From 9d48e998988e6fdc385c2b0dc5d951e8287ec519 Mon Sep 17 00:00:00 2001
From: Ivan Mikheykin
Date: Thu, 4 Sep 2025 19:39:56 +0300
Subject: [PATCH 1/4] chore(module): rename containers to support integrity checks
1. Rename containers of kubevirt Pods, cdi Pods and dvcr Pods created in non-system namespaces (namespaces without d8- prefix).
2. Mount container-disk binary into /var/run in container with user uploaded image (support attaching cvi, vi to vm).
Related PRs:
https://github.com/deckhouse/3p-kubevirt/pull/19
https://github.com/deckhouse/3p-containerized-data-importer/pull/17
Signed-off-by: Ivan Mikheykin
---
 .werf/defines/images.tmpl | 2 +-
 build/components/versions.yml | 6 ++++--
 .../pkg/audit/events/vm/vm_control.go | 3 ++-
 .../pkg/audit/events/vm/vm_control_test.go | 4 ++--
 images/virtualization-artifact/pkg/common/consts.go | 6 +++---
 images/virtualization-artifact/pkg/common/vm/vm.go | 10 ++++++++++
 .../pkg/controller/powerstate/shutdown_reason.go | 10 ++++------
 .../pkg/controller/vm/internal/statistic.go | 2 +-
 .../pkg/controller/vm/internal/statistic_test.go | 2 +-
 9 files changed, 28 insertions(+), 17 deletions(-)
diff --git a/.werf/defines/images.tmpl b/.werf/defines/images.tmpl
index 86f19cf68b..51152c5e52 100644
--- a/.werf/defines/images.tmpl
+++ b/.werf/defines/images.tmpl
@@ -46,4 +46,4 @@ Result:
 {{- end }}
 {{- end -}}
 {{- end }}
-{{ end }}
\ No newline at end of file
+{{ end }}
diff --git a/build/components/versions.yml b/build/components/versions.yml
index 14060aa565..6088b6469d 100644
--- a/build/components/versions.yml
+++ b/build/components/versions.yml
@@ -3,8 +3,10 @@ firmware:
 libvirt: v10.9.0
 edk2: stable202411
 core:
- 3p-kubevirt: v1.3.1-v12n.11
- 3p-containerized-data-importer: v1.60.3-v12n.9
+ #3p-kubevirt: v1.3.1-v12n.12
+ 3p-kubevirt: dvp/chore/support-containerd-integrity-checks
+ #3p-containerized-data-importer: v1.60.3-v12n.10
+ 3p-containerized-data-importer: dvp/chore/support-containerd-integrity-check-for-containers
 distribution: 2.8.3
 package:
 acl: v2.3.1
diff --git a/images/virtualization-artifact/pkg/audit/events/vm/vm_control.go b/images/virtualization-artifact/pkg/audit/events/vm/vm_control.go
index a58c3fe818..4f5ef8abe6 100644
--- a/images/virtualization-artifact/pkg/audit/events/vm/vm_control.go
+++ b/images/virtualization-artifact/pkg/audit/events/vm/vm_control.go
@@ -25,6 +25,7 @@ import (
 "github.com/deckhouse/deckhouse/pkg/log"
 "github.com/deckhouse/virtualization-controller/pkg/audit/events"
 "github.com/deckhouse/virtualization-controller/pkg/audit/util"
+ vmutil "github.com/deckhouse/virtualization-controller/pkg/common/vm"
 )
 func NewVMControl(options events.EventLoggerOptions) *VMControl {
@@ -73,7 +74,7 @@ func (m *VMControl) Fill() error {
 var terminatedStatuses string
 for _, status := range pod.Status.ContainerStatuses {
- if status.Name == "compute" && status.State.Terminated != nil {
+ if vmutil.IsComputeContainer(status.Name) && status.State.Terminated != nil {
 terminatedStatuses = status.State.Terminated.Message
 }
 }
diff --git a/images/virtualization-artifact/pkg/audit/events/vm/vm_control_test.go b/images/virtualization-artifact/pkg/audit/events/vm/vm_control_test.go
index 87e81d9744..8c41e18abf 100644
--- a/images/virtualization-artifact/pkg/audit/events/vm/vm_control_test.go
+++ b/images/virtualization-artifact/pkg/audit/events/vm/vm_control_test.go
@@ -86,7 +86,7 @@ var _ = Describe("VMOP Events", func() {
 Spec: corev1.PodSpec{
 Containers: []corev1.Container{
 {
- Name: "compute",
+ Name: "d8v-compute",
 Image: "test-image",
 },
 },
@@ -95,7 +95,7 @@ var _ = Describe("VMOP Events", func() {
 Status: corev1.PodStatus{
 ContainerStatuses: []corev1.ContainerStatus{
 {
- Name: "compute",
+ Name: "d8v-compute",
 State: corev1.ContainerState{Terminated: &corev1.ContainerStateTerminated{Message: "guest-shutdown"}},
 },
 },
diff --git a/images/virtualization-artifact/pkg/common/consts.go b/images/virtualization-artifact/pkg/common/consts.go
index 8aedc71927..1a78a19bf3 100644
--- a/images/virtualization-artifact/pkg/common/consts.go
+++ b/images/virtualization-artifact/pkg/common/consts.go
@@ -23,11 +23,11 @@ const (
 OwnerUID = "OWNER_UID"
 // BounderContainerName provides a constant to use as a name for bounder Container
- BounderContainerName = "bounder"
+ BounderContainerName = "d8v-dvcr-bounder"
 // ImporterContainerName provides a constant to use as a name for importer Container
- ImporterContainerName = "importer"
+ ImporterContainerName = "d8v-dvcr-importer"
 // UploaderContainerName provides a constant to use as a name for uploader Container
- UploaderContainerName = "uploader"
+ UploaderContainerName = "d8v-dvcr-uploader"
 // UploaderPortName provides a constant to use as a port name for uploader Service
 UploaderPortName = "uploader"
 // UploaderPort provides a constant to use as a port for uploader Service
diff --git a/images/virtualization-artifact/pkg/common/vm/vm.go b/images/virtualization-artifact/pkg/common/vm/vm.go
index 4eeca7b6ce..d246617be7 100644
--- a/images/virtualization-artifact/pkg/common/vm/vm.go
+++ b/images/virtualization-artifact/pkg/common/vm/vm.go
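Review bot: The three renamed constants in the consts.go hunk (`BounderContainerName`, `ImporterContainerName`, `UploaderContainerName`) keep no fallback for the old names "bounder", "importer" and "uploader", while the compute container in vm.go gets a comment saying previous versions may still carry the old "compute" name. If bounder/importer/uploader Pods started by a previous release can still be running while this version is rolled out, any lookup by these constants presumably stops matching them. Either confirm those Pods cannot outlive an upgrade, or record the assumption next to the constants, e.g. `// Pods created before the rename used "bounder"; no fallback is kept because such Pods do not survive an upgrade.`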
@@ -17,9 +17,15 @@ limitations under the License.
 package vm
 import (
+ "strings"
+
 virtv2 "github.com/deckhouse/virtualization/api/core/v1alpha2"
 )
+// VMContainerNameSuffix - a name suffix for container with virt-launcher, libvirt and qemu processes.
+// Container name is "d8v-compute", but previous versions may have "compute" container.
+const VMContainerNameSuffix = "compute"
+
 // CalculateCoresAndSockets calculates the number of sockets and cores per socket needed to achieve
 // the desired total number of CPU cores.
 // The function tries to minimize the number of sockets while ensuring the desired core count.
@@ -59,3 +65,7 @@ func ApprovalMode(vm *virtv2.VirtualMachine) virtv2.RestartApprovalMode {
 }
 return vm.Spec.Disruptions.RestartApprovalMode
 }
+
+func IsComputeContainer(name string) bool {
+ return strings.HasSuffix(name, VMContainerNameSuffix)
+}
diff --git a/images/virtualization-artifact/pkg/controller/powerstate/shutdown_reason.go b/images/virtualization-artifact/pkg/controller/powerstate/shutdown_reason.go
index a06fec4d32..cbc49ae3bc 100644
--- a/images/virtualization-artifact/pkg/controller/powerstate/shutdown_reason.go
+++ b/images/virtualization-artifact/pkg/controller/powerstate/shutdown_reason.go
@@ -22,14 +22,13 @@ import (
 corev1 "k8s.io/api/core/v1"
 kvv1 "kubevirt.io/api/core/v1"
+
+ vmutil "github.com/deckhouse/virtualization-controller/pkg/common/vm"
 )
 type GuestSignalReason string
 const (
- // DefaultVMContainerName - a container name with virt-launcher, libvirt and qemu processes.
- DefaultVMContainerName = "compute"
-
 // GuestResetReason - a reboot command was issued from inside the VM.
 GuestResetReason GuestSignalReason = "guest-reset"
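Review bot: `IsComputeContainer` matches with `strings.HasSuffix`, so any container whose name merely ends in "compute" is treated as the VM container, not only "d8v-compute" and the legacy "compute" that the `VMContainerNameSuffix` comment describes. Its callers decide which container's termination message lands in the audit event (vm_control.go hunk) and in the shutdown reason (shutdown_reason.go hunk) and whose resources are read (statistic.go hunk), so a stray match silently changes what is reported. An exact match on the two known names is just as short: `return name == VMContainerNameSuffix || name == "d8v-"+VMContainerNameSuffix`. The exported function also has no doc comment; `// IsComputeContainer reports whether name is the VM Pod's compute container ("d8v-compute", or "compute" for Pods created by previous versions).` would cover it.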
@@ -65,10 +64,9 @@ func ShutdownReason(kvvmi *kvv1.VirtualMachineInstance, kvPods *corev1.PodList)
 return ShutdownInfo{}
 }
- // Extract termination mesage from the "compute" container.
+ // Extract termination message from the container with VM.
 for _, contStatus := range recentPod.Status.ContainerStatuses {
- // "compute" is a default container name for VM Pod.
- if contStatus.Name != DefaultVMContainerName {
+ if !vmutil.IsComputeContainer(contStatus.Name) {
 continue
 }
 msg := ""
diff --git a/images/virtualization-artifact/pkg/controller/vm/internal/statistic.go b/images/virtualization-artifact/pkg/controller/vm/internal/statistic.go
index 4c4a4e672b..15d0e293ef 100644
--- a/images/virtualization-artifact/pkg/controller/vm/internal/statistic.go
+++ b/images/virtualization-artifact/pkg/controller/vm/internal/statistic.go
@@ -125,7 +125,7 @@ func (h *StatisticHandler) syncResources(changed *virtv2.VirtualMachine,
 }
 var ctr corev1.Container
 for _, container := range pod.Spec.Containers {
- if container.Name == "compute" {
+ if vm.IsComputeContainer(container.Name) {
 ctr = container
 }
 }
diff --git a/images/virtualization-artifact/pkg/controller/vm/internal/statistic_test.go b/images/virtualization-artifact/pkg/controller/vm/internal/statistic_test.go
index 05a0340518..a68885634a 100644
--- a/images/virtualization-artifact/pkg/controller/vm/internal/statistic_test.go
+++ b/images/virtualization-artifact/pkg/controller/vm/internal/statistic_test.go
@@ -89,7 +89,7 @@ var _ = Describe("TestStatisticHandler", func() {
 NodeName: nodeName,
 Containers: []corev1.Container{
 {
- Name: "compute",
+ Name: "d8v-compute",
 Resources: corev1.ResourceRequirements{
 Requests: corev1.ResourceList{
 corev1.ResourceCPU: resource.MustParse(requestCPU),
From e449ad1ea199894daaf8027598af27ef3732b242 Mon Sep 17 00:00:00 2001
From: Ivan Mikheykin
Date: Thu, 11 Sep 2025 15:56:48 +0300
Subject: [PATCH 2/4] ++ rebuild cdi,kubevirt
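Review bot: In the statistic.go hunk the loop over `pod.Spec.Containers` keeps iterating after a match, so with the broadened name check the last matching container silently wins, and when nothing matches `ctr` stays the zero `corev1.Container` with no signal to the caller; syncResources starts before and continues after the hunk, so presumably the resource sync then proceeds from empty requests and limits. Add `break` after `ctr = container`, and consider logging or returning early when no compute container was found. The same overwrite-on-every-match shape is in the vm_control.go hunk (`terminatedStatuses = status.State.Terminated.Message`).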
Signed-off-by: Ivan Mikheykin
---
 images/cdi-artifact/werf.inc.yaml | 1 +
 images/virt-artifact/werf.inc.yaml | 1 +
 2 files changed, 2 insertions(+)
diff --git a/images/cdi-artifact/werf.inc.yaml b/images/cdi-artifact/werf.inc.yaml
index fd731f6ff4..112e0e2b64 100644
--- a/images/cdi-artifact/werf.inc.yaml
+++ b/images/cdi-artifact/werf.inc.yaml
@@ -31,6 +31,7 @@ secrets:
 value: {{ $.SOURCE_REPO }}
 shell:
 install:
+ - echo "Rebuild 11.09.2025"
 - |
 echo "Git clone CDI repository..."
 git clone --depth 1 --branch {{ $version }} $(cat /run/secrets/SOURCE_REPO)/{{ $gitRepoUrl }} /src/containerized-data-importer
diff --git a/images/virt-artifact/werf.inc.yaml b/images/virt-artifact/werf.inc.yaml
index f76dcf3163..8b31bf7c24 100644
--- a/images/virt-artifact/werf.inc.yaml
+++ b/images/virt-artifact/werf.inc.yaml
@@ -13,6 +13,7 @@ secrets:
 value: {{ $.SOURCE_REPO }}
 shell:
 install:
+ - echo "Rebuild 11.09.2025"
 - git clone --depth=1 $(cat /run/secrets/SOURCE_REPO)/deckhouse/3p-kubevirt --branch {{ $tag }} /kubevirt
---
From 715e169a4840bd689174a0ca2b5449bb00fd98e2 Mon Sep 17 00:00:00 2001
From: Ivan Mikheykin
Date: Thu, 11 Sep 2025 16:32:20 +0300
Subject: [PATCH 3/4] ++ rebuild kubevirt
Signed-off-by: Ivan Mikheykin
---
 images/virt-artifact/werf.inc.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/images/virt-artifact/werf.inc.yaml b/images/virt-artifact/werf.inc.yaml
index 8b31bf7c24..9dbf9e3ab3 100644
--- a/images/virt-artifact/werf.inc.yaml
+++ b/images/virt-artifact/werf.inc.yaml
@@ -13,7 +13,7 @@ secrets:
 value: {{ $.SOURCE_REPO }}
 shell:
 install:
- - echo "Rebuild 11.09.2025"
+ - echo "Rebuild 11.09.2025-2"
 - git clone --depth=1 $(cat /run/secrets/SOURCE_REPO)/deckhouse/3p-kubevirt --branch {{ $tag }} /kubevirt
---
From 53d3194ed2468da2a939d86d78a8f899f5650d69 Mon Sep 17 00:00:00 2001
From: Ivan Mikheykin
Date: Mon, 15 Sep 2025 16:46:04 +0300
Subject: [PATCH 4/4] ++ use tagged versions of 3p-kubevirt and cdi
Signed-off-by: Ivan Mikheykin
---
 build/components/versions.yml | 6 ++----
 images/cdi-artifact/werf.inc.yaml | 1 -
 images/virt-artifact/werf.inc.yaml | 1 -
 3 files changed, 2 insertions(+), 6 deletions(-)
diff --git a/build/components/versions.yml b/build/components/versions.yml
index 6088b6469d..9b97376680 100644
--- a/build/components/versions.yml
+++ b/build/components/versions.yml
@@ -3,10 +3,8 @@ firmware:
 libvirt: v10.9.0
 edk2: stable202411
 core:
- #3p-kubevirt: v1.3.1-v12n.12
- 3p-kubevirt: dvp/chore/support-containerd-integrity-checks
- #3p-containerized-data-importer: v1.60.3-v12n.10
- 3p-containerized-data-importer: dvp/chore/support-containerd-integrity-check-for-containers
+ 3p-kubevirt: v1.3.1-v12n.12
+ 3p-containerized-data-importer: v1.60.3-v12n.10
 distribution: 2.8.3
 package:
 acl: v2.3.1
diff --git a/images/cdi-artifact/werf.inc.yaml b/images/cdi-artifact/werf.inc.yaml
index 112e0e2b64..fd731f6ff4 100644
--- a/images/cdi-artifact/werf.inc.yaml
+++ b/images/cdi-artifact/werf.inc.yaml
@@ -31,7 +31,6 @@ secrets:
 value: {{ $.SOURCE_REPO }}
 shell:
 install:
- - echo "Rebuild 11.09.2025"
 - |
 echo "Git clone CDI repository..."
 git clone --depth 1 --branch {{ $version }} $(cat /run/secrets/SOURCE_REPO)/{{ $gitRepoUrl }} /src/containerized-data-importer
diff --git a/images/virt-artifact/werf.inc.yaml b/images/virt-artifact/werf.inc.yaml
index 9dbf9e3ab3..f76dcf3163 100644
--- a/images/virt-artifact/werf.inc.yaml
+++ b/images/virt-artifact/werf.inc.yaml
@@ -13,7 +13,6 @@ secrets:
 value: {{ $.SOURCE_REPO }}
 shell:
 install:
- - echo "Rebuild 11.09.2025-2"
 - git clone --depth=1 $(cat /run/secrets/SOURCE_REPO)/deckhouse/3p-kubevirt --branch {{ $tag }} /kubevirt
---