Skip to content

feat(vm): run virt-launcher as non-root user#2097

Draft
loktev-d wants to merge 18 commits intomainfrom
feat/vm/rootless-virt-launcher
Draft

feat(vm): run virt-launcher as non-root user#2097
loktev-d wants to merge 18 commits intomainfrom
feat/vm/rootless-virt-launcher

Conversation

@loktev-d
Copy link
Copy Markdown
Contributor

@loktev-d loktev-d commented Mar 12, 2026
edited
Loading

Description

  • Remove Root feature gate from KubeVirt config - all new VMIs will run virt-launcher as UID 107:107
  • Set file capabilities (cap_net_bind_service=+ep) on tini and virt-launcher-monitor binaries so they retain NET_BIND_SERVICE when running as non-root.

Why do we need it, and what problem does it solve?

What is the expected result?

Checklist

  • The code is covered by unit tests.
  • e2e tests passed.
  • Documentation updated according to the changes.
  • Changes were tested in the Kubernetes cluster manually.

Changelog entries

section: vm
type: feature
summary: run virt-launcher as non-root user

@loktev-d
wip
d4a8a32 
Signed-off-by: Daniil Loktev <lokt.daniil@gmail.com>
@loktev-d loktev-d requested a review from Isteb4k as a code owner March 12, 2026 07:30
@loktev-d loktev-d marked this pull request as draft March 12, 2026 07:44
loktev-d added 2 commits March 12, 2026 11:48
@loktev-d
wip
9597ee1 
Signed-off-by: Daniil Loktev <lokt.daniil@gmail.com>
@loktev-d
wip
770f195 
Signed-off-by: Daniil Loktev <lokt.daniil@gmail.com>
@loktev-d loktev-d changed the title feat(vm): run virt-launcher as non-root user (107:107) feat(vm): run virt-launcher as non-root user Mar 12, 2026
loktev-d added 3 commits March 12, 2026 17:14
@loktev-d
wip
ae8f81c 
Signed-off-by: Daniil Loktev <lokt.daniil@gmail.com>
@loktev-d
wip
85284e8 
Signed-off-by: Daniil Loktev <lokt.daniil@gmail.com>
@loktev-d
wip
8910b80 
Signed-off-by: Daniil Loktev <lokt.daniil@gmail.com>
@loktev-d loktev-d added the e2e/run Run e2e test on cluster of PR author label Mar 12, 2026
@deckhouse-BOaTswain
Copy link
Copy Markdown
Contributor

deckhouse-BOaTswain commented Mar 12, 2026
edited
Loading

Workflow has started.
Follow the progress here: Workflow Run

The target step completed with status: failure.

@deckhouse-BOaTswain deckhouse-BOaTswain removed the e2e/run Run e2e test on cluster of PR author label Mar 12, 2026
loktev-d and others added 8 commits March 24, 2026 15:49
@loktev-d
Merge branch 'main' into feat/vm/rootless-virt-launcher
7605616 
Signed-off-by: Daniil Loktev <70405899+loktev-d@users.noreply.github.com>
@loktev-d
wip
b3a85a3 
Signed-off-by: Daniil Loktev <lokt.daniil@gmail.com>
@loktev-d
wip
495317d 
Signed-off-by: Daniil Loktev <lokt.daniil@gmail.com>
@loktev-d
wip
34b867b 
Signed-off-by: Daniil Loktev <lokt.daniil@gmail.com>
@loktev-d
wip
9734574 
Signed-off-by: Daniil Loktev <lokt.daniil@gmail.com>
@loktev-d
wip
06c5fe8 
Signed-off-by: Daniil Loktev <lokt.daniil@gmail.com>
@loktev-d
Merge branch 'main' into feat/vm/rootless-virt-launcher
cd6f2a2 
Signed-off-by: Daniil Loktev <70405899+loktev-d@users.noreply.github.com>
@loktev-d
fix linter errors
b44b96f 
Signed-off-by: Daniil Loktev <lokt.daniil@gmail.com>
@loktev-d loktev-d added the e2e/run Run e2e test on cluster of PR author label Mar 30, 2026
@deckhouse-BOaTswain
Copy link
Copy Markdown
Contributor

deckhouse-BOaTswain commented Mar 30, 2026
edited
Loading

Workflow has started.
Follow the progress here: Workflow Run

The target step completed with status: failure.

@deckhouse-BOaTswain deckhouse-BOaTswain removed the e2e/run Run e2e test on cluster of PR author label Mar 30, 2026
@loktev-d loktev-d added the e2e/run Run e2e test on cluster of PR author label Mar 30, 2026
@deckhouse-BOaTswain
Copy link
Copy Markdown
Contributor

deckhouse-BOaTswain commented Mar 30, 2026
edited
Loading

Workflow has started.
Follow the progress here: Workflow Run

The target step completed with status: failure.

@deckhouse-BOaTswain deckhouse-BOaTswain removed the e2e/run Run e2e test on cluster of PR author label Mar 30, 2026
@loktev-d loktev-d added this to the v1.7.0 milestone Mar 31, 2026
@nevermarine nevermarine modified the milestones: v1.7.0, v1.8.0 Mar 31, 2026
@loktev-d
replace 107:107 with deckhouse:deckhouse
fec4f96 
Signed-off-by: Daniil Loktev <lokt.daniil@gmail.com>
@loktev-d loktev-d added the e2e/run Run e2e test on cluster of PR author label Mar 31, 2026
@deckhouse-BOaTswain
Copy link
Copy Markdown
Contributor

deckhouse-BOaTswain commented Mar 31, 2026
edited
Loading

Workflow has started.
Follow the progress here: Workflow Run

The target step completed with status: failure.

@deckhouse-BOaTswain deckhouse-BOaTswain removed the e2e/run Run e2e test on cluster of PR author label Mar 31, 2026
@loktev-d
wip
f261c42 
Signed-off-by: Daniil Loktev <lokt.daniil@gmail.com>
@loktev-d loktev-d added the e2e/run Run e2e test on cluster of PR author label Apr 1, 2026
@deckhouse-BOaTswain
Copy link
Copy Markdown
Contributor

deckhouse-BOaTswain commented Apr 1, 2026
edited
Loading

Workflow has started.
Follow the progress here: Workflow Run

The target step completed with status: failure.

@deckhouse-BOaTswain deckhouse-BOaTswain removed the e2e/run Run e2e test on cluster of PR author label Apr 1, 2026
loktev-d and others added 2 commits April 1, 2026 19:48
@loktev-d
wip
9ddf149 
Signed-off-by: Daniil Loktev <lokt.daniil@gmail.com>
@loktev-d
Merge branch 'main' into feat/vm/rootless-virt-launcher
cbc582c 
Signed-off-by: Daniil Loktev <70405899+loktev-d@users.noreply.github.com>
@loktev-d loktev-d added the e2e/run Run e2e test on cluster of PR author label Apr 1, 2026
@deckhouse-BOaTswain
Copy link
Copy Markdown
Contributor

deckhouse-BOaTswain commented Apr 1, 2026
edited
Loading

Workflow has started.
Follow the progress here: Workflow Run

The target step completed with status: failure.

@deckhouse-BOaTswain deckhouse-BOaTswain removed the e2e/run Run e2e test on cluster of PR author label Apr 1, 2026
@loktev-d loktev-d added the e2e/run Run e2e test on cluster of PR author label Apr 2, 2026
@deckhouse-BOaTswain
Copy link
Copy Markdown
Contributor

deckhouse-BOaTswain commented Apr 2, 2026
edited
Loading

Workflow has started.
Follow the progress here: Workflow Run

The target step completed with status: failure.

@deckhouse-BOaTswain deckhouse-BOaTswain removed the e2e/run Run e2e test on cluster of PR author label Apr 2, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Isteb4k Isteb4k Awaiting requested review from Isteb4k Isteb4k is a code owner

@universal-itengineer universal-itengineer Awaiting requested review from universal-itengineer universal-itengineer will be requested when the pull request is marked ready for review universal-itengineer is a code owner

@nevermarine nevermarine Awaiting requested review from nevermarine nevermarine will be requested when the pull request is marked ready for review nevermarine is a code owner

@yaroslavborbat yaroslavborbat Awaiting requested review from yaroslavborbat yaroslavborbat will be requested when the pull request is marked ready for review yaroslavborbat is a code owner

@diafour diafour Awaiting requested review from diafour diafour will be requested when the pull request is marked ready for review diafour is a code owner

At least 1 approving review is required to merge this pull request.

Assignees

@loktev-d loktev-d

Labels

None yet

Projects

None yet

Milestone

v1.8.0

Development

Successfully merging this pull request may close these issues.

3 participants

@loktev-d @deckhouse-BOaTswain @nevermarine