Groups keyboard shortcuts have been updated
Dismiss
See shortcuts

Add CAP_SYS_ADMIN the bazel container

14 views
Skip to first unread message

Alice Frosi

unread,
Dec 6, 2024, 4:51:38 AM12/6/24
to kubevirt-dev, German Maglione
Hi everyone,

I have a request if it would be possible to add the capability CAP_SYS_ADMIN to the kubevirt-bazel-container. This capability is necessary in order to run unshare with the pid namespace. This option is a requirement for testing a new component added by [1] which configure the namespace and cgroup for virtiofs


Many thanks,
Alice

Alex Kalenyuk

unread,
Dec 9, 2024, 6:26:24 AM12/9/24
to Alice Frosi, kubevirt-dev, German Maglione
Hey Alice

I don't think it's a problem to add some capabilities to the builder (development only container), it just seems weird to me that we would need to do that.
Could you elaborate a little on how this functionality will help with testing the new component? 
Will you be relying on the unshare in the unit tests? In that case, I strongly suggest that we inject some dependency to avoid the real calls.

--
You received this message because you are subscribed to the Google Groups "kubevirt-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to kubevirt-dev...@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/kubevirt-dev/CABBoX7MEk-hs2yE6mZvuKJ6UEsi7vjsDG%3D6JB3Ajkun%2BQq-8uA%40mail.gmail.com.

Alice Frosi

unread,
Dec 9, 2024, 6:39:04 AM12/9/24
to Alex Kalenyuk, kubevirt-dev, German Maglione
Hi Alex,

On Mon, Dec 9, 2024 at 12:26 PM Alex Kalenyuk <akal...@redhat.com> wrote:
Hey Alice

I don't think it's a problem to add some capabilities to the builder (development only container), it just seems weird to me that we would need to do that.
Could you elaborate a little on how this functionality will help with testing the new component? 
Will you be relying on the unshare in the unit tests? In that case, I strongly suggest that we inject some dependency to avoid the real calls.

The new component (the dispatcher) is a small binary which launches virtiofs in the unprivileged container. In order to test the component we need to create at least a pid namespace. We can do this using the unshare utility. However, it requires CAP_SYS_ADMIN, otherwise it fails with the permission denied error.

One additional thing, the new component is a C program, so it isn't so easy to mock eventual function.

You can see what is required to test the component in the PR [1].

Alex Kalenyuk

unread,
Dec 9, 2024, 6:44:03 AM12/9/24
to Alice Frosi, kubevirt-dev, German Maglione
add the capability CAP_SYS_ADMIN to the kubevirt-bazel-container
In that case, I am not sure how CAP_SYS_ADMIN on anything other than virt-handler will help? 

Alice Frosi

unread,
Dec 9, 2024, 7:20:02 AM12/9/24
to Alex Kalenyuk, kubevirt-dev, German Maglione
On Mon, Dec 9, 2024 at 12:44 PM Alex Kalenyuk <akal...@redhat.com> wrote:
add the capability CAP_SYS_ADMIN to the kubevirt-bazel-container
In that case, I am not sure how CAP_SYS_ADMIN on anything other than virt-handler will help? 

Well, the component will be used by virt-handler, but we want to test it standalone.

Alex Kalenyuk

unread,
Dec 9, 2024, 7:29:33 AM12/9/24
to Alice Frosi, kubevirt-dev, German Maglione
So, you will be ~unit-testing this new component, and since the unit tests run in the builder container, this capability is needed?

Alice Frosi

unread,
Dec 9, 2024, 11:13:03 AM12/9/24
to Alex Kalenyuk, kubevirt-dev, German Maglione
On Mon, Dec 9, 2024 at 1:29 PM Alex Kalenyuk <akal...@redhat.com> wrote:
So, you will be ~unit-testing this new component, and since the unit tests run in the builder container, this capability is needed?

Exactly! 

Alex Kalenyuk

unread,
Dec 9, 2024, 1:17:31 PM12/9/24
to Alice Frosi, kubevirt-dev, German Maglione
So I don't see an issue with adding a capability into a development container,
but the testing setup does sound like it's increasing the complexity of the things we maintain.

Maybe https://github.com/opencontainers/runc exports something similar in golang, which is already tested?

Dan Kenigsberg

unread,
Dec 10, 2024, 10:53:46 AM12/10/24
to Alex Kalenyuk, Alice Frosi, kubevirt-dev, German Maglione
Excuse me for being a bit of a novice, Alice, but what are the downsides of enabling CAP_SYS_ADMIN like you suggest?
E.g would it make it easier for a buggy/malicious kubevirt code to harm my dev laptop?

Edward Haas

unread,
Dec 11, 2024, 4:08:51 AM12/11/24
to Dan Kenigsberg, Alex Kalenyuk, Alice Frosi, kubevirt-dev, German Maglione
On Tue, Dec 10, 2024 at 5:53 PM Dan Kenigsberg <dan...@redhat.com> wrote:
Excuse me for being a bit of a novice, Alice, but what are the downsides of enabling CAP_SYS_ADMIN like you suggest?
E.g would it make it easier for a buggy/malicious kubevirt code to harm my dev laptop?

On Mon, Dec 9, 2024 at 8:17 PM Alex Kalenyuk <akal...@redhat.com> wrote:
So I don't see an issue with adding a capability into a development container,
but the testing setup does sound like it's increasing the complexity of the things we maintain.

Maybe https://github.com/opencontainers/runc exports something similar in golang, which is already tested?

On Mon, Dec 9, 2024 at 6:13 PM Alice Frosi <afr...@redhat.com> wrote:


On Mon, Dec 9, 2024 at 1:29 PM Alex Kalenyuk <akal...@redhat.com> wrote:
So, you will be ~unit-testing this new component, and since the unit tests run in the builder container, this capability is needed?

Exactly! 

Then I would not classify it as a unit test.
Network code has integration tests [1][2] that are touching the kernel but in an isolated manner.
(isolated by having a network namespace, so side effects are mostly cleaned)
The fact it is not classified as unit tests helps in not requiring all to run it, focusing them for only interested developers and CI.

If your tests can run there without any further elevated capabilities, it will be best.

Alex Kalenyuk

unread,
Dec 11, 2024, 4:26:00 AM12/11/24
to Edward Haas, Dan Kenigsberg, Alice Frosi, kubevirt-dev, German Maglione
I wasn't aware of this setup, it looks like a great fit here.

E.g would it make it easier for a buggy/malicious kubevirt code to harm my dev laptop?
I think the answer is yes, but this setup is already spinning up a `--privileged` builder container, which implies this capability and many more.

Alice Frosi

unread,
Dec 16, 2024, 4:08:58 AM12/16/24
to Alex Kalenyuk, Edward Haas, Dan Kenigsberg, kubevirt-dev, German Maglione
Sorry, I was on PTO last week, and I will take a look at the suggestions! Thanks!
Reply all
Reply to author
Forward
0 new messages