diff --git a/pkg/volume/util/hostutil/hostutil_linux.go b/pkg/volume/util/hostutil/hostutil_linux.go index cc480407cce..19bcc5f14e1 100644 --- a/pkg/volume/util/hostutil/hostutil_linux.go +++ b/pkg/volume/util/hostutil/hostutil_linux.go @@ -66,7 +66,7 @@ func (hu *HostUtil) PathIsDevice(pathname string) (bool, error) { return isDevice, err } -// ExclusiveOpenFailsOnDevice is shared with NsEnterMounter +// ExclusiveOpenFailsOnDevice checks if block device in use by calling Open with O_EXCL flag. func ExclusiveOpenFailsOnDevice(pathname string) (bool, error) { var isDevice bool finfo, err := os.Stat(pathname) @@ -154,8 +154,6 @@ func (hu *HostUtil) PathExists(pathname string) (bool, error) { } // EvalHostSymlinks returns the path name after evaluating symlinks. -// TODO once the nsenter implementation is removed, this method can be removed -// from the interface and filepath.EvalSymlinks used directly func (hu *HostUtil) EvalHostSymlinks(pathname string) (string, error) { return filepath.EvalSymlinks(pathname) } @@ -280,8 +278,8 @@ func (hu *HostUtil) GetMode(pathname string) (os.FileMode, error) { return GetModeLinux(pathname) } -// GetOwnerLinux is shared between Linux and NsEnterMounter -// pathname must already be evaluated for symlinks +// pathname must already be evaluated for symlinks. +// GetOwnerLinux returns the integer ID for the user and group of the given path. func GetOwnerLinux(pathname string) (int64, int64, error) { info, err := os.Stat(pathname) if err != nil { @@ -291,7 +289,7 @@ func GetOwnerLinux(pathname string) (int64, int64, error) { return int64(stat.Uid), int64(stat.Gid), nil } -// GetModeLinux is shared between Linux and NsEnterMounter +// GetModeLinux returns permissions of the pathname. func GetModeLinux(pathname string) (os.FileMode, error) { info, err := os.Stat(pathname) if err != nil { diff --git a/pkg/volume/util/subpath/subpath_linux.go b/pkg/volume/util/subpath/subpath_linux.go index 583939bdc4a..f1958cd6050 100644 --- a/pkg/volume/util/subpath/subpath_linux.go +++ b/pkg/volume/util/subpath/subpath_linux.go @@ -78,7 +78,7 @@ func (sp *subpath) PrepareSafeSubpath(subPath Subpath) (newHostPath string, clea return newHostPath, cleanupAction, err } -// This implementation is shared between Linux and NsEnter +// safeOpenSubPath opens subpath and returns its fd. func safeOpenSubPath(mounter mount.Interface, subpath Subpath) (int, error) { if !mount.PathWithinBase(subpath.Path, subpath.VolumePath) { return -1, fmt.Errorf("subpath %q not within volume path %q", subpath.Path, subpath.VolumePath) @@ -92,11 +92,6 @@ func safeOpenSubPath(mounter mount.Interface, subpath Subpath) (int, error) { // prepareSubpathTarget creates target for bind-mount of subpath. It returns // "true" when the target already exists and something is mounted there. -// Given Subpath must have all paths with already resolved symlinks and with -// paths relevant to kubelet (when it runs in a container). -// This function is called also by NsEnterMounter. It works because -// /var/lib/kubelet is mounted from the host into the container with Kubelet as -// /var/lib/kubelet too. func prepareSubpathTarget(mounter mount.Interface, subpath Subpath) (bool, string, error) { // Early check for already bind-mounted subpath. bindPathTarget := getSubpathBindTarget(subpath) @@ -237,7 +232,7 @@ func doBindSubPath(mounter mount.Interface, subpath Subpath) (hostPath string, e return bindPathTarget, nil } -// This implementation is shared between Linux and NsEnter +// doCleanSubPaths tears down the subpath bind mounts for a pod func doCleanSubPaths(mounter mount.Interface, podDir string, volumeName string) error { // scan /var/lib/kubelet/pods//volume-subpaths//* subPathDir := filepath.Join(podDir, containerSubPathDirectoryName, volumeName) @@ -372,9 +367,7 @@ func removeEmptyDirs(baseDir, endDir string) error { return nil } -// This implementation is shared between Linux and NsEnterMounter. Both pathname -// and base must be either already resolved symlinks or thet will be resolved in -// kubelet's mount namespace (in case it runs containerized). +// doSafeMakeDir creates a directory at pathname, but only if it is within base. func doSafeMakeDir(pathname string, base string, perm os.FileMode) error { klog.V(4).Infof("Creating directory %q within base %q", pathname, base) @@ -523,7 +516,6 @@ func findExistingPrefix(base, pathname string) (string, []string, error) { return pathname, []string{}, nil } -// This implementation is shared between Linux and NsEnterMounter // Open path and return its fd. // Symlinks are disallowed (pathname must already resolve symlinks), // and the path must be within the base directory. diff --git a/pkg/volume/util/subpath/subpath_unsupported.go b/pkg/volume/util/subpath/subpath_unsupported.go index 21493426da8..1771bc16b8e 100644 --- a/pkg/volume/util/subpath/subpath_unsupported.go +++ b/pkg/volume/util/subpath/subpath_unsupported.go @@ -24,7 +24,6 @@ import ( "os" "k8s.io/mount-utils" - "k8s.io/utils/nsenter" ) type subpath struct{} @@ -36,12 +35,6 @@ func New(mount.Interface) Interface { return &subpath{} } -// NewNSEnter is to satisfy the compiler for having NewSubpathNSEnter exist for all -// OS choices. however, NSEnter is only valid on Linux -func NewNSEnter(mounter mount.Interface, ne *nsenter.Nsenter, rootDir string) Interface { - return nil -} - func (sp *subpath) PrepareSafeSubpath(subPath Subpath) (newHostPath string, cleanupAction func(), err error) { return subPath.Path, nil, errUnsupported } diff --git a/pkg/volume/util/subpath/subpath_windows.go b/pkg/volume/util/subpath/subpath_windows.go index bf02de632fb..3746f3b5450 100644 --- a/pkg/volume/util/subpath/subpath_windows.go +++ b/pkg/volume/util/subpath/subpath_windows.go @@ -29,7 +29,6 @@ import ( "k8s.io/klog/v2" "k8s.io/mount-utils" - "k8s.io/utils/nsenter" ) // MaxPathLength is the maximum length of Windows path. Normally, it is 260, but if long path is enable, @@ -43,12 +42,6 @@ func New(mount.Interface) Interface { return &subpath{} } -// NewNSEnter is to satisfy the compiler for having NewSubpathNSEnter exist for all -// OS choices. however, NSEnter is only valid on Linux -func NewNSEnter(mounter mount.Interface, ne *nsenter.Nsenter, rootDir string) Interface { - return nil -} - // isDriveLetterPath returns true if the given path is empty or it ends with ":" or ":\" or ":\\" func isDriveLetterorEmptyPath(path string) bool { if path == "" || strings.HasSuffix(path, ":\\\\") || strings.HasSuffix(path, ":") || strings.HasSuffix(path, ":\\") { diff --git a/staging/src/k8s.io/mount-utils/mount_linux.go b/staging/src/k8s.io/mount-utils/mount_linux.go index c21951ebdab..9c0b6d554f3 100644 --- a/staging/src/k8s.io/mount-utils/mount_linux.go +++ b/staging/src/k8s.io/mount-utils/mount_linux.go @@ -722,7 +722,7 @@ func (mounter *SafeFormatAndMount) GetDiskFormat(disk string) (string, error) { return getDiskFormat(mounter.Exec, disk) } -// ListProcMounts is shared with NsEnterMounter +// ListProcMounts returns a list of all mounted filesystems. func ListProcMounts(mountFilePath string) ([]MountPoint, error) { content, err := readMountInfo(mountFilePath) if err != nil { @@ -776,7 +776,6 @@ func parseProcMounts(content []byte) ([]MountPoint, error) { // Some filesystems may share a source name, e.g. tmpfs. And for bind mounting, // it's possible to mount a non-root path of a filesystem, so we need to use // root path and major:minor to represent mount source uniquely. -// This implementation is shared between Linux and NsEnterMounter func SearchMountPoints(hostSource, mountInfoPath string) ([]string, error) { mis, err := ParseMountInfo(mountInfoPath) if err != nil { diff --git a/vendor/k8s.io/utils/nsenter/OWNERS b/vendor/k8s.io/utils/nsenter/OWNERS deleted file mode 100644 index 46895cbda83..00000000000 --- a/vendor/k8s.io/utils/nsenter/OWNERS +++ /dev/null @@ -1,10 +0,0 @@ -# See the OWNERS docs at https://go.k8s.io/owners - -reviewers: - - jsafrane - - msau42 - - cofyc -approvers: - - jsafrane - - msau42 - - cofyc diff --git a/vendor/k8s.io/utils/nsenter/README.md b/vendor/k8s.io/utils/nsenter/README.md deleted file mode 100644 index aaacf8e3d3c..00000000000 --- a/vendor/k8s.io/utils/nsenter/README.md +++ /dev/null @@ -1,4 +0,0 @@ -# NSEnter - -This package provides interfaces for executing and interacting with processes -running within a namespace. diff --git a/vendor/k8s.io/utils/nsenter/nsenter.go b/vendor/k8s.io/utils/nsenter/nsenter.go deleted file mode 100644 index 6f847db878c..00000000000 --- a/vendor/k8s.io/utils/nsenter/nsenter.go +++ /dev/null @@ -1,264 +0,0 @@ -//go:build linux -// +build linux - -/* -Copyright 2017 The Kubernetes Authors. - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/ - -package nsenter - -import ( - "context" - "errors" - "fmt" - "os" - "path/filepath" - "strings" - - "k8s.io/klog/v2" - "k8s.io/utils/exec" -) - -const ( - // DefaultHostRootFsPath is path to host's filesystem mounted into container - // with kubelet. - DefaultHostRootFsPath = "/rootfs" - // mountNsPath is the default mount namespace of the host - mountNsPath = "/proc/1/ns/mnt" - // nsenterPath is the default nsenter command - nsenterPath = "nsenter" -) - -// Nsenter is a type alias for backward compatibility -type Nsenter = NSEnter - -// NSEnter is part of experimental support for running the kubelet -// in a container. -// -// NSEnter requires: -// -// 1. Docker >= 1.6 due to the dependency on the slave propagation mode -// of the bind-mount of the kubelet root directory in the container. -// Docker 1.5 used a private propagation mode for bind-mounts, so mounts -// performed in the host's mount namespace do not propagate out to the -// bind-mount in this docker version. -// 2. The host's root filesystem must be available at /rootfs -// 3. The nsenter binary must be on the Kubelet process' PATH in the container's -// filesystem. -// 4. The Kubelet process must have CAP_SYS_ADMIN (required by nsenter); at -// the present, this effectively means that the kubelet is running in a -// privileged container. -// 5. The volume path used by the Kubelet must be the same inside and outside -// the container and be writable by the container (to initialize volume) -// contents. TODO: remove this requirement. -// 6. The host image must have "mount", "findmnt", "umount", "stat", "touch", -// "mkdir", "ls", "sh" and "chmod" binaries in /bin, /usr/sbin, or /usr/bin -// 7. The host image should have systemd-run in /bin, /usr/sbin, or /usr/bin if -// systemd is installed/enabled in the operating system. -// -// For more information about mount propagation modes, see: -// -// https://www.kernel.org/doc/Documentation/filesystems/sharedsubtree.txt -type NSEnter struct { - // a map of commands to their paths on the host filesystem - paths map[string]string - - // Path to the host filesystem, typically "/rootfs". Used only for testing. - hostRootFsPath string - - // Exec implementation - executor exec.Interface -} - -// NewNsenter constructs a new instance of NSEnter -func NewNsenter(hostRootFsPath string, executor exec.Interface) (*NSEnter, error) { - ne := &NSEnter{ - hostRootFsPath: hostRootFsPath, - executor: executor, - } - if err := ne.initPaths(); err != nil { - return nil, err - } - return ne, nil -} - -func (ne *NSEnter) initPaths() error { - ne.paths = map[string]string{} - binaries := []string{ - "mount", - "findmnt", - "umount", - "systemd-run", - "stat", - "touch", - "mkdir", - "sh", - "chmod", - "realpath", - } - // search for the required commands in other locations besides /usr/bin - for _, binary := range binaries { - // check for binary under the following directories - for _, path := range []string{"/", "/bin", "/usr/sbin", "/usr/bin"} { - binPath := filepath.Join(path, binary) - if _, err := os.Stat(filepath.Join(ne.hostRootFsPath, binPath)); err != nil { - continue - } - ne.paths[binary] = binPath - break - } - // systemd-run is optional, bailout if we don't find any of the other binaries - if ne.paths[binary] == "" && binary != "systemd-run" { - return fmt.Errorf("unable to find %v", binary) - } - } - return nil -} - -// Exec executes nsenter commands in hostProcMountNsPath mount namespace -func (ne *NSEnter) Exec(cmd string, args []string) exec.Cmd { - hostProcMountNsPath := filepath.Join(ne.hostRootFsPath, mountNsPath) - fullArgs := append([]string{fmt.Sprintf("--mount=%s", hostProcMountNsPath), "--"}, - append([]string{ne.AbsHostPath(cmd)}, args...)...) - klog.V(5).Infof("Running nsenter command: %v %v", nsenterPath, fullArgs) - return ne.executor.Command(nsenterPath, fullArgs...) -} - -// Command returns a command wrapped with nsenter -func (ne *NSEnter) Command(cmd string, args ...string) exec.Cmd { - return ne.Exec(cmd, args) -} - -// CommandContext returns a CommandContext wrapped with nsenter -func (ne *NSEnter) CommandContext(ctx context.Context, cmd string, args ...string) exec.Cmd { - hostProcMountNsPath := filepath.Join(ne.hostRootFsPath, mountNsPath) - fullArgs := append([]string{fmt.Sprintf("--mount=%s", hostProcMountNsPath), "--"}, - append([]string{ne.AbsHostPath(cmd)}, args...)...) - klog.V(5).Infof("Running nsenter command: %v %v", nsenterPath, fullArgs) - return ne.executor.CommandContext(ctx, nsenterPath, fullArgs...) -} - -// LookPath returns a LookPath wrapped with nsenter -func (ne *NSEnter) LookPath(file string) (string, error) { - return "", fmt.Errorf("not implemented, error looking up : %s", file) -} - -// AbsHostPath returns the absolute runnable path for a specified command -func (ne *NSEnter) AbsHostPath(command string) string { - path, ok := ne.paths[command] - if !ok { - return command - } - return path -} - -// SupportsSystemd checks whether command systemd-run exists -func (ne *NSEnter) SupportsSystemd() (string, bool) { - systemdRunPath, ok := ne.paths["systemd-run"] - return systemdRunPath, ok && systemdRunPath != "" -} - -// EvalSymlinks returns the path name on the host after evaluating symlinks on the -// host. -// mustExist makes EvalSymlinks to return error when the path does not -// exist. When it's false, it evaluates symlinks of the existing part and -// blindly adds the non-existing part: -// pathname: /mnt/volume/non/existing/directory -// -// /mnt/volume exists -// non/existing/directory does not exist -// -// -> It resolves symlinks in /mnt/volume to say /mnt/foo and returns -// -// /mnt/foo/non/existing/directory. -// -// BEWARE! EvalSymlinks is not able to detect symlink looks with mustExist=false! -// If /tmp/link is symlink to /tmp/link, EvalSymlinks(/tmp/link/foo) returns /tmp/link/foo. -func (ne *NSEnter) EvalSymlinks(pathname string, mustExist bool) (string, error) { - var args []string - if mustExist { - // "realpath -e: all components of the path must exist" - args = []string{"-e", pathname} - } else { - // "realpath -m: no path components need exist or be a directory" - args = []string{"-m", pathname} - } - outBytes, err := ne.Exec("realpath", args).CombinedOutput() - if err != nil { - klog.Infof("failed to resolve symbolic links on %s: %v", pathname, err) - return "", err - } - return strings.TrimSpace(string(outBytes)), nil -} - -// KubeletPath returns the path name that can be accessed by containerized -// kubelet. It is recommended to resolve symlinks on the host by EvalSymlinks -// before calling this function -func (ne *NSEnter) KubeletPath(pathname string) string { - return filepath.Join(ne.hostRootFsPath, pathname) -} - -// NewFakeNsenter returns a NSEnter that does not run "nsenter --mount=... --", -// but runs everything in the same mount namespace as the unit test binary. -// rootfsPath is supposed to be a symlink, e.g. /tmp/xyz/rootfs -> /. -// This fake NSEnter is enough for most operations, e.g. to resolve symlinks, -// but it's not enough to call /bin/mount - unit tests don't run as root. -func NewFakeNsenter(rootfsPath string) (*NSEnter, error) { - executor := &fakeExec{ - rootfsPath: rootfsPath, - } - // prepare /rootfs/bin, usr/bin and usr/sbin - bin := filepath.Join(rootfsPath, "bin") - if err := os.Symlink("/bin", bin); err != nil { - return nil, err - } - - usr := filepath.Join(rootfsPath, "usr") - if err := os.Mkdir(usr, 0755); err != nil { - return nil, err - } - usrbin := filepath.Join(usr, "bin") - if err := os.Symlink("/usr/bin", usrbin); err != nil { - return nil, err - } - usrsbin := filepath.Join(usr, "sbin") - if err := os.Symlink("/usr/sbin", usrsbin); err != nil { - return nil, err - } - - return NewNsenter(rootfsPath, executor) -} - -type fakeExec struct { - rootfsPath string -} - -func (f fakeExec) Command(cmd string, args ...string) exec.Cmd { - // This will intentionaly panic if NSEnter does not provide enough arguments. - realCmd := args[2] - realArgs := args[3:] - return exec.New().Command(realCmd, realArgs...) -} - -func (fakeExec) LookPath(file string) (string, error) { - return "", errors.New("not implemented") -} - -func (fakeExec) CommandContext(ctx context.Context, cmd string, args ...string) exec.Cmd { - return nil -} - -var _ exec.Interface = fakeExec{} -var _ exec.Interface = &NSEnter{} diff --git a/vendor/k8s.io/utils/nsenter/nsenter_unsupported.go b/vendor/k8s.io/utils/nsenter/nsenter_unsupported.go deleted file mode 100644 index 8b56e91d2bf..00000000000 --- a/vendor/k8s.io/utils/nsenter/nsenter_unsupported.go +++ /dev/null @@ -1,80 +0,0 @@ -//go:build !linux -// +build !linux - -/* -Copyright 2017 The Kubernetes Authors. - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/ - -package nsenter - -import ( - "context" - "fmt" - - "k8s.io/utils/exec" -) - -const ( - // DefaultHostRootFsPath is path to host's filesystem mounted into container - // with kubelet. - DefaultHostRootFsPath = "/rootfs" -) - -// Nsenter is a type alias for backward compatibility -type Nsenter = NSEnter - -// NSEnter is part of experimental support for running the kubelet -// in a container. -type NSEnter struct { - // a map of commands to their paths on the host filesystem - Paths map[string]string -} - -// NewNsenter constructs a new instance of NSEnter -func NewNsenter(hostRootFsPath string, executor exec.Interface) (*Nsenter, error) { - return &Nsenter{}, nil -} - -// Exec executes nsenter commands in hostProcMountNsPath mount namespace -func (ne *NSEnter) Exec(cmd string, args []string) exec.Cmd { - return nil -} - -// AbsHostPath returns the absolute runnable path for a specified command -func (ne *NSEnter) AbsHostPath(command string) string { - return "" -} - -// SupportsSystemd checks whether command systemd-run exists -func (ne *NSEnter) SupportsSystemd() (string, bool) { - return "", false -} - -// Command returns a command wrapped with nenter -func (ne *NSEnter) Command(cmd string, args ...string) exec.Cmd { - return nil -} - -// CommandContext returns a CommandContext wrapped with nsenter -func (ne *NSEnter) CommandContext(ctx context.Context, cmd string, args ...string) exec.Cmd { - return nil -} - -// LookPath returns a LookPath wrapped with nsenter -func (ne *NSEnter) LookPath(file string) (string, error) { - return "", fmt.Errorf("not implemented, error looking up : %s", file) -} - -var _ exec.Interface = &NSEnter{} diff --git a/vendor/modules.txt b/vendor/modules.txt index 8fd2e7e3010..b060afb01f4 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt @@ -1140,7 +1140,6 @@ k8s.io/utils/io k8s.io/utils/keymutex k8s.io/utils/lru k8s.io/utils/net -k8s.io/utils/nsenter k8s.io/utils/path k8s.io/utils/pointer k8s.io/utils/ptr