Client DaemonSet redefinitions

quobyte-alek · quobyte-alek · commit f9f519082146 · 2019-02-19T11:39:42.000+01:00
Use namespaces to increase the client pod isolation.
diff --git a/client_quick_setup.md b/client_quick_setup.md
@@ -19,6 +19,11 @@ EOF
 $ systemctl daemon-reload && systemctl restart docker
 ```
 
+Also make sure your Kubernetes cluster runs with the `MountPropagation` feature
+gate enabled for kubelets as well as kube-apiservers. Refer to a
+[feature support matrix](https://kubernetes.io/docs/reference/command-line-tools-reference/feature-gates/)
+for details.
+
 ## Client setup
 This guide assumes that you have a dedicated Quobyte server running and you
 want to provide access to Quobyte volumes to pods running in Kubernetes.
@@ -27,6 +32,17 @@ To access a Quobyte volume a pod has to run on a Kubernetes node which has a
 Quobyte client running. The client runs inside of a Pod and makes the Quobyte
 storage accessible to other pods.
 
+We provide two different DaemonSet definitions: the [recommended one](deploy/client-ds.yaml)
+and [legacy one](deploy/client-ds-legacy.yaml). The former can be used only with
+explicit user and group mapping. The latter allows you to resolve user and group
+identity using a host Name Service Switch (NSS), which we do not recommend as
+this approach poses certain security and system stability risks. We provide the
+legacy DaemonSet configuration for backward compatibility reasons only. If using
+identity mapping feature is not suitable for your deployment scenario we
+recommend you to create a customized version of our client Docker image. This
+way you can apply necessary changes in the container's NSS facility to meet your
+requirements.
+
 Quobyte clients run in the quobyte namespace.
 ```bash
 $ cd deploy
@@ -37,11 +53,9 @@ To connect to Quobyte, the client needs to resolve the address of the registry.
 It is configured in the client-ds.yaml DaemonSet definition:
 ```yaml
 env:
-  - name: QUOBYTE_REGISTRY
-    value: registry.quobyte
-```
-If you have a QNS (Quobyte Name Service), the value for QUOBYTE_REGISTRY might
-look like `<qnsid>.myquobyte.net`
+  - name: QUOBYTE_REGISTRY value: registry.quobyte ``` If you have a QNS
+    (Quobyte Name Service), the value for QUOBYTE_REGISTRY might look like
+    `<qnsid>.myquobyte.net`
 
 If you have a certificate for the client, it is stored as a Secret and
 mounted into the client Pod as client.cfg.
@@ -58,8 +72,9 @@ or
 $ kubectl -n quobyte create -f client-certificate-ds.yaml
 ```
 
-The deployed DaemonSet starts client pods on all nodes marked as `quobyte_client`.
-This can either be done manually, or by using the Quobyte operator.
+The deployed DaemonSet starts client pods on all nodes marked as
+`quobyte_client`. This can either be done manually, or by using the Quobyte
+operator.
 
 ```bash
 $ kubectl label nodes <node-1> <node-n> quobyte_client="true"
diff --git a/deploy/client-ds.yaml b/deploy/client-ds.yaml
@@ -28,7 +28,7 @@ spec:
             value: registry.quobyte
           - name: QUOBYTE_MOUNT_POINT
             # Note that the mount point has to be a subdir of the volume(Mount)
-            value: /var/lib/kubelet/plugins/kubernetes.io~quobyte
+            value: /mnt/kubernetes.io~quobyte
           - name: NODENAME
             valueFrom:
               fieldRef:
@@ -53,79 +53,34 @@ spec:
           - /bin/bash
           - -xec
           - |
-            if [[ ! -f /etcfs/fuse.conf ]]; then
-              echo "Copy fuse config to host"
-              { echo -e '# Copied from Quobyte Client Container\n'; cat /etc/fuse.conf; } > /etcfs/fuse.conf
-            fi
-            if [[ $(grep "^[^#]" /etcfs/fuse.conf | grep -c "user_allow_other") -eq 0 ]]; then
-              echo "user_allow_other" >> /etcfs/fuse.conf
-            fi
-            if cut -d" " -f2 /etcfs/mtab | grep -q ${QUOBYTE_MOUNT_POINT}; then
-              echo "found existing mount point on host. Trying to umount ${QUOBYTE_MOUNT_POINT}"
-              if ! /bin/nsenter -t 1 -m -- /bin/umount -f ${QUOBYTE_MOUNT_POINT}; then
-                /bin/nsenter -t 1 -m -- /bin/umount -l ${QUOBYTE_MOUNT_POINT}
-              fi
-              sleep 1 # give os the chance to clean up everything.
-            else
-              if ! [[ $(ls `dirname ${QUOBYTE_MOUNT_POINT}`|egrep "^`basename ${QUOBYTE_MOUNT_POINT}`$") ]]; then
-                echo "mount point ${QUOBYTE_MOUNT_POINT} does not exist, creating it..."
-                mkdir -p ${QUOBYTE_MOUNT_POINT}
-              fi
+            if cut -d" " -f2 /proc/self/mounts | grep -q ${QUOBYTE_MOUNT_POINT}; then
+              umount -l ${QUOBYTE_MOUNT_POINT}
             fi
 
+            mkdir -p /root/.quobyte ${QUOBYTE_MOUNT_POINT}
+
             # set the mount point immutable. As long as mount.quobyte does not run,
             # other processes cannot write data to this dir.
-            chattr +i ${QUOBYTE_MOUNT_POINT}
-
-            # Until k8s mountPropagation is stable, nsenter is used for the client
-            # to mount Quobyte into the host's mount namespace. By using nsenter, the client process
-            # will also use the host's dns resolve mechanisms, which most probably will not include
-            # the k8s internal name resolution. So the client is not able to resolve k8s internal 'registry.quobyte' anymore.
-            # Hence, for k8s internal Quobyte clusters, we need to pre-resolve the current ips, and let the client
-            # work with ips and not dns names.
-            if [ "$QUOBYTE_REGISTRY" == "registry" ] || [ "$QUOBYTE_REGISTRY" == "registry.quobyte" ] ; then
-              registry_ips=
-              for ip in $(nslookup ${QUOBYTE_REGISTRY} | grep ${QUOBYTE_REGISTRY} -A2 | grep Address | cut -d':' -f2 | awk '{print $1}'); do
-                registry_ips="$ip $registry_ips"
-              done
-              ADDR=$(echo $registry_ips | tr ' ' ',')
-              echo "Assuming to connect to k8s hosted Quobyte cluster. Resolved DNS to: '$ADDR'"
-            else
-              ADDR=${QUOBYTE_REGISTRY}
-              echo "Assuming to connect to an external Quobyte cluster. Client will resolve DNS for: '$ADDR'"
-            fi
-
-            /bin/nsenter -t 1 --wd=. -m -- \
-              lib/ld-linux-x86-64.so.2 \
-              --library-path ./lib \
-              /usr/bin/mount.quobyte --hostname ${NODENAME} --allow-usermapping-in-volumename \
-              --http-port 55000 -f -l /dev/stdout -d ${QUOBYTE_CLIENT_LOG_LEVEL} ${OPTS} \
-              ${ADDR}/ ${QUOBYTE_MOUNT_POINT}
+            chattr +i ${QUOBYTE_MOUNT_POINT} || \
+              echo "WARNING: The local filesystem does not support IMMUTABLE flag"
 
+            /usr/bin/mount.quobyte --hostname ${NODENAME} \
+              --allow-usermapping-in-volumename --http-port 55000 -f \
+              -d ${QUOBYTE_CLIENT_LOG_LEVEL} -l /dev/stdout ${OPTS} \
+              ${QUOBYTE_REGISTRY}/ ${QUOBYTE_MOUNT_POINT}
         securityContext:
           privileged: true
         volumeMounts:
           - name: k8s-plugin-dir
-            mountPath: /var/lib/kubelet/plugins/
-          - name: etcfs
-            mountPath: /etcfs
+            mountPath: /mnt
+            mountPropagation: Bidirectional
         lifecycle:
           preStop:
             exec:
-              command:
-                - /bin/bash
-                - -xc
-                - |
-                  if ! /bin/nsenter -t 1 -m -- /bin/umount -f ${QUOBYTE_MOUNT_POINT}; then
-                    /bin/nsenter -t 1 -m -- /bin/umount -l ${QUOBYTE_MOUNT_POINT}
-                  fi
-      hostPID: true
+              command: ["/bin/bash", "-xc", "umount -l ${QUOBYTE_MOUNT_POINT}"]
       nodeSelector:
         quobyte_client: "true"
       volumes:
       - name: k8s-plugin-dir
         hostPath:
           path: /var/lib/kubelet/plugins/
-      - name: etcfs
-        hostPath:
-          path: /etc
diff --git a/deploy/legacy-client-ds.yaml b/deploy/legacy-client-ds.yaml
@@ -0,0 +1,131 @@
+apiVersion: extensions/v1beta1
+kind: DaemonSet
+metadata:
+  name: client
+  namespace: quobyte
+spec:
+  selector:
+    matchLabels:
+      role: client
+  template:
+    metadata:
+      annotations:
+        prometheus.io/scrape: 'true'
+        prometheus.io/path: '/prometheus'
+        prometheus.io/port: '55000'
+      labels:
+        role: client
+        version: "2"
+    spec:
+      containers:
+      - name: quobyte-client
+        image: quay.io/quobyte/quobyte-client:2
+        imagePullPolicy: Always
+        env:
+          - name: QUOBYTE_CLIENT_LOG_LEVEL
+            value: INFO
+          - name: QUOBYTE_REGISTRY
+            value: registry.quobyte
+          - name: QUOBYTE_MOUNT_POINT
+            # Note that the mount point has to be a subdir of the volume(Mount)
+            value: /var/lib/kubelet/plugins/kubernetes.io~quobyte
+          - name: NODENAME
+            valueFrom:
+              fieldRef:
+                fieldPath: spec.nodeName
+        ports:
+          - name: http-port
+            containerPort: 55000
+            hostPort: 55000
+            protocol: TCP
+        readinessProbe:
+          timeoutSeconds: 5
+          httpGet:
+            port: 55000
+            path: /
+        livenessProbe:
+          initialDelaySeconds: 30
+          timeoutSeconds: 5
+          httpGet:
+            port: 55000
+            path: /
+        command:
+          - /bin/bash
+          - -xec
+          - |
+            if [[ ! -f /etcfs/fuse.conf ]]; then
+              echo "Copy fuse config to host"
+              { echo -e '# Copied from Quobyte Client Container\n'; cat /etc/fuse.conf; } > /etcfs/fuse.conf
+            fi
+            if [[ $(grep "^[^#]" /etcfs/fuse.conf | grep -c "user_allow_other") -eq 0 ]]; then
+              echo "user_allow_other" >> /etcfs/fuse.conf
+            fi
+            if cut -d" " -f2 /etcfs/mtab | grep -q ${QUOBYTE_MOUNT_POINT}; then
+              echo "found existing mount point on host. Trying to umount ${QUOBYTE_MOUNT_POINT}"
+              if ! /bin/nsenter -t 1 -m -- /bin/umount -f ${QUOBYTE_MOUNT_POINT}; then
+                /bin/nsenter -t 1 -m -- /bin/umount -l ${QUOBYTE_MOUNT_POINT}
+              fi
+              sleep 1 # give os the chance to clean up everything.
+            else
+              if ! [[ $(ls `dirname ${QUOBYTE_MOUNT_POINT}`|egrep "^`basename ${QUOBYTE_MOUNT_POINT}`$") ]]; then
+                echo "mount point ${QUOBYTE_MOUNT_POINT} does not exist, creating it..."
+                mkdir -p ${QUOBYTE_MOUNT_POINT}
+              fi
+            fi
+
+            # set the mount point immutable. As long as mount.quobyte does not run,
+            # other processes cannot write data to this dir.
+            chattr +i ${QUOBYTE_MOUNT_POINT}
+
+            # Until k8s mountPropagation is stable, nsenter is used for the client
+            # to mount Quobyte into the host's mount namespace. By using nsenter, the client process
+            # will also use the host's dns resolve mechanisms, which most probably will not include
+            # the k8s internal name resolution. So the client is not able to resolve k8s internal 'registry.quobyte' anymore.
+            # Hence, for k8s internal Quobyte clusters, we need to pre-resolve the current ips, and let the client
+            # work with ips and not dns names.
+            if [ "$QUOBYTE_REGISTRY" == "registry" ] || [ "$QUOBYTE_REGISTRY" == "registry.quobyte" ] ; then
+              registry_ips=
+              for ip in $(nslookup ${QUOBYTE_REGISTRY} | grep ${QUOBYTE_REGISTRY} -A2 | grep Address | cut -d':' -f2 | awk '{print $1}'); do
+                registry_ips="$ip $registry_ips"
+              done
+              ADDR=$(echo $registry_ips | tr ' ' ',')
+              echo "Assuming to connect to k8s hosted Quobyte cluster. Resolved DNS to: '$ADDR'"
+            else
+              ADDR=${QUOBYTE_REGISTRY}
+              echo "Assuming to connect to an external Quobyte cluster. Client will resolve DNS for: '$ADDR'"
+            fi
+
+            /bin/nsenter -t 1 --wd=. -m -- \
+              lib/ld-linux-x86-64.so.2 \
+              --library-path ./lib \
+              /usr/bin/mount.quobyte --hostname ${NODENAME} --allow-usermapping-in-volumename \
+              --http-port 55000 -f -l /dev/stdout -d ${QUOBYTE_CLIENT_LOG_LEVEL} ${OPTS} \
+              ${ADDR}/ ${QUOBYTE_MOUNT_POINT}
+
+        securityContext:
+          privileged: true
+        volumeMounts:
+          - name: k8s-plugin-dir
+            mountPath: /var/lib/kubelet/plugins/
+          - name: etcfs
+            mountPath: /etcfs
+        lifecycle:
+          preStop:
+            exec:
+              command:
+                - /bin/bash
+                - -xc
+                - |
+                  if ! /bin/nsenter -t 1 -m -- /bin/umount -f ${QUOBYTE_MOUNT_POINT}; then
+                    /bin/nsenter -t 1 -m -- /bin/umount -l ${QUOBYTE_MOUNT_POINT}
+                  fi
+      hostPID: true
+      nodeSelector:
+        quobyte_client: "true"
+      volumes:
+      - name: k8s-plugin-dir
+        hostPath:
+          path: /var/lib/kubelet/plugins/
+      - name: etcfs
+        hostPath:
+          path: /etc
diff --git a/operator/deploy/client.yaml b/operator/deploy/client.yaml
@@ -40,7 +40,7 @@ spec:
             value: registry.quobyte
           - name: QUOBYTE_MOUNT_POINT
             # Note that the mount point has to be a subdir of the volume(Mount)
-            value: /var/lib/kubelet/plugins/kubernetes.io~quobyte
+            value: /mnt/kubernetes.io~quobyte
           - name: NODENAME
             valueFrom:
               fieldRef:
@@ -65,71 +65,35 @@ spec:
           - /bin/bash
           - -xec
           - |
-            if [[ ! -f /etcfs/fuse.conf ]]; then
-              echo "Copy fuse config to host"
-              { echo -e '# Copied from Quobyte Client Container\n'; cat /etc/fuse.conf; } > /etcfs/fuse.conf
-            fi
-            if [[ $(grep "^[^#]" /etcfs/fuse.conf | grep -c "user_allow_other") -eq 0 ]]; then
-              echo "user_allow_other" >> /etcfs/fuse.conf
-            fi
-            if cut -d" " -f2 /etcfs/mtab | grep -q ${QUOBYTE_MOUNT_POINT}; then
-              echo "found existing mount point on host. Trying to umount ${QUOBYTE_MOUNT_POINT}"
-              /bin/nsenter -t 1 -m -- /bin/umount -f ${QUOBYTE_MOUNT_POINT}
-              sleep 1 # give os the chance to clean up everything.
-            else
-              if ! [[ $(ls `dirname ${QUOBYTE_MOUNT_POINT}`|egrep "^`basename ${QUOBYTE_MOUNT_POINT}`$") ]]; then
-                echo "mount point ${QUOBYTE_MOUNT_POINT} does not exist, creating it..."
-                mkdir -p ${QUOBYTE_MOUNT_POINT}
-              fi
+            if cut -d" " -f2 /proc/self/mounts | grep -q ${QUOBYTE_MOUNT_POINT}; then
+              umount -l ${QUOBYTE_MOUNT_POINT}
             fi
 
+            mkdir -p /root/.quobyte ${QUOBYTE_MOUNT_POINT}
+
             # set the mount point immutable. As long as mount.quobyte does not run,
             # other processes cannot write data to this dir.
-            chattr +i ${QUOBYTE_MOUNT_POINT}
+            chattr +i ${QUOBYTE_MOUNT_POINT} || \
+              echo "WARNING: The local filesystem does not support IMMUTABLE flag"
 
-            # Until k8s mountPropagation is stable, nsenter is used for the client
-            # to mount Quobyte into the host's mount namespace. By using nsenter, the client process
-            # will also use the host's dns resolve mechanisms, which most probably will not include
-            # the k8s internal name resolution. So the client is not able to resolve k8s internal 'registry.quobyte' anymore.
-            # Hence, for k8s internal Quobyte clusters, we need to pre-resolve the current ips, and let the client
-            # work with ips and not dns names.
-            if [ "$QUOBYTE_REGISTRY" == "registry" ] || [ "$QUOBYTE_REGISTRY" == "registry.quobyte" ] ; then
-              registry_ips=
-              for ip in $(nslookup ${QUOBYTE_REGISTRY} | grep ${QUOBYTE_REGISTRY} -A2 | grep Address | cut -d':' -f2 | awk '{print $1}'); do
-                registry_ips="$ip $registry_ips"
-              done
-              ADDR=$(echo $registry_ips | tr ' ' ',')
-              echo "Assuming to connect to k8s hosted Quobyte cluster. Resolved DNS to: '$ADDR'"
-            else
-              ADDR=${QUOBYTE_REGISTRY}
-              echo "Assuming to connect to an external Quobyte cluster. Client will resolve DNS for: '$ADDR'"
-            fi
-
-            /bin/nsenter -t 1 --wd=. -m -- \
-              lib/ld-linux-x86-64.so.2 \
-              --library-path ./lib \
-              /usr/bin/mount.quobyte --hostname ${NODENAME} --allow-usermapping-in-volumename \
-              --http-port 55000 -f -l /dev/stdout -d ${QUOBYTE_CLIENT_LOG_LEVEL} ${OPTS} \
-              ${ADDR}/ ${QUOBYTE_MOUNT_POINT}
+            /usr/bin/mount.quobyte --hostname ${NODENAME} \
+              --allow-usermapping-in-volumename --http-port 55000 -f \
+              -d ${QUOBYTE_CLIENT_LOG_LEVEL} -l /dev/stdout ${OPTS} \
+              ${QUOBYTE_REGISTRY}/ ${QUOBYTE_MOUNT_POINT}
         securityContext:
           privileged: true
         volumeMounts:
           - name: k8s-plugin-dir
-            mountPath: /var/lib/kubelet/plugins/
-          - name: etcfs
-            mountPath: /etcfs
+            mountPath: /mnt
+            mountPropagation: Bidirectional
         lifecycle:
           preStop:
             exec:
-              command: ["/bin/bash", "-xc", "/bin/nsenter -t 1 -m -- /bin/umount -f ${QUOBYTE_MOUNT_POINT}"]
-      hostPID: true
+              command: ["/bin/bash", "-xc", "umount -l ${QUOBYTE_MOUNT_POINT}"]
       nodeSelector:
         # operator currently supports only single selector
         quobyte_client: "true"
       volumes:
       - name: k8s-plugin-dir
         hostPath:
           path: /var/lib/kubelet/plugins/
-      - name: etcfs
-        hostPath:
-          path: /etc
