Skip to content

Thow an error if the kubelet requests mounts with uid/gid mappings#8376

Merged
mxpv merged 2 commits intocontainerd:mainfrom
kinvolk:rata/userns-stateless-idmap-error-main
Apr 12, 2023
Merged

Thow an error if the kubelet requests mounts with uid/gid mappings#8376
mxpv merged 2 commits intocontainerd:mainfrom
kinvolk:rata/userns-stateless-idmap-error-main

Conversation

@rata
Copy link
Copy Markdown
Contributor

@rata rata commented Apr 11, 2023

This PR implements option 1 of the possible solutions described here: #8209.

This PR just throws an error to avoid possible problems in the future (explained in the issue). But support for idmap mounts on volumes (not the rootfs) is coming in this PR: #8287

Once this is merged in main, I'll backport it to 1.7 as that is the only release affected. It was suggested to merge it in main by @fuweid here

Fixes: #8209

@rata
cri: Vendor v0.27.0-beta.0 for mounts uid/gid mappings
85afda6 
We will use this in future commits to see if the kubelet requested idmap
mounts for volumes, that we don't yet support.

Signed-off-by: Rodrigo Campos <[email protected]>
@k8s-ci-robot
Copy link
Copy Markdown

k8s-ci-robot commented Apr 11, 2023

Hi @rata. Thanks for your PR.

I'm waiting for a containerd member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@rata rata mentioned this pull request Apr 11, 2023
Merged
fuweid
fuweid approved these changes Apr 11, 2023
View reviewed changes
Copy link
Copy Markdown
Member

@fuweid fuweid left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@fuweid fuweid added the cherry-pick/1.7.x Change to be cherry picked to release/1.7 branch label Apr 11, 2023
@rata rata force-pushed the rata/userns-stateless-idmap-error-main branch from 1f36a46 to 51b6ff6 Compare April 11, 2023 16:40
@rata
Copy link
Copy Markdown
Contributor Author

rata commented Apr 11, 2023

Re pushing to kick the CI again due to the flaky test failed on windows

@rata
cri: Throw an error if idmap mounts is requested
7e6ab84 
We need support in containerd and the OCI runtime to use idmap mounts.
Let's just throw an error for now if the kubelet requests some mounts
with mappings.

Signed-off-by: Rodrigo Campos <[email protected]>
@rata rata force-pushed the rata/userns-stateless-idmap-error-main branch from 51b6ff6 to 7e6ab84 Compare April 11, 2023 19:31
@mxpv mxpv merged commit 34e9f9b into containerd:main Apr 12, 2023
@rata rata deleted the rata/userns-stateless-idmap-error-main branch April 13, 2023 08:59
@samuelkarp samuelkarp added cherry-picked/1.7.x PR commits are cherry-picked into release/1.7 branch and removed cherry-pick/1.7.x Change to be cherry picked to release/1.7 branch labels Aug 1, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@mxpv mxpv mxpv approved these changes

@fuweid fuweid fuweid approved these changes

@dcantah dcantah dcantah approved these changes

Assignees

No one assigned

Labels

cherry-picked/1.7.x PR commits are cherry-picked into release/1.7 branch needs-ok-to-test

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Possible future problems with k8s stateful userns support

6 participants

@rata @k8s-ci-robot @mxpv @fuweid @dcantah @samuelkarp