Merge pull request kubevirt#10186 from vasiliy-ul/fix-pr-leftover-mount

Fix pr leftover mount

cmd/virt-chroot/BUILD.bazel

@@ -17,6 +17,7 @@ go_library(
         "//vendor/github.com/opencontainers/runc/libcontainer/cgroups/fs:go_default_library",
         "//vendor/github.com/opencontainers/runc/libcontainer/cgroups/fs2:go_default_library",
         "//vendor/github.com/opencontainers/runc/libcontainer/configs:go_default_library",
+        "//vendor/github.com/opencontainers/selinux/go-selinux:go_default_library",
         "//vendor/github.com/spf13/cobra:go_default_library",
         "//vendor/github.com/vishvananda/netlink:go_default_library",
         "//vendor/golang.org/x/sys/unix:go_default_library",

cmd/virt-chroot/selinux.go

@@ -6,6 +6,7 @@ import (
 	"os"
 	"path/filepath"
 
+	"github.com/opencontainers/selinux/go-selinux"
 	"github.com/spf13/cobra"
 	"golang.org/x/sys/unix"
 
@@ -62,10 +63,15 @@ func RelabelCommand() *cobra.Command {
 			if err != nil {
 				return fmt.Errorf("could not open file %v. Reason: %v", safePath, err)
 			}
-
 			defer fd.Close()
 			filePath := fd.SafePath()
 
+			if fileInfo, err := safepath.StatAtNoFollow(safePath); err != nil {
+				return fmt.Errorf("could not stat file %v. Reason: %v", safePath, err)
+			} else if (fileInfo.Mode() & os.ModeSocket) != 0 {
+				return relabelUnixSocket(filePath, label)
+			}
+
 			writeableFD, err := os.OpenFile(filePath, os.O_APPEND|unix.S_IWRITE, os.ModePerm)
 			if err != nil {
 				return fmt.Errorf("error reopening file %s to write label %s. Reason: %v", filePath, label, err)
@@ -74,7 +80,7 @@ func RelabelCommand() *cobra.Command {
 
 			currentFileLabel, err := getLabel(writeableFD)
 			if err != nil {
-				return fmt.Errorf("faild to get selinux label for file %v: %v", filePath, err)
+				return fmt.Errorf("failed to get selinux label for file %v: %v", filePath, err)
 			}
 
 			if currentFileLabel != label {
@@ -108,3 +114,14 @@ func getLabel(file *os.File) (string, error) {
 	}
 	return string(buffer[:labelLength]), nil
 }
+
+func relabelUnixSocket(filePath, label string) error {
+	if currentLabel, err := selinux.FileLabel(filePath); err != nil {
+		return fmt.Errorf("could not retrieve label of file %s. Reason: %v", filePath, err)
+	} else if currentLabel != label {
+		if err := unix.Setxattr(filePath, xattrNameSelinux, []byte(label), 0); err != nil {
+			return fmt.Errorf("error relabeling file %s with label %s. Reason: %v", filePath, label, err)
+		}
+	}
+	return nil
+}

cmd/virt-handler/virt-handler.go

@@ -129,8 +129,6 @@ const (
 
 	// Default network-status downward API file path
 	defaultNetworkStatusFilePath = "/etc/podinfo/network-status"
-
-	unprivilegedContainerSELinuxLabel = "system_u:object_r:container_file_t:s0"
 )
 
 type virtHandlerApp struct {
@@ -420,7 +418,7 @@ func (app *virtHandlerApp) Run() {
 		if err != nil {
 			panic(err)
 		}
-		err = selinux.RelabelFiles(unprivilegedContainerSELinuxLabel, se.IsPermissive(), devTun, devNull)
+		err = selinux.RelabelFiles(util.UnprivilegedContainerSELinuxLabel, se.IsPermissive(), devTun, devNull)
 		if err != nil {
 			panic(fmt.Errorf("error relabeling required files: %v", err))
 		}
@@ -564,18 +562,7 @@ func (app *virtHandlerApp) shouldEnablePersistentReservation() {
 	if err != nil {
 		panic(err)
 	}
-	se, exists, err := selinux.NewSELinux()
-	if err == nil && exists {
-		err = selinux.RelabelFiles(unprivilegedContainerSELinuxLabel, se.IsPermissive(), prSockDir)
-		if err != nil {
-			panic(fmt.Errorf("error relabeling required files: %v", err))
-		}
-	} else if err != nil {
-		panic(fmt.Errorf("failed to detect the presence of selinux: %v", err))
-	}
-
 	log.DefaultLogger().Infof("set permission for %s", reservation.GetPrHelperHostSocketDir())
-
 }
 
 func (app *virtHandlerApp) runPrometheusServer(errCh chan error) {

pkg/storage/reservation/pr.go

@@ -1,7 +1,6 @@
 package reservation
 
 import (
-	"fmt"
 	"path/filepath"
 
 	v1 "kubevirt.io/api/core/v1"
@@ -20,15 +19,15 @@ func GetPrResourceName() string {
 }
 
 func GetPrHelperSocketDir() string {
-	return fmt.Sprintf(filepath.Join(sourceDaemonsPath, prHelperDir))
+	return filepath.Join(sourceDaemonsPath, prHelperDir)
 }
 
 func GetPrHelperHostSocketDir() string {
-	return fmt.Sprintf(filepath.Join(hostSourceDaemonsPath, prHelperDir))
+	return filepath.Join(hostSourceDaemonsPath, prHelperDir)
 }
 
 func GetPrHelperSocketPath() string {
-	return fmt.Sprintf(filepath.Join(GetPrHelperSocketDir(), prHelperSocket))
+	return filepath.Join(GetPrHelperSocketDir(), prHelperSocket)
 }
 
 func GetPrHelperSocket() string {

pkg/util/util.go

@@ -27,15 +27,17 @@ const (
 	HostRootMount                             = "/proc/1/root/"
 	CPUManagerOS3Path                         = HostRootMount + "var/lib/origin/openshift.local.volumes/cpu_manager_state"
 	CPUManagerPath                            = HostRootMount + "var/lib/kubelet/cpu_manager_state"
-)
 
-// Alphanums is the list of alphanumeric characters used to create a securely generated random string
-const Alphanums = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
+	// Alphanums is the list of alphanumeric characters used to create a securely generated random string
+	Alphanums = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
+
+	NonRootUID         = 107
+	NonRootUserString  = "qemu"
+	RootUser           = 0
+	memoryDumpOverhead = 100 * 1024 * 1024
 
-const NonRootUID = 107
-const NonRootUserString = "qemu"
-const RootUser = 0
-const memoryDumpOverhead = 100 * 1024 * 1024
+	UnprivilegedContainerSELinuxLabel = "system_u:object_r:container_file_t:s0"
+)
 
 func IsNonRootVMI(vmi *v1.VirtualMachineInstance) bool {
 	_, ok := vmi.Annotations[v1.DeprecatedNonRootVMIAnnotation]

pkg/virt-handler/device-manager/socket_device.go

@@ -40,6 +40,7 @@ import (
 	"kubevirt.io/kubevirt/pkg/safepath"
 	"kubevirt.io/kubevirt/pkg/util"
 	pluginapi "kubevirt.io/kubevirt/pkg/virt-handler/device-manager/deviceplugin/v1beta1"
+	"kubevirt.io/kubevirt/pkg/virt-handler/selinux"
 )
 
 type SocketDevicePlugin struct {
@@ -220,6 +221,14 @@ func (dpi *SocketDevicePlugin) Allocate(ctx context.Context, r *pluginapi.Alloca
 		return nil, fmt.Errorf("error setting the permission the socket %s/%s:%v", dpi.socketDir, dpi.socket, err)
 	}
 
+	if se, exists, err := selinux.NewSELinux(); err == nil && exists {
+		if err := selinux.RelabelFiles(util.UnprivilegedContainerSELinuxLabel, se.IsPermissive(), prSock); err != nil {
+			return nil, fmt.Errorf("error relabeling required files: %v", err)
+		}
+	} else if err != nil {
+		return nil, fmt.Errorf("failed to detect the presence of selinux: %v", err)
+	}
+
 	m := new(pluginapi.Mount)
 	m.HostPath = dpi.socketDir
 	m.ContainerPath = dpi.socketDir

pkg/virt-operator/resource/generate/components/BUILD.bazel

@@ -22,6 +22,7 @@ go_library(
         "//pkg/certificates/triple:go_default_library",
         "//pkg/certificates/triple/cert:go_default_library",
         "//pkg/storage/reservation:go_default_library",
+        "//pkg/util:go_default_library",
         "//pkg/virt-operator/util:go_default_library",
         "//staging/src/kubevirt.io/api/clone:go_default_library",
         "//staging/src/kubevirt.io/api/clone/v1alpha1:go_default_library",

pkg/virt-operator/resource/generate/components/daemonsets.go

@@ -13,6 +13,7 @@ import (
 	virtv1 "kubevirt.io/api/core/v1"
 
 	"kubevirt.io/kubevirt/pkg/storage/reservation"
+	"kubevirt.io/kubevirt/pkg/util"
 	operatorutil "kubevirt.io/kubevirt/pkg/virt-operator/util"
 )
 
@@ -41,6 +42,7 @@ func RenderPrHelperContainer(image string, pullPolicy corev1.PullPolicy) corev1.
 			},
 		},
 		SecurityContext: &corev1.SecurityContext{
+			RunAsUser:  pointer.Int64(util.NonRootUID),
 			Privileged: pointer.Bool(true),
 		},
 	}
@@ -274,9 +276,6 @@ func NewHandlerDaemonSet(namespace, repository, imagePrefix, version, launcherVe
 		{"kubelet-pods", kubeletPodsPath, kubeletPodsPath, &bidi},
 		{"node-labeller", "/var/lib/kubevirt-node-labeller", "/var/lib/kubevirt-node-labeller", nil},
 	}
-	if enablePrHelper {
-		volumes = append(volumes, volume{prVolumeName, reservation.GetPrHelperSocketDir(), reservation.GetPrHelperSocketDir(), &bidi})
-	}
 
 	for _, volume := range volumes {
 		container.VolumeMounts = append(container.VolumeMounts, corev1.VolumeMount{
@@ -326,6 +325,16 @@ func NewHandlerDaemonSet(namespace, repository, imagePrefix, version, launcherVe
 	}
 
 	if enablePrHelper {
+		directoryOrCreate := corev1.HostPathDirectoryOrCreate
+		pod.Volumes = append(pod.Volumes, corev1.Volume{
+			Name: prVolumeName,
+			VolumeSource: corev1.VolumeSource{
+				HostPath: &corev1.HostPathVolumeSource{
+					Path: reservation.GetPrHelperSocketDir(),
+					Type: &directoryOrCreate,
+				},
+			},
+		})
 		pod.Containers = append(pod.Containers, RenderPrHelperContainer(prHelperImage, pullPolicy))
 	}
 	return daemonset, nil

tests/storage/BUILD.bazel

@@ -23,6 +23,7 @@ go_library(
         "//pkg/certificates/triple/cert:go_default_library",
         "//pkg/host-disk:go_default_library",
         "//pkg/pointer:go_default_library",
+        "//pkg/storage/reservation:go_default_library",
         "//pkg/storage/types:go_default_library",
         "//pkg/virt-config:go_default_library",
         "//pkg/virt-launcher/virtwrap/converter:go_default_library",

tests/storage/reservation.go

@@ -17,12 +17,14 @@ import (
 	v1 "kubevirt.io/api/core/v1"
 	"kubevirt.io/client-go/kubecli"
 
+	"kubevirt.io/kubevirt/pkg/storage/reservation"
 	virtconfig "kubevirt.io/kubevirt/pkg/virt-config"
 	"kubevirt.io/kubevirt/tests"
 	"kubevirt.io/kubevirt/tests/console"
 	"kubevirt.io/kubevirt/tests/exec"
 	"kubevirt.io/kubevirt/tests/flags"
 	"kubevirt.io/kubevirt/tests/framework/checks"
+	"kubevirt.io/kubevirt/tests/libnode"
 	"kubevirt.io/kubevirt/tests/libstorage"
 	"kubevirt.io/kubevirt/tests/libvmi"
 	"kubevirt.io/kubevirt/tests/libwait"
@@ -209,6 +211,10 @@ var _ = SIGDescribe("[Serial]SCSI persistent reservation", Serial, func() {
 			pv, pvc, err = tests.CreatePVandPVCwithSCSIDisk(node, device, util.NamespaceTestDefault, "scsi-disks", "scsipv", "scsipvc")
 			Expect(err).ToNot(HaveOccurred())
 			waitForVirtHandlerWithPrHelperReadyOnNode(node)
+			// Switching the PersistentReservation feature gate on/off
+			// causes redeployment of all KubeVirt components.
+			By("Ensuring all KubeVirt components are ready")
+			testsuite.EnsureKubevirtReady()
 		})
 
 		AfterEach(func() {
@@ -307,6 +313,21 @@ var _ = SIGDescribe("[Serial]SCSI persistent reservation", Serial, func() {
 				}
 				return len(ds.Spec.Template.Spec.Containers) == 1
 			}, time.Minute*5, time.Second*2).Should(BeTrue())
+
+			// Switching the PersistentReservation feature gate on/off
+			// causes redeployment of all KubeVirt components.
+			By("Ensuring all KubeVirt components are ready")
+			testsuite.EnsureKubevirtReady()
+
+			nodes := libnode.GetAllSchedulableNodes(virtClient)
+			for _, node := range nodes.Items {
+				output, err := tests.ExecuteCommandInVirtHandlerPod(node.Name, []string{"mount"})
+				Expect(err).ToNot(HaveOccurred())
+				Expect(output).ToNot(ContainSubstring("kubevirt/daemons/pr"))
+				output, err = tests.ExecuteCommandInVirtHandlerPod(node.Name, []string{"ls", reservation.GetPrHelperSocketDir()})
+				Expect(err).ToNot(HaveOccurred())
+				Expect(output).To(BeEmpty())
+			}
 		})
 	})