Fix handling of readonly containers when defined in kube.yaml #16682
Conversation
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: rhatdan The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
openshift-ci
bot
added
the
approved
|
LGTM |
There was a problem hiding this comment.
Code LGTM but I have a couple of comments on the system test.
@edsantiago PTAL
test/system/700-play.bats
Outdated
| run_podman pod rm -a | ||
| run_podman rm -a | ||
|
|
||
| cat $YAML |
| run_podman create --pod new:pod1 --name test1 $IMAGE touch /test | ||
| run_podman create --pod pod1 --read-only --name test2 $IMAGE touch /test | ||
| run_podman create --pod pod1 --read-only --name test3 $IMAGE touch /tmp/test | ||
| run_podman kube generate pod1 -f $YAML |
There was a problem hiding this comment.
Can we check the output to verify that read-only field is properly set?
|
|
||
| cat $YAML | ||
| run_podman kube play $YAML | ||
| run_podman inspect --format "{{.State.ExitCode}}" pod1-test1 |
There was a problem hiding this comment.
Can we also check for the read-only fields to be set for the two containers?
test/system/700-play.bats
Outdated
| run_podman inspect --format "{{.State.ExitCode}}" pod1-test2 | ||
| is "$output" "1" "File system should be read/only" | ||
| run_podman inspect --format "{{.State.ExitCode}}" pod1-test3 | ||
| is "$output" "0" "File system should be read/write" |
There was a problem hiding this comment.
I think we can squash the three inspects into one querying all containers at once.
There was a problem hiding this comment.
Or use podman wait, but I lean slightly toward the way it is: it's nice to have an exact message for what happened (although the messages could be improved).
I added run_podman logs just before this, to investigate the problem on my laptop, and see:
142d0f92a92c touch: /tmp/test: Permission denied
This causes the pod1-test3 test to fail. It's not an AVC. I am stuck.
There was a problem hiding this comment.
Different error messages, please. A pattern I like is that, when I see an error message in a failed test log, I can find exactly one and only one place where that error message appears. So like, for all three "should be" messages above, something like this please?
is ... "Root filesystem in container1 should be read/write"
is ... "Root filesystem in container2 should be read-only"
is ... "/tmp in read-only container should be read/write"
test/system/700-play.bats
Outdated
| run_podman kube generate pod1 -f $YAML | ||
|
|
||
| run_podman pod rm -a | ||
| run_podman rm -a |
There was a problem hiding this comment.
We can remove the two commands by adding --replace to kube play below.
There was a problem hiding this comment.
I just remove the stray images, to remove warnings on cleanup.
test/system/700-play.bats
Outdated
|
|
||
| run_podman kube down - < $YAML | ||
| run_podman pod rm -a | ||
| run_podman rm -a |
There was a problem hiding this comment.
The two rms shouldn't be needed after kube down.
|
/hold rootless tests failing on my f37, need to understand why |
openshift-ci
bot
added
the
do-not-merge/hold
|
Tests won't pass on my laptop. This can't merge until we figure out why. The only clue I've found is running For a read-only container, I expected to see tmpfs: $ bin/podman run --rm --read-only quay.io/libpod/testimage:20221018 mount|grep /tmp
tmpfs on /tmp type tmpfs (rw,...I need to move on from this, so good luck. Again, please do not merge until this is resolved. |
|
The READ/WRITE container will not have a tmpfs mounted on /tmp. Only the read-only ones. Fixed up the tests and added some more checks. |
rhatdan
force-pushed
the
ro
branch
2 times, most recently
from
3edc5b9 to
bd7914e
Compare
That's what I was trying to say: all the containers in the pod, on my system, have /foo/btrfs-whatever mounted on /tmp. None of the containers have a tmpfs. I believe this is incorrect. And, tests still fail with this latest push. |
test/system/700-play.bats
Outdated
| @@ -196,6 +196,32 @@ EOF | |||
| run_podman rm -a | |||
| } | |||
|
|
|||
| @test "podman kube play read-only" { | |||
| YAML=$PODMAN_TMPDIR/test.yml | |||
| run_podman create --pod new:pod1 --name test1 $IMAGE touch /test | |||
There was a problem hiding this comment.
Suggestion: touch /testrw. And on the next line, touch /testro. And on the next, touch /tmp/testtmp. In my debugging of the btrfs-not-tmpfs bug, I found that that simple change made reading the code much easier for me.
test/system/700-play.bats
Outdated
| run_podman inspect --format "{{.State.ExitCode}}" pod1-test2 | ||
| is "$output" "1" "File system should be read/only" | ||
| run_podman inspect --format "{{.State.ExitCode}}" pod1-test3 | ||
| is "$output" "0" "File system should be read/write" |
There was a problem hiding this comment.
Different error messages, please. A pattern I like is that, when I see an error message in a failed test log, I can find exactly one and only one place where that error message appears. So like, for all three "should be" messages above, something like this please?
is ... "Root filesystem in container1 should be read/write"
is ... "Root filesystem in container2 should be read-only"
is ... "/tmp in read-only container should be read/write"
|
On 1minutetip, with ext4, rootless test passes even though Same kernel as my laptop, 6.0.9-300.fc37, so that's not the difference. I don't know how to run 1mt with a btrfs root, and I'm spending way too much time on this, so back to you. |
|
I think the issue is that for some reason your container is forcing a mount on /tmp which should not be happening. If you run this command, what do you see? I see nothing. When I run with --read-only I see |
|
I'm talking in the pod. In the pod, even though the container is read-only, Anyhow, I have a 1minutetip reproducer if you want it, ping me on IRC. |
pkg/specgenutil/volumes.go
Outdated
| mnt := spec.Mount{ | ||
| Destination: dest, | ||
| Type: define.TypeTmpfs, | ||
| Source: "tmpfs", |
There was a problem hiding this comment.
OMG I think this is it. This is the bug, or maybe it's somewhere else, but I'm kind of sure this is it.
Here is what is happening, in a very brief nutshell:
$ rm -rf tmpfs ! humor me okay
$ bin/podman create --pod new:pod1 --read-only --name foo quay.io/libpod/testimage:20221018 touch /tmp/oh-hi-there
3d77b20d33a5fe8c27cd7c0051434c922d432fef2f4c320f41795ea8fa407889
$ bin/podman kube generate pod1 -f /tmp/foo.yaml
...
$ bin/podman kube play --replace /tmp/foo.yaml
...blah blah
$ ls -l tmpfs
total 0
-rw-r--r--. 1 esm esm 0 Nov 30 13:14 oh-hi-there
drwxr-xr-t. 1 esm esm 0 Nov 30 13:14 secrets/That is: podman is creating a subdirectory called "tmpfs" in the current directory. I do not think that is what is intended. I think the intention is to mount an actual tmpfs.
The reason it failed on my laptop is that I ran hack/bats, which first runs as root, creates the root-owned subdirectory tmpfs, which then the second-pass (rootless) test of course fails to write with EACCES.
There was a problem hiding this comment.
Yeah, this is it. If I change "tmpfs" to "sdfsdfsdf", recompile and run, I get a new subdirectory with that name. OK, I'm done with this. Time for a nap. My brain hurts.
There was a problem hiding this comment.
Ok that is a different bug, not related to this PR. But podman generate kube is generating a bogus mount point for tmpfs mounts.
|
Your new push fixes the "tmpfs-subdirectory" bug, thank you! Since you have to re-push anyway to fix whitespace lint, could I ask you to consider addressing my other test-usability requests please? |
test/system/700-play.bats
Outdated
| run_podman 1 container exists pod1-test2 | ||
| run_podman 1 container exists pod1-test3 | ||
|
|
||
| run_podman rmi -a |
There was a problem hiding this comment.
Eek! Could you remove this please?
| // Set enableServiceLinks to false as podman doesn't use the service port environment variables | ||
| enableServiceLinks := false |
There was a problem hiding this comment.
This is what's causing e2e test failures:
Value for field 'EnableServiceLinks' failed to satisfy matcher.
Expected
<*bool | 0x0>: nil
to equal
<*bool | 0xc0007deab0>: false
|
System tests LGTM, thank you for addressing my readability concerns. e2e tests failing, should be an easy fix. I placed a hold because of the failing tests (caused by the tmpfs-subdirectory-not-actually-tmpfs bug, which you've fixed). Removing it. /hold cancel |
openshift-ci
bot
removed
the
do-not-merge/hold
The containers should be able to write to tmpfs mounted directories. Also cleanup output of podman kube generate to not show default values. Signed-off-by: Daniel J Walsh <[email protected]>
github-actions
bot
added
the
locked - please file new issue/PR
The containers should be able to write to tmpfs mounted directories.
Signed-off-by: Daniel J Walsh [email protected]
Does this PR introduce a user-facing change?