On Wed, Nov 09, 2022 at 06:14:58PM +0000, Daniel P. Berrangé wrote: > On Fri, Nov 04, 2022 at 02:56:51PM -0400, Andrea Bolognani wrote: > > IIUC a specific profile (cri-containerd.apparmor.d) is used for > > unprivileged containers such as virt-launcher, but a privileged one > > such as virt-handler falls under the same profile as the host. > > > > This makes some amount of sense to me: unprivileged containers are > > already limited in what they can do by the usual restrictions on user > > processes. Privileged containers, on the other hand, are effectively > > root processes, so it's advisable to be significantly more cautious > > with them. > > I still consider that situation to be broken by design. If the > privileged container is running a completely differnt software > stack from the host OS, using the host OS apparmour profile > to confined the container binary is never going to be a reliable > setup. Either the privileged container has to run without > confinement, or it needs to be confined using policy provided > by the container (which is likely not viable anyway). > > > Note that this is just my current understanding of the situation, and > > I'm far from an expert when it comes to containers in general and > > their interactions with AppArmor in particular. I recommend taking a > > look at > > > > https://github.com/kubevirt/kubevirt/pull/8692 > > > > and the issues linked therein, which will provide more context coming > > from people who actually know what they're talking about :) > > I did read that and it didn't give me any more confidence that > this setup is sensible. Closing the loop on this one. After some discussion[1], we have reached the agreement that the proper way to solve this is to have the node-labeller run in an unprivileged container, just as the actual VM workload would. Since doing that requires reworking KubeVirt in non-trivial ways, I have filed an issue[2] to track this. In the meantime, the user guide now recommends[3] simply uninstalling libvirt from the host, which is a simple and effective workaround. tl;dr SNACK Thanks everyone for the input! [1] https://github.com/kubevirt/kubevirt/pull/8692#issuecomment-1305956638 [2] https://github.com/kubevirt/kubevirt/issues/8744 [3] https://github.com/kubevirt/user-guide/pull/618 -- Andrea Bolognani / Red Hat / Virtualization
