+

Signed-off-by: yaroslavborbat <[email protected]>
deckhouse · Dec 18, 2024 · 4ec7168 · 4ec7168
1 parent 03238e3
commit 4ec7168
Showing 1 changed file with 59 additions and 16 deletions.
diff --git a/images/virt-artifact/patches/028-hotplug-container-disk.patch b/images/virt-artifact/patches/028-hotplug-container-disk.patch
@@ -44,6 +44,40 @@ index 0000000000..e4f734a516
 +type Image struct {
 +	Name string `json:"name"`
 +}
+diff --git a/cmd/virt-chroot/main.go b/cmd/virt-chroot/main.go
+index e28daa07c7..bf15bc0b6e 100644
+--- a/cmd/virt-chroot/main.go
++++ b/cmd/virt-chroot/main.go
+@@ -20,6 +20,7 @@ var (
+ 	cpuTime      uint64
+ 	memoryBytes  uint64
+ 	targetUser   string
++	targetUserID int
+ )
+
+ func init() {
+@@ -51,7 +52,12 @@ func main() {
+
+ 			// Looking up users needs resources, let's do it before we set rlimits.
+ 			var u *user.User
+-			if targetUser != "" {
++			if targetUserID >= 0 {
++				_, _, errno := syscall.Syscall(syscall.SYS_SETUID, uintptr(targetUserID), 0, 0)
++				if errno != 0 {
++					return fmt.Errorf("failed to switch to user: %d. errno: %d", targetUserID, errno)
++				}
++			} else if targetUser != "" {
+ 				var err error
+ 				u, err = user.Lookup(targetUser)
+ 				if err != nil {
+@@ -116,6 +122,7 @@ func main() {
+ 	rootCmd.PersistentFlags().Uint64Var(&memoryBytes, "memory", 0, "memory in bytes for the process")
+ 	rootCmd.PersistentFlags().StringVar(&mntNamespace, "mount", "", "mount namespace to use")
+ 	rootCmd.PersistentFlags().StringVar(&targetUser, "user", "", "switch to this targetUser to e.g. drop privileges")
++	rootCmd.PersistentFlags().IntVar(&targetUserID, "userid", -1, "switch to this targetUser to e.g. drop privileges")
+
+ 	execCmd := &cobra.Command{
+ 		Use:   "exec",
 diff --git a/manifests/generated/kv-resource.yaml b/manifests/generated/kv-resource.yaml
 index 66d1b01dbf..43e36b7195 100644
 --- a/manifests/generated/kv-resource.yaml
@@ -499,10 +533,10 @@ index 0c4bfca389..142f4400a6 100644
  			pvcName := storagetypes.PVCNameFromVirtVolume(&volume)
 diff --git a/pkg/virt-handler/container-disk/hotplug.go b/pkg/virt-handler/container-disk/hotplug.go
 new file mode 100644
-index 0000000000..c1a9659a53
+index 0000000000..b146792688
 --- /dev/null
 +++ b/pkg/virt-handler/container-disk/hotplug.go
-@@ -0,0 +1,487 @@
+@@ -0,0 +1,486 @@
 +package container_disk
 +
 +import (
@@ -515,6 +549,8 @@ index 0000000000..c1a9659a53
 +	"sync"
 +	"time"
 +
++	"k8s.io/utils/ptr"
++
 +	hotplugdisk "kubevirt.io/kubevirt/pkg/hotplug-disk"
 +	"kubevirt.io/kubevirt/pkg/unsafepath"
 +
@@ -785,10 +821,7 @@ index 0000000000..c1a9659a53
 +				}
 +
 +				log.DefaultLogger().Object(vmi).Infof("Bind mounting container disk at %s to %s", sourceFile, target)
-+				opts := []string{
-+					"ro", "uid=107", "gid=107",
-+				}
-+				out, err := virt_chroot.MountChrootWithOptions(sourceFile, target, opts...).CombinedOutput()
++				out, err := virt_chroot.MountChrootWithOptions(sourceFile, target, true, ptr.To[int](107)).CombinedOutput()
 +				if err != nil {
 +					return nil, fmt.Errorf("failed to bindmount containerDisk %v: %v : %v", volume.Name, string(out), err)
 +				}
@@ -1114,25 +1147,35 @@ index f83f96ead4..5e38c6cedd 100644
  	ufile, err := sock.(*net.UnixConn).File()
  	if err != nil {
 diff --git a/pkg/virt-handler/virt-chroot/virt-chroot.go b/pkg/virt-handler/virt-chroot/virt-chroot.go
-index 4160212b7b..034f99037a 100644
+index 4160212b7b..a4f24bafa5 100644
 --- a/pkg/virt-handler/virt-chroot/virt-chroot.go
 +++ b/pkg/virt-handler/virt-chroot/virt-chroot.go
-@@ -48,6 +48,21 @@ func MountChroot(sourcePath, targetPath *safepath.Path, ro bool) *exec.Cmd {
+@@ -21,6 +21,7 @@ package virt_chroot
+
+ import (
+ 	"os/exec"
++	"strconv"
+ 	"strings"
+
+ 	"kubevirt.io/kubevirt/pkg/safepath"
+@@ -48,6 +49,23 @@ func MountChroot(sourcePath, targetPath *safepath.Path, ro bool) *exec.Cmd {
  	return UnsafeMountChroot(trimProcPrefix(sourcePath), trimProcPrefix(targetPath), ro)
  }
 
-+func MountChrootWithOptions(sourcePath, targetPath *safepath.Path, mountOptions ...string) *exec.Cmd {
-+	sp := trimProcPrefix(sourcePath)
-+	tp := trimProcPrefix(targetPath)
-+
++func MountChrootWithOptions(sourcePath, targetPath *safepath.Path, ro bool, switchUserID *int) *exec.Cmd {
 +	args := append(getBaseArgs(), "mount", "-o")
-+	optionArgs := "bind"
 +
-+	if len(mountOptions) > 0 {
-+		optionArgs = optionArgs + "," + strings.Join(mountOptions, ",")
++	mountOptions := "bind"
++	if ro {
++		mountOptions = "ro," + mountOptions
++	}
++	args = append(args, mountOptions)
++
++	if switchUserID != nil {
++		args = append(args, "--user", strconv.Itoa(*switchUserID))
 +	}
 +
-+	args = append(args, optionArgs, sp, tp)
++	args = append(args, trimProcPrefix(sourcePath), trimProcPrefix(targetPath))
 +	return exec.Command(binaryPath, args...)
 +}
 +