Consistency issues due to the use of mount binds #74
Comments
|
Have you looked at how the csi-lib example handles this? https://github.com/cert-manager/csi-lib/blob/main/deploy/cert-manager-csi-driver.yaml#L104 Namely, we use a host path volume to pass through a directory from the host, and on startup the csi-lib mounts a tmpfs volume into a directory in this directory, with bidirectional mount propagation, allowing the temporary filesystem to persist across restarts of the csi driver pod 😊 Hope that makes sense - this is the recommended way to configure/run drivers built on csi-lib. |
|
It seems like you are using a host path as recommended already, but have not enabled Bidirectional mount propagation (meaning the tmpfs is not available in the host path in the new container as that mount point only exists within the old one). Making it bidirectional allows the host to see this mount point too, making it accessible to any other containers that later start up and reference that same hostPath. |
|
Hello! Thanks a lot for your prompt answer! 🙏 So, just to be sure I understand, the tmpfs they mount at start time in the CSI data dir is not propagated to the host, that means, when the instance restart, the tmpfs is lost from the POV of the host right? But then, is this mount bind made from this |
|
I think what I have a hard time to understand is how this mount bind (made inside the context of the driver pod) then propagate to the host. Will Bidirectional propagation also persist the mount bind from the POV of the host? EDIT: Just realised that may be propagated but from this line instead https://github.com/cert-manager/csi-lib/blob/main/deploy/cert-manager-csi-driver.yaml#L101 Then I don't even understand how the Kernel dealt with the mount bind since the host was not aware of the "source" of the mount bind 🤯 |
|
I have a second question that is more about
(Source: https://kubernetes-csi.github.io/docs/csi-driver-object.html under |
Hello,
We ended-up in a really edgy problem with our https://github.com/cert-manager/csi-driver-spiffe.
Basically, unlike most other Kubernetes CSI drivers, it uses a first
tmpfsthat will contains both metadata for volumes and SPIFFE SVID certificates (x509 certificates issued by cert-manager). Then, it answers toNodePublishVolumeCSI RPC requests by making amountwithbind+rofrom thistmpfsto thetarget_pathgiven by the Container Orchestrator (in our case Kube).The issue is that, on restart or failure, the bind no longer point to the valid
tmpfsdirectory, we end up with a never renewed certificates from the POV of pods. One could say, it's fine if the instance of csi-driver-spiffe is never rebooted, you never have to care about that. But the issue is a bit more complex than that!Since this driver uses
RequiresRepublish,kubeletwill issue A LOT of repeated calls toNodePublishVolumeand any failure will lead to anunmount, but this will not be propagated to themount_namespaceof the running pods!. Hence, requiring users to restart the pod manually.This is a real problem when used with SPIFFE SVID since they are typically short-lived and rotated often. A failure in this critical rotation mechanism leads to major workload disruptions.
I am revamping parts of this library in a fork to:
tmpfsand data gets its owntmpfsdirectly mounted attarget_pathwhere we will perform atomic updates. No more mount binds so it is simpler to manage.target_pathis already correctly mounted, avoid unmount or doing any destructive changes since the running pods wouldn't see that.IsMounteddetection to ensure it's not just any mount point but one as expected by this library.Please, tell me if any of those changes seems too risky / if we have a good reason to have a mount bind instead of two separate mounts etc..
Also, tell me if you are interested in getting that merged upstream :)
Thanks 🙏
The text was updated successfully, but these errors were encountered: