Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

OCPNODE-2213: Add support for Recursive Read-only (RRO) mounts #7962

Merged
merged 5 commits into from
Apr 16, 2024
Merged

OCPNODE-2213: Add support for Recursive Read-only (RRO) mounts #7962

merged 5 commits into from
Apr 16, 2024

Conversation

kwilczynski
Copy link
Member

@kwilczynski kwilczynski commented Apr 4, 2024
edited
Loading

What type of PR is this?

/kind feature

What this PR does / why we need it:

Currently, the read-only option set for the host mounts does not correctly propagate recursively from the top level of the given mount point. As such, any sub-mounts that happen to be part of the tree would retain their current options, and should it be a read/write type mount, then it could be modified without any restriction. This is often both unexpected and undesirable.

Thus, add support for so-called Recursive Read-only (RRO) mounts. This allows a mount point to propagate the read-only option through the tree, marking the entire mount point read-only.

Support for the RRO mounts has already been available in the runtimes, such as crun and runc, for some time now.

Note

Support of the Recursive Read-only (RRO) mounts requires:

  • For Linux, kernel version 5.12
  • Kubernetes v1.30🔹
  • cri-tools v1.30
  • crun v1.4
  • runc v1.1

🔹⚠️ Feature gate called RecursiveReadOnlyMounts needs to be enabled given the Alpha status of the feature.

Related to:

Which issue(s) this PR fixes:

A temporary workaround:

Special notes for your reviewer:

None

Does this PR introduce a user-facing change?

Add support for the Recursive Read-only (RRO) mounts following runtimes and kernel support to enable read-only mounts to be recursively read-only.

@kwilczynski kwilczynski requested a review from mrunalp as a code owner April 4, 2024 18:19
@openshift-ci openshift-ci bot added release-note Denotes a PR that will be considered when it comes time to generate release notes. dco-signoff: yes Indicates the PR's author has DCO signed all their commits. kind/feature Categorizes issue or PR as related to a new feature. labels Apr 4, 2024
@kwilczynski
Copy link
Member Author

/assign kwilczynski

@openshift-ci openshift-ci bot requested review from hasan4791 and klihub April 4, 2024 18:20
@kwilczynski kwilczynski changed the title Add support for Recursive Read-only (RRO) mounts [WIP] Add support for Recursive Read-only (RRO) mounts Apr 4, 2024
@openshift-ci openshift-ci bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Apr 4, 2024
@kwilczynski kwilczynski changed the title [WIP] Add support for Recursive Read-only (RRO) mounts [WIP] OCPNODE-2213: Add support for Recursive Read-only (RRO) mounts Apr 5, 2024
@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Apr 5, 2024
@openshift-ci-robot
Copy link

@kwilczynski: This pull request references OCPNODE-2213 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.16.0" version, but no target version was set.

In response to this:

What type of PR is this?

/kind feature

What this PR does / why we need it:

TBA

Which issue(s) this PR fixes:

None

Related to:

Special notes for your reviewer:

None

Does this PR introduce a user-facing change?

Add support for the Recursive Read-only (RRO) mounts following runtimes and kernel support to enable read-only mounts to be recursively read-only.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@kwilczynski kwilczynski force-pushed the feature/add-support-for-rro-mounts branch 9 times, most recently from d3cb4b4 to 2a601c0 Compare April 6, 2024 09:00
@codecov Codecov
Copy link

codecov bot commented Apr 6, 2024
edited
Loading

Codecov Report

Merging #7962 (324f0be) into main (e96fd09) will increase coverage by 0.54%.
Report is 18 commits behind head on main.
The diff coverage is 37.09%.

Additional details and impacted files 
@@            Coverage Diff             @@
##             main    #7962      +/-   ##
==========================================
+ Coverage   49.17%   49.71%   +0.54%     
==========================================
  Files         152      153       +1     
  Lines       16496    16704     +208     
==========================================
+ Hits         8112     8305     +193     
+ Misses       7394     7372      -22     
- Partials      990     1027      +37

@kwilczynski
Copy link
Member Author

/retest-required

@kwilczynski kwilczynski force-pushed the feature/add-support-for-rro-mounts branch from 2a601c0 to 324f0be Compare April 6, 2024 15:12
@kwilczynski kwilczynski force-pushed the feature/add-support-for-rro-mounts branch from a83f3aa to ed947be Compare April 15, 2024 23:42
@kwilczynski
Add support for Recursive Read-only (RRO) mounts
39be41e 
Signed-off-by: Krzysztof Wilczyński <kwilczynski@redhat.com>
@kwilczynski
Add test helpers to check for kernel and crictl versions
1234e86 
Signed-off-by: Krzysztof Wilczyński <kwilczynski@redhat.com>
@kwilczynski
Add test helpers to check for current SELinux status and mode
9331b86 
Signed-off-by: Krzysztof Wilczyński <kwilczynski@redhat.com>
@kwilczynski
Move to use new SELinux test helpers over the opencoded checks
0302c41 
Signed-off-by: Krzysztof Wilczyński <kwilczynski@redhat.com>
@kwilczynski kwilczynski force-pushed the feature/add-support-for-rro-mounts branch from ed947be to 0302c41 Compare April 15, 2024 23:53
@kwilczynski
Copy link
Member Author

/retest

@kwilczynski
Copy link
Member Author

@cri-o/cri-o-maintainers, please have a look again. Thank you!

@kwilczynski
Copy link
Member Author

/test e2e-gcp-ovn

sohankunkerkar
sohankunkerkar approved these changes Apr 16, 2024
View reviewed changes
Copy link
Member

@sohankunkerkar sohankunkerkar left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm

test/ctr.bats Outdated Show resolved Hide resolved
@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Apr 16, 2024
@openshift-ci OpenShift CI
Copy link
Contributor

openshift-ci bot commented Apr 16, 2024

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: haircommander, kwilczynski, sohankunkerkar

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci bot removed the lgtm Indicates that a PR is ready to be merged. label Apr 16, 2024
@kwilczynski
Move test volume creation to a local helper function
8cffb65 
Signed-off-by: Krzysztof Wilczyński <kwilczynski@redhat.com>
@kwilczynski kwilczynski force-pushed the feature/add-support-for-rro-mounts branch from 105a81d to 8cffb65 Compare April 16, 2024 15:44
@sohankunkerkar
Copy link
Member

/lgtm

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Apr 16, 2024
@sohankunkerkar
Copy link
Member

/retest

1 similar comment
@kwilczynski
Copy link
Member Author

/retest

@openshift-merge-bot openshift-merge-bot bot merged commit df0b6be into cri-o:main Apr 16, 2024
71 checks passed
@kwilczynski kwilczynski deleted the feature/add-support-for-rro-mounts branch April 16, 2024 21:06
@kwilczynski
Copy link
Member Author

/cherry-pick release-1.29

@openshift-cherrypick-robot
Copy link

@kwilczynski: #7962 failed to apply on top of branch "release-1.29":

Applying: Add support for Recursive Read-only (RRO) mounts
Using index info to reconstruct a base tree...
M	contrib/test/ci/vars.yml
M	internal/oci/oci.go
M	pkg/config/config.go
M	pkg/config/config_freebsd.go
M	pkg/config/config_linux.go
M	pkg/config/config_test.go
M	server/container_create_linux.go
M	server/container_create_linux_test.go
M	server/container_restore.go
M	server/runtime_status.go
M	test/ctr.bats
Falling back to patching base and 3-way merge...
Auto-merging test/ctr.bats
Auto-merging server/runtime_status.go
CONFLICT (content): Merge conflict in server/runtime_status.go
Auto-merging server/container_restore.go
Auto-merging server/container_create_linux_test.go
Auto-merging server/container_create_linux.go
Auto-merging pkg/config/config_test.go
Auto-merging pkg/config/config_linux.go
CONFLICT (content): Merge conflict in pkg/config/config_linux.go
Auto-merging pkg/config/config_freebsd.go
CONFLICT (content): Merge conflict in pkg/config/config_freebsd.go
Auto-merging pkg/config/config.go
CONFLICT (content): Merge conflict in pkg/config/config.go
Auto-merging internal/oci/oci.go
Auto-merging contrib/test/ci/vars.yml
error: Failed to merge in the changes.
hint: Use 'git am --show-current-patch=diff' to see the failed patch
Patch failed at 0001 Add support for Recursive Read-only (RRO) mounts
When you have resolved this problem, run "git am --continue".
If you prefer to skip this patch, run "git am --skip" instead.
To restore the original branch and stop patching, run "git am --abort".

In response to this:

/cherry-pick release-1.29

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@kwilczynski
Copy link
Member Author

OK. Requires manual cherry-pick.

@saschagrunert
Copy link
Member

OK. Requires manual cherry-pick.

No need to cherry-pick this one as discussed.

@kwilczynski
Copy link
Member Author

OK. Requires manual cherry-pick.

No need to cherry-pick this one as discussed.

To add more background here:

I initially thought we would need to backport this to 1.29, to support older Kubernetes and, as such, OpenShift. Thinking that we were missing some crucial functionality; however, this feature, as I remembered later, is only made available as Alpha in Kubernetes 1.30. Thus, there is no point in having any backports.

This was referenced May 28, 2024
Merged
Merged
@AkihiroSuda AkihiroSuda mentioned this pull request Nov 1, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@sohankunkerkar sohankunkerkar sohankunkerkar approved these changes

@haircommander haircommander haircommander left review comments

@kolyshkin kolyshkin kolyshkin left review comments

@littlejawa littlejawa littlejawa left review comments

@saschagrunert saschagrunert saschagrunert left review comments

@mrunalp mrunalp Awaiting requested review from mrunalp mrunalp is a code owner

@hasan4791 hasan4791 Awaiting requested review from hasan4791

@klihub klihub Awaiting requested review from klihub

Assignees

@kwilczynski kwilczynski

@sohankunkerkar sohankunkerkar

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. dco-signoff: yes Indicates the PR's author has DCO signed all their commits. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. kind/feature Categorizes issue or PR as related to a new feature. lgtm Indicates that a PR is ready to be merged. release-note Denotes a PR that will be considered when it comes time to generate release notes.
Projects
None yet
Milestone
1.30
Development

Successfully merging this pull request may close these issues.
9 participants
@kwilczynski @openshift-ci-robot @haircommander @sohankunkerkar @openshift-cherrypick-robot @saschagrunert @littlejawa @kolyshkin @openshift-merge-robot