feat: Add privileged_client support to VirtualMachineInstance

[rnetser]

Summary

Add explicit privileged_client parameter support across VirtualMachineInstance methods to enable proper RBAC-aware client usage, replacing implicit reliance on self.client for privileged operations.

New public methods (replacing deprecated properties)

• get_virt_launcher_pod(privileged_client=...) — replaces virt_launcher_pod
• get_virt_handler_pod(privileged_client=...) — replaces virt_handler_pod
• get_node(privileged_client=...) — replaces node
• get_xml_dict(privileged_client=...) — replaces xml_dict

Modified methods with privileged_client parameter

• pause, unpause, reset
• get_xml, execute_virsh_command
• get_dommemstat, get_domstate
• wait_until_running
• api_request

New private helpers

• _get_pod_user_uid — extract runAsUser UID from pod security context
• _is_pod_root — check if pod runs as root
• _get_hypervisor_connection_uri — build hypervisor socket URI
• _build_virsh_cmd — construct virsh command list
• _resolve_privileged_client — resolve client with FutureWarning fallback
• _get_subresource_api_url — build subresource API URL with optional client

Deprecation strategy

• FutureWarning when privileged_client is omitted (falls back to self.client)
• DeprecationWarning on old property-based access (virt_launcher_pod, virt_handler_pod, node, xml_dict, etc.)

Consumer PR

• refactor: replace privileged_vmi property with granular methods openshift-virtualization-tests#3847

Summary by CodeRabbit

• New Features

  • Added methods for VM introspection: retrieve XML configuration, DOM state, memory statistics, node information, and execute virsh commands.
  • Support for privileged client context propagation across VM operations.

• Bug Fixes

  • Fixed pause/unpause methods to no longer return wait operation results.

• Deprecations

  • Several VM properties marked as deprecated; migrate to new get_* methods.

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

Walkthrough

Refactored VirtualMachineInstance to add new public methods for virsh operations, XML/DOM state access, and pod retrieval with optional privileged context propagation. Deprecated wrappers maintain backward compatibility. Updated wait_until_running() to support privilege escalation. Modified pause/unpause to not return wait results. Reformatted api_request signature in resource.py.

Changes

Cohort / File(s)	Summary
VirtualMachineInstance virsh and pod operations ocp_resources/virtual_machine_instance.py	Added get_virt_launcher_pod(), get_virt_handler_pod() for pod retrieval; added execute_virsh_command(), get_xml(), get_xml_dict(), get_domstate(), get_dommemstat(), get_node() for virsh/XML operations; added virsh_cmd() and _build_virsh_cmd() for command construction.
VirtualMachineInstance static helpers and deprecation wrappers ocp_resources/virtual_machine_instance.py	Added static methods get_pod_user_uid(), is_pod_root(), get_hypervisor_connection_uri() for pod analysis; created deprecated properties virt_launcher_pod, virt_handler_pod, xml_dict delegating to new get_* methods with backward-compatibility warnings.
VirtualMachineInstance privileged context propagation ocp_resources/virtual_machine_instance.py	Updated wait_until_running() and all virsh/network-access methods to accept optional privileged_client parameter; modified pause()/unpause() to not return wait call results; socket type determination logic added for hypervisor URIs.
Resource signature formatting ocp_resources/resource.py	Reformatted api_request method signature across multiple lines; no behavioral or semantic changes.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes

🚥 Pre-merge checks | ✅ 3 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 56.25% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (3 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately and concisely summarizes the main change: adding privileged_client parameter support to VirtualMachineInstance.
Description check	✅ Passed	The description provides comprehensive coverage of changes including new public methods, modified methods, private helpers, and deprecation strategy, addressing all key aspects of the PR.
Merge Conflict Detection	✅ Passed	✅ No merge conflicts detected when merging into main

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch vm_priv_property

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[redhat-qe-bot2]

Report bugs in Issues

Welcome! 🎉

This pull request will be automatically processed with the following features:

🔄 Automatic Actions

• Reviewer Assignment: Reviewers are automatically assigned based on the OWNERS file in the repository root
• Size Labeling: PR size labels (XS, S, M, L, XL, XXL) are automatically applied based on changes
• Issue Creation: Disabled for this repository
• Branch Labeling: Branch-specific labels are applied to track the target branch
• Auto-verification: Auto-verified users have their PRs automatically marked as verified
• Labels: All label categories are enabled (default configuration)

📋 Available Commands

PR Status Management

• /wip - Mark PR as work in progress (adds WIP: prefix to title)
• /wip cancel - Remove work in progress status
• /hold - Block PR merging (approvers only)
• /hold cancel - Unblock PR merging
• /verified - Mark PR as verified
• /verified cancel - Remove verification status
• /reprocess - Trigger complete PR workflow reprocessing (useful if webhook failed or configuration changed)
• /regenerate-welcome - Regenerate this welcome message

Review & Approval

• /lgtm - Approve changes (looks good to me)
• /approve - Approve PR (approvers only)
• /automerge - Enable automatic merging when all requirements are met (maintainers and approvers only)
• /assign-reviewers - Assign reviewers based on OWNERS file
• /assign-reviewer @username - Assign specific reviewer
• /check-can-merge - Check if PR meets merge requirements

Testing & Validation

• /retest tox - Run Python test suite with tox
• /retest python-module-install - Test Python package installation
• /retest conventional-title - Validate commit message format
• /retest all - Run all available tests

Cherry-pick Operations

• /cherry-pick <branch> - Schedule cherry-pick to target branch when PR is merged
  • Multiple branches: /cherry-pick branch1 branch2 branch3

Label Management

• /<label-name> - Add a label to the PR
• /<label-name> cancel - Remove a label from the PR

✅ Merge Requirements

This PR will be automatically approved when the following conditions are met:

1. Approval: /approve from at least one approver
2. LGTM Count: Minimum 0 /lgtm from reviewers
3. Status Checks: All required status checks must pass
4. No Blockers: No WIP, hold, conflict labels
5. Verified: PR must be marked as verified (if verification is enabled)

📊 Review Process

Approvers and Reviewers

Approvers:

• myakove
• rnetser

Reviewers:

• myakove
• rnetser

Available Labels

• hold
• verified
• wip
• lgtm
• approve
• automerge

💡 Tips

• WIP Status: Use /wip when your PR is not ready for review
• Verification: The verified label is automatically removed on each new commit
• Cherry-picking: Cherry-pick labels are processed when the PR is merged
• Permission Levels: Some commands require approver permissions
• Auto-verified Users: Certain users have automatic verification and merge privileges

For more information, please refer to the project documentation or contact the maintainers.

[rnetser]

/verified

[coderabbitai]

Actionable comments posted: 2

🤖 Fix all issues with AI agents

In `@ocp_resources/virtual_machine_instance.py`:
- Around line 574-596: _get_pod_user_uid is annotated as returning int but can
be None when spec.securityContext.runAsUser is unset, causing _is_pod_root to
misidentify pods as root; change _get_pod_user_uid's type hint to Optional[int]
(or at least allow None) and update _is_pod_root to explicitly check for UID ==
0 (return True only when _get_pod_user_uid(pod) == 0) and otherwise return
False, so absent runAsUser is treated as non-root; refer to
VirtualMachineInstance._get_pod_user_uid, VirtualMachineInstance._is_pod_root,
and Pod.instance.spec.securityContext.runAsUser when making the change.
- Around line 333-363: The current calls to api_request in pause/unpause/reset
always pass the resolved _client, causing api_request to always take the
privileged path; change those calls to pass the original privileged_client
parameter (not _client) so api_request can choose the non-privileged code path
when privileged_client is omitted (i.e., use privileged_client=privileged_client
in the api_request call inside pause, unpause, and reset). Optionally add a
one-line method comment on pause/unpause/reset documenting this deprecation
transition if you want to clarify intent.

🧹 Nitpick comments (1)

ocp_resources/virtual_machine_instance.py (1)

476-484: Consider self.logger.exception() for the error-path diagnostics (Ruff TRY400).

Lines 477-479 use self.logger.error() inside an except block. While the exception is re-raised, using self.logger.exception() (at least for the first call) would automatically attach the traceback to the log output, aiding debugging.

[rnetser]

/verifierd

[rnetser]

/verified

[rnetser]

/verified

[rnetser]

/verified

[rnetser]

/verified

[myakove]

/lgtm
/approve