Commit 1cd06e5
builder/daemonless: pass through /dev/kvm if present

Currently, if `devices.kubevirt.io/kvm` resources are requested in the build object, the resource request makes it to the build pod, but it doesn't really have any visible effect because the nested build process itself doesn't have access to it.

The only reason we'd have `/dev/kvm` in our pod is if the user wants to use it in their build. So just pass it through if we find it.

The use case for this is being able to build artifacts which would normally require privileges.

One example includes base bootable container (bootc) images. Building these currently requires privileges because it itself uses containerization features.

In the future, this should work with user namespacing, currently in Tech Preview. However, because we need not just uid 0 but `CAP_SYS_ADMIN`, and capabilities would still be restricted by default, we would still require access to non-default SCCs. (And of course, the builder would also have to be adapted to pass through the capabilities.)

Another example is building disk images and shipping them in container images. This is done for example by Kubevirt and podman-machine. Two common ways to build disk images currently are via loopback devices or virtualization. The former can't be used because loopback devices are not namespaced and require privileges. This patch enables the latter. Using virtualization enables us to build these artifacts all while using the _default_ OpenShift restricted SCC.

1 parent 42fe165, commit 1cd06e5
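The commit message describes an "if present" check that hands the pod's `/dev/kvm` to the nested build. The following is an added example, not code from this commit or its project: it shows such a check together with the validation a host-device pass-through should carry before the device is mapped into a build (character device at the path, not a symlink or regular file, and the kernel's KVM device number). The `host:container:perms` spec format, the `KVMDevice` function and the major/minor check are assumptions of this example.

```go
package main

import (
	"fmt"
	"os"
	"syscall"
)

// Constructed example, not openshift/builder code: the "if present" check
// for /dev/kvm plus the validation a host-device pass-through should carry.
// The path must be a character device (not a symlink or regular file planted
// at that path) with the kernel's KVM device number, major 10 minor 232.
const (
	kvmPath  = "/dev/kvm"
	kvmMajor = 10
	kvmMinor = 232
)

// linuxMajorMinor decodes st_rdev the way the Linux kernel encodes it.
func linuxMajorMinor(rdev uint64) (major, minor uint64) {
	return (rdev >> 8) & 0xfff, (rdev & 0xff) | ((rdev >> 12) & 0xfff00)
}

// KVMDevice returns a host:container:perms device string (an assumed format)
// when path is a usable KVM device. ok is false with a nil error when the
// device is simply absent, the normal case for builds that never requested
// devices.kubevirt.io/kvm; a present-but-wrong file is an error, never passed.
func KVMDevice(path string) (spec string, ok bool, err error) {
	info, err := os.Lstat(path) // Lstat: never follow a symlink at the path
	if os.IsNotExist(err) {
		return "", false, nil
	}
	if err != nil {
		return "", false, err
	}
	if info.Mode()&os.ModeCharDevice == 0 {
		return "", false, fmt.Errorf("%s is not a character device (mode %v)", path, info.Mode())
	}
	st := info.Sys().(*syscall.Stat_t) // on Linux, Sys() is always *syscall.Stat_t
	if major, minor := linuxMajorMinor(uint64(st.Rdev)); major != kvmMajor || minor != kvmMinor {
		return "", false, fmt.Errorf("%s is device %d:%d, expected %d:%d", path, major, minor, kvmMajor, kvmMinor)
	}
	// Same path inside the build, read/write only: using KVM needs no mknod.
	return path + ":" + kvmPath + ":rw", true, nil
}

func main() {
	spec, ok, err := KVMDevice(kvmPath)
	fmt.Println("spec:", spec, "present:", ok, "err:", err)
}
```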
1 file changed: +8 / -0. The diff body did not survive extraction; the rendered line table shows eight added lines: new-file lines 301-307 (between original lines 300 and 301) and new-file line 344 (between original lines 336 and 337).