remove nsenter package

pkg/volume/util/hostutil/hostutil_linux.go

@@ -66,7 +66,7 @@ func (hu *HostUtil) PathIsDevice(pathname string) (bool, error) {
 	return isDevice, err
 }
 
-// ExclusiveOpenFailsOnDevice is shared with NsEnterMounter
+// ExclusiveOpenFailsOnDevice checks if block device in use by calling Open with O_EXCL flag.
 func ExclusiveOpenFailsOnDevice(pathname string) (bool, error) {
 	var isDevice bool
 	finfo, err := os.Stat(pathname)
@@ -154,8 +154,6 @@ func (hu *HostUtil) PathExists(pathname string) (bool, error) {
 }
 
 // EvalHostSymlinks returns the path name after evaluating symlinks.
-// TODO once the nsenter implementation is removed, this method can be removed
-// from the interface and filepath.EvalSymlinks used directly
 func (hu *HostUtil) EvalHostSymlinks(pathname string) (string, error) {
 	return filepath.EvalSymlinks(pathname)
 }
@@ -280,8 +278,8 @@ func (hu *HostUtil) GetMode(pathname string) (os.FileMode, error) {
 	return GetModeLinux(pathname)
 }
 
-// GetOwnerLinux is shared between Linux and NsEnterMounter
+// pathname must already be evaluated for symlinks.
-// pathname must already be evaluated for symlinks
+// GetOwnerLinux returns the integer ID for the user and group of the given path.
 func GetOwnerLinux(pathname string) (int64, int64, error) {
 	info, err := os.Stat(pathname)
 	if err != nil {
@@ -291,7 +289,7 @@ func GetOwnerLinux(pathname string) (int64, int64, error) {
 	return int64(stat.Uid), int64(stat.Gid), nil
 }
 
-// GetModeLinux is shared between Linux and NsEnterMounter
+// GetModeLinux returns permissions of the pathname.
 func GetModeLinux(pathname string) (os.FileMode, error) {
 	info, err := os.Stat(pathname)
 	if err != nil {

pkg/volume/util/subpath/subpath_linux.go

@@ -78,7 +78,7 @@ func (sp *subpath) PrepareSafeSubpath(subPath Subpath) (newHostPath string, clea
 	return newHostPath, cleanupAction, err
 }
 
-// This implementation is shared between Linux and NsEnter
+// safeOpenSubPath opens subpath and returns its fd.
 func safeOpenSubPath(mounter mount.Interface, subpath Subpath) (int, error) {
 	if !mount.PathWithinBase(subpath.Path, subpath.VolumePath) {
 		return -1, fmt.Errorf("subpath %q not within volume path %q", subpath.Path, subpath.VolumePath)
@@ -92,11 +92,6 @@ func safeOpenSubPath(mounter mount.Interface, subpath Subpath) (int, error) {
 
 // prepareSubpathTarget creates target for bind-mount of subpath. It returns
 // "true" when the target already exists and something is mounted there.
-// Given Subpath must have all paths with already resolved symlinks and with
-// paths relevant to kubelet (when it runs in a container).
-// This function is called also by NsEnterMounter. It works because
-// /var/lib/kubelet is mounted from the host into the container with Kubelet as
-// /var/lib/kubelet too.
 func prepareSubpathTarget(mounter mount.Interface, subpath Subpath) (bool, string, error) {
 	// Early check for already bind-mounted subpath.
 	bindPathTarget := getSubpathBindTarget(subpath)
@@ -237,7 +232,7 @@ func doBindSubPath(mounter mount.Interface, subpath Subpath) (hostPath string, e
 	return bindPathTarget, nil
 }
 
-// This implementation is shared between Linux and NsEnter
+// doCleanSubPaths tears down the subpath bind mounts for a pod
 func doCleanSubPaths(mounter mount.Interface, podDir string, volumeName string) error {
 	// scan /var/lib/kubelet/pods/<uid>/volume-subpaths/<volume>/*
 	subPathDir := filepath.Join(podDir, containerSubPathDirectoryName, volumeName)
@@ -372,9 +367,7 @@ func removeEmptyDirs(baseDir, endDir string) error {
 	return nil
 }
 
-// This implementation is shared between Linux and NsEnterMounter. Both pathname
+// doSafeMakeDir creates a directory at pathname, but only if it is within base.
-// and base must be either already resolved symlinks or thet will be resolved in
-// kubelet's mount namespace (in case it runs containerized).
 func doSafeMakeDir(pathname string, base string, perm os.FileMode) error {
 	klog.V(4).Infof("Creating directory %q within base %q", pathname, base)
 
@@ -523,7 +516,6 @@ func findExistingPrefix(base, pathname string) (string, []string, error) {
 	return pathname, []string{}, nil
 }
 
-// This implementation is shared between Linux and NsEnterMounter
 // Open path and return its fd.
 // Symlinks are disallowed (pathname must already resolve symlinks),
 // and the path must be within the base directory.

pkg/volume/util/subpath/subpath_unsupported.go

@@ -24,7 +24,6 @@ import (
 	"os"
 
 	"k8s.io/mount-utils"
-	"k8s.io/utils/nsenter"
 )
 
 type subpath struct{}
@@ -36,12 +35,6 @@ func New(mount.Interface) Interface {
 	return &subpath{}
 }
 
-// NewNSEnter is to satisfy the compiler for having NewSubpathNSEnter exist for all
-// OS choices. however, NSEnter is only valid on Linux
-func NewNSEnter(mounter mount.Interface, ne *nsenter.Nsenter, rootDir string) Interface {
-	return nil
-}
-
 func (sp *subpath) PrepareSafeSubpath(subPath Subpath) (newHostPath string, cleanupAction func(), err error) {
 	return subPath.Path, nil, errUnsupported
 }

pkg/volume/util/subpath/subpath_windows.go

@@ -29,7 +29,6 @@ import (
 
 	"k8s.io/klog/v2"
 	"k8s.io/mount-utils"
-	"k8s.io/utils/nsenter"
 )
 
 // MaxPathLength is the maximum length of Windows path. Normally, it is 260, but if long path is enable,
@@ -43,12 +42,6 @@ func New(mount.Interface) Interface {
 	return &subpath{}
 }
 
-// NewNSEnter is to satisfy the compiler for having NewSubpathNSEnter exist for all
-// OS choices. however, NSEnter is only valid on Linux
-func NewNSEnter(mounter mount.Interface, ne *nsenter.Nsenter, rootDir string) Interface {
-	return nil
-}
-
 // isDriveLetterPath returns true if the given path is empty or it ends with ":" or ":\" or ":\\"
 func isDriveLetterorEmptyPath(path string) bool {
 	if path == "" || strings.HasSuffix(path, ":\\\\") || strings.HasSuffix(path, ":") || strings.HasSuffix(path, ":\\") {

staging/src/k8s.io/mount-utils/mount_linux.go

@@ -722,7 +722,7 @@ func (mounter *SafeFormatAndMount) GetDiskFormat(disk string) (string, error) {
 	return getDiskFormat(mounter.Exec, disk)
 }
 
-// ListProcMounts is shared with NsEnterMounter
+// ListProcMounts returns a list of all mounted filesystems.
 func ListProcMounts(mountFilePath string) ([]MountPoint, error) {
 	content, err := readMountInfo(mountFilePath)
 	if err != nil {
@@ -776,7 +776,6 @@ func parseProcMounts(content []byte) ([]MountPoint, error) {
 // Some filesystems may share a source name, e.g. tmpfs. And for bind mounting,
 // it's possible to mount a non-root path of a filesystem, so we need to use
 // root path and major:minor to represent mount source uniquely.
-// This implementation is shared between Linux and NsEnterMounter
 func SearchMountPoints(hostSource, mountInfoPath string) ([]string, error) {
 	mis, err := ParseMountInfo(mountInfoPath)
 	if err != nil {

vendor/k8s.io/utils/nsenter/OWNERS

@@ -1,10 +0,0 @@
-# See the OWNERS docs at https://go.k8s.io/owners
-
-reviewers:
-  - jsafrane
-  - msau42
-  - cofyc
-approvers:
-  - jsafrane
-  - msau42
-  - cofyc

vendor/k8s.io/utils/nsenter/README.md

@@ -1,4 +0,0 @@
-# NSEnter
-
-This package provides interfaces for executing and interacting with processes
-running within a namespace.

vendor/k8s.io/utils/nsenter/nsenter.go

@@ -1,264 +0,0 @@
-//go:build linux
-// +build linux
-
-/*
-Copyright 2017 The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package nsenter
-
-import (
-	"context"
-	"errors"
-	"fmt"
-	"os"
-	"path/filepath"
-	"strings"
-
-	"k8s.io/klog/v2"
-	"k8s.io/utils/exec"
-)
-
-const (
-	// DefaultHostRootFsPath is path to host's filesystem mounted into container
-	// with kubelet.
-	DefaultHostRootFsPath = "/rootfs"
-	// mountNsPath is the default mount namespace of the host
-	mountNsPath = "/proc/1/ns/mnt"
-	// nsenterPath is the default nsenter command
-	nsenterPath = "nsenter"
-)
-
-// Nsenter is a type alias for backward compatibility
-type Nsenter = NSEnter
-
-// NSEnter is part of experimental support for running the kubelet
-// in a container.
-//
-// NSEnter requires:
-//
-//  1. Docker >= 1.6 due to the dependency on the slave propagation mode
-//     of the bind-mount of the kubelet root directory in the container.
-//     Docker 1.5 used a private propagation mode for bind-mounts, so mounts
-//     performed in the host's mount namespace do not propagate out to the
-//     bind-mount in this docker version.
-//  2. The host's root filesystem must be available at /rootfs
-//  3. The nsenter binary must be on the Kubelet process' PATH in the container's
-//     filesystem.
-//  4. The Kubelet process must have CAP_SYS_ADMIN (required by nsenter); at
-//     the present, this effectively means that the kubelet is running in a
-//     privileged container.
-//  5. The volume path used by the Kubelet must be the same inside and outside
-//     the container and be writable by the container (to initialize volume)
-//     contents. TODO: remove this requirement.
-//  6. The host image must have "mount", "findmnt", "umount", "stat", "touch",
-//     "mkdir", "ls", "sh" and "chmod" binaries in /bin, /usr/sbin, or /usr/bin
-//  7. The host image should have systemd-run in /bin, /usr/sbin, or /usr/bin if
-//     systemd is installed/enabled in the operating system.
-//
-// For more information about mount propagation modes, see:
-//
-//	https://www.kernel.org/doc/Documentation/filesystems/sharedsubtree.txt
-type NSEnter struct {
-	// a map of commands to their paths on the host filesystem
-	paths map[string]string
-
-	// Path to the host filesystem, typically "/rootfs". Used only for testing.
-	hostRootFsPath string
-
-	// Exec implementation
-	executor exec.Interface
-}
-
-// NewNsenter constructs a new instance of NSEnter
-func NewNsenter(hostRootFsPath string, executor exec.Interface) (*NSEnter, error) {
-	ne := &NSEnter{
-		hostRootFsPath: hostRootFsPath,
-		executor:       executor,
-	}
-	if err := ne.initPaths(); err != nil {
-		return nil, err
-	}
-	return ne, nil
-}
-
-func (ne *NSEnter) initPaths() error {
-	ne.paths = map[string]string{}
-	binaries := []string{
-		"mount",
-		"findmnt",
-		"umount",
-		"systemd-run",
-		"stat",
-		"touch",
-		"mkdir",
-		"sh",
-		"chmod",
-		"realpath",
-	}
-	// search for the required commands in other locations besides /usr/bin
-	for _, binary := range binaries {
-		// check for binary under the following directories
-		for _, path := range []string{"/", "/bin", "/usr/sbin", "/usr/bin"} {
-			binPath := filepath.Join(path, binary)
-			if _, err := os.Stat(filepath.Join(ne.hostRootFsPath, binPath)); err != nil {
-				continue
-			}
-			ne.paths[binary] = binPath
-			break
-		}
-		// systemd-run is optional, bailout if we don't find any of the other binaries
-		if ne.paths[binary] == "" && binary != "systemd-run" {
-			return fmt.Errorf("unable to find %v", binary)
-		}
-	}
-	return nil
-}
-
-// Exec executes nsenter commands in hostProcMountNsPath mount namespace
-func (ne *NSEnter) Exec(cmd string, args []string) exec.Cmd {
-	hostProcMountNsPath := filepath.Join(ne.hostRootFsPath, mountNsPath)
-	fullArgs := append([]string{fmt.Sprintf("--mount=%s", hostProcMountNsPath), "--"},
-		append([]string{ne.AbsHostPath(cmd)}, args...)...)
-	klog.V(5).Infof("Running nsenter command: %v %v", nsenterPath, fullArgs)
-	return ne.executor.Command(nsenterPath, fullArgs...)
-}
-
-// Command returns a command wrapped with nsenter
-func (ne *NSEnter) Command(cmd string, args ...string) exec.Cmd {
-	return ne.Exec(cmd, args)
-}
-
-// CommandContext returns a CommandContext wrapped with nsenter
-func (ne *NSEnter) CommandContext(ctx context.Context, cmd string, args ...string) exec.Cmd {
-	hostProcMountNsPath := filepath.Join(ne.hostRootFsPath, mountNsPath)
-	fullArgs := append([]string{fmt.Sprintf("--mount=%s", hostProcMountNsPath), "--"},
-		append([]string{ne.AbsHostPath(cmd)}, args...)...)
-	klog.V(5).Infof("Running nsenter command: %v %v", nsenterPath, fullArgs)
-	return ne.executor.CommandContext(ctx, nsenterPath, fullArgs...)
-}
-
-// LookPath returns a LookPath wrapped with nsenter
-func (ne *NSEnter) LookPath(file string) (string, error) {
-	return "", fmt.Errorf("not implemented, error looking up : %s", file)
-}
-
-// AbsHostPath returns the absolute runnable path for a specified command
-func (ne *NSEnter) AbsHostPath(command string) string {
-	path, ok := ne.paths[command]
-	if !ok {
-		return command
-	}
-	return path
-}
-
-// SupportsSystemd checks whether command systemd-run exists
-func (ne *NSEnter) SupportsSystemd() (string, bool) {
-	systemdRunPath, ok := ne.paths["systemd-run"]
-	return systemdRunPath, ok && systemdRunPath != ""
-}
-
-// EvalSymlinks returns the path name on the host after evaluating symlinks on the
-// host.
-// mustExist makes EvalSymlinks to return error when the path does not
-// exist. When it's false, it evaluates symlinks of the existing part and
-// blindly adds the non-existing part:
-// pathname: /mnt/volume/non/existing/directory
-//
-//	/mnt/volume exists
-//	           non/existing/directory does not exist
-//
-// -> It resolves symlinks in /mnt/volume to say /mnt/foo and returns
-//
-//	/mnt/foo/non/existing/directory.
-//
-// BEWARE! EvalSymlinks is not able to detect symlink looks with mustExist=false!
-// If /tmp/link is symlink to /tmp/link, EvalSymlinks(/tmp/link/foo) returns /tmp/link/foo.
-func (ne *NSEnter) EvalSymlinks(pathname string, mustExist bool) (string, error) {
-	var args []string
-	if mustExist {
-		// "realpath -e: all components of the path must exist"
-		args = []string{"-e", pathname}
-	} else {
-		// "realpath -m: no path components need exist or be a directory"
-		args = []string{"-m", pathname}
-	}
-	outBytes, err := ne.Exec("realpath", args).CombinedOutput()
-	if err != nil {
-		klog.Infof("failed to resolve symbolic links on %s: %v", pathname, err)
-		return "", err
-	}
-	return strings.TrimSpace(string(outBytes)), nil
-}
-
-// KubeletPath returns the path name that can be accessed by containerized
-// kubelet. It is recommended to resolve symlinks on the host by EvalSymlinks
-// before calling this function
-func (ne *NSEnter) KubeletPath(pathname string) string {
-	return filepath.Join(ne.hostRootFsPath, pathname)
-}
-
-// NewFakeNsenter returns a NSEnter that does not run "nsenter --mount=... --",
-// but runs everything in the same mount namespace as the unit test binary.
-// rootfsPath is supposed to be a symlink, e.g. /tmp/xyz/rootfs -> /.
-// This fake NSEnter is enough for most operations, e.g. to resolve symlinks,
-// but it's not enough to call /bin/mount - unit tests don't run as root.
-func NewFakeNsenter(rootfsPath string) (*NSEnter, error) {
-	executor := &fakeExec{
-		rootfsPath: rootfsPath,
-	}
-	// prepare /rootfs/bin, usr/bin and usr/sbin
-	bin := filepath.Join(rootfsPath, "bin")
-	if err := os.Symlink("/bin", bin); err != nil {
-		return nil, err
-	}
-
-	usr := filepath.Join(rootfsPath, "usr")
-	if err := os.Mkdir(usr, 0755); err != nil {
-		return nil, err
-	}
-	usrbin := filepath.Join(usr, "bin")
-	if err := os.Symlink("/usr/bin", usrbin); err != nil {
-		return nil, err
-	}
-	usrsbin := filepath.Join(usr, "sbin")
-	if err := os.Symlink("/usr/sbin", usrsbin); err != nil {
-		return nil, err
-	}
-
-	return NewNsenter(rootfsPath, executor)
-}
-
-type fakeExec struct {
-	rootfsPath string
-}
-
-func (f fakeExec) Command(cmd string, args ...string) exec.Cmd {
-	// This will intentionaly panic if NSEnter does not provide enough arguments.
-	realCmd := args[2]
-	realArgs := args[3:]
-	return exec.New().Command(realCmd, realArgs...)
-}
-
-func (fakeExec) LookPath(file string) (string, error) {
-	return "", errors.New("not implemented")
-}
-
-func (fakeExec) CommandContext(ctx context.Context, cmd string, args ...string) exec.Cmd {
-	return nil
-}
-
-var _ exec.Interface = fakeExec{}
-var _ exec.Interface = &NSEnter{}

vendor/k8s.io/utils/nsenter/nsenter_unsupported.go

@@ -1,80 +0,0 @@
-//go:build !linux
-// +build !linux
-
-/*
-Copyright 2017 The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package nsenter
-
-import (
-	"context"
-	"fmt"
-
-	"k8s.io/utils/exec"
-)
-
-const (
-	// DefaultHostRootFsPath is path to host's filesystem mounted into container
-	// with kubelet.
-	DefaultHostRootFsPath = "/rootfs"
-)
-
-// Nsenter is a type alias for backward compatibility
-type Nsenter = NSEnter
-
-// NSEnter is part of experimental support for running the kubelet
-// in a container.
-type NSEnter struct {
-	// a map of commands to their paths on the host filesystem
-	Paths map[string]string
-}
-
-// NewNsenter constructs a new instance of NSEnter
-func NewNsenter(hostRootFsPath string, executor exec.Interface) (*Nsenter, error) {
-	return &Nsenter{}, nil
-}
-
-// Exec executes nsenter commands in hostProcMountNsPath mount namespace
-func (ne *NSEnter) Exec(cmd string, args []string) exec.Cmd {
-	return nil
-}
-
-// AbsHostPath returns the absolute runnable path for a specified command
-func (ne *NSEnter) AbsHostPath(command string) string {
-	return ""
-}
-
-// SupportsSystemd checks whether command systemd-run exists
-func (ne *NSEnter) SupportsSystemd() (string, bool) {
-	return "", false
-}
-
-// Command returns a command wrapped with nenter
-func (ne *NSEnter) Command(cmd string, args ...string) exec.Cmd {
-	return nil
-}
-
-// CommandContext returns a CommandContext wrapped with nsenter
-func (ne *NSEnter) CommandContext(ctx context.Context, cmd string, args ...string) exec.Cmd {
-	return nil
-}
-
-// LookPath returns a LookPath wrapped with nsenter
-func (ne *NSEnter) LookPath(file string) (string, error) {
-	return "", fmt.Errorf("not implemented, error looking up : %s", file)
-}
-
-var _ exec.Interface = &NSEnter{}

vendor/modules.txt

@@ -1140,7 +1140,6 @@ k8s.io/utils/io
 k8s.io/utils/keymutex
 k8s.io/utils/lru
 k8s.io/utils/net
-k8s.io/utils/nsenter
 k8s.io/utils/path
 k8s.io/utils/pointer
 k8s.io/utils/ptr