Hello everyone,For the past year, non-root VMs have been the default in KubeVirt [1].Rootful VMs are less secure, pose a maintenance burden and are not tested since March 2023 [2].We plan to drop support for rootful VMs in v1.2.0.Does anyone have any objections or concerns?
Your feedback is much appreciated,Orel
--
You received this message because you are subscribed to the Google Groups "kubevirt-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to kubevirt-dev...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/kubevirt-dev/CALzEmMcCqZGc1cq3tPv9HLz2kzMjC2biaYz62iKfHveNEEkkTg%40mail.gmail.com.
On Mon, Oct 16, 2023 at 7:26 PM Orel Misan <omi...@redhat.com> wrote:Hello everyone,For the past year, non-root VMs have been the default in KubeVirt [1].Rootful VMs are less secure, pose a maintenance burden and are not tested since March 2023 [2].We plan to drop support for rootful VMs in v1.2.0.Does anyone have any objections or concerns?Nice, hope to see this happening.- Are there any known cons for not being able to run rootful VMs?
- Could you please clarify what are the implications on existing running root VMs?
- Is there a plan on what needs to be done to drop the support? (e.g. remove the FG)
On Tue, Oct 17, 2023 at 10:19 AM Edward Haas <edw...@redhat.com> wrote:On Mon, Oct 16, 2023 at 7:26 PM Orel Misan <omi...@redhat.com> wrote:Hello everyone,For the past year, non-root VMs have been the default in KubeVirt [1].Rootful VMs are less secure, pose a maintenance burden and are not tested since March 2023 [2].We plan to drop support for rootful VMs in v1.2.0.Does anyone have any objections or concerns?Nice, hope to see this happening.- Are there any known cons for not being able to run rootful VMs?Not that we are aware of at the moment.
- Could you please clarify what are the implications on existing running root VMs?Currently, there is a feature to migrate rootful VMs to be non-root (and vice versa).The plan is to remove at least the non-root to root path.The root to non-root could also potentially be removed, and it will require users to migrate the rootful VMs to non root before upgrading to v1.2.0.
On Tue, Oct 17, 2023 at 12:55 PM Orel Misan <omi...@redhat.com> wrote:On Tue, Oct 17, 2023 at 10:19 AM Edward Haas <edw...@redhat.com> wrote:On Mon, Oct 16, 2023 at 7:26 PM Orel Misan <omi...@redhat.com> wrote:Hello everyone,For the past year, non-root VMs have been the default in KubeVirt [1].Rootful VMs are less secure, pose a maintenance burden and are not tested since March 2023 [2].We plan to drop support for rootful VMs in v1.2.0.Does anyone have any objections or concerns?Nice, hope to see this happening.- Are there any known cons for not being able to run rootful VMs?Not that we are aware of at the moment.It would be useful to identify scenarios in which there is an effect.For example, would hook sidecars that depend on some "root" access be affected?
--- Could you please clarify what are the implications on existing running root VMs?Currently, there is a feature to migrate rootful VMs to be non-root (and vice versa).The plan is to remove at least the non-root to root path.The root to non-root could also potentially be removed, and it will require users to migrate the rootful VMs to non root before upgrading to v1.2.0.I guess this can be elaborated in the plan.Just note that we may need to keep existing (old) VMs running without disruption,
automate their migration somehow or simply block an upgrade.- Is there a plan on what needs to be done to drop the support? (e.g. remove the FG)There is a plan in the making, I will publish it soon.The "root" feature gate will be removed.--Your feedback is much appreciated,Orel
You received this message because you are subscribed to the Google Groups "kubevirt-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to kubevirt-dev...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/kubevirt-dev/CALzEmMcCqZGc1cq3tPv9HLz2kzMjC2biaYz62iKfHveNEEkkTg%40mail.gmail.com.
You received this message because you are subscribed to the Google Groups "kubevirt-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to kubevirt-dev...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/kubevirt-dev/CALmkdFTG1kF4cdp9-%2BmzfFdAcDD8GB59%3DbG9x_VnQPHYSJTeLQ%40mail.gmail.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/kubevirt-dev/CAH7ySct3dgppKbHey0q1Vg5sucEjqVM8L9U4C-LzCnwwnLU2Uw%40mail.gmail.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/kubevirt-dev/CAO_S94gmMkBZQqsebguHDRGzZ7uYicpUrG2aBYx4cc-0%3DC-HLg%40mail.gmail.com.
{"component":"virt-launcher","level":"info","msg":"Connected to libvirt daemon","pos":"libvirt.go:504","timestamp":"2023-06-05T22:23:45.736904Z"}
{"component":"virt-launcher","level":"info","msg":"Starting metrics server","pos":"virt-launcher.go:510","timestamp":"2023-06-05T22:23:45.739317Z"}
{"component":"virt-launcher","level":"info","msg":"Registered libvirt event notify callback","pos":"client.go:537","timestamp":"2023-06-05T22:23:45.740266Z"}
{"component":"virt-launcher","level":"info","msg":"Marked as ready","pos":"virt-launcher.go:80","timestamp":"2023-06-05T22:23:45.740771Z"}
panic: timed out waiting for domain to be defined
goroutine 1 [running]:
main.waitForDomainUUID(0xc00010e5a0?, 0xc0003fea20, 0xc00033c3c0, {0x1cdf9a8, 0xc0003f40f0})
/workspace/cmd/virt-launcher/virt-launcher.go:251 +0x434
main.main()
/workspace/cmd/virt-launcher/virt-launcher.go:474 +0x117a
{"component":"virt-launcher-monitor","level":"info","msg":"Reaped pid 11 with status 512","pos":"virt-launcher-monitor.go:124","timestamp":"2023-06-05T22:29:17.748168Z"}
{"component":"virt-launcher-monitor","level":"error","msg":"dirty virt-launcher shutdown: exit-code 2","pos":"virt-launcher-monitor.go:142","timestamp":"2023-06-05T22:29:17.748343Z"}
To view this discussion on the web visit https://groups.google.com/d/msgid/kubevirt-dev/CALzEmMccYJoAbE0uTL%2Bi__Eczht80xzbw024fi_cUCMPL58Bzg%40mail.gmail.com.
Hi Orel,Good to know that! Would this automatically carry over when the k8s version updates?
On Mon, Oct 23, 2023 at 12:11 PM Zang Li <zan...@google.com> wrote:Hi Orel,Good to know that! Would this automatically carry over when the k8s version updates?We usually only target compatibility with the last three k8s releases. We would have to intentionally re-create new test lanes when 1.26 is retired.Thanks,ZangOn Sun, Oct 22, 2023 at 3:52 AM Orel Misan <omi...@redhat.com> wrote:Hi,Rootful lanes are still being executed in KubeVirt's CI system:Periodic rootful lanes:- periodic-kubevirt-e2e-k8s-1.26-sig-storage-root- periodic-kubevirt-e2e-k8s-1.26-sig-compute-root- periodic-kubevirt-e2e-k8s-1.26-sig-operator-rootTwo optional presubmit lanes were recently added by kubevirt/project-infra#3011 [1]:- pull-kubevirt-e2e-k8s-1.26-sig-storage-root
- pull-kubevirt-e2e-k8s-1.26-sig-compute-root
To view this discussion on the web visit https://groups.google.com/d/msgid/kubevirt-dev/CAH7yScs403U_NTX2BmdmYmON01PiK0LXmOb7CW6ROP%3Dy6h%3D5Hg%40mail.gmail.com.
If the intention is to go forward with this initiative, I suggest composing a suggestion with timelines.I think we raised the option to prolong the time until this is fully deprecated (e.g. 2 or 3 versions).Having in the middle some warnings raised about the targeted deprecation.
On Tue, Oct 24, 2023 at 7:00 AM Edward Haas <edw...@redhat.com> wrote:If the intention is to go forward with this initiative, I suggest composing a suggestion with timelines.I think we raised the option to prolong the time until this is fully deprecated (e.g. 2 or 3 versions).Having in the middle some warnings raised about the targeted deprecation.I fully agree. I think it is reasonable to raise deprecation now and preliminary set the removal to 1.3 release. During the 1.2 release, we can gather feedback and let users see if they can run with default (non root). If this timeline is found too aggressive during the 1.2 release we can push the removal even further.The deprecation will also help us in gathering feedback as users will be slowly switching to default.What do others think?
To view this discussion on the web visit https://groups.google.com/d/msgid/kubevirt-dev/CAFTR0GXPpGOO%2BDo8Csodxn1VKCZDrhbKVd_QKAKJYZZ1YnTfFw%40mail.gmail.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/kubevirt-dev/CAAx_ZVVudLAvpKUCQ_KO4hSzW5tuwUMpeh4AZGHdYbq3yo4Dig%40mail.gmail.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/kubevirt-dev/CAO_S94ig_sqMT4k1_fohB3WVgpH2dVCWiZPpqwwZBNMnqCCkCQ%40mail.gmail.com.
Hey,I think its good opportunity to start adding deprecation notes in our release notes.How are release notes generated?
To view this discussion on the web visit https://groups.google.com/d/msgid/kubevirt-dev/CAJ38DpDXPeMazoJDFaSfaRGAOKLhE0gubPP5T23sy3hh5cJpxA%40mail.gmail.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/kubevirt-dev/CABUdoDdU%2BpaeTRpkd_%2BGq3t8G%3D0aU5Gkw5WS007g017iRBQOKg%40mail.gmail.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/kubevirt-dev/54edaf7d-51a4-48e8-bb5b-357294125bcen%40googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/kubevirt-dev/e6d33bb2-9905-452a-8135-b10ce35a142fn%40googlegroups.com.
Ryan, will you also take care of adding DRA support ot kubevirt itself?@Alice Frosi isn't there a related GSOC project?
The kubevirt gpu driver is still in its early stages so we don't have anything to show yet.
Drivers are vendor specific and there will be many. We need to align in the community on how KubeVirt can consume external drivers.
I can start a proposal.
On Fri, May 17, 2024 at 3:14 PM Ryan Hallisey <rhal...@nvidia.com> wrote:The kubevirt gpu driver is still in its early stages so we don't have anything to show yet.
Drivers are vendor specific and there will be many. We need to align in the community on how KubeVirt can consume external drivers.
I can start a proposal.Yes, I agree. We would like to have a basic understanding and a PoC of how a DRA plugin would look like before thinking of external plugins.I think, in kubevirt we could either have something integrated in virt-handler or maybe optionally installable. However, for basic PCI passthrough, we should, at least, guarantee that the device isn't released at every VM restarts. For more fancy device discovery and allocation, this would require, for sure, an external driver as it is the case for CSI plugins.