fix(vm): run virt-launcher as non-root

Signed-off-by: Isteb4k <[email protected]>

Author: Isteb4k

images/libvirt/install-libvirt.sh

@@ -18,7 +18,7 @@ usage() {
     cat <<EOF
     Usage: $0 [OPTIONS]
     Options:
-    
+
     Set the source base directory:      -s, --src-base PATH (example: /mysourcedir)
     Set the build base directory:       -b, --build-dir FOLDER (example: mybuildfolder)
     Set the destination base directory: -d, --dest-base PATH (example: /mydestdir)
@@ -103,9 +103,9 @@ fi
 lib_version=$(convert_version $VERSION_NUM)
 
 # List of files and destinations of libvirt
-# Commented lines - binary for additional features. 
+# Commented lines - binary for additional features.
 #
-# The specific format of the list, 'SOURCE_FILE to DESTINATION', 
+# The specific format of the list, 'SOURCE_FILE to DESTINATION',
 # is due to the output of the installation scripts. To make it easier to add them to this list.
 
 FILE_LIST=$(cat <<EOF
@@ -568,6 +568,11 @@ copy_file() {
     fi
     cp -p "$SOURCE_PATH" "$DEST_BASE$dest_dir"
     echo "Copied $SOURCE_PATH to $DEST_BASE$dest_dir"
+
+    if [[ "$SOURCE_PATH" == *virtqemud ]]; then
+        setcap cap_net_bind_service=eip "$DEST_BASE$dest_dir/virtqemud"
+        echo "SETCAP $SOURCE_PATH to $DEST_BASE$dest_dir"
+    fi
 }
 
 main() {
@@ -589,4 +594,4 @@ main() {
     done <<< "$FILE_LIST"
 }
 
-main
+main

images/libvirt/patches/001-disable-ro-and-admin-servers.patch

@@ -0,0 +1,47 @@
+diff --git a/src/remote/remote_daemon.c b/src/remote/remote_daemon.c
+index 9e82132654..fcc7514169 100644
+--- a/src/remote/remote_daemon.c
++++ b/src/remote/remote_daemon.c
+@@ -628,24 +628,24 @@ static void daemonRunStateInit(void *opaque)
+
+     /* Tie the non-privileged daemons to the session/shutdown lifecycle */
+     if (!virNetDaemonIsPrivileged(dmn)) {
+-
+-        sessionBus = virGDBusGetSessionBus();
+-        if (sessionBus != NULL)
+-            g_dbus_connection_add_filter(sessionBus,
+-                                         handleSessionMessageFunc, dmn, NULL);
+-
+-        systemBus = virGDBusGetSystemBus();
+-        if (systemBus != NULL)
+-            g_dbus_connection_signal_subscribe(systemBus,
+-                                               "org.freedesktop.login1",
+-                                               "org.freedesktop.login1.Manager",
+-                                               "PrepareForShutdown",
+-                                               NULL,
+-                                               NULL,
+-                                               G_DBUS_SIGNAL_FLAGS_NONE,
+-                                               handleSystemMessageFunc,
+-                                               dmn,
+-                                               NULL);
++        if (FALSE) {
++            sessionBus = virGDBusGetSessionBus();
++            if (sessionBus != NULL)
++                g_dbus_connection_add_filter(sessionBus,
++                                            handleSessionMessageFunc, dmn, NULL);
++            systemBus = virGDBusGetSystemBus();
++            if (systemBus != NULL)
++                g_dbus_connection_signal_subscribe(systemBus,
++                                                "org.freedesktop.login1",
++                                                "org.freedesktop.login1.Manager",
++                                                "PrepareForShutdown",
++                                                NULL,
++                                                NULL,
++                                                G_DBUS_SIGNAL_FLAGS_NONE,
++                                                handleSystemMessageFunc,
++                                                dmn,
++                                                NULL);
++        }
+     }
+
+     /* Only now accept clients from network */

images/libvirt/patches/001-podsadsadsapa.patch

@@ -0,0 +1,29 @@
+diff --git a/cmd/virt-launcher-monitor/virt-launcher-monitor.go b/cmd/virt-launcher-monitor/virt-launcher-monitor.go
+index f2a0ed86f5..90caff4265 100644
+--- a/cmd/virt-launcher-monitor/virt-launcher-monitor.go
++++ b/cmd/virt-launcher-monitor/virt-launcher-monitor.go
+@@ -35,8 +35,8 @@ import (
+ 	"time"
+ 
+ 	"github.com/spf13/pflag"
+-
+ 	"golang.org/x/sys/unix"
++
+ 	"kubevirt.io/client-go/log"
+ 
+ 	"kubevirt.io/kubevirt/pkg/util"
+@@ -177,10 +177,13 @@ func RunAndMonitor(containerDiskDir, uid string) (int, error) {
+ 	cmd.Stdout = os.Stdout
+ 	cmd.Stderr = os.Stderr
+ 
++	log.Log.Info("11111")
++
+ 	if err := cmd.Start(); err != nil {
+-		log.Log.Reason(err).Error("failed to run virt-launcher")
++		log.Log.Reason(err).With("cmd", cmd.String()).Error("[AAA] failed to run virt-launcher")
+ 		return 1, err
+ 	}
++	log.Log.Info("22222")
+ 
+ 	exitStatus := make(chan int, 10)
+ 	sigs := make(chan os.Signal, 10)

images/libvirt/patches/002-treat-getpeercon-eintval-as-success.patch

@@ -96,7 +96,8 @@ shell:
 
     - echo ============== Build virt-launcher-monitor ============
     # virt-launcher-monitor is wrapped in the final image. Add suffix here to prevent image size increasing as effect of file renaming.
-    - go build -ldflags="-s -w" -o /kubevirt-binaries/virt-launcher-monitor ./cmd/virt-launcher-monitor/
+    - CGO_ENABLED=0 go build -ldflags="-s -w" -o /kubevirt-binaries/virt-launcher-monitor ./cmd/virt-launcher-monitor/
+    - setcap cap_net_bind_service=eip /kubevirt-binaries/virt-launcher-monitor
 
     - echo ============== Build virt-tail ========================
     - go build -ldflags="-s -w" -o /kubevirt-binaries/virt-tail ./cmd/virt-tail/