New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fix issue in evaluating symlink path for subpath #93707
Conversation
/test pull-kubernetes-e2e-windows-gce |
1 similar comment
/test pull-kubernetes-e2e-windows-gce |
/test pull-kubernetes-e2e-windows-gce |
2 similar comments
/test pull-kubernetes-e2e-windows-gce |
/test pull-kubernetes-e2e-windows-gce |
cc @msau42 |
/retest |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
IIUC, since Get-Item isn't returning the proper path, we check until we find a parent directory that resolves correctly, and then append the rest of the path back. But doesn't this basically bypass the symlink resolution/verification?
@@ -62,6 +62,32 @@ func evalPath(path string) (linkedPath string, err error) { | |||
if isVolumePrefix(linkedPath) { | |||
return path, err | |||
} | |||
// The following is a workaround solution for issue https://github.com/kubernetes/kubernetes/issues/93759 | |||
if _, err = os.Lstat(linkedPath); err != nil { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should we specifically look for not exists error?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What happens if the linkedPath really does exist because of name collision between the directory name of the subpath and a real directory in the system? For example, your subpath was "/var/lib/kubelet/..../volumes/x/programs", and "C://programs" actually does exist?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
In that case, the following check will fail
if !mount.PathWithinBase(currentFullPath, volumePath) {
errorResult = fmt.Errorf("SubPath %q not within volume path %q", currentFullPath, volumePath)
break
}
https://github.com/kubernetes/kubernetes/blob/feaaf468ed83e214dd12a7d3c4fbf5177165c405/pkg/volume/util/subpath/subpath_windows.go#L170
/test pull-kubernetes-e2e-windows-gce |
1 similar comment
/test pull-kubernetes-e2e-windows-gce |
I think I didn't change the original flow. Basically instead of using a power shell command (which might take some time to execute), here use a few more commands to get the path. Even if user change symlink during or after this process, we only allow subpath which is under base path. The lock is implemented after we eval the subpath ?
|
My understanding is that we skip evaluating the parts of the path that don't resolve correctly, which means that the path that gets returned from this function could still contain symlinks? |
/test pull-kubernetes-e2e-windows-gce |
This PR tries to fix issue kubernetes#93759
/test pull-kubernetes-e2e-windows-gce |
/retest |
/retest |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
/lgtm
/approve
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: andyzhangx, jingxu97 The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
/priority important-soon |
/retest Review the full test history for this PR. Silence the bot with an |
3 similar comments
/retest Review the full test history for this PR. Silence the bot with an |
/retest Review the full test history for this PR. Silence the bot with an |
/retest Review the full test history for this PR. Silence the bot with an |
should consider to cherrypick to 1.18 |
After removing driver letter assignment during disk partition and formatting, we found an issue that golang filepath.EvalSymlnik no longer works. See bug golang/go#39786
We had used a simple powershell command (get-item -path %p).Target to get the symlink, but it does not address all the cases. If there is a subpath under symlink, this command does not resolve upper path symlink. During evaluating symlink, we need to make sure the returned target path does not contain any symlink.
This PR tries to recursively resolve symlink in the path until it checking all intermediate dirs.
What type of PR is this?
What this PR does / why we need it:
Which issue(s) this PR fixes:
Fixes #
Special notes for your reviewer:
Does this PR introduce a user-facing change?:
Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.: