add absent_mount_sources_to_reject option #4844

haircommander · 2021-05-04T18:29:41Z

What type of PR is this?

/kind feature

What this PR does / why we need it:

To match docker behavior, a directory is created when the src of a mount does not exist.

This causes issues when the src should not be a directory (/etc/hostname is a prime example).

Instead of relying on correct user behavior, we should urge them to do the right thing by erroring in this case (if a configured mount source is added but does not exist)

Which issue(s) this PR fixes:

Special notes for your reviewer:

Does this PR introduce a user-facing change?

Add support for `absent_mount_sources_to_reject`, which allows admins to configure paths that, when mounted into a container despite not existing on the host, causes a container creation request to fail. This is useful for paths like `/etc/hostname`, which causes trouble as a directory, but possibly shouldn't be created as a file either (in the case of a dynamic hostname).

codecov · 2021-05-04T18:46:14Z

Codecov Report

Merging #4844 (61960b7) into master (1f2639c) will decrease coverage by 0.00%.
The diff coverage is 36.84%.

❗ Current head 61960b7 differs from pull request most recent head 8703525. Consider uploading reports for the commit 8703525 to get more accurate results

@@            Coverage Diff             @@
##           master    #4844      +/-   ##
==========================================
- Coverage   42.98%   42.98%   -0.01%     
==========================================
  Files         107      107              
  Lines        9792     9809      +17     
==========================================
+ Hits         4209     4216       +7     
- Misses       5132     5142      +10     
  Partials      451      451

haircommander · 2021-05-04T19:56:31Z

/retest

saschagrunert

LGTM

saschagrunert · 2021-05-05T07:25:44Z

server/container_create_linux.go

+			} else if filepath.Clean(src) == "/etc/hostname" {
+				// special-case /etc/hostname, as we don't want it to be created as a directory
+				// This can cause issues with node reboot.
+				return nil, nil, errors.New("Cannot mount /etc/hostname: path does not exist and will cause issues as a directory. Consider mounting /proc/sys/kernel/hostname, or creating a static /etc/hostname")


nit:

Suggested change

return nil, nil, errors.New("Cannot mount /etc/hostname: path does not exist and will cause issues as a directory. Consider mounting /proc/sys/kernel/hostname, or creating a static /etc/hostname")

return nil, nil, errors.New("cannot mount /etc/hostname: path does not exist and will cause issues as a directory. Consider mounting /proc/sys/kernel/hostname, or creating a static /etc/hostname")

TomSweeneyRedHat · 2021-05-05T18:19:05Z

LGTM

mrunalp

/lgtm

openshift-ci-robot · 2021-05-05T19:55:04Z

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: haircommander, mrunalp, saschagrunert

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

~~OWNERS~~ [haircommander,mrunalp,saschagrunert]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

openshift-bot · 2021-05-05T20:02:58Z

/retest

Please review the full test history for this PR and help us cut down flakes.

Signed-off-by: Peter Hunt <[email protected]>

To match docker behavior, a directory is created when the src of a mount does not exist. This causes issues when the src should not be a directory (/etc/hostname is a prime example). Instead of relying on correct user behavior, we should urge them to do the right thing by erroring in this case (if a configured mount source is added but does not exist) Signed-off-by: Peter Hunt <[email protected]>

Signed-off-by: Peter Hunt <[email protected]>

haircommander · 2021-05-05T20:35:44Z

/retest

mrunalp · 2021-05-05T20:39:42Z

/lgtm

openshift-bot · 2021-05-05T21:15:02Z

/retest

Please review the full test history for this PR and help us cut down flakes.

openshift-bot · 2021-05-05T21:26:58Z

/retest

Please review the full test history for this PR and help us cut down flakes.

openshift-bot · 2021-05-05T21:39:02Z

/retest

Please review the full test history for this PR and help us cut down flakes.

openshift-bot · 2021-05-05T21:50:57Z

/retest

Please review the full test history for this PR and help us cut down flakes.

openshift-bot · 2021-05-05T23:15:58Z

/retest

Please review the full test history for this PR and help us cut down flakes.

openshift-bot · 2021-05-05T23:28:58Z

/retest

Please review the full test history for this PR and help us cut down flakes.

openshift-bot · 2021-05-05T23:40:58Z

/retest

Please review the full test history for this PR and help us cut down flakes.

openshift-bot · 2021-05-05T23:52:59Z

/retest

Please review the full test history for this PR and help us cut down flakes.

openshift-bot · 2021-05-06T00:04:59Z

/retest

Please review the full test history for this PR and help us cut down flakes.

openshift-bot · 2021-05-06T00:28:59Z

/retest

Please review the full test history for this PR and help us cut down flakes.

openshift-bot · 2021-05-06T00:40:58Z

/retest

Please review the full test history for this PR and help us cut down flakes.

openshift-bot · 2021-05-06T00:52:58Z

/retest

Please review the full test history for this PR and help us cut down flakes.

openshift-bot · 2021-05-06T01:04:59Z

/retest

Please review the full test history for this PR and help us cut down flakes.

openshift-bot · 2021-05-06T01:17:57Z

/retest

Please review the full test history for this PR and help us cut down flakes.

openshift-ci · 2021-05-06T01:25:00Z

@haircommander: The following test failed, say /retest to rerun all failed tests:

Test name	Commit	Details	Rerun command
ci/openshift-jenkins/e2e_crun_cgroupv2	`8703525`	link	`/test e2e_cgroupv2`

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

openshift-bot · 2021-05-06T02:47:59Z

/retest

Please review the full test history for this PR and help us cut down flakes.

openshift-bot · 2021-05-06T03:01:07Z

/retest

Please review the full test history for this PR and help us cut down flakes.

openshift-bot · 2021-05-06T03:13:57Z

/retest

Please review the full test history for this PR and help us cut down flakes.

openshift-bot · 2021-05-06T03:27:10Z

/retest

Please review the full test history for this PR and help us cut down flakes.

haircommander · 2021-05-06T12:11:34Z

/cherry-pick release-1.21

openshift-cherrypick-robot · 2021-05-06T12:12:18Z

@haircommander: new pull request created: #4857

Details

In response to this:

/cherry-pick release-1.21

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

haircommander requested review from mrunalp and runcom as code owners May 4, 2021 18:29

openshift-ci-robot added dco-signoff: yes Indicates the PR's author has DCO signed all their commits. kind/bug Categorizes issue or PR as related to a bug. release-note Denotes a PR that will be considered when it comes time to generate release notes. labels May 4, 2021

openshift-ci-robot requested review from giuseppe and rhatdan May 4, 2021 18:30

openshift-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label May 4, 2021

saschagrunert approved these changes May 5, 2021

View reviewed changes

haircommander force-pushed the hostname-hack branch from b08278a to af35974 Compare May 5, 2021 18:52

haircommander changed the title ~~server: fail if user attempts to mount /etc/hostname, but it does not…~~ add absent_mount_sources_to_reject option May 5, 2021

haircommander force-pushed the hostname-hack branch from af35974 to 43dc2b5 Compare May 5, 2021 18:58

mrunalp approved these changes May 5, 2021

View reviewed changes

openshift-ci-robot assigned mrunalp May 5, 2021

openshift-ci-robot added the lgtm Indicates that a PR is ready to be merged. label May 5, 2021

haircommander added 3 commits May 5, 2021 16:25

config: add absent_mount_sources_to_reject option

9f83de4

Signed-off-by: Peter Hunt <[email protected]>

test: add test for absent_mount_sources_to_reject

8703525

Signed-off-by: Peter Hunt <[email protected]>

haircommander force-pushed the hostname-hack branch from 43dc2b5 to 8703525 Compare May 5, 2021 20:26

openshift-ci-robot removed the lgtm Indicates that a PR is ready to be merged. label May 5, 2021

openshift-ci-robot added the lgtm Indicates that a PR is ready to be merged. label May 5, 2021

openshift-merge-robot merged commit 4d40e65 into cri-o:master May 6, 2021

openshift-cherrypick-robot mentioned this pull request May 6, 2021

[release-1.21] add absent_mount_sources_to_reject option #4857

Merged

openshift-ci bot mentioned this pull request Jun 3, 2021

Bug 1921937: crio: reject /etc/hostname mount if absent openshift/machine-config-operator#2575

Merged

	return nil, nil, errors.New("Cannot mount /etc/hostname: path does not exist and will cause issues as a directory. Consider mounting /proc/sys/kernel/hostname, or creating a static /etc/hostname")
	return nil, nil, errors.New("cannot mount /etc/hostname: path does not exist and will cause issues as a directory. Consider mounting /proc/sys/kernel/hostname, or creating a static /etc/hostname")

add absent_mount_sources_to_reject option #4844

add absent_mount_sources_to_reject option #4844

Uh oh!

Conversation

haircommander commented May 4, 2021 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

What type of PR is this?

What this PR does / why we need it:

Which issue(s) this PR fixes:

Special notes for your reviewer:

Does this PR introduce a user-facing change?

Uh oh!

codecov bot commented May 4, 2021 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Codecov Report

Uh oh!

haircommander commented May 4, 2021

Uh oh!

saschagrunert left a comment

Choose a reason for hiding this comment

Uh oh!

saschagrunert May 5, 2021

Choose a reason for hiding this comment

Uh oh!

TomSweeneyRedHat commented May 5, 2021

Uh oh!

mrunalp left a comment

Choose a reason for hiding this comment

Uh oh!

openshift-ci-robot commented May 5, 2021

Uh oh!

openshift-bot commented May 5, 2021

Uh oh!

haircommander commented May 5, 2021

Uh oh!

mrunalp commented May 5, 2021

Uh oh!

openshift-bot commented May 5, 2021

Uh oh!

openshift-bot commented May 5, 2021

Uh oh!

openshift-bot commented May 5, 2021

Uh oh!

openshift-bot commented May 5, 2021

Uh oh!

openshift-bot commented May 5, 2021

Uh oh!

openshift-bot commented May 5, 2021

Uh oh!

openshift-bot commented May 5, 2021

Uh oh!

openshift-bot commented May 5, 2021

Uh oh!

openshift-bot commented May 6, 2021

Uh oh!

openshift-bot commented May 6, 2021

Uh oh!

openshift-bot commented May 6, 2021

Uh oh!

openshift-bot commented May 6, 2021

Uh oh!

openshift-bot commented May 6, 2021

Uh oh!

openshift-bot commented May 6, 2021

Uh oh!

openshift-ci bot commented May 6, 2021 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

openshift-bot commented May 6, 2021

Uh oh!

openshift-bot commented May 6, 2021

Uh oh!

openshift-bot commented May 6, 2021

Uh oh!

openshift-bot commented May 6, 2021

Uh oh!

haircommander commented May 6, 2021

Uh oh!

openshift-cherrypick-robot commented May 6, 2021

Uh oh!

haircommander commented May 4, 2021 •

edited

Loading

codecov bot commented May 4, 2021 •

edited

Loading

openshift-ci bot commented May 6, 2021 •

edited

Loading