From d4a8a32fbcc8aae42e9981ac883748e4348dbbe1 Mon Sep 17 00:00:00 2001 From: Daniil Loktev Date: Thu, 12 Mar 2026 10:29:43 +0300 Subject: [PATCH 01/12] wip Signed-off-by: Daniil Loktev --- templates/kubevirt/kubevirt.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/templates/kubevirt/kubevirt.yaml b/templates/kubevirt/kubevirt.yaml index c57f981ce2..1b374931fb 100644 --- a/templates/kubevirt/kubevirt.yaml +++ b/templates/kubevirt/kubevirt.yaml @@ -54,7 +54,6 @@ spec: - HotplugVolumes - Snapshot - ExpandDisks - - Root - CPUManager - Sidecar - VolumeSnapshotDataSource From 9597ee1bd45eeaa8779b9294d8d64e94aac11fd5 Mon Sep 17 00:00:00 2001 From: Daniil Loktev Date: Thu, 12 Mar 2026 11:48:08 +0300 Subject: [PATCH 02/12] wip Signed-off-by: Daniil Loktev --- images/virt-launcher/werf.inc.yaml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/images/virt-launcher/werf.inc.yaml b/images/virt-launcher/werf.inc.yaml index d238443408..8926586d46 100644 --- a/images/virt-launcher/werf.inc.yaml +++ b/images/virt-launcher/werf.inc.yaml @@ -392,6 +392,9 @@ shell: echo "Create symlink for run -> var/run " ln -s var/run run + - | + setcap cap_net_bind_service=+ep /relocate/usr/bin/virt-launcher-monitor + # /etc/libvirt-init will be copied back into /etc/libvirt at runtime. This is necessary because we configure libvirt to mount /etc/libvirt and set readOnlyRootFilesystem for other directories. # DO NOT REMOVE. node-labeler.sh uses /etc/libvirt. - | From 770f1958775a81c4ebcd7dd7709edf4998f7c1fc Mon Sep 17 00:00:00 2001 From: Daniil Loktev Date: Thu, 12 Mar 2026 16:32:17 +0300 Subject: [PATCH 03/12] wip Signed-off-by: Daniil Loktev --- build/components/versions.yml | 2 +- images/virt-launcher/werf.inc.yaml | 3 --- 2 files changed, 1 insertion(+), 4 deletions(-) diff --git a/build/components/versions.yml b/build/components/versions.yml index 74fb184558..0da9757136 100644 --- a/build/components/versions.yml +++ b/build/components/versions.yml 
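Review bot: The added `setcap cap_net_bind_service=+ep /relocate/usr/bin/virt-launcher-monitor` step in PATCH 02/12 has no comment saying why the monitor needs to bind a port below 1024, and nothing visible confirms the capability is still on the file in the final image. File capabilities live in the `security.capability` extended attribute, so a copy or import step that does not preserve xattrs would drop the grant without a build error; whether the import of `/relocate` preserves them cannot be seen from this hunk. I would add a comment above the step, `# CAP_NET_BIND_SERVICE on virt-launcher-monitor: <why it binds a privileged port>`, and a `getcap /usr/bin/virt-launcher-monitor` check against the final image in CI. The same step is re-added unchanged in PATCH 05/12 and PATCH 08/12. The enclosing `shell:` block starts and ends outside the hunk.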
@@ -3,7 +3,7 @@ firmware: libvirt: v10.9.0 edk2: stable202411 core: - 3p-kubevirt: v1.6.2-v12n.13 + 3p-kubevirt: feat/vm/rootless-virt-launcher 3p-containerized-data-importer: v1.60.3-v12n.16 distribution: 2.8.3 package: diff --git a/images/virt-launcher/werf.inc.yaml b/images/virt-launcher/werf.inc.yaml index 8926586d46..d238443408 100644 --- a/images/virt-launcher/werf.inc.yaml +++ b/images/virt-launcher/werf.inc.yaml @@ -392,9 +392,6 @@ shell: echo "Create symlink for run -> var/run " ln -s var/run run - - | - setcap cap_net_bind_service=+ep /relocate/usr/bin/virt-launcher-monitor - # /etc/libvirt-init will be copied back into /etc/libvirt at runtime. This is necessary because we configure libvirt to mount /etc/libvirt and set readOnlyRootFilesystem for other directories. # DO NOT REMOVE. node-labeler.sh uses /etc/libvirt. - | From ae8f81c8885a438709004e263bce6d6544cf829d Mon Sep 17 00:00:00 2001 From: Daniil Loktev Date: Thu, 12 Mar 2026 17:14:35 +0300 Subject: [PATCH 04/12] wip Signed-off-by: Daniil Loktev --- images/virt-artifact/werf.inc.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/images/virt-artifact/werf.inc.yaml b/images/virt-artifact/werf.inc.yaml index 45e1112e8d..dd8a43e51d 100644 --- a/images/virt-artifact/werf.inc.yaml +++ b/images/virt-artifact/werf.inc.yaml @@ -9,6 +9,7 @@ image: {{ .ModuleNamePrefix }}{{ .ImageName }}-src-artifact final: false fromImage: builder/src +fromCacheVersion: "{{ now | date "Mon Jan 2 15:04:05 MST 2006" }}" secrets: - id: SOURCE_REPO value: {{ $.SOURCE_REPO }} @@ -44,6 +45,7 @@ packages: image: {{ .ModuleNamePrefix }}{{ .ImageName }} final: false fromImage: {{ eq $.SVACE_ENABLED "false" | ternary "builder/golang-alt-1.24" "builder/golang-alt-svace-1.24" }} +fromCacheVersion: "{{ now | date "Mon Jan 2 15:04:05 MST 2006" }}" mount: - fromPath: ~/go-pkg-cache to: /go/pkg From 85284e8835dd24686143619073f79d3fac88e877 Mon Sep 17 00:00:00 2001 
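Review bot: `3p-kubevirt: feat/vm/rootless-virt-launcher` in PATCH 03/12 replaces a release tag (`v1.6.2-v12n.13`) with a branch name, so the source that gets built can change without any change in this repository. The other entries visible in the hunk are pinned to a tag or version. Before this leaves WIP, the value should go back to a tag or a full commit SHA cut from that branch, so the build is reproducible and the reviewed code is the code that ships. PATCH 11/12 applies the same branch ref again and PATCH 12/12 only re-indents it.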
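Review bot: `fromCacheVersion: "{{ now | date "Mon Jan 2 15:04:05 MST 2006" }}"` in PATCH 04/12 renders to a different value on every build, so the cached stages of both images in `images/virt-artifact/werf.inc.yaml` are invalidated each time and two builds of the same commit no longer produce comparable results. If it is only there to force a rebuild while `3p-kubevirt` points at a moving branch, it should carry a comment such as `# TEMP: cache-bust while 3p-kubevirt tracks a branch; remove before merge`, or be replaced by a fixed string that is bumped by hand. PATCH 07/12 removes these two lines again. PATCH 09/12 adds the same line to both images in `images/virt-launcher/werf.inc.yaml`, and nothing later in the visible series removes it there.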
From: Daniil Loktev Date: Thu, 12 Mar 2026 18:02:17 +0300 Subject: [PATCH 05/12] wip Signed-off-by: Daniil Loktev --- images/virt-launcher/werf.inc.yaml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/images/virt-launcher/werf.inc.yaml b/images/virt-launcher/werf.inc.yaml index d238443408..8926586d46 100644 --- a/images/virt-launcher/werf.inc.yaml +++ b/images/virt-launcher/werf.inc.yaml @@ -392,6 +392,9 @@ shell: echo "Create symlink for run -> var/run " ln -s var/run run + - | + setcap cap_net_bind_service=+ep /relocate/usr/bin/virt-launcher-monitor + # /etc/libvirt-init will be copied back into /etc/libvirt at runtime. This is necessary because we configure libvirt to mount /etc/libvirt and set readOnlyRootFilesystem for other directories. # DO NOT REMOVE. node-labeler.sh uses /etc/libvirt. - | From 8910b80e25dc7d8d4c84d7abe08d06cb2643ebd8 Mon Sep 17 00:00:00 2001 From: Daniil Loktev Date: Thu, 12 Mar 2026 19:00:34 +0300 Subject: [PATCH 06/12] wip Signed-off-by: Daniil Loktev --- images/virt-launcher/werf.inc.yaml | 3 --- 1 file changed, 3 deletions(-) diff --git a/images/virt-launcher/werf.inc.yaml b/images/virt-launcher/werf.inc.yaml index 8926586d46..d238443408 100644 --- a/images/virt-launcher/werf.inc.yaml +++ b/images/virt-launcher/werf.inc.yaml @@ -392,9 +392,6 @@ shell: echo "Create symlink for run -> var/run " ln -s var/run run - - | - setcap cap_net_bind_service=+ep /relocate/usr/bin/virt-launcher-monitor - # /etc/libvirt-init will be copied back into /etc/libvirt at runtime. This is necessary because we configure libvirt to mount /etc/libvirt and set readOnlyRootFilesystem for other directories. # DO NOT REMOVE. node-labeler.sh uses /etc/libvirt. - | From b3a85a3c9b60a2e0fdf4e2cb76311f18021faa96 Mon Sep 17 00:00:00 2001 From: Daniil Loktev Date: Tue, 24 Mar 2026 15:51:05 +0300 Subject: [PATCH 07/12] wip Signed-off-by: Daniil Loktev --- images/virt-artifact/werf.inc.yaml | 2 -- 1 file changed, 2 deletions(-) 
diff --git a/images/virt-artifact/werf.inc.yaml b/images/virt-artifact/werf.inc.yaml index dd8a43e51d..45e1112e8d 100644 --- a/images/virt-artifact/werf.inc.yaml +++ b/images/virt-artifact/werf.inc.yaml @@ -9,7 +9,6 @@ image: {{ .ModuleNamePrefix }}{{ .ImageName }}-src-artifact final: false fromImage: builder/src -fromCacheVersion: "{{ now | date "Mon Jan 2 15:04:05 MST 2006" }}" secrets: - id: SOURCE_REPO value: {{ $.SOURCE_REPO }} @@ -45,7 +44,6 @@ packages: image: {{ .ModuleNamePrefix }}{{ .ImageName }} final: false fromImage: {{ eq $.SVACE_ENABLED "false" | ternary "builder/golang-alt-1.24" "builder/golang-alt-svace-1.24" }} -fromCacheVersion: "{{ now | date "Mon Jan 2 15:04:05 MST 2006" }}" mount: - fromPath: ~/go-pkg-cache to: /go/pkg From 495317d98897c539a5a1d45685aa1e107754b9b7 Mon Sep 17 00:00:00 2001 From: Daniil Loktev Date: Tue, 24 Mar 2026 16:02:25 +0300 Subject: [PATCH 08/12] wip Signed-off-by: Daniil Loktev --- images/virt-launcher/werf.inc.yaml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/images/virt-launcher/werf.inc.yaml b/images/virt-launcher/werf.inc.yaml index d238443408..8926586d46 100644 --- a/images/virt-launcher/werf.inc.yaml +++ b/images/virt-launcher/werf.inc.yaml @@ -392,6 +392,9 @@ shell: echo "Create symlink for run -> var/run " ln -s var/run run + - | + setcap cap_net_bind_service=+ep /relocate/usr/bin/virt-launcher-monitor + # /etc/libvirt-init will be copied back into /etc/libvirt at runtime. This is necessary because we configure libvirt to mount /etc/libvirt and set readOnlyRootFilesystem for other directories. # DO NOT REMOVE. node-labeler.sh uses /etc/libvirt. - | From 34b867b581f22dfd4e5adcee6472906cd5a018aa Mon Sep 17 00:00:00 2001 From: Daniil Loktev Date: Tue, 24 Mar 2026 16:30:13 +0300 Subject: [PATCH 09/12] wip Signed-off-by: Daniil Loktev --- images/virt-launcher/werf.inc.yaml | 2 ++ 1 file changed, 2 insertions(+) 
diff --git a/images/virt-launcher/werf.inc.yaml b/images/virt-launcher/werf.inc.yaml index 8926586d46..d0515d50ab 100644 --- a/images/virt-launcher/werf.inc.yaml +++ b/images/virt-launcher/werf.inc.yaml @@ -2,6 +2,7 @@ image: {{ .ModuleNamePrefix }}{{ .ImageName }} final: true fromImage: {{ .ModuleNamePrefix }}distroless +fromCacheVersion: "{{ now | date "Mon Jan 2 15:04:05 MST 2006" }}" git: {{- include "image mount points" . }} import: @@ -139,6 +140,7 @@ packages: image: {{ .ModuleNamePrefix }}{{ .ImageName }}-binaries final: false fromImage: {{ .ModuleNamePrefix }}base-alt-p11-binaries +fromCacheVersion: "{{ now | date "Mon Jan 2 15:04:05 MST 2006" }}" git: # Add qemu and virtqemud configs - add: {{ .ModuleDir }}/images/{{ .ImageName }}/configs From 97345741e3ed0b5d3ab918dd04aaf1af8cfe489a Mon Sep 17 00:00:00 2001 From: Daniil Loktev Date: Sat, 28 Mar 2026 01:43:35 +0300 Subject: [PATCH 10/12] wip Signed-off-by: Daniil Loktev --- images/virt-launcher/werf.inc.yaml | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/images/virt-launcher/werf.inc.yaml b/images/virt-launcher/werf.inc.yaml index d0515d50ab..e3a3221af9 100644 --- a/images/virt-launcher/werf.inc.yaml +++ b/images/virt-launcher/werf.inc.yaml @@ -10,10 +10,6 @@ import: add: /relocate to: / after: install - - image: tools/tini-v0.19.0 - add: /usr/bin/tini - to: /usr/bin/tini - after: install imageSpec: config: user: 0 @@ -160,6 +156,10 @@ git: includePaths: - nsswitch.conf import: +- image: tools/tini-v0.19.0 + add: /usr/bin/tini + to: /relocate/usr/bin/tini + before: setup # Libvirt and QEMU libraries and binaries - image: {{ .ModuleNamePrefix }}packages/libvirt add: /libvirt 
@@ -396,6 +396,7 @@ shell: - | setcap cap_net_bind_service=+ep /relocate/usr/bin/virt-launcher-monitor + setcap cap_net_bind_service=+ep /relocate/usr/bin/tini # /etc/libvirt-init will be copied back into /etc/libvirt at runtime. This is necessary because we configure libvirt to mount /etc/libvirt and set readOnlyRootFilesystem for other directories. # DO NOT REMOVE. node-labeler.sh uses /etc/libvirt. From 06c5fe8611ba12c6e0e1a537dd879a320d73280e Mon Sep 17 00:00:00 2001 From: Daniil Loktev Date: Mon, 30 Mar 2026 18:09:57 +0300 Subject: [PATCH 11/12] wip Signed-off-by: Daniil Loktev --- build/components/versions.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/build/components/versions.yml b/build/components/versions.yml index beb156da4b..70581327f4 100644 --- a/build/components/versions.yml +++ b/build/components/versions.yml @@ -3,7 +3,7 @@ firmware: libvirt: v10.9.0 edk2: stable202411 core: - 3p-kubevirt: v1.6.2-v12n.16 + 3p-kubevirt: feat/vm/rootless-virt-launcher 3p-containerized-data-importer: v1.60.3-v12n.16 distribution: 2.8.3 package: From b44b96f34dacfc988b7f925c6530008d62299b5a Mon Sep 17 00:00:00 2001 From: Daniil Loktev Date: Mon, 30 Mar 2026 19:03:36 +0300 Subject: [PATCH 12/12] fix linter errors Signed-off-by: Daniil Loktev --- build/components/versions.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/build/components/versions.yml b/build/components/versions.yml index 70581327f4..0da9757136 100644 --- a/build/components/versions.yml +++ b/build/components/versions.yml @@ -3,7 +3,7 @@ firmware: libvirt: v10.9.0 edk2: stable202411 core: - 3p-kubevirt: feat/vm/rootless-virt-launcher + 3p-kubevirt: feat/vm/rootless-virt-launcher 3p-containerized-data-importer: v1.60.3-v12n.16 distribution: 2.8.3 package:
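Review bot: `setcap cap_net_bind_service=+ep /relocate/usr/bin/tini` in PATCH 10/12 puts a file capability on a generic init wrapper rather than on the program that binds the port, and the hunk does not say why. Under the Linux execve rules, a capability a process gains from its own file attributes is not passed to the child it execs unless it is raised as ambient or the child binary carries its own file capability. `virt-launcher-monitor` already carries one from the line above, so as far as this hunk shows the grant on tini adds privilege without adding function. If tini does need it, a comment like `# tini needs CAP_NET_BIND_SERVICE because <reason>` should say so; otherwise I would drop the line so the grant stays on a single binary. The enclosing `shell:` block starts and ends outside the hunk.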