = "system_u:object_r:container_file_t:s0"
++)
+ 
+ func IsNonRootVMI(vmi *v1.VirtualMachineInstance) bool {
+ 	_, ok := vmi.Annotations[v1.DeprecatedNonRootVMIAnnotation]
+diff --git a/pkg/virt-handler/device-manager/socket_device.go b/pkg/virt-handler/device-manager/socket_device.go
+index fdac11662..53308b648 100644
+--- a/pkg/virt-handler/device-manager/socket_device.go
++++ b/pkg/virt-handler/device-manager/socket_device.go
+@@ -40,6 +40,7 @@ import (
+ 	"kubevirt.io/kubevirt/pkg/safepath"
+ 	"kubevirt.io/kubevirt/pkg/util"
+ 	pluginapi "kubevirt.io/kubevirt/pkg/virt-handler/device-manager/deviceplugin/v1beta1"
++	"kubevirt.io/kubevirt/pkg/virt-handler/selinux"
+ )
+ 
+ type SocketDevicePlugin struct {
+@@ -220,6 +221,14 @@ func (dpi *SocketDevicePlugin) Allocate(ctx context.Context, r *pluginapi.Alloca
+ 		return nil, fmt.Errorf("error setting the permission the socket %s/%s:%v", dpi.socketDir, dpi.socket, err)
+ 	}
+ 
++	if se, exists, err := selinux.NewSELinux(); err == nil && exists {
++		if err := selinux.RelabelFiles(util.UnprivilegedContainerSELinuxLabel, se.IsPermissive(), prSock); err != nil {
++			return nil, fmt.Errorf("error relabeling required files: %v", err)
++		}
++	} else if err != nil {
++		return nil, fmt.Errorf("failed to detect the presence of selinux: %v", err)
++	}
++
+ 	m := new(pluginapi.Mount)
+ 	m.HostPath = dpi.socketDir
+ 	m.ContainerPath = dpi.socketDir
+-- 
+2.41.0
+
+
+From 128599fb4d138723991dd46e741f86dc1561488f Mon Sep 17 00:00:00 2001
+From: Alice Frosi <afrosi@redhat.com>
+Date: Fri, 4 Aug 2023 13:27:40 +0200
+Subject: [PATCH 8/8] pr-helper: set user to root
+
+The image is built with user 1000 by default and the container is
+created automatically with this user. Setting explicitly the user to
+root, it avoids permission conflicts.
+
+Signed-off-by: Alice Frosi <afrosi@redhat.com>
+---
+ cmd/virt-handler/BUILD.bazel                  |  1 -
+ cmd/virt-handler/virt-handler.go              | 19 -------------------
+ .../device-manager/socket_device.go           |  1 -
+ .../generate/components/daemonsets.go         |  2 +-
+ 4 files changed, 1 insertion(+), 22 deletions(-)
+
+diff --git a/cmd/virt-handler/BUILD.bazel b/cmd/virt-handler/BUILD.bazel
+index 4299bc688..88e684e9a 100644
+--- a/cmd/virt-handler/BUILD.bazel
++++ b/cmd/virt-handler/BUILD.bazel
+@@ -19,7 +19,6 @@ go_library(
+         "//pkg/monitoring/workqueue/prometheus:go_default_library",
+         "//pkg/safepath:go_default_library",
+         "//pkg/service:go_default_library",
+-        "//pkg/storage/reservation:go_default_library",
+         "//pkg/util:go_default_library",
+         "//pkg/util/ratelimiter:go_default_library",
+         "//pkg/util/tls:go_default_library",
+diff --git a/cmd/virt-handler/virt-handler.go b/cmd/virt-handler/virt-handler.go
+index 6a915d9ba..f07623453 100644
+--- a/cmd/virt-handler/virt-handler.go
++++ b/cmd/virt-handler/virt-handler.go
+@@ -33,7 +33,6 @@ import (
+ 	"syscall"
+ 	"time"
+ 
+-	"kubevirt.io/kubevirt/pkg/storage/reservation"
+ 	kvtls "kubevirt.io/kubevirt/pkg/util/tls"
+ 	"kubevirt.io/kubevirt/pkg/virt-handler/seccomp"
+ 	"kubevirt.io/kubevirt/pkg/virt-handler/vsock"
+@@ -315,7 +314,6 @@ func (app *virtHandlerApp) Run() {
+ 	app.clusterConfig.SetConfigModifiedCallback(app.shouldChangeLogVerbosity)
+ 	app.clusterConfig.SetConfigModifiedCallback(app.shouldChangeRateLimiter)
+ 	app.clusterConfig.SetConfigModifiedCallback(app.shouldInstallKubevirtSeccompProfile)
+-	app.clusterConfig.SetConfigModifiedCallback(app.shouldEnablePersistentReservation)
+ 
+ 	if err := app.setupTLS(factory); err != nil {
+ 		glog.Fatalf("Error constructing migration tls config: %v", err)
+@@ -548,23 +546,6 @@ func (app *virtHandlerApp) shouldInstallKubevirtSeccompProfile() {
+ 
+ }
+ 
+-func (app *virtHandlerApp) shouldEnablePersistentReservation() {
+-	enabled := app.clusterConfig.PersistentReservationEnabled()
+-	if !enabled {
+-		log.DefaultLogger().Info("Persistent Reservation is not enabled")
+-		return
+-	}
+-	prSockDir, err := safepath.JoinAndResolveWithRelativeRoot("/", reservation.GetPrHelperHostSocketDir())
+-	if err != nil {
+-		panic(err)
+-	}
+-	err = safepath.ChownAtNoFollow(prSockDir, util.NonRootUID, util.NonRootUID)
+-	if err != nil {
+-		panic(err)
+-	}
+-	log.DefaultLogger().Infof("set permission for %s", reservation.GetPrHelperHostSocketDir())
+-}
+-
+ func (app *virtHandlerApp) runPrometheusServer(errCh chan error) {
+ 	mux := restful.NewContainer()
+ 	webService := new(restful.WebService)
+diff --git a/pkg/virt-handler/device-manager/socket_device.go b/pkg/virt-handler/device-manager/socket_device.go
+index 53308b648..14e9f86df 100644
+--- a/pkg/virt-handler/device-manager/socket_device.go
++++ b/pkg/virt-handler/device-manager/socket_device.go
+@@ -220,7 +220,6 @@ func (dpi *SocketDevicePlugin) Allocate(ctx context.Context, r *pluginapi.Alloca
+ 	if err != nil {
+ 		return nil, fmt.Errorf("error setting the permission the socket %s/%s:%v", dpi.socketDir, dpi.socket, err)
+ 	}
+-
+ 	if se, exists, err := selinux.NewSELinux(); err == nil && exists {
+ 		if err := selinux.RelabelFiles(util.UnprivilegedContainerSELinuxLabel, se.IsPermissive(), prSock); err != nil {
+ 			return nil, fmt.Errorf("error relabeling required files: %v", err)
+diff --git a/pkg/virt-operator/resource/generate/components/daemonsets.go b/pkg/virt-operator/resource/generate/components/daemonsets.go
+index 229b8e24e..fccc4161a 100644
+--- a/pkg/virt-operator/resource/generate/components/daemonsets.go
++++ b/pkg/virt-operator/resource/generate/components/daemonsets.go
+@@ -42,7 +42,7 @@ func RenderPrHelperContainer(image string, pullPolicy corev1.PullPolicy) corev1.
+ 			},
+ 		},
+ 		SecurityContext: &corev1.SecurityContext{
+-			RunAsUser:  pointer.Int64(util.NonRootUID),
++			RunAsUser:  pointer.Int64(util.RootUser),
+ 			Privileged: pointer.Bool(true),
+ 		},
+ 	}
+-- 
+2.41.0
+

kubevirt.changes

@@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Tue Aug  8 06:02:05 UTC 2023 - Vasily Ulyanov <vasily.ulyanov@suse.com>
+
+- Run helper pod as qemu user
+  0009-tests-Run-helper-pod-as-qemu-107-user.patch
+- SCSI reservation: fix leftover mount and resource permissions
+  0010-Fix-PR-leftover-mount-and-perms.patch
+
 -------------------------------------------------------------------
 Thu Aug  3 06:27:57 UTC 2023 - Vasily Ulyanov <vasily.ulyanov@suse.com>
 

kubevirt.spec

@@ -36,6 +36,8 @@ Patch5:         0005-Support-multiple-watchdogs-in-the-domain-schema.patch
 Patch6:         0006-isolation-close-file-when-exits.patch
 Patch7:         0007-Fix-volume-detach-on-hotplug-attachment-pod-delete.patch
 Patch8:         0008-fix-ticker-leak.patch
+Patch9:         0009-tests-Run-helper-pod-as-qemu-107-user.patch
+Patch10:        0010-Fix-PR-leftover-mount-and-perms.patch
 BuildRequires:  glibc-devel-static
 BuildRequires:  golang-packaging
 BuildRequires:  pkgconfig