[WIP] KEP-3857: Recursive Read-only (RRO) mounts

See kubernetes/enhancements issue 3857 (PR 3858)

WIP: depends on kubernetes/kubernetes PR 123180

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>

Author: AkihiroSuda

cmd/crictl/container.go

@@ -919,7 +919,7 @@ func ContainerStatus(client internalapi.RuntimeService, id, output string, tmplS
 
 	switch output {
 	case "json", "yaml", "go-template":
-		return outputStatusInfo(status, r.Info, output, tmplStr)
+		return outputStatusInfo(status, "", r.Info, output, tmplStr)
 	case "table": // table output is after this switch block
 	default:
 		return fmt.Errorf("output option cannot be %s", output)

cmd/crictl/image.go

@@ -308,7 +308,7 @@ var imageStatusCommand = &cli.Command{
 			}
 			switch output {
 			case "json", "yaml", "go-template":
-				if err := outputStatusInfo(status, r.Info, output, tmplStr); err != nil {
+				if err := outputStatusInfo(status, "", r.Info, output, tmplStr); err != nil {
 					return fmt.Errorf("output status for %q: %w", id, err)
 				}
 				continue
@@ -501,7 +501,7 @@ var imageFsInfoCommand = &cli.Command{
 
 		switch output {
 		case "json", "yaml", "go-template":
-			if err := outputStatusInfo(status, nil, output, tmplStr); err != nil {
+			if err := outputStatusInfo(status, "", nil, output, tmplStr); err != nil {
 				return fmt.Errorf("output filesystem info: %w", err)
 			}
 			return nil

cmd/crictl/info.go

@@ -18,6 +18,7 @@ package main
 
 import (
 	"context"
+	"encoding/json"
 	"fmt"
 
 	"github.com/sirupsen/logrus"
@@ -79,5 +80,9 @@ func Info(cliContext *cli.Context, client internalapi.RuntimeService) error {
 	if err != nil {
 		return err
 	}
-	return outputStatusInfo(status, r.Info, cliContext.String("output"), cliContext.String("template"))
+	handlers, err := json.Marshal(r.RuntimeHandlers) // protobufObjectToJSON cannot be used
+	if err != nil {
+		return err
+	}
+	return outputStatusInfo(status, string(handlers), r.Info, cliContext.String("output"), cliContext.String("template"))
 }

cmd/crictl/sandbox.go

@@ -404,7 +404,7 @@ func PodSandboxStatus(client internalapi.RuntimeService, id, output string, quie
 	}
 	switch output {
 	case "json", "yaml", "go-template":
-		return outputStatusInfo(status, r.Info, output, tmplStr)
+		return outputStatusInfo(status, "", r.Info, output, tmplStr)
 	case "table": // table output is after this switch block
 	default:
 		return fmt.Errorf("output option cannot be %s", output)

cmd/crictl/util.go

@@ -231,7 +231,7 @@ func outputProtobufObjAsYAML(obj proto.Message) error {
 	return nil
 }
 
-func outputStatusInfo(status string, info map[string]string, format string, tmplStr string) error {
+func outputStatusInfo(status, handlers string, info map[string]string, format string, tmplStr string) error {
 	// Sort all keys
 	keys := []string{}
 	for k := range info {
@@ -240,6 +240,9 @@ func outputStatusInfo(status string, info map[string]string, format string, tmpl
 	sort.Strings(keys)
 
 	jsonInfo := "{" + "\"status\":" + status + ","
+	if handlers != "" {
+		jsonInfo += "\"runtimeHandlers\":" + handlers + ","
+	}
 	for _, k := range keys {
 		var res interface{}
 		// We attempt to convert key into JSON if possible else use it directly

go.mod

@@ -119,7 +119,7 @@ replace (
 	k8s.io/component-base => k8s.io/kubernetes/staging/src/k8s.io/component-base v0.0.0-20231213084502-3f7a50f38688
 	k8s.io/component-helpers => k8s.io/kubernetes/staging/src/k8s.io/component-helpers v0.0.0-20231213084502-3f7a50f38688
 	k8s.io/controller-manager => k8s.io/kubernetes/staging/src/k8s.io/controller-manager v0.0.0-20231213084502-3f7a50f38688
-	k8s.io/cri-api => k8s.io/kubernetes/staging/src/k8s.io/cri-api v0.0.0-20231213084502-3f7a50f38688
+	k8s.io/cri-api => github.com/AkihiroSuda/cri-api v0.30.0-alpha.1.0.20240207211503-14b9fc678aa7
 	k8s.io/csi-translation-lib => k8s.io/kubernetes/staging/src/k8s.io/csi-translation-lib v0.0.0-20231213084502-3f7a50f38688
 	k8s.io/dynamic-resource-allocation => k8s.io/kubernetes/staging/src/k8s.io/dynamic-resource-allocation v0.0.0-20231213084502-3f7a50f38688
 	k8s.io/endpointslice => k8s.io/kubernetes/staging/src/k8s.io/endpointslice v0.0.0-20231213084502-3f7a50f38688

go.sum

@@ -2,6 +2,8 @@ cloud.google.com/go/compute v1.23.0 h1:tP41Zoavr8ptEqaW6j+LQOnyBBhO7OkOMAGrgLopT
 cloud.google.com/go/compute v1.23.0/go.mod h1:4tCnrn48xsqlwSAiLf1HXMQk8CONslYbdiEZc9FEIbM=
 cloud.google.com/go/compute/metadata v0.2.3 h1:mg4jlk7mCAj6xXp9UJ4fjI9VUI5rubuGBW5aJ7UnBMY=
 cloud.google.com/go/compute/metadata v0.2.3/go.mod h1:VAV5nSsACxMJvgaAuX6Pk2AawlZn8kiOGuCv6gTkwuA=
+github.com/AkihiroSuda/cri-api v0.30.0-alpha.1.0.20240207211503-14b9fc678aa7 h1:4Im9fRMx6QtWpK5dXF85yGIZPOp04nF/aXH9iP0dwZQ=
+github.com/AkihiroSuda/cri-api v0.30.0-alpha.1.0.20240207211503-14b9fc678aa7/go.mod h1:9fQTFm+wi4FLyqrkVUoMJiUB3mE74XrVvHz8uFY/sSw=
 github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1 h1:UQHMgLO+TxOElx5B5HZ4hJQsoJ/PvUvKRhJHDQXO8P8=
 github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1/go.mod h1:xomTg63KZ2rFqZQzSB4Vz2SUXa1BpHTVz9L5PTmPC4E=
 github.com/Microsoft/go-winio v0.6.0 h1:slsWYD/zyx7lCXoZVlvQrj0hPTM1HI4+v1sIda2yDvg=
@@ -279,8 +281,6 @@ k8s.io/kubernetes/staging/src/k8s.io/client-go v0.0.0-20231213084502-3f7a50f3868
 k8s.io/kubernetes/staging/src/k8s.io/client-go v0.0.0-20231213084502-3f7a50f38688/go.mod h1:ZDvAVpZvDeVszpJ60k4vAm6m+lhTLxbr3GY5NbE8X1E=
 k8s.io/kubernetes/staging/src/k8s.io/component-base v0.0.0-20231213084502-3f7a50f38688 h1:QpQ05w9A7xLBHLse6EilSkfXqYynkWk/Vkq3SNCMfWY=
 k8s.io/kubernetes/staging/src/k8s.io/component-base v0.0.0-20231213084502-3f7a50f38688/go.mod h1:qLO9+0qPsNO/o4U/X1ebazO3IOaQRgQdfTXa7IsRnCE=
-k8s.io/kubernetes/staging/src/k8s.io/cri-api v0.0.0-20231213084502-3f7a50f38688 h1:1Wj+ocTpRZfNws4qajSd3hpNABIG0aExtmOvAP5xiow=
-k8s.io/kubernetes/staging/src/k8s.io/cri-api v0.0.0-20231213084502-3f7a50f38688/go.mod h1:inilmNAvSChktQm94KP+MNob/cllXUcKfDBcdo8tQ8w=
 k8s.io/kubernetes/staging/src/k8s.io/kubectl v0.0.0-20231213084502-3f7a50f38688 h1:yoiaNqQsNGRgNxlzuAL4Zy8MK2KxSHe8hA9YVbEQa+o=
 k8s.io/kubernetes/staging/src/k8s.io/kubectl v0.0.0-20231213084502-3f7a50f38688/go.mod h1:rScErriC7ZZ27CUVUI2za1FEpI1BJI/iMBTL9kscr5M=
 k8s.io/kubernetes/staging/src/k8s.io/kubelet v0.0.0-20231213084502-3f7a50f38688 h1:7ISXAlR8JDeIo9q+bCtdlkqSWHlHCmYTMemoRH7HPOE=

pkg/validate/container_linux.go

@@ -307,3 +307,202 @@ func createOOMKilledContainer(
 
 	return containerID
 }
+
+var _ = framework.KubeDescribe("Container Mount Readonly", func() {
+	f := framework.NewDefaultCRIFramework()
+
+	var rc internalapi.RuntimeService
+	var ic internalapi.ImageManagerService
+
+	BeforeEach(func() {
+		rc = f.CRIClient.CRIRuntimeClient
+		ic = f.CRIClient.CRIImageClient
+	})
+
+	Context("runtime should support readonly mounts", func() {
+		var podID string
+		var podConfig *runtimeapi.PodSandboxConfig
+
+		BeforeEach(func() {
+			podID, podConfig = createPrivilegedPodSandbox(rc, true)
+		})
+
+		AfterEach(func() {
+			By("stop PodSandbox")
+			rc.StopPodSandbox(context.TODO(), podID)
+			By("delete PodSandbox")
+			rc.RemovePodSandbox(context.TODO(), podID)
+		})
+
+		testRRO := func(rc internalapi.RuntimeService, ic internalapi.ImageManagerService, rro bool) {
+			if rro && !runtimeSupportsRRO(rc, "") {
+				Skip("runtime does not implement recursive readonly mounts")
+				return
+			}
+
+			By("create host path")
+			hostPath, clearHostPath := createHostPathForRROMount(podID)
+			defer clearHostPath() // clean up the TempDir
+
+			By("create container with volume")
+			containerID := createRROMountContainer(rc, ic, podID, podConfig, hostPath, "/mnt", rro)
+
+			By("test start container with volume")
+			testStartContainer(rc, containerID)
+
+			By("check whether `touch /mnt/tmpfs/file` succeeds")
+			command := []string{"touch", "/mnt/tmpfs/file"}
+			if rro {
+				command = []string{"sh", "-c", `touch /mnt/tmpfs/foo 2>&1 | grep -q "Read-only file system"`}
+			}
+			execSyncContainer(rc, containerID, command)
+		}
+
+		It("should support non-recursive readonly mounts", func() {
+			testRRO(rc, ic, false)
+		})
+		It("should support recursive readonly mounts", func() {
+			testRRO(rc, ic, true)
+		})
+		testRROInvalidPropagation := func(prop runtimeapi.MountPropagation) {
+			if !runtimeSupportsRRO(rc, "") {
+				Skip("runtime does not implement recursive readonly mounts")
+				return
+			}
+			hostPath, clearHostPath := createHostPathForRROMount(podID)
+			defer clearHostPath() // clean up the TempDir
+			mounts := []*runtimeapi.Mount{
+				{
+					HostPath:          hostPath,
+					ContainerPath:     "/mnt",
+					Readonly:          true,
+					RecursiveReadOnly: true,
+					SelinuxRelabel:    true,
+					Propagation:       prop,
+				},
+			}
+			const expectErr = true
+			createMountContainer(rc, ic, podID, podConfig, mounts, expectErr)
+		}
+		It("should reject a recursive readonly mount with PROPAGATION_HOST_TO_CONTAINER", func() {
+			testRROInvalidPropagation(runtimeapi.MountPropagation_PROPAGATION_HOST_TO_CONTAINER)
+		})
+		It("should reject a recursive readonly mount with PROPAGATION_BIDIRECTIONAL", func() {
+			testRROInvalidPropagation(runtimeapi.MountPropagation_PROPAGATION_BIDIRECTIONAL)
+		})
+		It("should reject a recursive readonly mount with ReadOnly: false", func() {
+			if !runtimeSupportsRRO(rc, "") {
+				Skip("runtime does not implement recursive readonly mounts")
+				return
+			}
+			hostPath, clearHostPath := createHostPathForRROMount(podID)
+			defer clearHostPath() // clean up the TempDir
+			mounts := []*runtimeapi.Mount{
+				{
+					HostPath:          hostPath,
+					ContainerPath:     "/mnt",
+					Readonly:          false,
+					RecursiveReadOnly: true,
+					SelinuxRelabel:    true,
+				},
+			}
+			const expectErr = true
+			createMountContainer(rc, ic, podID, podConfig, mounts, expectErr)
+		})
+	})
+})
+
+func runtimeSupportsRRO(rc internalapi.RuntimeService, runtimeHandlerName string) bool {
+	ctx := context.Background()
+	status, err := rc.Status(ctx, false)
+	framework.ExpectNoError(err, "failed to check runtime status")
+	for _, h := range status.RuntimeHandlers {
+		if h.Name == runtimeHandlerName {
+			if f := h.Features; f != nil {
+				if f.RecursiveReadOnlyMounts {
+					return true
+				}
+				return false
+			}
+		}
+	}
+	return false
+}
+
+// createHostPath creates the hostPath for RRO mount test.
+//
+// hostPath contains a "tmpfs" directory with tmpfs mounted on it.
+func createHostPathForRROMount(podID string) (string, func()) {
+	hostPath, err := os.MkdirTemp("", "test"+podID)
+	framework.ExpectNoError(err, "failed to create TempDir %q: %v", hostPath, err)
+
+	tmpfsMntPoint := filepath.Join(hostPath, "tmpfs")
+	err = os.MkdirAll(tmpfsMntPoint, 0700)
+	framework.ExpectNoError(err, "failed to create tmpfs dir %q: %v", tmpfsMntPoint, err)
+
+	err = unix.Mount("none", tmpfsMntPoint, "tmpfs", 0, "")
+	framework.ExpectNoError(err, "failed to mount tmpfs on dir %q: %v", tmpfsMntPoint, err)
+
+	clearHostPath := func() {
+		By("clean up the TempDir")
+		err := unix.Unmount(tmpfsMntPoint, unix.MNT_DETACH)
+		framework.ExpectNoError(err, "failed to unmount \"tmpfsMntPoint\": %v", err)
+		err = os.RemoveAll(hostPath)
+		framework.ExpectNoError(err, "failed to remove \"hostPath\": %v", err)
+	}
+
+	return hostPath, clearHostPath
+}
+
+func createRROMountContainer(
+	rc internalapi.RuntimeService,
+	ic internalapi.ImageManagerService,
+	podID string,
+	podConfig *runtimeapi.PodSandboxConfig,
+	hostPath, containerPath string,
+	rro bool,
+) string {
+	mounts := []*runtimeapi.Mount{
+		{
+			HostPath:          hostPath,
+			ContainerPath:     containerPath,
+			Readonly:          true,
+			RecursiveReadOnly: rro,
+			SelinuxRelabel:    true,
+		},
+	}
+	return createMountContainer(rc, ic, podID, podConfig, mounts, false)
+}
+
+func createMountContainer(
+	rc internalapi.RuntimeService,
+	ic internalapi.ImageManagerService,
+	podID string,
+	podConfig *runtimeapi.PodSandboxConfig,
+	mounts []*runtimeapi.Mount,
+	expectErr bool,
+) string {
+	By("create a container with volume and name")
+	containerName := "test-mount-" + framework.NewUUID()
+	containerConfig := &runtimeapi.ContainerConfig{
+		Metadata: framework.BuildContainerMetadata(containerName, framework.DefaultAttempt),
+		Image:    &runtimeapi.ImageSpec{Image: framework.TestContext.TestImageList.DefaultTestContainerImage},
+		Command:  pauseCmd,
+		Mounts:   mounts,
+	}
+
+	if expectErr {
+		_, err := framework.CreateContainerWithError(rc, ic, containerConfig, podID, podConfig)
+		Expect(err).To(HaveOccurred())
+		return ""
+	}
+
+	containerID := framework.CreateContainer(rc, ic, containerConfig, podID, podConfig)
+
+	By("verifying container status")
+	resp, err := rc.ContainerStatus(context.TODO(), containerID, true)
+	framework.ExpectNoError(err, "unable to get container status")
+	Expect(len(resp.Status.Mounts), len(mounts))
+
+	return containerID
+}