builder/daemonless: pass through /dev/kvm if present
Currently, if `devices.kubevirt.io/kvm` resources are requested in the build object, the resource request makes it to the build pod, but it doesn't really have any visible effect because the nested build process itself doesn't have access to it. The only reason we'd have `/dev/kvm` in our pod is if the user wants to use it in their build. So just pass it through if we find it.

The use case for this is being able to build artifacts which would normally require privileges. One example includes base bootable container (bootc) images. Building these currently requires privileges because it itself uses containerization features. In the future, this should work with user namespacing, currently in Tech Preview. However, because we need not just uid 0 but `CAP_SYS_ADMIN`, and capabilities would still be restricted by default, we would still require access to non-default SCCs. (And of course, the builder would also have to be adapted to pass through the capabilities.)

Another example is building disk images and shipping them in container images. This is done for example by Kubevirt and podman-machine. Two common ways to build disk images currently are via loopback devices or virtualization. The former can't be used because loopback devices are not namespaced and require privileges. This patch enables the latter. Using virtualization enables us to build these artifacts all while using the _default_ OpenShift restricted SCC.