Containerized subpath

[jsafrane]

What this PR does / why we need it:
Containerized kubelet needs a different implementation of PrepareSafeSubpath than kubelet running directly on the host.

On the host we safely open the subpath and then bind-mount /proc/<pidof kubelet>/fd/<descriptor of opened subpath>.

With kubelet running in a container, /proc/xxx/fd/yy on the host contains path that works only inside the container, i.e. /rootfs/path/to/subpath and thus any bind-mount on the host fails.

Solution:

• safely open the subpath and gets its device ID and inode number
• blindly bind-mount the subpath to /var/lib/kubelet/pods/<uid>/volume-subpaths/<name of container>/<id of mount>. This is potentially unsafe, because user can change the subpath source to a link to a bad place (say /run/docker.sock) just before the bind-mount.
• get device ID and inode number of the destination. Typical users can't modify this file, as it lies on /var/lib/kubelet on the host.
• compare these device IDs and inode numbers.

Which issue(s) this PR fixes
Fixes #61456

Special notes for your reviewer:

The PR contains some refactoring of doBindSubPath to extract the common code. New doNsEnterBindSubPath is added for the nsenter related parts.

Release note:

NONE

[jsafrane]

/test pull-kubernetes-cross
Calling explicitly to check Windows mounter

[jsafrane]

/sig storage
@msau42 PTAL
@cofyc, you've played with nsenter recently, would you mind taking a look?

BTW, we need real unit test for whole nsenter mounter.

[msau42]

/assign

[msau42]

returns the path name on the host

[msau42]

Instead of exposing KubeletPath as an interface, would it be better to expose Lstat as an interface, and have EvalSymlinks return container path?

[jsafrane]

Actually the code here is wrong. It resolves any symlinks in the hostPath in kubelet, which is not possible.

And that's Lstat is not easy - we need to resolve the symlinks on the host and then do os.Lstat("/rootfs/" + resolved_path) in kubelet

[jsafrane]

Fixed by some refactoring.

[jsafrane]

Pushed 2nd version.

kubelet_pods.go now passes all paths as paths on the host to mounter and mounter translates them by itself when it's needed.

I changed semantics of SafeMakeDir
from SafeMakeDir(*fullPath* string, base string, perm os.FileMode)
to SafeMakeDir(*subdirectoryInBase* string, base string, perm os.FileMode)
to simplify its implementation a bit.

@andyzhangx, I touched the Windows part a bit, please review.

[jsafrane]

@kubernetes/sig-storage-pr-reviews, any review is highly appreciated, we don't want more regressions in subpath!

[msau42]

Does this need to be public?

[jsafrane]

It does not need to be public if we introduce Nsenter.HostPath() as in https://github.com/kubernetes/kubernetes/pull/62903/files#diff-f6ffeca7a3b942208d644eaa4ec99642R129

[msau42]

I only see it being used in this file.

[msau42]

Does windows not need to eval symlinks?

[jsafrane]

good catch, fixed

[msau42]

Cleanup

[jsafrane]

Cleaned up

[msau42]

what was wrong with mounter.Lstat()?

[jsafrane]

Reworked mounter.Lstat() to return NotExist when the target does not exist (it returned some indistinguishable error before).

[msau42]

does this mean existing deployments will break if they upgrade to this fix and don't change this setting?

Previously, safemkdir still worked for non-hostpath types because it uses /var/lib/kubelet/.... instead of /rootfs/var/lib/kubelet

[jsafrane]

That's right, it will break.

I could pass podDir into SafeMakeDir() as a new parameter. NsenterMounter.SafeMakeDir could then check if the directory to create is subdir of podDir and add /rootfs only when it's not.

Any better ideas?

[jsafrane]

I added a new argument to NewNsenterMounter so the mounter knows what's location of /var/lib/kubelet and can do a shortcut in SafeMakeDir. That was the easiest way I could find out. PTAL.

[jsafrane]

And I removed changes in hack/local-up-cluster.sh

[msau42]

Do the paths need to be cleaned?

[jsafrane]

Added to doSafeMakeDir, just to be sure.

[msau42]

Add comment this is also used by nsenter

[jsafrane]

Comment added

[msau42]

should this be done first?

[jsafrane]

IMO it does not really matter if we do safeOpenSubPath or prepareSubpathTarget first, I wanted the defer that cleans up volumes to affect as little code as possible.

[msau42]

Check this first?

[cofyc]

I had added a similar function in https://github.com/kubernetes/kubernetes/pull/62903/files#diff-f6ffeca7a3b942208d644eaa4ec99642R127 as you and @msau42 suggested. How about merging #62903 first, then use Nsenter.HostPath to get the path name on the host after evaluating symlinks on the host (and adding mustExist parameter)?

[dims]

@jsafrane if you rebase to master, we can try the new e2e job

[liggitt]

The current e2e (non containerized) has hostpath test cases but not with an existing path with the kubelet image

if we support the containerized kubelet, it seems like we should exercise it in CI, especially given the complexity around how it has to be handled

[thockin]

It's weird that a seemingly generic interface in a generic lib (pkg/util) has any comprehension of "kubelet" at all. Can we decouple these layered ideas?

[jsafrane]

Kubelet is the only user of this API and it makes the whole picture more visible. It would be harder to go through all the layers and see how they fit together if they contain just generic comments.

We could move the big picture to a separate file / documentation, however, these tend to rot.

I filled #64603 for that.

[justinsb]

SafeFormatAndMount is a very delicate and tricky operation, and kops uses it (and this package). Another vote from me for keeping the layers well-factored here.

[msau42]

There is ongoing work to refactor the mount library to separate out k8s specific operations (like subpath processing), and general mounting/formatting utilities. #68513

[thockin]

I'm very grumpy that pkg/util contains the word "kubelet" at all. How can we fix this? I will approve the PR since it fixes a bug and doesn't make things worse, but that's a genericity problem.

/approve

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: jsafrane, msau42, thockin

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• cmd/kubelet/OWNERS [thockin]
• pkg/OWNERS [thockin]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[fejta-bot]

/retest
This bot automatically retries jobs that failed/flaked on approved PRs (send feedback to fejta).

Review the full test history for this PR.

Silence the bot with an /lgtm cancel comment for consistent failures.

[jsafrane]

/kind bug
/priority important-soon

[jsafrane]

@saad-ali @childsb, please approve for 1.11

[k8s-ci-robot]

@jsafrane: The following test failed, say /retest to rerun them all:

Test name	Commit	Details	Rerun command
pull-kubernetes-local-e2e	fdb50b589f2aa73c02ec33c4423b49d1ff7c2497	link	/test pull-kubernetes-local-e2e

Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

[fejta-bot]

/retest
This bot automatically retries jobs that failed/flaked on approved PRs (send feedback to fejta).

Review the full test history for this PR.

Silence the bot with an /lgtm cancel comment for consistent failures.

[dims]

/status approved-for-milestone

[k8s-github-robot]

[MILESTONENOTIFIER] Milestone Pull Request: Up-to-date for process

@brendandburns @dchen1107 @jsafrane @lavalamp @msau42 @smarterclayton @thockin

Pull Request Labels

• sig/storage: Pull Request will be escalated to these SIGs if needed.
• priority/important-soon: Escalate to the pull request owners and SIG owner; move out of milestone after several unsuccessful escalation attempts.
• kind/bug: Fixes a bug discovered during the current release.

Help

• Additional instructions
• Commands for setting labels

[k8s-github-robot]

Automatic merge from submit-queue (batch tested with PRs 63348, 63839, 63143, 64447, 64567). If you want to cherry-pick this change to another branch, please follow the instructions here.

[munnerz]

@msau42 I'm running kubelet under rkt using the kubelet wrapper, with kube 1.11.0.

To fix this, there is one new requirement in containerized kubelet deployment that /rootfs needs to be mounted rw

My systemd unit does not currently have rootfs mounted into the kubelet container, so I have attempted to add it in an attempt to take advantage of this patch. When doing so, kubelet then refuses to start with:

failed to run Kubelet: could not detect clock speed from output: ""

I'm wondering if I'm missing something obvious here? I am able to mount standard host path volumes fine, but when using the prometheus operator (which enforces a subPath be used), it will not work.

Is there any more detailed info on how I should configure this? I'd imagine (hope!) that tectonic doesn't suffer from this same problem, however I'm unsure where to dig into to find this out, and I'd prefer not to have to spin up an entire tectonic cluster just to find a couple of arguments! 😄

[jsafrane]

@munnerz, list of directories that must be in the container with kubelet is here:

kubernetes/hack/local-up-cluster.sh

Lines 825 to 832 in 7786bd8

	all_kubelet_volumes=(
	--volume=/:/rootfs:ro,rslave \
	--volume=/var/run:/var/run:rw \
	--volume=/sys:/sys:ro \
	--volume=/var/lib/docker/:/var/lib/docker:rslave \
	--volume=/var/lib/kubelet/:/var/lib/kubelet:rslave \
	--volume=/dev:/dev \
	--volume=/run/xtables.lock:/run/xtables.lock:rw \

Please report if there is anything missing.

[lichuqiang]

@jsafrane
I ran into a problem when running the unit test in "nsenter_mount_test.go",
and got error like this:

--- FAIL: TestNsenterExistsFile (0.01s)
    nsenter_mount_test.go:343: Test "simple non-accessible file": expected error, got none
    nsenter_mount_test.go:347: Test "simple non-accessible file": expected return value false, got true
E0719 09:26:23.220671   67952 mount_linux.go:495] format of disk "/dev/foo" failed: type:("ext4") target:("/tmp/mount681850900") options:(["defaults"])error:(formatting failed)
E0719 09:26:23.221027   67952 mount_linux.go:529] Could not determine if disk "/dev/foo" is formatted (exit 4)
FAIL
FAIL    k8s.io/kubernetes/pkg/util/mount    0.077s

I switched to a non root user, and it got passed.
Is it required to manually switch to other users to run the case?