Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
agent: watcher: fixes to make more robust
inotify/watchable-mount changes... - Allow up to 16 files. It isn't that uncommon to have 3 files in a secret. In Kubernetes, this results in 9 files in the mount (the presented files, which are symlinks to the latest files, which are symlinks to actual files which are in a seperate hidden directoy on the mount). Bumping from eight to 16 will help ensure we can support "most" secret/tokens, and is still a pretty small number to scan... - Now we will only replace the watched storage with a bindmount if we observe that there are too many files or if its too large. Since the scanning/updating is racy, we should expect that we'll occassionally run into errors (ie, a file deleted between scan / update). Rather than stopping and making a bind mount, continue updating, as the changes will be updated the next time check is called for that entry (every 2 seconds today). To facilitate the 'oversized' handling, we create specific errors for too large or too many files, and handle these specific errors when scanning the storage entry. - When handling an oversided mount, do not remove the prior files -- we'll just overwrite them with the bindmount. This'll help avoid the files disappearing from the user, avoid racy cleanup and simplifies the flow. Similarly, only mark it as a non-watched storage device after the bindmount is created successfully. - When creating bind mount, make sure destination exists. If we hadn't had a successful scan before, this wouldn't exist and the mount would fail. Update logic and unit test to cover this. - In several spots, we were returning when there was an error (both in scan and update). For update case, let's just log an warning and continue; since the scan/update is racy, we should expect that we'll have transient errors which should resolve the next time the watcher runs. Fixes: #2402 Signed-off-by: Eric Ernst <eric_ernst@apple.com>
- Loading branch information