flexvolume prober: trigger plugin init only for the relevant plugin

[linyouchong]

What this PR does / why we need it:
The automatic discovery trigger init only to the specific plugin directory that was updated, and not to all the plugins in the flexvolume plugin directory.

Which issue(s) this PR fixes (optional, in fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when PR gets merged):
Fixes #58352

Special notes for your reviewer:
NONE

Release note:

flexvolume: trigger plugin init only for the relevant plugin while probe

[linyouchong]

/sig storage
@verult PTAL

[verult]

/ok-to-test

[verult]

Thanks a lot for the PR! My biggest concern is around how plugins are instantiated and how Probe() is implemented.

Probe() is called by the volume plugin manager to discover Flexvolume plugins, so the bulk of probing logic should be in here. Most of the heavy-lifting involving file operations should be in Probe(). This includes things like scanning the plugin directory and instantiating a probed plugin (NewFlexVolumePlugin() calls Init() on the Flexvolume driver, which ultimately executes the driver file and can take arbitrarily long depending on driver implementation). On the other hand, filesystem watcher handler should be kept fast, and I provided some justifications inline with the handler code.

[verult]

Is this necessary?

[linyouchong]

if Op is Remove, PluginName will be set, and Plugin is nil

[verult]

Name should be more specific. Maybe "ProbeOperation"?

[verult]

nit: Prefer to keep Flex probing-related constructs close to the DynamicPluginProber interface.

[verult]

Parameter name should be more specific, maybe ProbeAddOrUpdate

[verult]

This check isn't necessary

[verult]

I'd advise against modifying a map while iterating over it.

[linyouchong]

I think it is safe to do this in golang.
https://stackoverflow.com/questions/23229975/is-it-safe-to-remove-selected-keys-from-golang-map-within-a-range-loop

[verult]

Why is rate limiting removed?

[linyouchong]

for two reasons:

1. watchEventInterval is used in func updateProbeNeeded(), but probeNeeded is removed
2. In my approach, we can't miss any event, because probe() will not scan the whole pluginDir except the first time it is invoked

[verult]

Rate limiting is still necessary to prevent a malicious actor from overwhelming controller-manager / kubelet with frequent probes. For example, someone could constantly write to a dummy file inside a driver directory and cause every Probe() call to scan that directory. It's designed to drop events exceeding the quota.

But since the rate limiting logic would be quite different with this change, we could add it in a separate PR and remove it here for the time being.

[linyouchong]

I thought for a long time, and couldn't find any remedy after missing some event. I think we only need to consider the normal situation, malicious attacks as a security issue should be resolved from a higher level.

[verult]

Plugin should not be initialized inside the filesystem watch handler, for two reasons:

1. The handler has to be very light, and ideally it only provides a status update for the main Probe() goroutine to process. A heavy handler delays the processing of inotify events.
2. Typically multiple inotify events are triggered when a file is created or modified. This will cause a driver to be initialized multiple times.

[linyouchong]

@verult fixed, PTAL

[verult]

The bulk of the logic is good. Three themes in my comments:

• If there's a file change in any of the subdirectories of a driver directory (regardless of how nested it is), the driver should be re-initialized
• Keep locking to a minimum
• More unit tests for new functionality

[verult]

nit: Consider logging an error if event.Op is not matched.

[verult]

Is event.Plugin going to be nil? If so, please also include comments in the ProbeEvent struct describing this behavior for remove events

[verult]

Could you add some test cases / assertions for existing test cases to make sure the events are correct?

[verult]

Rate limiting is still necessary to prevent a malicious actor from overwhelming controller-manager / kubelet with frequent probes. For example, someone could constantly write to a dummy file inside a driver directory and cause every Probe() call to scan that directory. It's designed to drop events exceeding the quota.

But since the rate limiting logic would be quite different with this change, we could add it in a separate PR and remove it here for the time being.

[verult]

Keep locking to a minimum. Currently the filesystem watcher would block waiting for a probe to finish, which is unnecessary. I recommend separating all map and probeAllNeed operations into separate functions and only lock in those functions.

[verult]

I'd recommend separating out the logic here to a function, too

[verult]

I think it's safer to include Chmod as well, i.e. everything besides Remove

[verult]

If anything inside a driver directory changes, even if it's many levels of subdirectories in, the driver should re-initialize. With your logic, newly added subdirectories inside a driver directory won't be watched. I believe the existing logic already works, please correct me if I'm wrong.

[linyouchong]

Yes, you are right.

[verult]

Comment no longer applies

[verult]

Shouldn't it be 1, since it's the same driver?

[linyouchong]

initTestEnvironment(t) create one driver

[linyouchong]

@verult Thank you very much for your reviews, I learned a lot.
I have fixed them, and PTAL!

[shay-berman]

Hello

what is the status of this PR?
on which k8s version its going to be merged?

thanks

[verult]

Sorry I haven't had the chance to review it; will get to it soon. The current plan is to cherry-pick this back to all PRs since dynamic plugin discovery was introduced, which I believe was 1.8.

[verult]

The unit tests are great, most of the logic looks good

[verult]

"should return 0 event"

[linyouchong]

fixed

[verult]

Is testAndSetProbeAllNeeded() still necessary? Init() and Probe() are never executed at the same time

[linyouchong]

I try to remove testAndSetProbeNeeded, but pull-kubernetes-bazel-test complaints race detected during execution of test

[verult]

OK, I'm guessing it's because updateEventMap() reads probeAllNeeded.

[verult]

I think locking the entire map is OK for now. In the future I'd like to use something like a concurrent map, where only operations on individual elements are locked, rather than the entire map. If you could leave a TODO that'd help a lot.

Locking the entire map will delay other inotify events from being processed.

[linyouchong]

TODO added

[verult]

Why is this check necessary? Upon prober initialization and every time the pluginDir is recreated, a recursive watch is added in all of pluginDir

[linyouchong]

If a driver directory is created under pluginDir after prober initialization, I think we should add a watch, according to the original code: https://github.com/kubernetes/kubernetes/blob/master/pkg/volume/flexvolume/probe.go#L146

[verult]

But it already does without this check: the check at line 193 (if eventOpIs(event, fsnotify.Create)) applies for a newly created driver directory, since the pluginDir is always under watch.

[linyouchong]

oh ,got it !

[verult]

What about strings.Split(eventRelPathToPluginDir, os.PathSeparator)[0]?

[linyouchong]

good idea!

[verult]

I don't think this check is necessary - pluginDirAbs always exists

[linyouchong]

Yes, the check will be removed

[verult]

nit: Could you separate the logic to compute the path to the executable in a separate helper function? Easier to read that way

[linyouchong]

done!

[verult]

I'm surprised op isn't ProbeAddOrUpdate, because the driverPath event is triggered last. If this is the case, maybe delete the executable, probe and test, delete the driver dir and probe again

[linyouchong]

driverPath event handling returns fast, and will not trigger updateEventsMap
https://github.com/linyouchong/kubernetes/blob/0c4d0421bd693a4a28bbb9f72091ca6bd4368ce0/pkg/volume/flexvolume/probe.go#L189

if parentPathAbs == pluginDirAbs {
......................
return nil
}

[verult]

Gotcha. What if the driver directory gets renamed? The plugin name would change so we'd want to trigger an ProbeAddOrUpdate event. IMO it's safer to not return fast, what do you think?

[linyouchong]

I think we should trigger ProbeRemove event in 2 cases:

1. The driverDir is removed
2. The driver executable is removed
   other case we should trigger ProbeAddOrUpdate event

[verult]

I'm OK with either this or the previous logic (only trigger ProbeRemove when executable is removed). If the dir is removed, the executable will be removed too. This logic would trigger two ProbeRemove events, which is OK.

[verult]

nit: It's not necessary to test functions written in the test

[verult]

Thanks for adding this test!

[verult]

nit: You could also do the join here and return the abs path :)

[linyouchong]

Done!
PTAL

[verult]

/lgtm

PTAL @chakri-nelluri @jingxu97

@linyouchong we'll eventually need an e2e test to test the driver isolation behavior (here). If you are interested, it'd be very helpful to add it either here or as a separate PR.

[linyouchong]

@verult I will add an e2e test as a separate PR.
Does this PR need to be squash?

[verult]

Sounds good, and yes please squash the commits. Thanks!

[verult]

/lgtm

[verult]

/assign @thockin
for review of pkg/volume/plugins.go

[thockin]

/approve

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: linyouchong, thockin, verult

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• pkg/volume/OWNERS [thockin]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[k8s-github-robot]

Automatic merge from submit-queue (batch tested with PRs 60073, 58519, 61860). If you want to cherry-pick this change to another branch, please follow the instructions here.

[verult]

@linyouchong after the e2e test is added, please cherry-pick this to 1.8, 1.9, 1.10 as well (instructions here)

[linyouchong]

@verult ok, I am working on it

[shay-berman]

thanks for fixing this issue
i guess it will be part of k8s v1.11?

btw is the fix relevant only for flexvolume plugins or its generic for all plugins?

[verult]

Yep it'll be part of 1.11. @linyouchong any update on the e2e tests?

This is only relevant for Flexvolume - other plugins don't have a filesystem watch for scanning plugins

[linyouchong]

@verult I am very sorry for the delay, for some reason, I can't commit my test code right now.
May be one or two weeks later.

[verult]

No problem, thanks for the update!

[linyouchong]

@verult, e2e test is added, PTAL
#66206