KDMP backups and restores with KubeVirt VMs
On all SELinux enabled clusters, KubeVirt deviates from the default behavior of setting security context MCS levels on the files. On an OCP cluster, each pod runs with scc.mcs levels that are configured in the project or namespace that it runs in. However, the same is not applicable in the OpenShift Virtualization environment. The virt-launcher pod that spins up the VMs run on their own scc.mcs levels to ensure right protection or isolation is implemented between the VMs running in the same project or namespace.
This behavior of KubeVirt limits the Portworx Backup functionality of volume backup creation through direct KDMP and not through native snapshot class. When direct KDMP backup is triggered, the KDMP pod runs in the project or namespace scc.mcs levels and updates the files of the VM volumes to project or namespace levels during mount.fs phase. This causes the VM to give up its rights on the volume and goes into a paused state. As a workaround, restart the VMs to bring them back to running state.
KDMP backups are not supported in SELinux enabled clusters and on the OpenShift clusters (because SeLinux is enabled by default) with OpenShift Virtualization.
To avoid encountering this scenario or as a workaround, make sure that you:
-
Refrain from taking KDMP (generic) backups of KubeVirt VMs that are in running state that use RWO volumes.
-
Restart the VMs in paused state using
virtctlCLI or Openshift web console if KubeVirt VMs go to paused state due to the backup process, after the backup is successful.
Following table depicts the KDMP backup support compatibility matrix on known StorageClass/provisioner in KubeVirt environment:
| StorageClass/Provisioner | Volume Mode | KDMP backup supported |
|---|---|---|
| Portworx/CSI | RWX | Yes |
| RWO | No | |
| Portworx/non-CSI | RWX | |
| RWO | ||
| Thin CSI/CSI | RWX | |
| RWO | ||
| csi.vsphere.vmware.com | RWX | |
| RWO | ||
| Thin/non CSI | RWX | |
| RWO | ||
| kubernetes.io/vsphere-volume | RWX | |
| RWO | ||
| CephFS/ CSI | RWX | |
| RWO |
Portworx by PureStorage does not recommend initiating a KDMP backup in your KubeVirt VM environment on SeLinux enabled clusters (includes OpenShift Virtualization environments). If there is a need to initiate a KDMP backup for Portworx backed volumes ensure that you have a CSI provisioner with the volume mode configured to ReadWriteMany (RWX). For all other scenarios tabulated above where KDMP backup is not supported, refrain from taking a KDMP backup.