Add podman volume mount support

[rhatdan]

Fixes: #12768

Signed-off-by: Daniel J Walsh [email protected]

[edsantiago]

Nice new feature. Some suggestions for the tests.

[edsantiago]

inconsistent indentation; mix of tabs and spaces. Also, s/exists/exist/

[rhatdan]

Added a small test for rootless.

[edsantiago]

Test doesn't really do anything when rootless. Why not just skip_if_rootless?

[edsantiago]

oh, and linter is unhappy

pkg/domain/infra/abi/volumes.go:182:1: receiver name ir should be consistent with previous receiver name ic for ContainerEngine (golint)
func (ir *ContainerEngine) VolumeMount(ctx context.Context, nameOrIDs []string) ([]*entities.ContainerMountReport, error) {
^
pkg/domain/infra/abi/volumes.go:198:1: receiver name ir should be consistent with previous receiver name ic for ContainerEngine (golint)
func (ir *ContainerEngine) VolumeUnmount(ctx context.Context, nameOrIDs []string) ([]*entities.ContainerUnmountReport, error) {
^
pkg/domain/infra/abi/auto-update.go:10:28: ST1016: methods on the same type should have the same receiver name (seen 2x "ir", 97x "ic") (stylecheck)
func (ic *ContainerEngine) AutoUpdate(ctx context.Context, options entities.AutoUpdateOptions) ([]*entities.AutoUpdateReport, []error) {
                           ^
make: *** [Makefile:251: golangci-lint] Error 1

[mheon]

Need to v.lock.Lock(); defer v.lock.Unlock() here and Unmount

[mheon]

Thinking about this a bit more - v.config.MountPoint may not be populated until v.mount() runs (I think this is mostly a volume plugins thing), so it's safer to do err := v.mount(); return v.config.MountPoint, err

[mheon]

If you do a podman run using a volume, then do a podman volume unmount on it when the container is running - does that break anything? Want to make sure we don't need to add extra checks around that.

[rhatdan]

Since it is in a different mount namespace the unmount will not effect the running container.

Tested this out with a tmpfs container.

[mheon]

That isn't true? The volume mounts are made before the container is created, and then we bind-mount the mountpoint into the container - so there is no difference between a container requesting an unmount, and a user requesting an unmount, save for the fact that the container is still potentially running. I'm worried that we'll still set the mount counter to 0 if the unmount fails because the volume is in use, which would result in the volume being considered unmounted when it is still mounted.

[rhatdan]

What I see is the mount point in the podman unshare aria shows the tmpfs is no longer mounted, but if I exec into the container I see the tmpfs is still mounted and the data I created on it it is still available. This is because in the containers mount namespace the file system is still mounted.
If I run another container on the volume, I will see different content because the tmpfs will get mounted again.

[edsantiago]

@mheon from my testing, podman volume unmount is a NOP. Actually, volume mount is, too, all it does is display a path to an existing volume. It does not seem to increment refcnt. podman is perfectly happy to volume rm while I still "have" the volume "mounted":

$ sudo bin/podman volume mount myvolume
/var/lib/containers/storage/volumes/myvolume/_data
$ sudo touch files in there, etc etc
$ sudo bin/podman volume rm myvolume
myvolume
$ sudo ls /var/lib/containers/storage/volumes/myvolume
ls: cannot access '/var/lib/containers/storage/volumes/myvolume': No such file or directory

[mheon]

@edsantiago Did you make the volume with options that would require a mount take place - e.g. podman volume create --opt type=tmpfs --opt device=tmpfs myvolume or similar (options may not work perfectly, I'm going off memory here)?

[edsantiago]

Uh, no, it was just a plain simple volume create. I was just surprised that podman pulled the rug out from under me while I thought I had the volume "mounted". Not a big deal though.

[mheon]

Ah - yeah, it's a short-circuit operation unless the volume actually needs a mount. Should probably make that clear in the manpages.

It should always be safe to invoke mount and unmount, even on volumes that don't require a mount, to be clear; it's just that some volumes don't require them, and others do. I think the recommended workflow after the patches would always involve using them.

[rhatdan]

I think the bind mount happens after the tmpfs mount which causes the tmpfs mount to leak into the mount namespace.
Bottom line I did the following

$ podman unshare
# ./bin/podman volume create --opt device=tmpfs --opt type=tmpfs --opt o=uid=1000,gid=1000 testvol
# ./bin/podman run -d -v testvol:/vol:Z fedora sleep 1000
52fee416c7a0ac40f085654f4564693d4b5ffc181ec48c174e272378f0283fab
# mount | grep _data
tmpfs on /home/dwalsh/.local/share/containers/storage/volumes/testvol/_data type tmpfs (rw,relatime,seclabel,uid=100999,gid=100999,inode64)
# ./bin/podman exec -l touch /vol/dan
# ./bin/podman volume unmount testvol
testvol
# mount | grep _data
# ./bin/podman exec -l ls /vol
dan

[cdoern]

Do we want to use ContainerMountReport or should we make a new type for VolumeMount for consistency?

[cdoern]

Same as above, type consistency.

[rhatdan]

@containers/podman-maintainers PTAL

[giuseppe]

LGTM

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: edsantiago, giuseppe, rhatdan

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [edsantiago,giuseppe,rhatdan]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[vrothberg]

/lgtm