This patch adds comments to exported items that were missing them in
order to make the linter happy. Only code changes that were limited to
the scope of this package were made. There are other linting issues that
will affect callers, and that will be done in a separate patch.
This patch refactors pkg/util/mount to be more usable outside of
Kubernetes. This is done by refactoring mount.Interface to only contain
methods that are not K8s specific. Methods that are not relevant to
basic mount activities but still have OS-specific implementations are
now found in a mount.HostUtils interface.
Since pkg/util/mount is going to move out of k/k, this exported constant
that is Kubernetes specific needed to move somewhere else. Made sense to
move it to pkg/volume/util.
Update GetDeviceNameFromMount in the mount interface to now take a
pluginMountDir argument, which is volume plugin dir with the global
mount path appended to it already.
As part of moving pkg/util/mount out of tree, the NSEnter implementation
of mount.Interface needs to be relocated out of pkg/util/mount, as it is
K8s specific. This patch relocates that mounter implementation to
pkg/volume/util/nsenter.
Since the NSEnter mounter shares a lot of its logic with the Linux
mounter implementation, many of the previously private methods of the
Linux mounter are now made public to maintain that shared code.
Additionally, it was observed that *all* mount.Interface implementations
were using the same common method for IsNotMountPoint, so this patch
removes that method from the mount.Interface definition and just exports
the common implementation instead.
As part of wanting to move the mount library into staging and then
k8s.io/utils, there can be no dependencies on k/k code, and that
includes k/apimachinery.
This patch makes a small implementation change to no longer need
k8s.io/apimachinery/pkg/util/sets
Files in pkg/util/mount that contain significant code implementation for
subpaths are moved to a new package at pkg/volume/util/subpath. This
move is done in order to preserve git history.
- Move from the old github.com/golang/glog to k8s.io/klog
- klog has explicit InitFlags() so we add them as necessary
- we update the other repositories that we vendor that made a similar
change from glog to klog
* github.com/kubernetes/repo-infra
* k8s.io/gengo/
* k8s.io/kube-openapi/
* github.com/google/cadvisor
- Entirely remove all references to glog
- Fix some tests by explicit InitFlags in their init() methods
Change-Id: I92db545ff36fcec83afe98f550c9e630098b3135
_netdev mount option is a userspace mount option and
isn't copied over when bind mount is created and remount
also does not copy it over and hence must be explicitly
used with bind mount
These are all flagged by Go 1.11's
more accurate printf checking in go vet,
which runs as part of go test.
Lubomir I. Ivanov <neolit123@gmail.com>
applied amend for:
pkg/cloudprovider/provivers/vsphere/nodemanager.go
Automatic merge from submit-queue (batch tested with PRs 63348, 63839, 63143, 64447, 64567). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Containerized subpath
**What this PR does / why we need it**:
Containerized kubelet needs a different implementation of `PrepareSafeSubpath` than kubelet running directly on the host.
On the host we safely open the subpath and then bind-mount `/proc/<pidof kubelet>/fd/<descriptor of opened subpath>`.
With kubelet running in a container, `/proc/xxx/fd/yy` on the host contains a path that works only inside the container, i.e. `/rootfs/path/to/subpath` and thus any bind-mount on the host fails.
Solution:
- safely open the subpath and get its device ID and inode number
- blindly bind-mount the subpath to `/var/lib/kubelet/pods/<uid>/volume-subpaths/<name of container>/<id of mount>`. This is potentially unsafe, because a user can change the subpath source to a link to a bad place (say `/run/docker.sock`) just before the bind-mount.
- get device ID and inode number of the destination. Typical users can't modify this file, as it lies on /var/lib/kubelet on the host.
- compare these device IDs and inode numbers.
**Which issue(s) this PR fixes**
Fixes #61456
**Special notes for your reviewer**:
The PR contains some refactoring of `doBindSubPath` to extract the common code. New `doNsEnterBindSubPath` is added for the nsenter related parts.
**Release note**:
```release-note
NONE
```
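The device ID and inode comparison described in the PR above, as an added Go example (not code from the PR or from Kubernetes). The names `fileID`, `idOf` and `sameAsOpened` are hypothetical, and a hard link stands in for the bind-mount target in `main` because it shares device and inode with the source without needing root.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"syscall"
)

// fileID is the (device ID, inode number) pair that the check compares.
type fileID struct{ dev, ino uint64 }

func idOf(fi os.FileInfo) (fileID, bool) {
	st, ok := fi.Sys().(*syscall.Stat_t)
	if !ok {
		return fileID{}, false
	}
	return fileID{uint64(st.Dev), uint64(st.Ino)}, true
}

// sameAsOpened reports whether target is the very file behind the already opened descriptor.
func sameAsOpened(opened *os.File, target string) (bool, error) {
	ofi, err := opened.Stat() // fstat(2) on the descriptor, no path lookup
	if err != nil {
		return false, err
	}
	tfi, err := os.Stat(target) // what is actually visible at the target
	if err != nil {
		return false, err
	}
	want, ok1 := idOf(ofi)
	got, ok2 := idOf(tfi)
	if !ok1 || !ok2 {
		return false, fmt.Errorf("no device/inode numbers on this platform")
	}
	return want == got, nil
}

func main() {
	// Constructed demo: the hard link "dst" plays the role of the bind-mount target.
	dir, _ := os.MkdirTemp("", "subpath-demo")
	defer os.RemoveAll(dir)
	src, dst := filepath.Join(dir, "src"), filepath.Join(dir, "dst")
	os.WriteFile(src, []byte("data"), 0o600)
	f, _ := os.Open(src)
	defer f.Close()
	os.Link(src, dst)
	fmt.Println(sameAsOpened(f, dst))
}
```

Because the expected identity comes from the open descriptor rather than from a second path lookup, replacing the source path after the open makes the comparison fail instead of silently passing.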
Automatic merge from submit-queue (batch tested with PRs 64013, 63896, 64139, 57527, 62102). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Setup fsGroup for local volumes correctly
**What this PR does / why we need it**:
This PR fixes the fsGroup check in local volume in containerized kubelet. Besides this, it also fixes the fsGroup check when the volume source is a normal directory, whether kubelet is running on the host or in a container.
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #61741
**Special notes for your reviewer**:
Bind mounts are detected in `/proc/mounts`, but it does not contain root of mount for bind mounts. So `mount.GetMountRefsByDev()` cannot get all references if source is a normal directory. e.g.
```
# mkdir /tmp/src /mnt/dst
# mount --bind /tmp/src /tmp/src # required by local-volume-provisioner, see https://github.com/kubernetes-incubator/external-storage/pull/499
# mount --bind /tmp/src /mnt/dst
# grep -P 'src|dst' /proc/mounts
tmpfs /tmp/src tmpfs rw,nosuid,nodev,noatime,size=4194304k 0 0
tmpfs /mnt/dst tmpfs rw,nosuid,nodev,noatime,size=4194304k 0 0
# grep -P 'src|dst' /proc/self/mountinfo
234 409 0:42 /src /tmp/src rw,nosuid,nodev,noatime shared:30 - tmpfs tmpfs rw,size=4194304k
235 24 0:42 /src /mnt/dst rw,nosuid,nodev,noatime shared:30 - tmpfs tmpfs rw,size=4194304k
```
We need to compare root of mount and device in this case.
**Release note**:
```release-note
NONE
```
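The comparison of device and root of mount described in the PR above, as an added Go example (not code from the PR or from Kubernetes). `parseMountinfo` and `refsByDevAndRoot` are hypothetical names; the first two sample lines are the `/proc/self/mountinfo` output quoted in the PR, and the third is constructed to show a mount on the same device with a different root.

```go
package main

import (
	"fmt"
	"strings"
)

// Lines 234 and 235 are quoted from the PR description; line 236 is
// constructed: same device 0:42, but a different root inside it.
const sampleMountinfo = `234 409 0:42 /src /tmp/src rw,nosuid,nodev,noatime shared:30 - tmpfs tmpfs rw,size=4194304k
235 24 0:42 /src /mnt/dst rw,nosuid,nodev,noatime shared:30 - tmpfs tmpfs rw,size=4194304k
236 24 0:42 /other /mnt/other rw,nosuid,nodev,noatime shared:31 - tmpfs tmpfs rw,size=4194304k`

type mountEntry struct{ device, root, mountPoint string }

// parseMountinfo keeps field 3 (major:minor), field 4 (root) and field 5 (mount point).
func parseMountinfo(data string) ([]mountEntry, error) {
	var out []mountEntry
	for _, line := range strings.Split(strings.TrimSpace(data), "\n") {
		f := strings.Fields(line)
		if len(f) < 10 { // 6 fixed fields, "-" separator, 3 trailing fields
			return nil, fmt.Errorf("not a mountinfo line: %q", line)
		}
		out = append(out, mountEntry{f[2], f[3], f[4]})
	}
	return out, nil
}

// refsByDevAndRoot lists other mount points exposing the same root of the same device as path.
func refsByDevAndRoot(entries []mountEntry, path string) (refs []string) {
	var self *mountEntry
	for i := range entries {
		if entries[i].mountPoint == path {
			self = &entries[i] // last match wins: the topmost mount at path
		}
	}
	for _, e := range entries {
		if self != nil && e.mountPoint != path && e.device == self.device && e.root == self.root {
			refs = append(refs, e.mountPoint)
		}
	}
	return refs
}

func main() {
	entries, err := parseMountinfo(sampleMountinfo)
	fmt.Println(refsByDevAndRoot(entries, "/tmp/src"), err)
}
```

Matching on the device alone would also report `/mnt/other`, which is why the root field has to be part of the key.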
Automatic merge from submit-queue (batch tested with PRs 64102, 63303, 64150, 63841). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
When creating ext3/ext4 volume, disable reserved blocks
**What this PR does / why we need it**:
When creating ext3/ext4 volume, `mkfs` defaults to reserving 5% of the volume for the super-user (root). This patch changes the `mkfs` to pass `-m0` to disable this setting.
Rationale: Reserving a percentage of the volume is generally a neither useful nor desirable feature for volumes that aren't used as root file systems for Linux distributions, since the reserved portion becomes unavailable for non-root users. For containers, the general case is to use the entire volume for data, without running as root. The case where one might want reserved blocks enabled is much rarer.
**Special notes for your reviewer**:
I also added some comments to describe the flags passed to `mkfs`.
**Release note**:
```release-note
Changes ext3/ext4 volume creation to not reserve any portion of the volume for the root user.
```
- getSubpathBindTarget() computes final target of subpath bind-mount.
- prepareSubpathTarget() creates target for bind-mount.
- safeOpenSubPath() checks symlinks in Subpath and safely opens it.
Kubelet should not resolve symlinks outside of the mounter interface.
Only the mounter interface knows how to resolve them properly on the host.
As a consequence, the declaration of SafeMakeDir changes to simplify the
implementation:
from SafeMakeDir(fullPath string, base string, perm os.FileMode)
to SafeMakeDir(subdirectoryInBase string, base string, perm os.FileMode)
super-user-reserved blocks, which otherwise defaults to 5% of the
entire disk.
Rationale: Reserving a percentage of the volume is generally a neither
useful nor desirable feature for volumes that aren't used as root file
systems for Linux distributions, since the reserved portion becomes
unavailable for non-root users. For containers, the general case is to
use the entire volume for data, without running as root. The case where
one might want reserved blocks enabled is much rarer.
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
passthrough readOnly to subpath
**What this PR does / why we need it**:
If a volume is mounted as readonly, or subpath volumeMount is configured as readonly, then the subpath bind mount should be readonly.
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #62752
**Special notes for your reviewer**:
**Release note**:
```release-note
Fixes issue where subpath readOnly mounts failed
```