Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

volumes: Implement subpath mount #45687

Merged
merged 12 commits into from
Jan 19, 2024
Merged

volumes: Implement subpath mount #45687

merged 12 commits into from
Jan 19, 2024

Conversation

vvoland
Copy link
Contributor

@vvoland vvoland commented Jun 2, 2023
edited
Loading

- What I did
Make it possible to mount subdirectory of a named volume.

- How I did it

VolumeOptions now has a Subpath field which allows to specify a path relative to the volume that should be mounted as a destination.

Symlinks are supported, but they cannot escape the base volume directory.
A protection against the Time-of-check to Time-of-use is implemented for Linux and Windows to make it not possible to replace the mount source with a symlink that escapes the volume directory.

On Linux, all subpath components are opened with openat, relative to the base volume directory and checked against the volume escape. The final file descriptor is mounted from the /proc/self/fd/ to a temporary mount point owned by the daemon and then passed to the underlying container runtime. Temporary mountpoint is removed after the container is started.

On Windows, all components of the path are locked before the check, and released once the path is already mounted.

- How to verify it
TestRunMountVolumeSubdir integration test

- Description for the changelog
Add Subpath field to the VolumeOptions making it possible to mount a subpath of a volume.

- A picture of a cute animal (not mandatory but encouraged)
image

@vvoland vvoland added area/api kind/feature Functionality or other elements that the project doesn't currently have. Features are new and shiny impact/changelog area/volumes labels Jun 2, 2023
@vvoland vvoland added this to the 25.0.0 milestone Jun 2, 2023
@vvoland vvoland force-pushed the volume-mount-subpath branch 6 times, most recently from 162300a to e346dc5 Compare June 2, 2023 13:54
vvoland
vvoland commented Jun 2, 2023
View reviewed changes
volume/mounts/mounts.go Outdated Show resolved Hide resolved
@vvoland vvoland force-pushed the volume-mount-subpath branch 2 times, most recently from 0176b5a to 1765550 Compare June 2, 2023 15:48
@vvoland vvoland mentioned this pull request Jun 2, 2023
Merged
@vvoland vvoland force-pushed the volume-mount-subpath branch 14 times, most recently from b301fa1 to ac302cb Compare June 7, 2023 15:57
@vvoland
daemon/populateVolumes: Support volume subpath
cb1af22 
Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
@vvoland
volumes/subpath: Plumb context
5bbcc41 
Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
@vvoland vvoland force-pushed the volume-mount-subpath branch from 26ea50b to 5bbcc41 Compare January 19, 2024 16:32
@vvoland vvoland marked this pull request as ready for review January 19, 2024 17:27
thaJeztah
thaJeztah approved these changes Jan 19, 2024
View reviewed changes
Copy link
Member

@thaJeztah thaJeztah left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM - let's get this one in 🎉

@thaJeztah thaJeztah merged commit 31ccdbb into moby:master Jan 19, 2024
126 checks passed
@Johnny-Knighten Johnny-Knighten mentioned this pull request Jan 31, 2024
Closed
This was referenced Mar 11, 2024
Merged
Closed
@felipecrs felipecrs mentioned this pull request Mar 20, 2024
Open
This was referenced Apr 6, 2024
Closed
Closed
@jocafi jocafi mentioned this pull request Apr 6, 2024
Closed
@zmweske
Copy link

zmweske commented Apr 19, 2024
edited
Loading

is the long syntax required or would it be possible to utilize short syntax? It currently seems to only work with long syntax but it would make sense to me that if a named volume exists with a subpath, it should work. If a named volume doesn't exist, it will look for folders in ./

See: https://docs.docker.com/compose/compose-file/05-services/#volumes

services:
  example:
    image: example:latest
    volumes:
      - named-volume/subpath:/internal/dir:rw  # would utilize a named volume that exists in the compose file already
      - local-dir/subpath:/internal/dir:rw  # would use a local dir as no named volume exists
      - ./local-dir2/subpath:/internal/dir2:rw  # functionally the same as above
...
volumes:
  named-volume:
    driver_opts:
      type: cifs
      o: "uid=1000,username=username,password=${CIFS_PWD},iocharset=utf8,noperm,nobrl,vers=3.0"
      device: "//192.168.10.10/example/storage"

Thoughts?

@neersighted
Copy link
Member

This is the wrong issue to discuss Compose's implementation. That being said, we're deliberately avoiding short/ambiguous formats (e.g. the implicit behavior you describe) for new features like this, for (hopefully obvious) reasons of explicit being better than implicit.

Less typing sounds nice, until it leads to a bevy of issue reports, wasted hours debugging, or (in the worst case) security issues.

Please open a discussion on https://github.com/compose-spec/compose-spec for questions, or open an issue if you have a concrete proposal/change to suggest.

@thaJeztah
Copy link
Member

Yeah, I don't think we want to overload the short-form syntax more. Also not sure if such a format should be defined by the compose-spec first (as there's an expectation for the short-form format to be the same as is used for -v short-form).

@pauliuspetk pauliuspetk mentioned this pull request Apr 25, 2024
Open
@dazinator dazinator mentioned this pull request May 17, 2024
Open
@Khushiyant Khushiyant mentioned this pull request Jun 10, 2024
Open
@kieraneglin kieraneglin mentioned this pull request Aug 3, 2024
Closed
@thaJeztah thaJeztah mentioned this pull request Aug 12, 2024
Merged
@stivyw stivyw mentioned this pull request Aug 21, 2024
Open
@Khushiyant Khushiyant mentioned this pull request Sep 17, 2024
Open
thaJeztah added a commit to thaJeztah/docker that referenced this pull request Oct 27, 2024
@thaJeztah
internal/safepath: Join(): remove workaround for ECI / nestybox
5b362f2 
This workaround was added in 9a0cde6 to
work around an issue on Docker Desktop with ECI (Enhanced Container Isolation)
enabled, which uses the Sysbox runtime under the hood.

A comment was added during review of the PR that added it (see [1]), and the
internal discussion on Slack tracked down the issue to code in [nestybox/sysfs].

That issue was resolved Sysbox EE, and upstreamed to Sysbox CE through
[nestybox/sysbox-fs@9cf74e4], which is part of Sysbox CE v0.6.3, so we
can remove this workaround.

[1]: moby#45687 (comment)
[nestybox/sysfs]: https://github.com/nestybox/sysbox-fs/blob/30fd49edbd51048fed8b2ad0af327598d30b29eb/process/process.go#L644-L684
[nestybox/sysbox-fs@9cf74e4]: nestybox/sysbox-fs@9cf74e4

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
thaJeztah added a commit to thaJeztah/docker that referenced this pull request Oct 27, 2024
@thaJeztah
internal/safepath: Join(): remove workaround for ECI / Sysbox
0a3a207 
This workaround was added in 9a0cde6 to
work around an issue on Docker Desktop with ECI (Enhanced Container Isolation)
enabled, which uses the Sysbox runtime under the hood.

A comment was added during review of the PR that added it (see [1]), and the
internal discussion on Slack tracked down the issue to code in [nestybox/sysfs].

That issue was resolved Sysbox EE, and upstreamed to Sysbox CE through
[nestybox/sysbox-fs@9cf74e4], which is part of Sysbox CE v0.6.3, so we
can remove this workaround.

[1]: moby#45687 (comment)
[nestybox/sysfs]: https://github.com/nestybox/sysbox-fs/blob/30fd49edbd51048fed8b2ad0af327598d30b29eb/process/process.go#L644-L684
[nestybox/sysbox-fs@9cf74e4]: nestybox/sysbox-fs@9cf74e4

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
thaJeztah added a commit to thaJeztah/docker that referenced this pull request Oct 27, 2024
@thaJeztah
internal/safepath: Join(): remove workaround for ECI / Sysbox
75e8f57 
This workaround was added in 9a0cde6 to
work around an issue on Docker Desktop with ECI (Enhanced Container Isolation)
enabled, which uses the Sysbox runtime under the hood.

A comment was added during review of the PR that added it (see [1]), and the
internal discussion on Slack tracked down the issue to code in [nestybox/sysfs].

That issue was resolved Sysbox EE, and upstreamed to Sysbox CE through
[nestybox/sysbox-fs@9cf74e4], which is part of Sysbox CE v0.6.3, so we
can remove this workaround.

[1]: moby#45687 (comment)
[nestybox/sysfs]: https://github.com/nestybox/sysbox-fs/blob/30fd49edbd51048fed8b2ad0af327598d30b29eb/process/process.go#L644-L684
[nestybox/sysbox-fs@9cf74e4]: nestybox/sysbox-fs@9cf74e4

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This was referenced Oct 27, 2024
Merged
Open
CharityKathure pushed a commit to CharityKathure/moby that referenced this pull request Nov 6, 2024
@thaJeztah
internal/safepath: Join(): remove workaround for ECI / Sysbox
9bffa23 
This workaround was added in 9a0cde6 to
work around an issue on Docker Desktop with ECI (Enhanced Container Isolation)
enabled, which uses the Sysbox runtime under the hood.

A comment was added during review of the PR that added it (see [1]), and the
internal discussion on Slack tracked down the issue to code in [nestybox/sysfs].

That issue was resolved Sysbox EE, and upstreamed to Sysbox CE through
[nestybox/sysbox-fs@9cf74e4], which is part of Sysbox CE v0.6.3, so we
can remove this workaround.

[1]: moby#45687 (comment)
[nestybox/sysfs]: https://github.com/nestybox/sysbox-fs/blob/30fd49edbd51048fed8b2ad0af327598d30b29eb/process/process.go#L644-L684
[nestybox/sysbox-fs@9cf74e4]: nestybox/sysbox-fs@9cf74e4

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
maggie44 pushed a commit to maggie44/moby that referenced this pull request Dec 8, 2024
@thaJeztah @maggie44
internal/safepath: Join(): remove workaround for ECI / Sysbox
552167d 
This workaround was added in 9a0cde6 to
work around an issue on Docker Desktop with ECI (Enhanced Container Isolation)
enabled, which uses the Sysbox runtime under the hood.

A comment was added during review of the PR that added it (see [1]), and the
internal discussion on Slack tracked down the issue to code in [nestybox/sysfs].

That issue was resolved Sysbox EE, and upstreamed to Sysbox CE through
[nestybox/sysbox-fs@9cf74e4], which is part of Sysbox CE v0.6.3, so we
can remove this workaround.

[1]: moby#45687 (comment)
[nestybox/sysfs]: https://github.com/nestybox/sysbox-fs/blob/30fd49edbd51048fed8b2ad0af327598d30b29eb/process/process.go#L644-L684
[nestybox/sysbox-fs@9cf74e4]: nestybox/sysbox-fs@9cf74e4

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@neersighted neersighted neersighted approved these changes

@thaJeztah thaJeztah thaJeztah approved these changes

@cpuguy83 cpuguy83 cpuguy83 approved these changes

@corhere corhere corhere approved these changes

@rumpl rumpl rumpl approved these changes

@akerouanton akerouanton Awaiting requested review from akerouanton

@laurazard laurazard Awaiting requested review from laurazard

Assignees

@vvoland vvoland

Labels
area/api area/volumes impact/changelog kind/feature Functionality or other elements that the project doesn't currently have. Features are new and shiny status/1-design-review
Projects
None yet
Milestone
26.0.0
Development

Successfully merging this pull request may close these issues.

[feature] Allow mounting sub-directories of named volumes
9 participants
@vvoland @thaJeztah @cpuguy83 @nathancahill @zmweske @neersighted @rumpl @corhere @laurazard