missing docs: unprivileged_userfaultfd requirement for postcopy #1004
jean-edouard left a comment
/approve
/hold
Just a couple comments, feel free to unhold.
| post-copy migration: | ||
|
|
||
| ``` | ||
| vm.unprivileged_userfaultfd=1 |
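Review bot: the `vm.unprivileged_userfaultfd=1` line in this block is a node-wide sysctl, so the text around it should say that it lifts the restriction for every unprivileged process on the node, not only the virt-launcher pod, and that it has to be in place on each node that can receive a post-copy migration. Stating the default the reader is overriding (disabled on most modern distros, per the PR description) would make the trade-off explicit.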
Do you confirm that this is needed even with the seccomp policy deployed? If so, I don't understand how OpenShift clusters successfully run post-copy migrations today...
Yes, this is needed. OpenShift clusters successfully run post-copy because openshift/machine-config-operator#3724 modified the machine config operator to set this setting.
So the instructions below to create the MachineConfig on OpenShift are not needed, are they?
Technically no... Good point, I should update that.
| denied `userfaultfd` depending on the `container_t` policy in use. | ||
| Administrators may need to create a custom SELinux policy module to | ||
| permit this syscall for the virt-launcher context. Consult your | ||
| platform's documentation for the recommended approach. |
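Review bot: "depending on the `container_t` policy in use" together with "Consult your platform's documentation" leaves the administrator with no way to tell whether this paragraph applies to their node. Suggest saying how to confirm the denial first, for example by checking the node's audit log for an AVC denial at the time of the failed post-copy migration, so that a custom policy module is only loaded where it is actually needed.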
You can add that nodes that deploy container-selinux v2.248+ have the necessary permission (kernel_userfaultfd_use(container_domain)).
Is the updated paragraph fine?
[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: jean-edouard

/unhold
On most modern distros, vm.unprivileged_userfaultfd is disabled by default, preventing QEMU from capturing page faults during a postcopy migration on the receiving node. However, this requirement is currently not documented anywhere.

Second, some k8s clusters can choose to enable Seccomp. In this case, there is an additional layer that needs to be enabled in order to use post-copy. We document this information also.

Signed-off-by: Aseef Imran <aimran@redhat.com>
Assisted-by: Claude Opus 4.6 <claude@anthropic.com>

/lgtm
What this PR does / why we need it:
On most modern distros, vm.unprivileged_userfaultfd is disabled by default, preventing QEMU from capturing page faults during a postcopy migration on the receiving node. However, this requirement is currently not documented anywhere.
Which issue(s) this PR fixes (optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged):
Fixes kubevirt/kubevirt#17780
Special notes for your reviewer:
Checklist
This checklist is not enforcing, but it's a reminder of items that could be relevant to every PR.
Approvers are expected to review this list.
Release note:
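A node preflight check for the two host-side requirements discussed in this thread, the `vm.unprivileged_userfaultfd` sysctl and the container-selinux version named in the review, as an added example that is not part of the PR or the KubeVirt docs. The function names and the `--check` argument are hypothetical, the 2.248 threshold is the one given in the review comment, and the package lookup assumes an RPM-based node.

```shell
#!/bin/sh
# Added example (not KubeVirt code). Function names and --check are hypothetical.

# Classify the value of /proc/sys/vm/unprivileged_userfaultfd.
uffd_sysctl_state() {
    case "$1" in
        1) echo ok ;;        # unprivileged userfaultfd allowed
        0) echo blocked ;;   # the default this PR documents
        *) echo unknown ;;   # file missing or unexpected content
    esac
}

# version_ge A B: succeed when dotted numeric version A >= B.
# Anything after the numeric part (e.g. "-1.el9") is ignored.
version_ge() {
    va=${1%%[!0-9.]*}; vb=${2%%[!0-9.]*}
    while [ -n "$va" ] || [ -n "$vb" ]; do
        fa=${va%%.*}; fb=${vb%%.*}
        [ "${fa:-0}" -gt "${fb:-0}" ] && return 0
        [ "${fa:-0}" -lt "${fb:-0}" ] && return 1
        case "$va" in *.*) va=${va#*.} ;; *) va= ;; esac
        case "$vb" in *.*) vb=${vb#*.} ;; *) vb= ;; esac
    done
    return 0
}

# 2.248 is the container-selinux version named in the review comment.
selinux_pkg_state() {
    [ -n "$1" ] || { echo unknown; return; }
    if version_ge "$1" 2.248; then echo ok; else echo needs-policy; fi
}

# Report both checks for the local node; non-zero status if either is not ok.
check_node() {
    rc=0
    val=$(cat /proc/sys/vm/unprivileged_userfaultfd 2>/dev/null) || val=missing
    state=$(uffd_sysctl_state "$val")
    echo "vm.unprivileged_userfaultfd=$val: $state"
    [ "$state" = ok ] || rc=1
    # Assumption: RPM-based node; on other hosts this reports "unknown".
    ver=$(rpm -q --qf '%{VERSION}' container-selinux 2>/dev/null) || ver=
    state=$(selinux_pkg_state "$ver")
    echo "container-selinux ${ver:-not found}: $state"
    [ "$state" = ok ] || rc=1
    return $rc
}

if [ "${1:-}" = "--check" ]; then check_node; fi
```

Run with `--check` on each node that can be a post-copy migration target; it does not inspect the seccomp profile, which has to be verified separately.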