Hi @dixudx. Thanks for your PR.

I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with @k8s-bot ok to test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

/assign @thockin

@dixudx Please divide this PR into two commits, one for your code changes and one commit for auto-generated stuff

@k8s-bot ok to test

Thanks for your pull request. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

📝 Please follow instructions at https://github.com/kubernetes/kubernetes/wiki/CLA-FAQ to sign the CLA.

It may take a couple minutes for the CLA signature to be fully registered; after that, please reply here with a new comment and we'll verify. Thanks.

• If you've already signed a CLA, it's possible we don't have your GitHub username or you're using a different email address. Check your existing CLA data and verify that your email is set on your git commits.
• If you signed the CLA as a corporation, please sign in with your organization's credentials at https://identity.linuxfoundation.org/projects/cncf to be authorized.

I0530 10:18:39.594] ================================================================================
I0530 10:18:39.594] ==================== Test output for //pkg/volume/host_path:go_default_test:
I0530 10:18:39.594] --- FAIL: TestPlugin (0.00s)
I0530 10:18:39.594] host_path_test.go:200: Failed to make a new Mounter: mkdir /vol1: read-only file system
I0530 10:18:39.595] host_path_test.go:203: Got a nil Mounter
I0530 10:18:39.595] panic: runtime error: invalid memory address or nil pointer dereference [recovered]
I0530 10:18:39.595] panic: runtime error: invalid memory address or nil pointer dereference

For this failed test, I think we may have to change the code to take this kind of read-only file system into consideration. Any comments on this ?

@thockin @dixudx any chance you want to implement 'new-file' while you're at it? That's what we'd need for the kube-proxy/kubelet iptables stuff. Obviously that wasn't a fully accepted part of the proposal, but...

What release is this PR targeted for? I assume it's not v1.7?

How did this went in without /sig storage or @kubernetes/sig-storage-pr-reviews? The way it hardcodes nsenter usage is wrong, there already is util/mount/nsenter_mount.go and there should be some base nsenter wrapper that is common for both. Will every component that needs nsenter add its own wrapper?

there should be some base nsenter wrapper that is common for both. Will every component that needs nsenter add its own wrapper?

@jsafrane I would like to do the refraction. Shall we define some proto first or open a new issue for tracking and discussion.

Hey @dixudx, is it possible that this merge caused kubernetes/kubeadm#412? The kubeadm e2e master tests broke, and this commit seems a likely candidate for what could have caused it.

@pipejakob Hopefully #50063 will fix it
Seems likely that it is this PR

However, I'd be worried if it broke kubeadm; as then it will probably break many others.
This change was supposed to be backwards-compatible (I think), but it doesn't seem so right now...

I can confirm: I checked out upstream/master and reverted all 5 commits from this PR locally and rebuilt, and it fixed the kubeadm failures I was seeing. I don't know if #50063 will also fix things, but as @luxas mentioned, this change may have had unintended consequences if it was supposed to be completely backwards-compatible.

This change was supposed to be backwards-compatible (I think), but it doesn't seem so right now...

@luxas @pipejakob Yes. The type has been set default to HostPathUnset. We are not going to check this kind of type.

I am wondering how this happens. I did not find any direct related logs about HostPath Type.

Confirming that this change broke kubeadm-dind-cluster apparently because it broke kubeadm.

@ivan4th Not sure what happened really; as kubeadm tests went back to green some hours after although no relevant PRs merged as far as I could see https://k8s-testgrid.appspot.com/sig-cluster-lifecycle#kubeadm-gce

@ivan4th Could you please let us know more details about the failure you're seeing in kubernetes/kubeadm#412 and we can sync there if this one is actually unrelated (just happened to merge at that time)?

@luxas: ok, here's correction: k-d-c adds hostPath mounts, and apparently that's what broke (will do more checks). I'll fix it but the problem is that the new requirements for hostPath will break a lot of k8s deployment tools and apps.

Was the issue the nsenter change when running kubelet in a container?

new requirements for hostPath will break a lot of k8s deployment tools and apps

HostPath type is optional. @luxas and I have met such problems when pull-kubernetes-e2e-kops-aws failed for the first time. We introduced HostPathUnset (an empty string, which is the default value) for backwards compatible. I don't understand what you mean on breaking the deployments.

Also @luxas has verified manually that it works for v1.7 clusters as well, with HostPath.Type written down unconditionally with current code (to static Pod manifests).

@luxas @dixudx sorry for bothering you, apparently it was red herring, the problem was due to other changes in kubeadm that I failed to follow, will recheck.

I'm a bit late to the party but it seems at some point during the review of this PR the ability to specify "the path must exist but I don't care about its file type" was lost.
The ability to do this was specified in the original proposal #34058 under the name exists.

As per #61460, it seems the container runtime should error out if the source path doesn't exist, but that's not the behavior of docker (see moby/moby#13121 for the rest of the fun)

Is there a way to mount whatever is specified in the source path of the volume, but error out if there's nothing in the current version of kubernetes? If not, should I file a new issue or continue discussion here?

@jraby the proposal is just an initial sketch of the idea. In particular, during implementation/review the "exists" case got consciously dropped in favor of more precise path-types, see #46597 (comment).

Thanks @lucab , I read most of the comments yesterday, but somehow missed that one.

While I agree that specifying the exact file type when it is known in advance makes most sense, the default behavior of creating a root:root directory in the source path when it doesn't exists is counter productive in many cases (especially when running containers as non-root).
Having the possibility to have the pod fail fast would be very useful in such cases.