Merge pull request #9635 from Burning1020/fix-cri-mounts
cri: Stat host sandbox files before adding them
This commit is contained in:
Fu Wei
GitHub
commit
4612201f87
@ -1008,34 +1008,47 @@ func (c *criService) linuxContainerMounts(sandboxID string, config *runtime.Cont
|
|||||||
}
|
}
|
||||||
|
|
||||||
if !isInCRIMounts(etcHosts, config.GetMounts()) {
|
if !isInCRIMounts(etcHosts, config.GetMounts()) {
|
||||||
|
hostpath := c.getSandboxHosts(sandboxID)
|
||||||
|
// /etc/hosts could be delegated to remote sandbox controller. That file isn't required to be existed
|
||||||
|
// in host side for some sandbox runtimes. Skip it if we don't need it.
|
||||||
|
if _, err := c.os.Stat(hostpath); err == nil {
|
||||||
mounts = append(mounts, &runtime.Mount{
|
mounts = append(mounts, &runtime.Mount{
|
||||||
ContainerPath: etcHosts,
|
ContainerPath: etcHosts,
|
||||||
HostPath: c.getSandboxHosts(sandboxID),
|
HostPath: hostpath,
|
||||||
Readonly: securityContext.GetReadonlyRootfs(),
|
Readonly: securityContext.GetReadonlyRootfs(),
|
||||||
SelinuxRelabel: true,
|
SelinuxRelabel: true,
|
||||||
UidMappings: uidMappings,
|
UidMappings: uidMappings,
|
||||||
GidMappings: gidMappings,
|
GidMappings: gidMappings,
|
||||||
})
|
})
|
||||||
}
|
}
|
||||||
|
}
|
||||||
|
|
||||||
// Mount sandbox resolv.config.
|
// Mount sandbox resolv.config.
|
||||||
// TODO: Need to figure out whether we should always mount it as read-only
|
// TODO: Need to figure out whether we should always mount it as read-only
|
||||||
if !isInCRIMounts(resolvConfPath, config.GetMounts()) {
|
if !isInCRIMounts(resolvConfPath, config.GetMounts()) {
|
||||||
|
hostpath := c.getResolvPath(sandboxID)
|
||||||
|
// The ownership of /etc/resolv.conf could be delegated to remote sandbox controller. That file isn't
|
||||||
|
// required to be existed in host side for some sandbox runtimes. Skip it if we don't need it.
|
||||||
|
if _, err := c.os.Stat(hostpath); err == nil {
|
||||||
mounts = append(mounts, &runtime.Mount{
|
mounts = append(mounts, &runtime.Mount{
|
||||||
ContainerPath: resolvConfPath,
|
ContainerPath: resolvConfPath,
|
||||||
HostPath: c.getResolvPath(sandboxID),
|
HostPath: hostpath,
|
||||||
Readonly: securityContext.GetReadonlyRootfs(),
|
Readonly: securityContext.GetReadonlyRootfs(),
|
||||||
SelinuxRelabel: true,
|
SelinuxRelabel: true,
|
||||||
UidMappings: uidMappings,
|
UidMappings: uidMappings,
|
||||||
GidMappings: gidMappings,
|
GidMappings: gidMappings,
|
||||||
})
|
})
|
||||||
}
|
}
|
||||||
|
}
|
||||||
|
|
||||||
if !isInCRIMounts(devShm, config.GetMounts()) {
|
if !isInCRIMounts(devShm, config.GetMounts()) {
|
||||||
sandboxDevShm := c.getSandboxDevShm(sandboxID)
|
sandboxDevShm := c.getSandboxDevShm(sandboxID)
|
||||||
if securityContext.GetNamespaceOptions().GetIpc() == runtime.NamespaceMode_NODE {
|
if securityContext.GetNamespaceOptions().GetIpc() == runtime.NamespaceMode_NODE {
|
||||||
sandboxDevShm = devShm
|
sandboxDevShm = devShm
|
||||||
}
|
}
|
||||||
|
// The ownership of /dev/shm could be delegated to remote sandbox controller. That file isn't required
|
||||||
|
// to be existed in host side for some sandbox runtimes. Skip it if we don't need it.
|
||||||
|
if _, err := c.os.Stat(sandboxDevShm); err == nil {
|
||||||
mounts = append(mounts, &runtime.Mount{
|
mounts = append(mounts, &runtime.Mount{
|
||||||
ContainerPath: devShm,
|
ContainerPath: devShm,
|
||||||
HostPath: sandboxDevShm,
|
HostPath: sandboxDevShm,
|
||||||
@ -1054,6 +1067,7 @@ func (c *criService) linuxContainerMounts(sandboxID string, config *runtime.Cont
|
|||||||
// mappings and it should work fine.
|
// mappings and it should work fine.
|
||||||
})
|
})
|
||||||
}
|
}
|
||||||
|
}
|
||||||
return mounts
|
return mounts
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|||||||
@ -733,32 +733,21 @@ func TestLinuxContainerMounts(t *testing.T) {
|
|||||||
expectedMounts: nil,
|
expectedMounts: nil,
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
desc: "should skip hostname mount if the old sandbox doesn't have hostname file",
|
desc: "should skip sandbox mounts if the old sandbox doesn't have sandbox file",
|
||||||
statFn: func(path string) (os.FileInfo, error) {
|
statFn: func(path string) (os.FileInfo, error) {
|
||||||
assert.Equal(t, filepath.Join(testRootDir, sandboxesDir, testSandboxID, "hostname"), path)
|
sandboxRootDir := filepath.Join(testRootDir, sandboxesDir, testSandboxID)
|
||||||
|
sandboxStateDir := filepath.Join(testStateDir, sandboxesDir, testSandboxID)
|
||||||
|
switch path {
|
||||||
|
case filepath.Join(sandboxRootDir, "hostname"), filepath.Join(sandboxRootDir, "hosts"),
|
||||||
|
filepath.Join(sandboxRootDir, "resolv.conf"), filepath.Join(sandboxStateDir, "shm"):
|
||||||
return nil, errors.New("random error")
|
return nil, errors.New("random error")
|
||||||
|
default:
|
||||||
|
t.Fatalf("expected sandbox files, got: %s", path)
|
||||||
|
}
|
||||||
|
return nil, nil
|
||||||
},
|
},
|
||||||
securityContext: &runtime.LinuxContainerSecurityContext{},
|
securityContext: &runtime.LinuxContainerSecurityContext{},
|
||||||
expectedMounts: []*runtime.Mount{
|
expectedMounts: nil,
|
||||||
{
|
|
||||||
ContainerPath: "/etc/hosts",
|
|
||||||
HostPath: filepath.Join(testRootDir, sandboxesDir, testSandboxID, "hosts"),
|
|
||||||
Readonly: false,
|
|
||||||
SelinuxRelabel: true,
|
|
||||||
},
|
|
||||||
{
|
|
||||||
ContainerPath: resolvConfPath,
|
|
||||||
HostPath: filepath.Join(testRootDir, sandboxesDir, testSandboxID, "resolv.conf"),
|
|
||||||
Readonly: false,
|
|
||||||
SelinuxRelabel: true,
|
|
||||||
},
|
|
||||||
{
|
|
||||||
ContainerPath: "/dev/shm",
|
|
||||||
HostPath: filepath.Join(testStateDir, sandboxesDir, testSandboxID, "shm"),
|
|
||||||
Readonly: false,
|
|
||||||
SelinuxRelabel: true,
|
|
||||||
},
|
|
||||||
},
|
|
||||||
},
|
},
|
||||||
} {
|
} {
|
||||||
test := test
|
test := test
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user