--
You received this message because you are subscribed to the Google Groups "kubevirt-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to kubevirt-dev...@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/kubevirt-dev/CABBoX7MEk-hs2yE6mZvuKJ6UEsi7vjsDG%3D6JB3Ajkun%2BQq-8uA%40mail.gmail.com.
Hey Alice
I don't think it's a problem to add some capabilities to the builder (development only container), it just seems weird to me that we would need to do that.
Could you elaborate a little on how this functionality will help with testing the new component?
Will you be relying on the unshare in the unit tests? In that case, I strongly suggest that we inject some dependency to avoid the real calls.
add the capability CAP_SYS_ADMIN to the kubevirt-bazel-container
In that case, I am not sure how CAP_SYS_ADMIN on anything other than virt-handler will help?
So, you will be ~unit-testing this new component, and since the unit tests run in the builder container, this capability is needed?
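The dependency-injection suggestion in the message above, sketched in Go as an added example (not KubeVirt code and not code from anyone in this thread): unit tests drive the component through a fake, so they need no extra capability, and only a test that makes the real call would have to check for CAP_SYS_ADMIN first. `Unsharer`, `FakeUnsharer`, `EnterMountNamespace` and `HasSysAdmin` are hypothetical names, and the choice of the mount namespace is an assumption.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

const (
	capSysAdmin = 21      // bit index of CAP_SYS_ADMIN in linux/capability.h
	cloneNewNS  = 0x20000 // CLONE_NEWNS; which namespace is unshared is an assumption
)

// Unsharer is the injected dependency: real unshare(2) in production, a fake in unit tests.
type Unsharer interface{ Unshare(flags int) error }

// FakeUnsharer records the requested flags and never touches the kernel.
type FakeUnsharer struct {
	Calls []int
	Err   error
}

func (f *FakeUnsharer) Unshare(flags int) error {
	f.Calls = append(f.Calls, flags)
	return f.Err
}

// EnterMountNamespace stands in for the component under test (hypothetical).
func EnterMountNamespace(u Unsharer) error {
	if err := u.Unshare(cloneNewNS); err != nil {
		return fmt.Errorf("unshare mount namespace: %w", err)
	}
	return nil
}

// HasSysAdmin parses the CapEff line of /proc/<pid>/status text, so a real-call test can skip.
func HasSysAdmin(status string) (bool, error) {
	for _, line := range strings.Split(status, "\n") {
		if strings.HasPrefix(line, "CapEff:") {
			mask, err := strconv.ParseUint(strings.TrimSpace(line[len("CapEff:"):]), 16, 64)
			if err != nil {
				return false, fmt.Errorf("bad CapEff value: %w", err)
			}
			return mask&(1<<capSysAdmin) != 0, nil
		}
	}
	return false, fmt.Errorf("no CapEff line")
}

func main() { fmt.Println(EnterMountNamespace(&FakeUnsharer{})) }
```

With this split, the builder container only needs the extra capability for the tests that exercise the real `unshare` path, and those can skip themselves when `HasSysAdmin` reports false.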
Excuse me for being a bit of a novice, Alice, but what are the downsides of enabling CAP_SYS_ADMIN like you suggest?
E.g. would it make it easier for buggy/malicious kubevirt code to harm my dev laptop?
On Mon, Dec 9, 2024 at 8:17 PM Alex Kalenyuk <akal...@redhat.com> wrote:
So I don't see an issue with adding a capability into a development container,
but the testing setup does sound like it's increasing the complexity of the things we maintain.
Maybe https://github.com/opencontainers/runc exports something similar in golang, which is already tested?
On Mon, Dec 9, 2024 at 6:13 PM Alice Frosi <afr...@redhat.com> wrote:
On Mon, Dec 9, 2024 at 1:29 PM Alex Kalenyuk <akal...@redhat.com> wrote:
So, you will be ~unit-testing this new component, and since the unit tests run in the builder container, this capability is needed?
Exactly!