Skip to content

feat(vm): run virt-launcher as non-root user#2097

Draft
loktev-d wants to merge 16 commits intomainfrom
feat/vm/rootless-virt-launcher
Draft

feat(vm): run virt-launcher as non-root user#2097
loktev-d wants to merge 16 commits intomainfrom
feat/vm/rootless-virt-launcher

Conversation

@loktev-d
Copy link
Copy Markdown
Contributor

@loktev-d loktev-d commented Mar 12, 2026
edited
Loading

Description

  • Remove Root feature gate from KubeVirt config - all new VMIs will run virt-launcher as UID 107:107
  • Set file capabilities (cap_net_bind_service=+ep) on tini and virt-launcher-monitor binaries so they retain NET_BIND_SERVICE when running as non-root.

Why do we need it, and what problem does it solve?

What is the expected result?

Checklist

  • The code is covered by unit tests.
  • e2e tests passed.
  • Documentation updated according to the changes.
  • Changes were tested in the Kubernetes cluster manually.

Changelog entries

section: vm
type: feature
summary: run virt-launcher as non-root user

@loktev-d
wip
d4a8a32 
Signed-off-by: Daniil Loktev <lokt.daniil@gmail.com>
@loktev-d loktev-d requested a review from Isteb4k as a code owner March 12, 2026 07:30
@loktev-d loktev-d marked this pull request as draft March 12, 2026 07:44
loktev-d added 2 commits March 12, 2026 11:48
@loktev-d
wip
9597ee1 
Signed-off-by: Daniil Loktev <lokt.daniil@gmail.com>
@loktev-d
wip
770f195 
Signed-off-by: Daniil Loktev <lokt.daniil@gmail.com>
@loktev-d loktev-d changed the title feat(vm): run virt-launcher as non-root user (107:107) feat(vm): run virt-launcher as non-root user Mar 12, 2026
loktev-d added 3 commits March 12, 2026 17:14
@loktev-d
wip
ae8f81c 
Signed-off-by: Daniil Loktev <lokt.daniil@gmail.com>
@loktev-d
wip
85284e8 
Signed-off-by: Daniil Loktev <lokt.daniil@gmail.com>
@loktev-d
wip
8910b80 
Signed-off-by: Daniil Loktev <lokt.daniil@gmail.com>
@loktev-d loktev-d added the e2e/run Run e2e test on cluster of PR author label Mar 12, 2026
@deckhouse-BOaTswain
Copy link
Copy Markdown
Contributor

deckhouse-BOaTswain commented Mar 12, 2026
edited
Loading

Workflow has started.
Follow the progress here: Workflow Run

The target step completed with status: failure.

@deckhouse-BOaTswain deckhouse-BOaTswain removed the e2e/run Run e2e test on cluster of PR author label Mar 12, 2026
loktev-d and others added 8 commits March 24, 2026 15:49
@loktev-d
Merge branch 'main' into feat/vm/rootless-virt-launcher
7605616 
Signed-off-by: Daniil Loktev <70405899+loktev-d@users.noreply.github.com>
@loktev-d
wip
b3a85a3 
Signed-off-by: Daniil Loktev <lokt.daniil@gmail.com>
@loktev-d
wip
495317d 
Signed-off-by: Daniil Loktev <lokt.daniil@gmail.com>
@loktev-d
wip
34b867b 
Signed-off-by: Daniil Loktev <lokt.daniil@gmail.com>
@loktev-d
wip
9734574 
Signed-off-by: Daniil Loktev <lokt.daniil@gmail.com>
@loktev-d
wip
06c5fe8 
Signed-off-by: Daniil Loktev <lokt.daniil@gmail.com>
@loktev-d
Merge branch 'main' into feat/vm/rootless-virt-launcher
cd6f2a2 
Signed-off-by: Daniil Loktev <70405899+loktev-d@users.noreply.github.com>
@loktev-d
fix linter errors
b44b96f 
Signed-off-by: Daniil Loktev <lokt.daniil@gmail.com>
@loktev-d loktev-d added the e2e/run Run e2e test on cluster of PR author label Mar 30, 2026
@deckhouse-BOaTswain
Copy link
Copy Markdown
Contributor

deckhouse-BOaTswain commented Mar 30, 2026
edited
Loading

Workflow has started.
Follow the progress here: Workflow Run

The target step completed with status: failure.

@deckhouse-BOaTswain deckhouse-BOaTswain removed the e2e/run Run e2e test on cluster of PR author label Mar 30, 2026
@loktev-d loktev-d added the e2e/run Run e2e test on cluster of PR author label Mar 30, 2026
@deckhouse-BOaTswain
Copy link
Copy Markdown
Contributor

deckhouse-BOaTswain commented Mar 30, 2026
edited
Loading

Workflow has started.
Follow the progress here: Workflow Run

The target step completed with status: failure.

@deckhouse-BOaTswain deckhouse-BOaTswain removed the e2e/run Run e2e test on cluster of PR author label Mar 30, 2026
@loktev-d loktev-d added this to the v1.7.0 milestone Mar 31, 2026
@nevermarine nevermarine modified the milestones: v1.7.0, v1.8.0 Mar 31, 2026
@loktev-d
replace 107:107 with deckhouse:deckhouse
fec4f96 
Signed-off-by: Daniil Loktev <lokt.daniil@gmail.com>
@loktev-d loktev-d added the e2e/run Run e2e test on cluster of PR author label Mar 31, 2026
@deckhouse-BOaTswain
Copy link
Copy Markdown
Contributor

deckhouse-BOaTswain commented Mar 31, 2026
edited
Loading

Workflow has started.
Follow the progress here: Workflow Run

The target step completed with status: failure.

@deckhouse-BOaTswain deckhouse-BOaTswain removed the e2e/run Run e2e test on cluster of PR author label Mar 31, 2026
@loktev-d
wip
f261c42 
Signed-off-by: Daniil Loktev <lokt.daniil@gmail.com>
@loktev-d loktev-d added the e2e/run Run e2e test on cluster of PR author label Apr 1, 2026
@deckhouse-BOaTswain
Copy link
Copy Markdown
Contributor

deckhouse-BOaTswain commented Apr 1, 2026

Workflow has started.
Follow the progress here: Workflow Run

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Isteb4k Isteb4k Awaiting requested review from Isteb4k Isteb4k is a code owner

@universal-itengineer universal-itengineer Awaiting requested review from universal-itengineer universal-itengineer will be requested when the pull request is marked ready for review universal-itengineer is a code owner

@nevermarine nevermarine Awaiting requested review from nevermarine nevermarine will be requested when the pull request is marked ready for review nevermarine is a code owner

@yaroslavborbat yaroslavborbat Awaiting requested review from yaroslavborbat yaroslavborbat will be requested when the pull request is marked ready for review yaroslavborbat is a code owner

@diafour diafour Awaiting requested review from diafour diafour will be requested when the pull request is marked ready for review diafour is a code owner

At least 1 approving review is required to merge this pull request.

Assignees

@loktev-d loktev-d

Labels

e2e/run Run e2e test on cluster of PR author

Projects

None yet

Milestone

v1.8.0

Development

Successfully merging this pull request may close these issues.

3 participants

@loktev-d @deckhouse-BOaTswain @nevermarine