feat(vm): run virt-launcher as non-root user

build/components/versions.yml

@@ -3,7 +3,7 @@ firmware:
   libvirt: v10.9.0
   edk2: stable202411
 core:
-  3p-kubevirt: v1.6.2-v12n.21
+  3p-kubevirt: feat/vm/rootless-virt-launcher
   3p-containerized-data-importer: v1.60.3-v12n.17
   distribution: 2.8.3
 package:

images/dvcr-artifact/pkg/registry/registry.go

@@ -202,8 +202,8 @@ func (p DataProcessor) inspectAndStreamSourceImage(
 		dirHeader := &tar.Header{
 			Name:       "disk",
 			Mode:       0o755,
-			Uid:        107,
-			Gid:        107,
+			Uid:        64535,
+			Gid:        64535,
 			AccessTime: now,
 			ChangeTime: now,
 			Typeflag:   tar.TypeDir,
@@ -217,8 +217,8 @@ func (p DataProcessor) inspectAndStreamSourceImage(
 			Name:       imagePath,
 			Size:       int64(sourceImageSize),
 			Mode:       0o644,
-			Uid:        107,
-			Gid:        107,
+			Uid:        64535,
+			Gid:        64535,
 			AccessTime: now,
 			ChangeTime: now,
 			Typeflag:   tar.TypeReg,

images/dvcr-artifact/werf.inc.yaml

@@ -23,6 +23,7 @@ packages:
 
 image: {{ .ModuleNamePrefix }}{{ .ImageName }}-builder
 final: false
+fromCacheVersion: "{{ now | date "Mon Jan 2 15:04:05 MST 2006" }}"
 fromImage: {{ eq $.SVACE_ENABLED "false" | ternary "builder/golang-alt-1.25" "builder/golang-alt-svace-1.25" }}
 secrets:
 - id: GOPROXY

images/virt-artifact/werf.inc.yaml

@@ -9,6 +9,7 @@
 image: {{ .ModuleNamePrefix }}{{ .ImageName }}-src-artifact
 final: false
 fromImage: builder/src
+fromCacheVersion: "{{ now | date "Mon Jan 2 15:04:05 MST 2006" }}"
 secrets:
 - id: SOURCE_REPO
   value: {{ $.SOURCE_REPO }}
@@ -43,6 +44,7 @@ packages:
 
 image: {{ .ModuleNamePrefix }}{{ .ImageName }}
 final: false
+fromCacheVersion: "{{ now | date "Mon Jan 2 15:04:05 MST 2006" }}"
 fromImage: {{ eq $.SVACE_ENABLED "false" | ternary "builder/golang-alt-1.25" "builder/golang-alt-svace-1.25" }}
 mount:
 - fromPath: ~/go-pkg-cache
@@ -98,15 +100,15 @@ shell:
     - echo "Create group file"
     - |
       GROUP_FILE=/kubevirt-config-files/group
-      echo "qemu:x:107:" > $GROUP_FILE
+      echo "deckhouse:x:64535:" > $GROUP_FILE
       echo "root:x:0:" >> $GROUP_FILE
       echo "nonroot-user:x:1001:" >> $GROUP_FILE
       chmod 0644 $GROUP_FILE
 
     - echo "Create passwd file"
     - |
       PASSWD_FILE=/kubevirt-config-files/passwd
-      echo "qemu:x:107:107:user:/home/qemu:/bin/bash" > $PASSWD_FILE
+      echo "deckhouse:x:64535:64535:deckhouse:/home/deckhouse:/sbin/nologin" > $PASSWD_FILE
       echo "root:x:0:0:root:/root:/bin/bash" >> $PASSWD_FILE
       echo "nonroot-user:x:1001:1001::/home/nonroot-user:/bin/bash" >> $PASSWD_FILE
       chmod 0644 $PASSWD_FILE

images/virt-handler/werf.inc.yaml

@@ -1,6 +1,7 @@
 ---
 image: {{ .ModuleNamePrefix }}{{ .ImageName }}
 fromImage: {{ .ModuleNamePrefix }}distroless
+fromCacheVersion: "{{ now | date "Mon Jan 2 15:04:05 MST 2006" }}"
 git:
   {{- include "image mount points" . }}
 import:
@@ -81,6 +82,7 @@ packages:
 image: {{ .ModuleNamePrefix }}{{ .ImageName }}-bins
 final: false
 fromImage: {{ .ModuleNamePrefix }}base-alt-p11-binaries
+fromCacheVersion: "{{ now | date "Mon Jan 2 15:04:05 MST 2006" }}"
 import:
 - image: tools/util-linux
   add: /
@@ -113,8 +115,8 @@ shell:
     echo "root:x:0:" >> /relocate/etc/group
     echo "root:x:::::::" >> /relocate/etc/shadow
 
-    echo "qemu:x:107:107::/home/qemu:/bin/bash" >> /relocate/etc/passwd
-    echo "qemu:x:107:" >> /relocate/etc/group
-    mkdir -p /relocate/home/qemu
-    chown -R 107:107 /relocate/home/qemu
+    echo "deckhouse:x:64535:64535:deckhouse:/home/deckhouse:/sbin/nologin" >> /relocate/etc/passwd
+    echo "deckhouse:x:64535:" >> /relocate/etc/group
+    mkdir -p /relocate/home/deckhouse
+    chown -R 64535:64535 /relocate/home/deckhouse
 

images/virt-launcher/configs/qemu.conf

@@ -2,8 +2,8 @@ stdio_handler = "logd"
 vnc_listen = "0.0.0.0"
 vnc_tls = 0
 vnc_sasl = 0
-user = "qemu"
-group = "qemu"
+user = "deckhouse"
+group = "deckhouse"
 dynamic_ownership = 1
 remember_owner = 0
 namespaces = [ ]

images/virt-launcher/werf.inc.yaml

@@ -2,17 +2,14 @@
 image: {{ .ModuleNamePrefix }}{{ .ImageName }}
 final: true
 fromImage: {{ .ModuleNamePrefix }}distroless
+fromCacheVersion: "{{ now | date "Mon Jan 2 15:04:05 MST 2006" }}"
 git:
   {{- include "image mount points" . }}
 import:
   - image: {{ .ModuleNamePrefix }}{{ .ImageName }}-binaries
     add: /relocate
     to: /
     after: install
-  - image: tools/tini-v0.19.0
-    add: /usr/bin/tini
-    to: /usr/bin/tini
-    after: install
 imageSpec:
   config:
     user: 0
@@ -139,6 +136,7 @@ packages:
 image: {{ .ModuleNamePrefix }}{{ .ImageName }}-binaries
 final: false
 fromImage: {{ .ModuleNamePrefix }}base-alt-p11-binaries
+fromCacheVersion: "{{ now | date "Mon Jan 2 15:04:05 MST 2006" }}"
 git:
   # Add qemu and virtqemud configs
   - add: {{ .ModuleDir }}/images/{{ .ImageName }}/configs
@@ -158,6 +156,10 @@ git:
     includePaths:
     - nsswitch.conf
 import:
+- image: tools/tini-v0.19.0
+  add: /usr/bin/tini
+  to: /relocate/usr/bin/tini
+  before: setup
 # Libvirt and QEMU libraries and binaries
 - image: {{ .ModuleNamePrefix }}packages/libvirt
   add: /libvirt
@@ -325,10 +327,10 @@ shell:
     echo "root:x:0:" >> /relocate/etc/group
     echo "root:x:::::::" >> /relocate/etc/shadow
 
-    echo "qemu:x:107:107::/home/qemu:/bin/bash" >> /relocate/etc/passwd
-    echo "qemu:x:107:" >> /relocate/etc/group
-    mkdir -p /relocate/home/qemu
-    chown -R 107:107 /relocate/home/qemu
+    echo "deckhouse:x:64535:64535:deckhouse:/home/deckhouse:/sbin/nologin" >> /relocate/etc/passwd
+    echo "deckhouse:x:64535:" >> /relocate/etc/group
+    mkdir -p /relocate/home/deckhouse
+    chown -R 64535:64535 /relocate/home/deckhouse
 
   - |
     echo "Create symlinks for OVMF"
@@ -392,6 +394,10 @@ shell:
     echo "Create symlink for run -> var/run "
     ln -s var/run run
 
+  - |
+    setcap cap_net_bind_service=+ep /relocate/usr/bin/virt-launcher-monitor
+    setcap cap_net_bind_service=+ep /relocate/usr/bin/tini
+
   # /etc/libvirt-init will be copied back into /etc/libvirt at runtime. This is necessary because we configure libvirt to mount /etc/libvirt and set readOnlyRootFilesystem for other directories.
   # DO NOT REMOVE. node-labeler.sh uses /etc/libvirt.
   - |

images/virtualization-artifact/pkg/common/annotations/annotations.go

@@ -227,9 +227,9 @@ const (
 	AnnUSBIPAddress                = "usb.virtualization.deckhouse.io/usbip-address"
 
 	// DefaultUSBDeviceGroup is the default device group ID for USB devices.
-	DefaultUSBDeviceGroup = "107"
+	DefaultUSBDeviceGroup = "64535"
 	// DefaultUSBDeviceUser is the default device user ID for USB devices.
-	DefaultUSBDeviceUser = "107"
+	DefaultUSBDeviceUser = "64535"
 )
 
 // AddAnnotation adds an annotation to an object

images/virtualization-artifact/pkg/common/pod/pod.go

@@ -108,8 +108,8 @@ func IsPodComplete(pod *corev1.Pod) bool {
 	return pod != nil && pod.Status.Phase == corev1.PodSucceeded
 }
 
-// QemuSubGID is the gid used as the qemu group in fsGroup
-const QemuSubGID = int64(107)
+// QemuSubGID is the gid used as the deckhouse group in fsGroup
+const QemuSubGID = int64(64535)
 
 // SetRestrictedSecurityContext sets the pod security params to be compatible with restricted PSA
 func SetRestrictedSecurityContext(podSpec *corev1.PodSpec) {

templates/kubevirt/kubevirt.yaml

@@ -50,7 +50,6 @@ spec:
       - HotplugVolumes
       - Snapshot
       - ExpandDisks
-      - Root
       - CPUManager
       - Sidecar
       - VolumeSnapshotDataSource