[libvirt] Allow to initialize virtualization modules

Add init-modules libvirt container which allows to initialize libvirt modules during start. The script is provided via .Values.init_modules.script data structure Change-Id: I9d5c48448b23b6b6cc18d273c9187a0a79db4af9
2024-09-16 14:16:43 +00:00 · 2024-09-16 14:16:43 +00:00 · 865287258a
commit 865287258a
parent ea3c04a7d9
5 changed files with 65 additions and 1 deletions
--- a/libvirt/Chart.yaml
+++ b/libvirt/Chart.yaml
@ -15,7 +15,7 @@ apiVersion: v1
 appVersion: v1.0.0
 description: OpenStack-Helm libvirt
 name: libvirt
-version: 0.1.34
+version: 0.1.35
 home: https://libvirt.org
 sources:
  - https://libvirt.org/git/?p=libvirt.git;a=summary
--- a/libvirt/templates/configmap-bin.yaml
+++ b/libvirt/templates/configmap-bin.yaml
@ -36,4 +36,5 @@ data:
  ceph-admin-keyring.sh: |
 {{ tuple "bin/_ceph-admin-keyring.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
 {{- end }}
+{{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.init_modules.script "key" "libvirt-init-modules.sh") | indent 2 }}
 {{- end }}
--- a/libvirt/templates/daemonset-libvirt.yaml
+++ b/libvirt/templates/daemonset-libvirt.yaml
@ -79,6 +79,27 @@ spec:
      initContainers:
 {{ tuple $envAll "pod_dependency" $mounts_libvirt_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
 {{ dict "envAll" $envAll | include "helm-toolkit.snippets.kubernetes_apparmor_loader_init_container" | indent 8 }}
+{{- if .Values.conf.init_modules.enabled }}
+        - name: libvirt-init-modules
+{{ tuple $envAll "libvirt" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ dict "envAll" $envAll "application" "libvirt" "container" "libvirt_init_modules" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+          terminationMessagePath: /var/log/termination-log
+          command:
+            - /tmp/libvirt-init-modules.sh
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: etc-modprobe-d
+              mountPath: /etc/modprobe.d_host
+            - name: host-rootfs
+              mountPath: /mnt/host-rootfs
+              mountPropagation: HostToContainer
+              readOnly: true
+            - name: libvirt-bin
+              mountPath: /tmp/libvirt-init-modules.sh
+              subPath: libvirt-init-modules.sh
+              readOnly: true
+{{- end }}
 {{- if eq .Values.conf.qemu.vnc_tls "1" }}
        - name: cert-init-vnc
 {{ tuple $envAll "kubectl" | include "helm-toolkit.snippets.image" | indent 10 }}
@ -353,6 +374,13 @@ spec:
        - name: etc-libvirt-qemu
          hostPath:
            path: /etc/libvirt/qemu
+        - name: etc-modprobe-d
+          hostPath:
+            path: /etc/modprobe.d
+        - name: host-rootfs
+          hostPath:
+            path: /
+            type: Directory
 {{ dict "envAll" $envAll "component" "libvirt" "requireSys" true | include "helm-toolkit.snippets.kubernetes_apparmor_volumes" | indent 8 }}
 {{ if $mounts_libvirt.volumes }}{{ toYaml $mounts_libvirt.volumes | indent 8 }}{{ end }}
 {{- end }}
--- a/libvirt/values.yaml
+++ b/libvirt/values.yaml
@ -137,6 +137,34 @@ conf:
      - rdma
      - misc
      - pids
+  init_modules:
+    enabled: false
+    script: |
+      #!/bin/bash
+
+      set -ex
+      export HOME=/tmp
+      KVM_QEMU_CONF_HOST="/etc/modprobe.d_host/qemu-system-x86.conf"
+
+      if [[ ! -f "${KVM_QEMU_CONF_HOST}" ]]; then
+        if grep vmx /proc/cpuinfo; then
+          cat << EOF > ${KVM_QEMU_CONF_HOST}
+      options kvm_intel nested=1
+      options kvm_intel enable_apicv=1
+      options kvm_intel ept=1
+      EOF
+          modprobe -r kvm_intel || true
+          modprobe kvm_intel nested=1
+        elif grep svm /proc/cpuinfo; then
+          cat << EOF > ${KVM_QEMU_CONF_HOST}
+      options kvm_amd nested=1
+      EOF
+          modprobe -r kvm_amd || true
+          modprobe kvm_amd nested=1
+        else
+          echo "Nested virtualization is not supported"
+        fi
+      fi
  vencrypt:
    # Issuer to use for the vencrypt certs.
    issuer:
@ -220,6 +248,12 @@ pod:
          readOnlyRootFilesystem: false
        libvirt_exporter:
          privileged: true
+        libvirt_init_modules:
+          readOnlyRootFilesystem: true
+          privileged: true
+          capabilities:
+            drop:
+              - ALL
  sidecars:
    libvirt_exporter: false

--- a/releasenotes/notes/libvirt.yaml
+++ b/releasenotes/notes/libvirt.yaml
@ -35,4 +35,5 @@ libvirt:
  - 0.1.32 Enable a flag to parse Libvirt Nova metadata in libvirt exporter
  - 0.1.33 Handle cgroupv2 correctly
  - 0.1.34 Remove hugepages creation test
+  - 0.1.35 Allow to initialize virtualization modules
 ...