agent: Initial watchable-bind implementation

Add support for watchable-bind storage driver. When watchable-bind storage is present, the agent will create a watchable path in a tmpfs, and poll the watchable-bind source to keep this new mount-point up to date. This poll will allow the agent to present the mount-point to the container, allowing for inotify usage by the container workload. If a mount becomes too large, either in file count or in overall size, we want to stop treating it as watchable, and instead just treat as a bindmount. This'll help avoid DoS by growing tmpfs too large, as well as limiting time spent scanning files. If a watchable-bind grows beyond 8 files (arbitrary sane number for certs/secrets) or 1MB (limit on ConfigMap size), we treat it as a normal bind. Fixes: #1879 Signed-off-by: Eric Ernst <eric_ernst@apple.com> Signed-off-by: Maksym Pavlenko <pavlenko.maksym@gmail.com> Signed-off-by: Samuel Ortiz <samuel.e.ortiz@protonmail.com> agent: watcher: SandboxStorages check loop cleanup
2025-10-21 20:08:54 +00:00 · 2021-05-21 10:47:01 -07:00
parent 57c0cee0a5
commit 6a93e5d593
8 changed files with 855 additions and 14 deletions
--- a/tools/agent-ctl/Cargo.lock
+++ b/tools/agent-ctl/Cargo.lock
@@ -506,9 +506,9 @@ checksum = "e2abad23fbc42b3700f2f279844dc832adb2b2eb069b2df918f455c4e18cc646"

 [[package]]
 name = "libc"
-version = "0.2.94"
+version = "0.2.97"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "18794a8ad5b29321f790b55d93dfba91e125cb1a9edbd4f8e3150acc771c1a5e"
+checksum = "12b8adadd720df158f4d70dfe7ccc6adb0472d7c55ca83445f6a5ab3e36f8fb6"

 [[package]]
 name = "log"
@@ -536,6 +536,15 @@ version = "2.4.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "b16bd47d9e329435e309c58469fe0791c2d0d1ba96ec0954152a5ae2b04387dc"

+[[package]]
+name = "memoffset"
+version = "0.6.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "59accc507f1338036a0477ef61afdae33cde60840f4dfe481319ce3ad116ddf9"
+dependencies = [
+ "autocfg",
+]
+
 [[package]]
 name = "miniz_oxide"
 version = "0.4.4"
@@ -624,6 +633,19 @@ dependencies = [
 "libc",
 ]

+[[package]]
+name = "nix"
+version = "0.21.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "5c3728fec49d363a50a8828a190b379a446cc5cf085c06259bbbeb34447e4ec7"
+dependencies = [
+ "bitflags",
+ "cc",
+ "cfg-if 1.0.0",
+ "libc",
+ "memoffset",
+]
+
 [[package]]
 name = "ntapi"
 version = "0.3.6"
@@ -999,7 +1021,7 @@ dependencies = [
 "inotify",
 "lazy_static",
 "libc",
- "nix 0.17.0",
+ "nix 0.21.0",
 "oci",
 "path-absolutize",
 "protobuf",