#8208 communishift: allow exposing /dev/kvm to containers
Opened a month ago by dustymabe. Modified 17 days ago

I have a project where I'd like to expose /dev/kvm to the running containers so that I can use unprivileged qemu-kvm to achieve some tasks. I've been told in OCP 4.1 land that this is achievable by using a kvm kubernetes device plugin. The docs for that are here. There is a daemonset we can use to set it up and then we can request /dev/kvm in our pod manifests by including:

spec:
  containers:
  - name: demo
    ...
    resources:
      requests:
        devices.kubevirt.io/kvm: "1"
      limits:
        devices.kubevirt.io/kvm: "1"

Can we investigate adding the ability to expose /dev/kvm to our containers?
cc @fabiand - in case he has any new information here beyond what is documented on that page.

Metadata Update from @kevin:
- Issue priority set to: Waiting on Assignee (was: Needs Review)

a month ago

Yes, KubeVirt is using a daemonset with a DP to expose kvm as a resource, and provide it to (unprivileged) containers.
The issue is that this DP is part of our node agent (virt-handler) thus not usable standalone.

What's your use-case for running a VM in a container?
Aka why can't you use KubeVirt?

I can't speak for @dustymabe but our support tooling is not designed for KubeVirt and we'd rather spend our time elsewhere. The other users of that support tooling end up using privileged containers and are not affected in the same way.

> Yes, KubeVirt is using a daemonset with a DP to expose kvm as a resource, and provide it to (unprivileged) containers.
> The issue is that this DP is part of our node agent (virt-handler) thus not usable standalone.
> What's your use-case for running a VM in a container?
> Aka why can't you use KubeVirt?

We're basically running unprivileged qemu commands (some invoked directly and some indirectly via libguestfs) to build Fedora CoreOS (via coreos-assembler) in an OpenShift environment. Previously we have been using the oci-kvm-hook rpm for this but now in the CoreOS world (where you can't easily just add an rpm to the host) we're looking for the new way of doing things. I was pointed at this doc for that.

So if we just wanted to be able to create pods that have /dev/kvm mounted in is that doc the best way to do it these days?

Yes. It's a little bit outdated but should work.
The other option is to use a privileged pod or hostPath
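The three routes named in this thread (device plugin resource, hostPath, privileged pod) differ a lot in what they hand the container. As an added example, not code from the ticket or from KubeVirt, here is a small manifest checker that classifies which route a pod spec uses and flags the broader-than-needed ones; the sample specs are constructed inline and the risk ranking is my own assumption.

```python
# Added example (not from the ticket or any project it mentions): classify how a
# pod manifest reaches /dev/kvm across the device plugin, hostPath and privileged
# options from the thread. Sample specs are constructed; risk ranking is assumed.

KVM_RESOURCE = "devices.kubevirt.io/kvm"  # resource name from the ticket snippet
RISK = {"none": 0, "device-plugin": 1, "hostpath": 2, "privileged": 3}


def kvm_access_modes(pod):
    """Return the set of mechanisms by which this pod spec reaches /dev/kvm."""
    spec = pod.get("spec", {})
    modes = set()
    for vol in spec.get("volumes") or []:
        # A hostPath of /dev/kvm (or the whole /dev tree) bypasses the device plugin.
        if vol.get("hostPath", {}).get("path") in ("/dev/kvm", "/dev"):
            modes.add("hostpath")
    for c in spec.get("containers") or []:
        res = c.get("resources", {})
        if KVM_RESOURCE in res.get("requests", {}) or KVM_RESOURCE in res.get("limits", {}):
            modes.add("device-plugin")
        if c.get("securityContext", {}).get("privileged"):
            modes.add("privileged")
    return modes


def classify(pod):
    """Return (highest-risk mode, list of findings) for a pod spec."""
    modes = kvm_access_modes(pod)
    findings = []
    for c in pod.get("spec", {}).get("containers") or []:
        res = c.get("resources", {})
        req = res.get("requests", {}).get(KVM_RESOURCE)
        lim = res.get("limits", {}).get(KVM_RESOURCE)
        # Extended resources must carry equal request and limit when both are set.
        if req is not None and lim is not None and req != lim:
            findings.append(f"{c['name']}: {KVM_RESOURCE} request {req!r} != limit {lim!r}")
    if "privileged" in modes:
        findings.append("privileged container grants far more than /dev/kvm")
    if "hostpath" in modes:
        findings.append("hostPath mount of /dev/kvm bypasses device plugin accounting")
    top = max(modes, key=RISK.get) if modes else "none"
    return top, findings


# Constructed sample manifests (dict form of the pod YAML).
POD_DEVICE_PLUGIN = {"spec": {"containers": [{"name": "demo", "resources": {
    "requests": {KVM_RESOURCE: "1"}, "limits": {KVM_RESOURCE: "1"}}}]}}
POD_HOSTPATH = {"spec": {"volumes": [{"name": "kvm", "hostPath": {"path": "/dev/kvm"}}],
    "containers": [{"name": "demo", "volumeMounts": [{"name": "kvm", "mountPath": "/dev/kvm"}]}]}}
POD_PRIVILEGED = {"spec": {"containers": [{"name": "demo",
    "securityContext": {"privileged": True}}]}}
```

Running `classify()` over the three samples returns `device-plugin`, `hostpath` and `privileged` respectively, with findings only for the latter two.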

Metadata Update from @cverna:
- Issue tagged with: backlog

17 days ago
