Remove SYS_RESOURCE capability from launcher pod #2584
Conversation
/hold Need to consider calculating the exact limit size in the handler (the formula is not trivial, but we can make a reasonable estimate).
Heads up: we just merged a PR that introduces KubeVirt-specific SCCs instead of using the privileged SCC. The capability can probably be removed there as well:
Branch force-pushed from 795ca3b to 87dae49.
Unit test coverage is somewhat down because the code dealing with processes / ulimits is not unit tested. The existing functional tests should be enough to cover it against regressions: as long as VMIs still start correctly and have SR-IOV interfaces inside the guest, we are covered. There is little value in validating that the capability is not present anymore, because it's trivial to double-check that it's no longer referenced anywhere in the code.
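(A hedged sketch of the kind of functional check relied on here, written as a fragment of a Ginkgo suite; the helper names newSRIOVVMI and waitForVMIStart are illustrative stand-ins, not the suite's actual utilities:)

```go
// Fragment of a Ginkgo functional test; client wiring and helpers are assumed
// to exist elsewhere in the suite.
It("should start a VMI with an SR-IOV interface without SYS_RESOURCE", func() {
	vmi := newSRIOVVMI() // hypothetical: builds a VMI spec with an SR-IOV interface
	vmi, err := virtClient.VirtualMachineInstance(vmi.Namespace).Create(vmi)
	Expect(err).ToNot(HaveOccurred())
	waitForVMIStart(vmi) // hypothetical: blocks until the VMI is running
	// Existing tests then verify the SR-IOV device is visible inside the guest,
	// which is the regression signal if the memlock handling breaks.
})
```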
/hold cancel
```go
func (s *socketBasedIsolationDetector) AdjustResources(vm *v1.VirtualMachineInstance) error {
	// bump memlock ulimit for libvirtd
	res, err := s.Detect(vm)
```
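(For context, a minimal sketch of how the memlock bump can be applied with the prlimit(2) wrapper from golang.org/x/sys/unix, assuming the handler resolves libvirtd's pid from the isolation result; setMemlockLimit is a hypothetical helper, not the PR's exact code:)

```go
package isolation

import (
	"fmt"

	"golang.org/x/sys/unix"
)

// setMemlockLimit raises RLIMIT_MEMLOCK of another process to limitBytes.
// prlimit(2) requires CAP_SYS_RESOURCE, which the privileged virt-handler
// pod has, so virt-launcher itself no longer needs the capability.
func setMemlockLimit(pid int, limitBytes uint64) error {
	rlimit := unix.Rlimit{Cur: limitBytes, Max: limitBytes}
	if err := unix.Prlimit(pid, unix.RLIMIT_MEMLOCK, &rlimit, nil); err != nil {
		return fmt.Errorf("failed to set memlock limit for pid %d: %v", pid, err)
	}
	return nil
}
```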
could we use a more specific name than result?
(won't block the PR on this one; if you answer "no" to all my comments, this PR is still good to go)
it's of "IsolationResult" type so I thought it's a good enough name. I am ok with renaming. What would be a better name?
It is being used only in this block and I don't really know. Since the other comments are resolved, I won't bother.
LGTM
/retest
just a small comment
pkg/virt-handler/vm_test.go (outdated)

```
@@ -1286,6 +1288,24 @@ func (m *MockGracefulShutdown) TriggerShutdown(vmi *v1.VirtualMachineInstance) {
	Expect(err).NotTo(HaveOccurred())
}

type MockIsolationDetector struct{}
```
This should be auto-generated?
OK I've found a way to make it work without manually writing a fake.
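(A hedged sketch of what avoiding a hand-written fake can look like with gomock; the mockgen invocation, interface location, and mock constructor name are assumptions, not necessarily what this PR ended up doing:)

```go
package virthandler_test

import (
	"github.com/golang/mock/gomock"
	. "github.com/onsi/ginkgo"
	. "github.com/onsi/gomega"

	"kubevirt.io/kubevirt/pkg/virt-handler/isolation" // import path is a guess
)

// The mock would be generated from the detector interface with something like:
//   mockgen -source=pkg/virt-handler/isolation/isolation.go \
//     -destination=pkg/virt-handler/isolation/generated_mock_isolation.go \
//     -package=isolation

var _ = Describe("resource adjustment", func() {
	It("adjusts resources via the mocked detector", func() {
		ctrl := gomock.NewController(GinkgoT())
		defer ctrl.Finish()

		// NewMockPodIsolationDetector is the assumed generated constructor.
		detector := isolation.NewMockPodIsolationDetector(ctrl)
		// Expect one resource adjustment for any VMI and have it succeed.
		detector.EXPECT().AdjustResources(gomock.Any()).Return(nil)

		Expect(detector.AdjustResources(nil)).To(Succeed())
	})
})
```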
Looks good to me 👍
/retest
/retest
/test pull-kubevirt-e2e-k8s-multus-1.13.3
/approved
/hold cancel Now the ulimit adjustment happens only for VFIO-attached VMIs. Also rebased the branch onto latest master in the hope that some job failures go away.
/retest
@booxter Travis is red, please run make generate |
/retest I couldn't reproduce the SR-IOV job failure locally; let's see if it is consistent or a fluke.
/retest
This syscall is implemented in libraries we use anyway, so we can easily avoid dealing with unsafe pointers etc.
Instead, set the (unlimited) limit for libvirtd from the handler pod, which is already privileged.
Instead of setting it to unlimited, try to estimate the actual amount libvirtd may need for the VM. The actual formula in the libvirtd code is very complex and hard to reproduce (it involves estimating the necessary resources based on NUMA topology, number of CPUs, platform-specific requirements for memory alignment, etc.). We are not going to reproduce it in KubeVirt; instead we make our best conservative guess and then allow libvirtd to set the actual calculated value (which works as long as the value used by libvirtd is lower than the limit we set in KubeVirt).
Libvirtd configures the limit only for particular domain configurations, so this limit adjustment is of no use for VMIs that have no VFIO devices attached.
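(Taken together, a hedged sketch of the approach these commit messages describe; the SR-IOV-only predicate, the 1 GiB margin, and the import paths are assumptions rather than the PR's exact formula or checks:)

```go
package isolation

import (
	k8sv1 "k8s.io/api/core/v1"

	v1 "kubevirt.io/kubevirt/pkg/api/v1" // import path is a guess for this era of the tree
)

// vmiUsesVFIO reports whether the VMI has an SR-IOV interface; SR-IOV devices
// are passed through with VFIO and therefore need locked guest memory.
func vmiUsesVFIO(vmi *v1.VirtualMachineInstance) bool {
	for _, iface := range vmi.Spec.Domain.Devices.Interfaces {
		if iface.SRIOV != nil {
			return true
		}
	}
	return false
}

// estimateMemlockBytes makes the conservative guess described above: the
// guest memory request plus a fixed safety margin, so the result stays above
// whatever libvirtd computes internally.
func estimateMemlockBytes(vmi *v1.VirtualMachineInstance) int64 {
	guestMemory := vmi.Spec.Domain.Resources.Requests[k8sv1.ResourceMemory]
	const overheadBytes = int64(1 << 30) // 1 GiB margin, a hypothetical value
	return guestMemory.Value() + overheadBytes
}
```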
/retest
/lgtm
/retest
/retest