Dynamic Flexvolume plugin discovery proposal.

[verult]

This lays out the design for the improved deployment story of Flexvolume, making it easier to work with out-of-tree volume plugins before CSI comes to fruition.

[verult]

/assign @chakri-nelluri @msau42 @saad-ali
/cc @thockin

[k8s-ci-robot]

@verult: GitHub didn't allow me to assign the following users: chakri-nelluri.

Note that only kubernetes members can be assigned.

In response to this:

/assign @chakri-nelluri @msau42 @saad-ali
/cc @thockin

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[msau42]

/sig storage

[msau42]

nit: split this up into smaller paragraphs to make it easier to read and comment on.

[msau42]

Maybe split this up into steps per persona.

Could you add an example of an image Dockerfile and DaemonSet?

[msau42]

Can you describe exactly "what is desired"

[msau42]

How are failures shown to the user?

[verult]

Not sure what's the best way. I'll add that to Open Questions.

[chakri-nelluri]

Can we use the exit status from Daemonset to notify the error?

[thockin]

I don't understand the "are restored" ? A driver should never ever touch anything that isn't it's own.

The install process, for most drivers, should be:

while true; do 
  if [ -f /flexvolume/myvendor~mydriver/mydriver ]; then
    sleep 60
  else
    mkdir /flexvolume/myvendor~mydriver
    cp -a /mydriver /flexvolume/myvendor~mydriver
  fi
done

[verult]

The model in the current design is the entire Flexvolume directory containing all drivers get replaced, so when a copy fails, the backup of the entire directory is restored.

After moving to the single-driver install model, this will be changed to backing up a single driver instead.

[thockin]

I think the hard line is at "you should never ever touch something you don't own".

[msau42]

Split this up into steps instead of one giant block of text

[msau42]

Who creates this interface?

[msau42]

Maybe also have a section for the public deployment base image.

[msau42]

There are some parts of the volume code that iterate through all the volume plugins. This will also need to deal with synchronization with those calls.

[kokhang]

Also how does this work in conjunction with kubernetes/enhancements#278? It seems that we can utilize the base image to install/add mount tools to be available in the host.

[kokhang]

If the flexvolume implements attach/detach interface, how are you going to extend the controller-manager (assuming you are using a daemonset)?

[verult]

What do you mean by "extend"?

If you are asking how the drivers get deployed through DaemonSet to a master: DaemonSet will add a pod to the master node regardless of whether the node is set to schedulable.

If you are asking how the controller-manager picks up the newly added attach/detach procedures when the driver is replaced: during plugin probe a FlexVolumeAttachablePlugin is created, which replaces the previous plugin. The attachable plugin will enable attach/detach calls from AttachDetachController.

[jsafrane]

DaemonSet will add a pod to the master node

Not all masters run kubelet. E.g. GKE.

[kokhang]

Can we use affinity/placement to target all nodes? Although you would still have issues if new nodes are added to the k8s cluster.

[verult]

That's a good point, I'll add it to the doc. Yes like you said, with Jobs you have to specify how many pods you'd like to see running to completion, which is a problem when new nodes come up.

[kokhang]

I agree. Flexvolume drivers are not something that will be added or modified often.

[thockin]

Why is probe called so often?

[verult]

It's called for every FindPluginBy*(), because currently it iterates through all plugins and errors out when multiple plugins are found. As for why FindPluginBy*() is called often, I don't know. I can only tell that from logs.

[thockin]

we should track that backwards - it is surprising to me.

[verult]

Seems like there are (at least) two reasons:

1. In every DSW populator loop, it's called for volumes of every existing pod, in order to re-associate each pod with its required volumes.

2. Certain volume types are set to constantly remount, triggering a Probe every time the remount occurs.

[verult]

Just to clarify: the containerized mounts feature doesn't install mount utilities on the host directly; rather, it keeps them in a container, and volume plugins need to do a container exec to access them.

The deployment script in this design can be composed with the mount utility container, and the DaemonSet spec here can be combined with the containerized mounts DaemonSet spec. The Flexvolume drivers will have to be able to perform the container execs to access containerized mount utilities, but otherwise it should just work.

[gnufied]

Why does the flexvolume content have to be copied to every pod? Assuming non-containarized kubelet, shouldn't this just be on host?

[verult]

I meant to say every DaemonSet pod. Will clarify.

[gnufied]

if the PluginStub is an instance of PluginProber

I thought both PluginStub and PluginProber were interfaces. Do you mean if plugin in InitPlugins loop is an instance of PluginProber ? I assume all Volume plugins will be instance of PluginStub since it would be the type that would be extended by VolumePlugin.

[gnufied]

okay, so the idea is, each time any function on VolumePluginMgr is executed, we call Probe on plugin and if that returns true we rescan the directories and return with updated plugin list. I am wondering, if we have can simply rescan the directory always whenever a call to VolumePluginMgr is made, that is keep the polling on-demand rather than periodic and we won't need inotify etc hook.

[verult]

Do you mean if plugin in InitPlugins loop is an instance of PluginProber ? I assume all Volume plugins will be instance of PluginStub since it would be the type that would be extended by VolumePlugin.

Yes that's correct. Will clarify.

I am wondering, if we have can simply rescan the directory always whenever a call to VolumePluginMgr is made

This is discussed in Alternative Designs (2).

[liggitt]

it might simplify this proposal to focus it on dynamic discovery of new plugins, and reprobing of plugins from the kubelet/controllermanager, etc. Deployment via daemonset could be one mechanism, but shouldn't be prescriptive.

[chakri-nelluri]

Daemonset has to be privileged to copy the driver.

[php-coder]

@chakri-nelluri Could you clarify which exactly operations require privileged mode?

[verult]

@php-coder Kubelet executes Flexvolume drivers outside the container's namespace, so driver files have to be copied into the hostpath volume in privileged mode.

[liggitt]

in order to add a new driver without removing existing ones, existing drivers must also appear in /flexvolume

that is unexpected. I'd expect a flexvolume deployment to be focused on installing a single driver, e.g. populating one driver under /usr/libexec/kubernetes/kubelet-plugins/volume/exec/<vendor>~<driver>/<driver>

[thockin]

Yeah, I think it has to be possible to install multiple of these

[liggitt]

deployment method should be a separated out of this proposal, IMO. The core need is for kubelet and controller manager to detect and use added flex plugins without restart. If that requirement is met, you can use all sorts of methods for installing/maintaining the drivers.

[thockin]

Agree. We should provide an example. That's all.

[chakri-nelluri]

+1 for this approach.

[chakri-nelluri]

Also, what happens if the probe fails or the plugin fails to initialize?
We might have to document how to revert to an working older version.

[chakri-nelluri]

Please add this is a recommended way. Users are free to innovate :)

[msau42]

We're planning to provide a driver installation mechanism as part of this proposal, but like @liggitt mentioned, it can be separated out.

[thockin]

Yeah, I think it has to be possible to install multiple of these

[thockin]

I don't understand the "are restored" ? A driver should never ever touch anything that isn't it's own.

The install process, for most drivers, should be:

while true; do 
  if [ -f /flexvolume/myvendor~mydriver/mydriver ]; then
    sleep 60
  else
    mkdir /flexvolume/myvendor~mydriver
    cp -a /mydriver /flexvolume/myvendor~mydriver
  fi
done

[thockin]

why use notify, if you are just going to cache the results?

[verult]

This is discussed in Alternative Design (3).

[thockin]

If probe() were called a reasonable amount of times per second, would you reconsider this point? Just trying to bound complexity.

[verult]

Yes definitely. Unfortunately I was seeing bursts of tens of milliseconds between calls. If we change the Find*() logic so that if there's already a match then don't check Flex, then we don't need a watch.

[thockin]

I don't think anything related to flex should leak outside the flex directory. It should just be part of the initial handshake to figure out if each thing is a plugin or a meta-plugin. Meta-plugins are probed later.

[thockin]

Why is probe called so often?

[thockin]

Agree. We should provide an example. That's all.

[jsafrane]

So, mere presence of a new directory means that there is a new flex driver there? File copy is not an atomic operation and it may happen that only part of the driver script was copied there. You should wait until whole driver has been copied there. And big question is how do you recognize that...

IMO, installation of a new driver (or driver update) should be atomic operation on the fs, e.g. link(2).

[thockin]

Jan, excellent point. The only atomic file op is rename, so we should be sure that flex EXPLICITLY ignores files that start with a .. The installer must copy to flex/.../.mydriver and then rename that to mydriver. Let's make this as explicit as possible.

[jsafrane]

That assumes that the driver is a single file. The installer must rename multiple files one by one (and rename does not work well with directories).

I am ok with requiring the driver to be a single file, with no helper scripts around, but it must be clearly defined somewhere in flex documentation and a release note.

[jsafrane]

This is very important question and I'd like to see some answer. Especially kubelet must not ever execute a half-copied driver - running partly copied shell script as root sounds scary to me.

[thockin]

Rename, as described above, should not suffer this problem, I think.

[verult]

Other than the scenario Jan mentioned, there are two other possible bad scenarios:

1. When a driver command is called, part of the driver command is loaded into memory and is being executed. The driver gets modified, and the remaining part of the command (which is new) gets executed. I'm not sure if this could happen.
2. The driver gets modified while the command is read into memory, before execution even occurs. This could definitely happen.

I don't think renaming solves either of these issues. A write should never happen while an execution is underway. Ideally the solution fixes both the issues above and Jan's scenario.

My first thought is a RWLock implementation, but I'd like to avoid locking if possible.

[thockin]

1. should get an ETXTBUSY for the person trying to modify the binary

I don't understand 2?

In any case, rename is atomic. As soon as I open the file descriptor, if anyone renames another file over this file, I still get the old file. It is pinned until I close that fd. Happy to explain more - it's a good trick to have in your toolbox.

[verult]

That's really neat. In that case yes renaming will solve both of these scenarios.

What I tried to describe in (2) is: before the driver gets executed, part of its commands are read into memory, then the remaining commands are modified, and lastly the modified commands are read in.

[thockin]

Rename does work with symlinks, though. It's ugly but doable. mydriver -> .mydriver/mydriver

…

On Wed, Jul 26, 2017 at 10:06 AM, Jan Šafránek ***@***.***> wrote: ***@***.**** commented on this pull request. ------------------------------ In contributors/design-proposals/flexvolume-deployment.md <#833 (comment)>: > + volumeMounts: + - mountPath: /flexmnt + name: flexvolume-mount + volumes: + - name: flexvolume-mount + hostPath: + path: <host_driver_directory> +``` + +### Dynamic Plugin Discovery + +In the volume plugin code, introduce a `PluginStub` interface containing a single method `Init()`, and have `VolumePlugin` extend it. Create a `PluginProber` type which extends `PluginStub` and includes methods `Init()` and `Probe()`. + +`Init()` initializes fsnotify, creates a watch on the driver directory as well as its subdirectories (if any), and spawn a goroutine listening to the signal. When the goroutine receives signal that a new directory is created, create a watch for the directory so that driver changes can be seen. + +`Probe()` scans the driver directory only when the goroutine sets a flag. If the flag is set, return true (indicating that new plugins are available) and the list of plugins. Otherwise, return false and nil. After the scan, the watch is refreshed to include the new list of subdirectories. The goroutine should only record a signal if there has been a 1-second delay since the last signal (see [Security Considerations](#security-considerations)). Because inotify (used by fsnotify) can only be used to watch an existing directory, the goroutine needs to maintain the invariant that the driver directory always exists. That assumes that the driver is a single file. The installer must rename multiple files one by one (and rename does not work well with directories). I am ok with requiring the driver to be a single file, with no helper scripts around, but it must be clearly defined somewhere in flex documentation and a release note. — You are receiving this because your review was requested. Reply to this email directly, view it on GitHub <#833 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AFVgVDz5L99Pw55PF7KMdOgDOOXDpX2Wks5sR3IJgaJpZM4OgFHi> .

[verult]

If we go with the route of having a separate credentials file, then like @jsafrane and @thockin mentioned before, we need to make sure that driver command execution doesn't interleave with driver installation. The deployment script in this proposal assumes there is a single file inside the driver directory.

This problem only comes up if the crendentials file needs to be changed. One solution is to install each file individually (copy to .dot file & rename) rather than installing the entire directory all at once.

By the way, the credentials file doesn't have to have a .dot prefix. The Flexvolume plugin uses the driver directory name to compute the name of the driver file.

[verult]

@kokhang Have you tried using the master IP directly?

/cc @MrHohn

[MrHohn]

I tried doing this but i got an error because the K8S API IP was a in-network service IP and not routable by the host.

Kubernetes service VIP should be routable on the host as well, assuming you have kube-proxy running on the same host?

[kokhang]

@verult @MrHohn How do i know what the master IP is?
I have been testing on Minikube. What i tried was constructing the kubeconfig file using information from the daemonset that contains the flex driver. I tried getting the serviceaccount certs, the kubernetes host and port by doing something similar to https://github.com/kubernetes/client-go/blob/master/rest/config.go#L310.

However on minikube, the IP i get from the KUBERNETES_SERVICE_HOST env is not routable.

[MrHohn]

How do i know what the master IP is?

@kokhang For Minikube, probably try minikube ip.

[liggitt]

How do i know what the master IP is?

@kokhang For Minikube, probably try minikube ip.

The point is that flex plugins need a reliable way to know how to reach the API server. If they have to try to figure out what type of kube deployment they are on, they'll do it inconsistently at best and fail to handle some kube deployments at worst.

In-process volume plugins are given an API client (via the host interface) as part of their Init() call. Passing information about the API server to the flexplugin's init() call seems like a parallel to that. I could see the following possibilities:

• no api server info (kubelet is running in standalone mode)
• full path to a kubeconfig file containing api server address, CA, credentials, etc.

for now, the kubeconfig file could be the same as the one the kubelet uses, but if a need for a separate identity came up in the future, a different kubeconfig could be fed to the plugin

[saad-ali]

We had a productive meeting today.

We identified three problems for the Rook Flex Driver:

1. Discovery of k8s API endpoint by Rook Flex Drive
2. Credentials Rook Flex Driver should use against k8s API endpoint.
3. Discovery of Flex directory that deployment DeamonSet pod should drop the Rook Flex Driver in (since this directory is configurable).

Agreed upon solution:

• Rook has a "proxy" pod deployed as a DeamonSet that proxies calls between the Flex volume driver and the k8s API server. The proxy exposes a Unix Domain Socket via HostPath to the host that the Flex Driver talks to.
  • With this approach, inside the pod, the Rook driver can do DNS lookup (kube DNS) to discover k8s API endpoint in a reliable manner, and it can the pod can run with a service account that has the correct permission to create CRDs.
• Rook will investigate using the node API to read kubelet configz and extract the Flex driver path for kubelets.

Once @verult's dynamic discovery of Flex drivers work is merged, we should add E2E test for Flex to prevent regressions (accidental changes to the Flex API).

[verult]

A PR for e2e Flexvolume test was recently merged and is in the process of being added to the testgrid: kubernetes/kubernetes#48366

Currently it uses kubelet restart. Once dynamic discovery is finished, this can be changed to make the test non-disruptive.

[adelton]

This is the first time DaemonSet was mentioned and it caught me by surprise that it is being referred to as the DaemonSet.

Could the proposal be extended to describe that DaemonSet is expected to be the mechanism to run on every node something which will then copy scripts to the host, before discussing the race condition?

[liggitt]

Or avoid discussing specific deployment mechanisms here and just say "…possibility that a Flexvolume command execution occurs at the same time as the driver is updated…"

[verult]

Updated. Thanks for catching this!

[fabiand]

To me the solution proposed by @jsafrane can provide the same functionality, but

1. aligns better with the mount-utils delivery work
2. does not touch the host, which avoids to keep track of the host sided things

To me these are two pretty strong points.

Just my 2ct

[verult]

I think @jsafrane 's proposal would be a natural evolution of Flex. The dynamic plugin discover work here will build towards that goal, offering the ability to discover unix domain socket on the fly.

[saad-ali]

Merging this.

[saad-ali]

/lgtm

[k8s-github-robot]

Automatic merge from submit-queue