From 8fd9ae1cd3ba515babac6e9669e3616bcef75d13 Mon Sep 17 00:00:00 2001
From: Codex
Date: Fri, 8 May 2026 18:54:36 -0500
Subject: [PATCH] =?UTF-8?q?fix(ci1):=20revert=20NFS=20Path=20B=20+=20flip?=
 =?UTF-8?q?=20ISO=20cdrom=20bus=20sata=E2=86=92scsi?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

NFS Path B (commit fc2aca0) failed at storage layer: Synology export
`/volume1/ISOs` denies non-root client UIDs at the directory level.
qemu uid 107 cannot `ls /iso/` even though disk.img is mode 0777.

Diagnosed via uid-107 + uid-0 busybox probe pods on rke2-agent2:
- libvirt error: "Cannot access storage file ... Permission denied"
  (virStorageSourceReportBrokenChain:1281, virError Code=38 Domain=18)
- uid 107 pod: "ls: can't open '/iso/': Permission denied"
- uid 0 pod (same mount): "drwxrwxrwx 1 root root 16 ... disk.img"
- SELinux Enforcing + virt_use_nfs=on, no AVC denials → not SELinux
- File mode 0777 with owner 107:107 → not POSIX

Same export-only-root pattern as `/volume1/kubernetes`.
Memory: feedback_synology_iso_export_root_only_uid_107_denied.md

Existing CDI-uploaded Longhorn PVC `windows-server-2025-iso` (10Gi
Filesystem mode) verified to contain valid ISO bytes readable by uid
107 (mode 0660 root:107, 9.85 GB sparse, 8.27 GB blocks ≈ original
7.7 GB ISO). Reverting to it.

The original OVMF SATA-CDROM read timeout that drove yesterday's NFS
pivot is now addressed by `cdrom: bus: scsi` (virtio-scsi has a longer
read window than the IDE/SATA emulator). Per user-prompt diagnostic
chain Step 5.

NFS PVC + PV (apps/kubevirt-vms/win2025-iso-nfs-pv.yaml) RETAINED so
Path B state is recoverable; can be pruned in follow-up once SCSI boot
is proven.

Co-Authored-By: Claude Opus 4.7 (1M context)
---
 apps/kubevirt-vms/ci1.yaml | 35 ++++++++++++++++++++++++-----------
 1 file changed, 24 insertions(+), 11 deletions(-)

diff --git a/apps/kubevirt-vms/ci1.yaml b/apps/kubevirt-vms/ci1.yaml
index 2a1b7e3..2575aa4 100644
--- a/apps/kubevirt-vms/ci1.yaml +++ b/apps/kubevirt-vms/ci1.yaml @@ -396,10 +396,15 @@ spec: # Confirmed via debug pod: PVC content IS a real bootable ISO9660 # (file: "ISO 9660 CD-ROM filesystem data ... (bootable)"), so the # only bug was boot priority. + # 2026-05-08 PM: cdrom bus flipped sata→scsi for windows-iso to address + # the OVMF SATA-CDROM read timeout (`BdsDxe: failed to start Boot0001 ... + # Time out`). The SCSI CDROM uses virtio-scsi controller which has a + # longer read window and works cleanly on Filesystem-backed PVCs. + # See diagnostic chain in HANDOFF.md / CODEX-STATUS.md "OPEN — ci1". - name: windows-iso bootOrder: 1 cdrom: - bus: sata + bus: scsi - name: rootdisk bootOrder: 2 disk: 
@@ -430,17 +435,25 @@ spec: persistentVolumeClaim: claimName: ci1-rootdisk - name: windows-iso - # Path B (2026-05-08): mount ISO from Synology NFS instead of - # Longhorn Filesystem PVC. The Filesystem-PVC path was confirmed to - # contain a valid bootable ISO9660 image but caused OVMF's - # SATA-CDROM read window to time out: - # BdsDxe: failed to start Boot0001 ... Time out - # Block-mode DataVolume was attempted as Path A but blocked by CDI - # v1.65.0's upload pod capability drop. NFS-mounted ISO bypasses - # both issues. See win2025-iso-nfs-pv.yaml header for full rationale - # and Synology layout. + # 2026-05-08 PM: REVERTED from NFS Path B back to the original CDI + # Longhorn Filesystem PVC. NFS Path B (commit fc2aca0) failed at the + # storage layer because the Synology export `/volume1/ISOs` denies + # non-root client UIDs at the directory level (qemu uid 107 cannot + # `ls /iso/` even with file mode 0777). Confirmed via uid-107 + + # uid-0 busybox probe pods on rke2-agent2 — same export-only-root + # pattern as `/volume1/kubernetes` documented in + # `feedback_synology_nfs_kubernetes_export_root_only`. Memory: + # `feedback_synology_iso_export_root_only_uid_107_denied.md`. + # + # The Longhorn PVC `windows-server-2025-iso` (CDI Filesystem mode, + # 10Gi) was confirmed to contain valid ISO bytes that uid 107 CAN + # read (mode 0660 root:107). The OVMF SATA-CDROM read timeout from + # the original Path A is now addressed by the `bus: scsi` swap on + # the disks block above. The NFS PVC + PV are RETAINED on disk so + # the Path B state is recoverable; they can be pruned in a + # follow-up commit once SCSI boot is proven. persistentVolumeClaim: - claimName: windows-server-2025-iso-nfs + claimName: windows-server-2025-iso - name: virtio-drivers containerDisk: # Pinned to v1.8.2 (latest stable as of 2026-05-08).
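Review bot: In the first hunk (the disks block), the new comment above `- name: windows-iso` says the SCSI CDROM "works cleanly on Filesystem-backed PVCs", while the commit message keeps the NFS PVC + PV around until "SCSI boot is proven", so the comment records an untested expectation as a result. Suggest wording it as expected behaviour (for example "expected to avoid the read timeout") and updating it once a boot has succeeded. Because the comment also says this CDROM now sits behind the virtio-scsi controller, please confirm that Windows Setup can still read the install media after OVMF hands off, and note in the comment whether the `virtio-drivers` disk is required for that. The pointer to an open section of HANDOFF.md / CODEX-STATUS.md will go stale when that item closes; a commit hash or issue reference would last longer.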
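Review bot: In the second hunk (the `windows-iso` volume), the new comment's "The OVMF SATA-CDROM read timeout from the original Path A" contradicts the comment it replaces, which attributes the timeout to the Longhorn Filesystem-PVC path and describes Path A as the Block-mode DataVolume attempt that was blocked by CDI v1.65.0's upload pod capability drop. Suggest "from the original Filesystem-PVC path" and keeping one line about the Path A blocker, since this hunk deletes the only record of it in this file. "RETAINED on disk" is also ambiguous: the commit message refers to the manifest `apps/kubevirt-vms/win2025-iso-nfs-pv.yaml` staying in the repo, so name that file here. The two `feedback_synology_...` memory references are not paths a reader of this repo can resolve; either link them or fold the one-line finding (export denies non-root UIDs at the directory level) into the comment and drop the names.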