From 628d55bf4c11d590013ffa913ceaeb0574d1ff23 Mon Sep 17 00:00:00 2001
From: "fupan.lfp"
Date: Fri, 16 Apr 2021 17:08:59 +0800
Subject: [PATCH] kata-agent: fix the issue of fsGroup missing

For k8s emptyDir volume, a specific fsGroup would be set for it, thus runtime should pass this fsGroup for EphemeralStorage to guest and set it properly on the emptyDir volume in guest.

Fixes: #1580
Signed-off-by: fupan.lfp
---
 src/runtime/virtcontainers/kata_agent.go | 28 +++++++++++++++++--
 src/runtime/virtcontainers/kata_agent_test.go | 9 ++++--
 2 files changed, 32 insertions(+), 5 deletions(-)

diff --git a/src/runtime/virtcontainers/kata_agent.go b/src/runtime/virtcontainers/kata_agent.go
index a02cb85f15..9e845f2e2c 100644
--- a/src/runtime/virtcontainers/kata_agent.go
+++ b/src/runtime/virtcontainers/kata_agent.go
@@ -1319,7 +1319,11 @@ func (k *kataAgent) createContainer(ctx context.Context, sandbox *Sandbox, c *Co
 k.handleShm(ociSpec.Mounts, sandbox)
- epheStorages := k.handleEphemeralStorage(ociSpec.Mounts)
+ epheStorages, err := k.handleEphemeralStorage(ociSpec.Mounts)
+ if err != nil {
+ return nil, err
+ }
+
 ctrStorages = append(ctrStorages, epheStorages...)
 localStorages, err := k.handleLocalStorage(ociSpec.Mounts, sandbox.id, c.rootfsSuffix)
@@ -1400,10 +1404,27 @@ func buildProcessFromExecID(token string) (*Process, error) {
 // handleEphemeralStorage handles ephemeral storages by
 // creating a Storage from corresponding source of the mount point
-func (k *kataAgent) handleEphemeralStorage(mounts []specs.Mount) []*grpc.Storage {
+func (k *kataAgent) handleEphemeralStorage(mounts []specs.Mount) ([]*grpc.Storage, error) {
 var epheStorages []*grpc.Storage
 for idx, mnt := range mounts {
 if mnt.Type == KataEphemeralDevType {
+ origin_src := mounts[idx].Source
+ stat := syscall.Stat_t{}
+ err := syscall.Stat(origin_src, &stat)
+ if err != nil {
+ k.Logger().WithError(err).Errorf("failed to stat %s", origin_src)
+ return nil, err
+ }
+
+ var dir_options []string
+
+ // if volume's gid isn't root group(default group), this means there's
+ // an specific fsGroup is set on this local volume, then it should pass
+ // to guest.
+ if stat.Gid != 0 {
+ dir_options = append(dir_options, fmt.Sprintf("%s=%d", fsGid, stat.Gid))
+ }
+
+ // Set the mount source path to a path that resides inside the VM
 mounts[idx].Source = filepath.Join(ephemeralPath(), filepath.Base(mnt.Source))
 // Set the mount type to "bind"
@@ -1416,11 +1437,12 @@ func (k *kataAgent) handleEphemeralStorage(mounts []specs.Mount) []*grpc.Storage
 Source: "tmpfs",
 Fstype: "tmpfs",
 MountPoint: mounts[idx].Source,
+ Options: dir_options,
 }
 epheStorages = append(epheStorages, epheStorage)
 }
 }
- return epheStorages
+ return epheStorages, nil
 }
 // handleLocalStorage handles local storage within the VM
diff --git a/src/runtime/virtcontainers/kata_agent_test.go b/src/runtime/virtcontainers/kata_agent_test.go
index b216d5aef6..adf608af48 100644
--- a/src/runtime/virtcontainers/kata_agent_test.go
+++ b/src/runtime/virtcontainers/kata_agent_test.go
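Review bot: `Options: dir_options` carries only the numeric gid of the host emptyDir into the guest tmpfs, while the permission bits the kubelet applies together with an fsGroup (group rwx and the setgid bit on the volume root) are dropped even though `stat.Mode` is already populated by the `syscall.Stat` in the preceding hunk; whether files a non-root container creates inside the volume end up group-accessible therefore depends entirely on how the agent interprets the `fsGid` option, which is not visible here. If the agent only chowns the mount point, consider also forwarding `stat.Mode & 07777` as a second option entry once the agent has a matching key, and add a short comment next to `Options: dir_options` stating which attributes the guest is expected to apply — confirm this against the agent side before relying on it. Separately, `dir_options` and `origin_src` should be MixedCaps (`dirOptions`, `originSrc`) per Go naming convention. handleEphemeralStorage starts in the preceding hunk; only its tail is shown here.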
@@ -184,6 +184,7 @@ func TestHandleEphemeralStorage(t *testing.T) {
 k := kataAgent{}
 var ociMounts []specs.Mount
 mountSource := "/tmp/mountPoint"
+ os.Mkdir(mountSource, 0755)
 mount := specs.Mount{
 Type: KataEphemeralDevType,
@@ -191,7 +192,8 @@ func TestHandleEphemeralStorage(t *testing.T) {
 }
 ociMounts = append(ociMounts, mount)
- epheStorages := k.handleEphemeralStorage(ociMounts)
+ epheStorages, err := k.handleEphemeralStorage(ociMounts)
+ assert.Nil(t, err)
 epheMountPoint := epheStorages[0].MountPoint
 expected := filepath.Join(ephemeralPath(), filepath.Base(mountSource))
@@ -664,6 +666,7 @@ func TestHandleShm(t *testing.T) {
 // shared with the sandbox shm.
 ociMounts[0].Type = KataEphemeralDevType
 mountSource := "/tmp/mountPoint"
+ os.Mkdir(mountSource, 0755)
 ociMounts[0].Source = mountSource
 k.handleShm(ociMounts, sandbox)
@@ -671,7 +674,9 @@ func TestHandleShm(t *testing.T) {
 assert.Equal(ociMounts[0].Type, KataEphemeralDevType)
 assert.NotEmpty(ociMounts[0].Source, mountSource)
- epheStorages := k.handleEphemeralStorage(ociMounts)
+ epheStorages, err := k.handleEphemeralStorage(ociMounts)
+ assert.Nil(err)
+
 epheMountPoint := epheStorages[0].MountPoint
 expected := filepath.Join(ephemeralPath(), filepath.Base(mountSource))
 assert.Equal(epheMountPoint, expected,
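Review bot: The added `os.Mkdir(mountSource, 0755)` in TestHandleShm discards its error and targets a fixed, never-removed path that TestHandleEphemeralStorage creates as well, so a pre-existing `/tmp/mountPoint` (a regular file, or a symlink planted by another local user on a shared box) makes the test stat that object instead of a fresh directory, and a leftover from a previous run hides a failing Mkdir. Replace the fixed path with a per-test directory, e.g. `mountSource, err := ioutil.TempDir("", "mountPoint")`, `assert.NoError(err)`, `defer os.RemoveAll(mountSource)` (or `t.TempDir()` on Go 1.15+; add the `io/ioutil` import if the file lacks it); the later `filepath.Base(mountSource)` expectation still holds. Use `=` rather than `:=` if `err` is already declared earlier in the test, which lies outside this hunk. Both test functions begin before and continue after their hunks.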