Make /var/lib/kubelet as shared during startup

[jsafrane]

This is part of kubernetes/community#589 kubernetes/community#659

We'd like kubelet to be able to consume mounts from containers in the future, therefore kubelet should make sure that /var/lib/kubelet has shared mount propagation to be able to see these mounts.

On most distros, root directory is already mounted with shared mount propagation and this code will not do anything. On older distros such as Debian Wheezy, this code detects that /var/lib/kubelet is a directory on / which has private mount propagation and kubelet bind-mounts /var/lib/kubelet as rshared.

Both "regular" linux mounter and NsenterMounter are updated here.

@kubernetes/sig-storage-pr-reviews @kubernetes/sig-node-pr-reviews
@vishh

Release note:

Kubelet re-binds /var/lib/kubelet directory with rshared mount propagation during startup if it is not shared yet.

[jsafrane]

I hope RunKubelet is the right place to do this startup initialization. Feel free to suggest a better one.

[jsafrane]

Answering to myself, setupDataDirs looks like a better place.

[jsafrane]

tested with KUBE_NODE_OS_DISTRIBUTION=gci go run hack/e2e.go -v --up and KUBE_NODE_OS_DISTRIBUTION=debian. The patch does not do anything on GCI and it bind-mounts /var/lib/kubelet on Debian and makes it rshared.

Surprisingly, something already bind-mounts /var/lib/kubelet as shared on GCI even though it's not necessary, / is already shared.

[jsafrane]

@k8s-bot pull-kubernetes-federation-e2e-gce test this

[vishh]

Just a few nits.

[vishh]

nit: Call it MakeRShared to reflect the fact that it shares recursively?

[jsafrane]

Renamed

[vishh]

I wish we could make this a generic utility for reading many kernel APIs that return data more than a page in size.

[jsafrane]

Done (with some refactoring of listProcMounts to use the same function).

[vishh]

Why not use the syscall package? Why exec?

[jsafrane]

huh? syscall.Exec will replace /usr/bin/kulebet in current process with /bin/mount and it won't ever return. We need fork()+exec() and that's exactly what os.Exec does.

[vishh]

https://golang.org/pkg/syscall/#Mount

[jsafrane]

I see. Reworked to use syscall.Mount.

[vishh]

nit: make-rshared

[jsafrane]

fixed

[vishh]

Can you add a test case with /var/lib/kubelet explicitly marked as shared?

[jsafrane]

added a test with /var/lib/foo that is a mount point and is shared.

[jsafrane]

@vishh, thanks for the review, I'll update the PR tomorrow.

I played with this PR and with #41683 to make kubelet mount stuff from containers and it looks like /var/lib/kubelet is not enough and https://github.com/kubernetes/kubernetes/pulls/jsafrane is still needed on machines without systemd. See kubernetes/community#648 for details.

[ncdc]

/unassign
/assign @derekwaynecarr @sjenning

[sjenning]

Doesn't seem like this would work for nsenter mounter i.e. containerized kubelet. The container itself will have already bind mounted /var/lib/kubelet as private. nsentering the host and changing the mount propagation after container start isn't going to change the fact that the containerized kubelet has a private /var/lib/kubelet right?

[sjenning]

not seeing where root is ever used

[vishh]

+1.

[jsafrane]

removed

[sjenning]

I'm also not seeing the code for "if / is already rshared, do nothing". Really the rule should be:

for dir in /var/lib/kubelet /var/lib /var /; do
  if dir exists in mountpoints
    if dir is private; then
      remount /var/lib/kubelet as rshared
    fi
    return
  fi
done

If you get to the end without a remount, it means the /var/lib/kubelet is under / and is reshared already. You only need to remount if /var/lib/kubelet or one of its parents directories is 1) is a mountpoint and 2) is private. I think 😄

[jsafrane]

/retest
#51692

[vishh]

Is a remount flag (MS_REMOUNT) required here?

[jsafrane]

No, remount is not required. mount --make-rshared uses only the fags above as implied by the man page and checked with strace.

[vishh]

I'd like to see a node e2e test that verifies this feature. This may prevent regressions. e2es can land even after code freeze I think.

[jsafrane]

I have e2e test for whole propagation in my queue, waiting for #46444 to merge. And if it runs on wheezy we can be quite sure that this PR works as expected.

[vishh]

/lgtm
/approve

[jsafrane]

/assign @smarterclayton @thockin
for approval. PTAL.

[jsafrane]

/retest

[smarterclayton]

/approve

[jsafrane]

/approve no-issue
(just checking... :-)

[smarterclayton]

/approve no-issue

[k8s-github-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: jsafrane, sjenning, smarterclayton, vishh

Associated issue requirement bypassed by: smarterclayton

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these OWNERS Files:

• pkg/OWNERS [smarterclayton]

You can indicate your approval by writing /approve in a comment
You can cancel your approval by writing /approve cancel in a comment

[fejta-bot]

/retest
This bot automatically retries jobs that failed/flaked on approved PRs (send feedback to @fejta).

Review the full test history for this PR.

[fejta-bot]

/retest
This bot automatically retries jobs that failed/flaked on approved PRs (send feedback to @fejta).

Review the full test history for this PR.

[k8s-github-robot]

/test all [submit-queue is verifying that this PR is safe to merge]

[k8s-github-robot]

Automatic merge from submit-queue

[k8s-ci-robot]

@jsafrane: The following test failed, say /retest to rerun them all:

Test name	Commit	Details	Rerun command
pull-kubernetes-e2e-kops-aws	d950010	link	/test pull-kubernetes-e2e-kops-aws

Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.