-
Notifications
You must be signed in to change notification settings - Fork 38.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Use pod + nsenter instead of SSH in mount propagation tests #82424
Use pod + nsenter instead of SSH in mount propagation tests #82424
Conversation
0fcade4
to
633bcea
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
/assign @tallclair
/test pull-kubernetes-integration
/lgtm
This looks good to me, but would love an additional pair of eyes from the approver.
@@ -102,8 +105,8 @@ var _ = SIGDescribe("Mount propagation", func() { | |||
// running in parallel. | |||
hostDir := "/var/lib/kubelet/" + f.Namespace.Name | |||
defer func() { | |||
cleanCmd := fmt.Sprintf("sudo rm -rf %q", hostDir) | |||
e2essh.IssueSSHCommand(cleanCmd, framework.TestContext.Provider, node) | |||
cleanCmd := fmt.Sprintf("rm -rf %q", hostDir) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
For my own understanding, can you share why we no longer need to use sudo?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
we're definitely root now (the pod is root)
/cc |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
A couple questions about generalizing this, but otherwise lgtm
@@ -85,6 +85,9 @@ var _ = SIGDescribe("Mount propagation", func() { | |||
// tmpfs to a subdirectory there. We check that these mounts are | |||
// propagated to the right places. | |||
|
|||
hostExec := utils.NewHostExec(f) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Just an observation for generalizing this - I think the hostexec pod should set hostNetwork
, hostIPC
, and hostPID
to true
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It depends how far do we want to go.
For storage, we're fine if the host exec pod does nsenter to host mount namespace, so we can check mounts and what's in /var/lib/kubelet without potential mount propagation hiccups.
Do we have tests that actually need host pid or network namespace? Would it be better to add them to nsenter command line instead?
kubernetes/test/e2e/storage/utils/host_exec.go
Lines 96 to 106 in 5262633
args := []string{ | |
"exec", | |
fmt.Sprintf("--namespace=%v", pod.Namespace), | |
pod.Name, | |
"--", | |
"nsenter", | |
"--mount=/rootfs/proc/1/ns/mnt", | |
"--", | |
"sh", | |
"-c", | |
cmd, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
[I think we can leave generalizing for a follow up] ?
@@ -102,8 +105,8 @@ var _ = SIGDescribe("Mount propagation", func() { | |||
// running in parallel. | |||
hostDir := "/var/lib/kubelet/" + f.Namespace.Name | |||
defer func() { | |||
cleanCmd := fmt.Sprintf("sudo rm -rf %q", hostDir) | |||
e2essh.IssueSSHCommand(cleanCmd, framework.TestContext.Provider, node) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should we remove e2essh.IssueSSHCommand
, or just have it call hostexec under the hood?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think that most tests that use ssh should move to hostexec, however, there may be some that need real ssh.
What does kubectl exec <hostesxec pod> nsenter [...] systemctl restart kubelet
do when kubelet is restarted in the middle of kubectl exec? Our disruptive tests do that. systemctl restart
(in host mount namespace) should work, it writes to a socket and it reaches the real systemd on the host. I am not sure about the kubectl exec
part and interrupted connection to kubelet.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'd assume just like real SSH we will need to handle re-connect?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yeah, there are solutions, but they are far more risky than good old ssh. I'd prefer gradual move to hostexec
.
/priority important-longterm thanks for doing this |
633bcea
to
d659e11
Compare
rebased |
/lgtm |
/approve |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: BenTheElder, jsafrane The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
@BenTheElder @tallclair, can ve move forward with this PR? Or do you insist on generalization? |
I would like to move forward and follow on with generalization later. If this pattern works well for some tests it would be great to move everything over but we shouldn't block on that. |
/hold cancel |
@BenTheElder: The label(s) In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
/retest Review the full test history for this PR. Silence the bot with an |
1 similar comment
/retest Review the full test history for this PR. Silence the bot with an |
Not all Kubernetes clusters allow ssh to nodes during test.
d659e11
to
5dba3cb
Compare
rebased |
5dba3cb
to
0c3293a
Compare
/lgtm |
Not all Kubernetes clusters allow ssh to nodes during test.
What type of PR is this?
/kind cleanup
Does this PR introduce a user-facing change?:
Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.:
/sig storage
/sig node
cc @msau42 @derekwaynecarr, PTAL