Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Do not make read-only mounts recursively read-only by default (also updates Docker client module to v25) #311

Merged
merged 4 commits into from
Mar 14, 2024
Merged

Do not make read-only mounts recursively read-only by default (also updates Docker client module to v25) #311

merged 4 commits into from
Mar 14, 2024

Conversation

AkihiroSuda
Copy link
Contributor

@AkihiroSuda AkihiroSuda commented Feb 4, 2024
edited

Docker v25 (API v1.44) treats read-only mounts as recursively read-only by default, but this appeared to be too much breaking for Kubernetes.

So cri-dockerd hasto disable RRO by setting BindOptions.ReadOnlyNonRecursive.

Fix #309

Should be merged after:

@AkihiroSuda AkihiroSuda changed the title Use new mount API (github.com/docker/docker/api/types/mount) Do not make read-only mounts recursively read-only Feb 4, 2024
This was referenced Feb 4, 2024
Closed
Merged
@AkihiroSuda AkihiroSuda force-pushed the new-mount-api branch 2 times, most recently from 4097700 to cee26e7 Compare February 4, 2024 11:05
thaJeztah
thaJeztah reviewed Feb 4, 2024
View reviewed changes
core/container_create.go
"github.com/docker/docker/api/types"
dockerbackend "github.com/docker/docker/api/types/backend"
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hm... this feels "wrong". Did we not expose the right options in the API types? I think the backend is not expected to be used externally (should we consider making that internal?).

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe it's expected in cri-dockerd though if it's implementing API and Backend (but I honestly would have to look at how cri-dockerd is implemented). Thought I'd at least leave a comment that this stood out to me.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

dockerbackend.ContainerCreateConfig is used here

cri-dockerd/libdocker/kube_docker_client.go

Lines 143 to 167 in 8ae7a0e

func (d *kubeDockerClient) CreateContainer(
opts dockertypes.ContainerCreateConfig,
) (*dockercontainer.CreateResponse, error) {
ctx, cancel := context.WithTimeout(context.Background(), d.timeout)
defer cancel()
// we provide an explicit default shm size as to not depend on docker daemon.
if opts.HostConfig != nil && opts.HostConfig.ShmSize <= 0 {
opts.HostConfig.ShmSize = defaultShmSize
}
createResp, err := d.client.ContainerCreate(
ctx,
opts.Config,
opts.HostConfig,
opts.NetworkingConfig,
nil,
opts.Name,
)
if ctxErr := contextError(ctx); ctxErr != nil {
return nil, ctxErr
}
if err != nil {
return nil, err
}
return &createResp, nil
}

I guess it is possible to remove this dependency, but it is beyond the topic of this PR.

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, it looks like the client (still) has this awkward signature to pass all those individual structs as separate arguments, but uses a local (non-exported) "ad-hoc" struct to create the equivalent for the request (grouping them in a single struct); https://github.com/moby/moby/blob/e61c425cc283ed85a6a87ab4750b52389aea4021/client/container_create.go#L15-L24

type configWrapper struct {
	*container.Config
	HostConfig       *container.HostConfig
	NetworkingConfig *network.NetworkingConfig
}

// ContainerCreate creates a new container based on the given configuration.
// It can be associated with a name, but it's not mandatory.
func (cli *Client) ContainerCreate(ctx context.Context, config *container.Config, hostConfig *container.HostConfig, networkingConfig *network.NetworkingConfig, platform *ocispec.Platform, containerName string) (container.CreateResponse, error) {
	var response container.CreateResponse

https://github.com/moby/moby/blob/e61c425cc283ed85a6a87ab4750b52389aea4021/client/container_create.go#L75-L81

	body := configWrapper{
		Config:           config,
		HostConfig:       hostConfig,
		NetworkingConfig: networkingConfig,
	}

	serverResp, err := cli.post(ctx, "/containers/create", query, body, **nil)

We should probably consider to either change that signature, and define a CreateOptions struct for the client, or (perhaps) for cri-dockerd to (for now) define a similar struct on its side for the time being

/cc @neersighted

@AkihiroSuda AkihiroSuda marked this pull request as ready for review February 7, 2024 16:49
@AkihiroSuda AkihiroSuda changed the title Do not make read-only mounts recursively read-only Do not make read-only mounts recursively read-only (also updates Docker client module to v25) Feb 7, 2024
@AkihiroSuda AkihiroSuda mentioned this pull request Feb 7, 2024
Closed
@AkihiroSuda
Copy link
Contributor Author

@nwneisen Could you take a look?

nwneisen
nwneisen approved these changes Mar 8, 2024
View reviewed changes
Copy link
Collaborator

@nwneisen nwneisen left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@nwneisen nwneisen mentioned this pull request Mar 8, 2024
Closed
@AkihiroSuda
Copy link
Contributor Author

rebased

@AkihiroSuda AkihiroSuda changed the title Do not make read-only mounts recursively read-only (also updates Docker client module to v25) Do not make read-only mounts recursively read-only by default (also updates Docker client module to v25) Mar 9, 2024
@AkihiroSuda
go mod tidy
77d8e43 
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
@AkihiroSuda
Use new mount API (github.com/docker/docker/api/types/mount)
bf1a9b9 
Depended by issue 309, as `BindOptions.ReadOnlyNonRecursive` has to be
set for using API v1.44 (Docker v25)

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
@AkihiroSuda
go.mod: github.com/docker/docker v25.0.4+incompatible
24a43e2 
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
@AkihiroSuda
Do not make read-only mounts recursively read-only by default
a16ab45 
Docker v25 (API v1.44) treats read-only mounts as recursively read-only by default,
but this appeared to be too much breaking for Kubernetes.

So cri-dockerd has to disable RRO by setting `BindOptions.ReadOnlyNonRecursive`.

Fix issue 309

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
@nwneisen nwneisen merged commit c2e3805 into Mirantis:master Mar 14, 2024
11 checks passed
@neersighted neersighted mentioned this pull request Apr 2, 2024
Open
brandond added a commit to brandond/cri-dockerd that referenced this pull request Apr 10, 2024
@brandond
Revert "Do not make read-only mounts recursively read-only by default…
4d11325 
… (also updates Docker client module to v25) (Mirantis#311)"

This reverts commit c2e3805.
brandond added a commit to brandond/cri-dockerd that referenced this pull request Apr 10, 2024
@brandond
Revert "Do not make read-only mounts recursively read-only by default…
6a85da4 
… (also updates Docker client module to v25) (Mirantis#311)"

This reverts commit c2e3805.
brandond added a commit to brandond/cri-dockerd that referenced this pull request Apr 10, 2024
@brandond
Revert "Do not make read-only mounts recursively read-only by default…
4995f33 
… (also updates Docker client module to v25) (Mirantis#311)"

This reverts commit c2e3805.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@thaJeztah thaJeztah thaJeztah left review comments

@nwneisen nwneisen Awaiting requested review from nwneisen

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
3 participants
@AkihiroSuda @thaJeztah @nwneisen