runtime-rs: Propagate k8s configs correctly when sharedfs is disabled #11240
Conversation
Hi @Apokleos - thanks for this update. Just to check I understand the scope of this
I'm just trying to confirm how much of the gap this closes; if the watcher is a separate PR, then that's not a problem for me. Thanks!
yes
Yes, you're right. And I'm also thinking about this point, watching the files/dir changes; as you have pointed out, I believe I have to make it work with one more commit which belongs to this PR.
I think I'm working on the same functions as the code you list. More comments will be added to make it more clear.
Appreciated, Steven @stevenhorsman. I tend to introduce one more commit to make it closer to runtime-go.
Great - thanks for the clarification. I think this PR is still good, so am happy to see it go in, I just wanted to check I'd understand the limits/scope of it.
Hi @stevenhorsman PR updated, PTAL! Thx.
// multiple times in a short period; we only execute the last one.
if let Some(t) = last_event_time {
    if Instant::now().duration_since(t) > DEBOUNCE_TIME && *need_sync.lock().await {
        info!(sl!(), "debonce handle copyfile {:?} -> {:?}", &src, &dst);
nit: debonce -> debounce
{
    error!(
        sl!(),
        "debonce handle copyfile {:?} -> {:?} failed with error: {:?}",
Same here
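The debounce the two snippets above implement (a timestamp of the last event, a `need_sync` flag, and a cooldown compared against `Instant::now()`), reworked as an added, clock-injected example so the rule "a burst of events yields one sync after it settles" can be exercised without sleeping. This is illustrative code, not the project's watcher: `SyncDebouncer`, `on_event`, `should_sync` and `replay` are my own names, and the 500 ms default is the value the PR's commit message states.

```rust
use std::time::{Duration, Instant};

/// Cooldown after the last observed event before a sync runs
/// (500 ms, the default stated in the PR's commit message).
pub const DEBOUNCE_TIME: Duration = Duration::from_millis(500);

/// Coalesces a burst of file-system events into a single sync.
/// Illustrative type (assumption), not the project's FsWatcher.
pub struct SyncDebouncer {
    last_event_time: Option<Instant>,
    need_sync: bool,
    cooldown: Duration,
}

impl SyncDebouncer {
    pub fn new(cooldown: Duration) -> Self {
        Self { last_event_time: None, need_sync: false, cooldown }
    }

    /// Record an event (CREATE/MODIFY/DELETE/...) seen at `now`.
    /// Each event restarts the cooldown, so only the last one in a burst counts.
    pub fn on_event(&mut self, now: Instant) {
        self.last_event_time = Some(now);
        self.need_sync = true;
    }

    /// Poll at time `now`. Returns true exactly once per settled burst:
    /// when a sync is pending and the cooldown has elapsed since the last event.
    pub fn should_sync(&mut self, now: Instant) -> bool {
        match self.last_event_time {
            Some(t) if self.need_sync && now.duration_since(t) > self.cooldown => {
                self.need_sync = false; // the caller would run copy_dir_recursively here
                true
            }
            _ => false,
        }
    }
}

/// Drive a debouncer through a scripted timeline of events and polls
/// (offsets in milliseconds from `base`). Returns the poll offsets at which
/// a sync fired, so the coalescing behaviour can be checked deterministically.
pub fn replay(events_ms: &[u64], polls_ms: &[u64], base: Instant) -> Vec<u64> {
    let mut d = SyncDebouncer::new(DEBOUNCE_TIME);
    let at = |ms: u64| base + Duration::from_millis(ms);
    let mut fired = Vec::new();
    let mut ev = events_ms.iter().peekable();
    for &p in polls_ms {
        // Deliver every event that happened at or before this poll.
        while let Some(&&e) = ev.peek() {
            if e <= p {
                d.on_event(at(e));
                ev.next();
            } else {
                break;
            }
        }
        if d.should_sync(at(p)) {
            fired.push(p);
        }
    }
    fired
}

fn main() {
    // Constructed timeline: a burst of three writes at 0/100/200 ms, then one
    // write at 1500 ms. Polling every 100 ms yields exactly two syncs.
    let polls: Vec<u64> = (0..=25).map(|i| i * 100).collect();
    let fired = replay(&[0, 100, 200, 1500], &polls, Instant::now());
    println!("syncs fired at {:?} ms", fired);
}
```

The comparison is strict (`>`), as in the reviewed code, so a poll landing exactly on the cooldown boundary does not fire; a stream of events spaced closer than the cooldown never settles and therefore never syncs, which is the trade-off of this scheme.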
Thanks for the update. Is it just the identification of the Kubernetes files we want to propagate left now for this feature?
92a1015 to 371dc34
Appreciate @stevenhorsman I have updated it with
/// This function is used to check whether a given volume is in the allowed copy whitelist.
/// More specifically, it determines whether the volume's path is located under a predefined
/// list of allowed copy directories.
pub(crate) fn is_whitelisted_copy_volume(source_path: &PathBuf) -> bool {
To try and comply with the Inclusive Naming Initiative which the CNCF created, could we rename whitelist to allowlist here? https://inclusivenaming.org/word-lists/tier-1/whitelist/
Cool! definitely agree
Fixed, PTAL
Add async directory traversal using BFS algorithm:
(1) Support file type handling: Regular files (S_IFREG) with content streaming; Directories (S_IFDIR) with mode preservation; Symbolic links (S_IFLNK) with target recreation;
(2) Maintain POSIX metadata: UID/GID preservation, File mode bits, and Directory permissions;
(3) Implement async I/O operations for: Directory enumeration, file reading, symlink target resolution.
Fixes kata-containers#11237
Signed-off-by: alex.lyn <alex.lyn@antgroup.com>

In Kubernetes (k8s), while Kata Pods often use virtiofs for injecting Service Accounts, Secrets, and ConfigMaps, security-sensitive environments like CoCo disable host-guest sharing. Consequently, when SharedFs is disabled, we propagate these configurations into the guest via file copy and bind mount for correct container access.
Fixes kata-containers#11237
Signed-off-by: alex.lyn <alex.lyn@antgroup.com>

Introduce event-driven file sync mechanism between host and guest when sharedfs is disabled, which will help monitor the host path in time and do sync files changes:
1. Introduce FsWatcher to monitor directory changes via inotify;
2. Support recursive watching with configurable filters;
3. Add debounce logic (default 500ms cooldown) to handle burst events;
4. Trigger `copy_dir_recursively` on stable state;
5. Handle CREATE/MODIFY/DELETE/MOVED/CLOSE_WRITE events;
Fixes kata-containers#11237
Signed-off-by: alex.lyn <alex.lyn@antgroup.com>

When synchronizing file changes on the host, a "symlink AlreadyExists" issue occurs, primarily due to improper handling of symbolic links (symlinks). Additionally, there are other related problems. This patch will try to address these problems.
(1) Handle symlink target existence (files, dirs, symlinks) during host file sync. Use appropriate removal methods (unlink, remove_file, remove_dir_all).
(2) Enhance temporary file handling for safer operations and implement truncate only at offset 0 for resume support.
(3) Set permissions and ownership for parent directories.
(4) Check and clean target path for regular files before rename.
Fixes kata-containers#11237
Signed-off-by: alex.lyn <alex.lyn@antgroup.com>

Fixes kata-containers#11237
Signed-off-by: alex.lyn <alex.lyn@antgroup.com>

For security reasons, we have restricted directory copying. Introduces the `is_allowlisted_copy_volume` function to verify if a given volume path is present in an allowed copy directory. This enhances security by ensuring only permitted volumes are copied. Currently, only directories under the path `/var/lib/kubelet/pods/<uid>/volumes/{kubernetes.io~configmap, kubernetes.io~secret, kubernetes.io~downward-api, kubernetes.io~projected}` are allowed to be copied into the guest. Copying of other directories will be prohibited.
Fixes kata-containers#11237
Signed-off-by: alex.lyn <alex.lyn@antgroup.com>
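The path allowlist the last commit describes, written out as an added example. It is a hypothetical helper, not the project's `is_allowlisted_copy_volume`: `is_under_allowed_volume_dir`, `ALLOWED_VOLUME_PLUGINS`, `KUBELET_PODS_PREFIX` and the sample pod uid are my own; the four plugin directories and the `/var/lib/kubelet/pods/<uid>/volumes/` prefix come from the commit message. The function accepts only absolute paths of that shape and rejects any `..` component outright rather than normalizing it away. The check is purely lexical: before copying, the real source path should also be canonicalized (or symlinks within it refused), because a name that passes this test says nothing about where a symlink beneath it points.

```rust
use std::path::{Component, Path};

/// Volume plugin directories under `/var/lib/kubelet/pods/<uid>/volumes/` whose
/// contents may be copied into the guest (the four listed in the commit message).
pub const ALLOWED_VOLUME_PLUGINS: &[&str] = &[
    "kubernetes.io~configmap",
    "kubernetes.io~secret",
    "kubernetes.io~downward-api",
    "kubernetes.io~projected",
];

/// Fixed leading components every allowed source path must have.
const KUBELET_PODS_PREFIX: &[&str] = &["var", "lib", "kubelet", "pods"];

/// Lexically decide whether `source` is an allowed volume plugin directory or
/// something beneath it. Hypothetical helper (assumption), not the project's code.
///
/// Rejects relative paths, any `..` component (instead of normalizing it away),
/// non-UTF-8 components, and paths too short to name a plugin directory.
pub fn is_under_allowed_volume_dir(source: &Path) -> bool {
    let mut comps = source.components();

    // Must be absolute: the first component has to be the root directory.
    if comps.next() != Some(Component::RootDir) {
        return false;
    }

    // Collect the remaining components; anything that is not a plain name
    // (`..`, a platform prefix, a stray root) disqualifies the whole path.
    // Note: `Path::components` already drops interior `.` entries.
    let mut parts: Vec<&str> = Vec::new();
    for c in comps {
        match c {
            Component::Normal(name) => match name.to_str() {
                Some(s) => parts.push(s),
                None => return false,
            },
            _ => return false,
        }
    }

    // Expected shape: var lib kubelet pods <uid> volumes <plugin> [...]
    let n = KUBELET_PODS_PREFIX.len();
    if parts.len() < n + 3 || &parts[..n] != KUBELET_PODS_PREFIX {
        return false;
    }
    let (volumes_dir, plugin) = (parts[n + 1], parts[n + 2]);
    volumes_dir == "volumes" && ALLOWED_VOLUME_PLUGINS.contains(&plugin)
}

fn main() {
    // Constructed sample paths; the pod uid is made up.
    let uid = "2b7e1f3a-0000-4000-8000-000000000001";
    let samples = [
        format!("/var/lib/kubelet/pods/{uid}/volumes/kubernetes.io~secret/db-creds"),
        format!("/var/lib/kubelet/pods/{uid}/volumes/kubernetes.io~empty-dir/cache"),
        format!("/var/lib/kubelet/pods/{uid}/volumes/kubernetes.io~secret/../../../../etc"),
        String::from("/etc/kubernetes/pki"),
    ];
    for s in &samples {
        println!("{} -> {}", s, is_under_allowed_volume_dir(Path::new(s)));
    }
}
```

Because only a literal `..` component is treated as a parent reference, kubelet's own `..data` and `..<timestamp>` entries inside a projected or configmap volume still pass, while a traversal attempt is refused rather than silently cleaned.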
let's get this one in.
thanks @Apokleos!
runtime-rs: Propagate k8s configs correctly when sharedfs is disabled
In Kubernetes (k8s), while Kata Pods often use virtiofs for injecting
Service Accounts, Secrets, and ConfigMaps, security-sensitive
environments like CoCo disable host-guest sharing. Consequently, when
SharedFs is disabled, we propagate these configurations into the guest
via file copy and bind mount for correct container access.
Fixes #11237
Signed-off-by: alex.lyn <alex.lyn@antgroup.com>