Merge pull request cri-o#9159 from saschagrunert/artifact-subpath

openshift-merge-bot[bot] · web-flow · commit 2fe75a93f652 · 2025-04-30T07:36:51.000Z
Support artifact mount sub paths
diff --git a/server/artifacts_test.go b/server/artifacts_test.go
@@ -0,0 +1,87 @@
+package server_test
+
+import (
+	"context"
+
+	. "github.com/onsi/ginkgo/v2"
+	. "github.com/onsi/gomega"
+
+	"github.com/cri-o/cri-o/internal/ociartifact"
+	"github.com/cri-o/cri-o/server"
+)
+
+// The actual test suite.
+var _ = t.Describe("Artifacts", func() {
+	const artifact = "my-artifact"
+	var (
+		ctx   = context.Background()
+		paths = []ociartifact.BlobMountPath{
+			{Name: "1"},
+			{Name: "dir-1/2"},
+			{Name: "dir-1/3"},
+			{Name: "dir-2/4"},
+			{Name: "dir-2/5"},
+		}
+	)
+
+	It("should succeed with empty sub path", func() {
+		// Given
+
+		// When
+		res, err := server.FilterMountPathsBySubPath(ctx, artifact, "", paths)
+
+		// Then
+		Expect(err).NotTo(HaveOccurred())
+		Expect(res).To(Equal(paths))
+	})
+
+	It("should succeed with filtered sub path", func() {
+		// Given
+
+		// When
+		res, err := server.FilterMountPathsBySubPath(ctx, artifact, "dir-1", paths)
+
+		// Then
+		Expect(err).NotTo(HaveOccurred())
+		Expect(res).To(Equal([]ociartifact.BlobMountPath{
+			{Name: "2"},
+			{Name: "3"},
+		}))
+	})
+
+	It("should succeed with '.' sub path", func() {
+		// Given
+
+		// When
+		res, err := server.FilterMountPathsBySubPath(ctx, artifact, ".", paths)
+
+		// Then
+		Expect(err).NotTo(HaveOccurred())
+		Expect(res).To(Equal(paths))
+	})
+
+	It("should succeed with './' prefix in sub path", func() {
+		// Given
+
+		// When
+		res, err := server.FilterMountPathsBySubPath(ctx, artifact, "./dir-1", paths)
+
+		// Then
+		Expect(err).NotTo(HaveOccurred())
+		Expect(res).To(Equal([]ociartifact.BlobMountPath{
+			{Name: "2"},
+			{Name: "3"},
+		}))
+	})
+
+	It("should fail if sub path is not existing", func() {
+		// Given
+
+		// When
+		res, err := server.FilterMountPathsBySubPath(ctx, artifact, "dir-3", paths)
+
+		// Then
+		Expect(err).To(HaveOccurred())
+		Expect(res).To(BeNil())
+	})
+})
diff --git a/server/container_create_linux.go b/server/container_create_linux.go
@@ -27,6 +27,7 @@ import (
 	"github.com/cri-o/cri-o/internal/lib/sandbox"
 	"github.com/cri-o/cri-o/internal/log"
 	"github.com/cri-o/cri-o/internal/oci"
+	"github.com/cri-o/cri-o/internal/ociartifact"
 	crioann "github.com/cri-o/cri-o/pkg/annotations"
 )
 
@@ -217,12 +218,17 @@ func (s *Server) addOCIBindMounts(ctx context.Context, ctr ctrfactory.Container,
 
 					continue
 				}
+
+				// Don't fallback to an image mount if we already encounter an ErrImageVolumeMountFailed error
+				if errors.Is(err, crierrors.ErrImageVolumeMountFailed) {
+					return nil, nil, nil, err
+				}
+
+				log.Warnf(ctx, "Artifact mount failed, falling back to image mount: %v", err)
 			} else {
 				log.Debugf(ctx, "Skipping artifact mount because OCI artifact mount support is disabled")
 			}
 
-			log.Warnf(ctx, "Artifact mount failed with %s. Falling back to image mount", err)
-
 			volume, safeMount, err := s.mountImage(ctx, specgen, imageVolumesPath, m, runDir)
 			if err != nil {
 				return nil, nil, nil, fmt.Errorf("%w: %w", crierrors.ErrImageVolumeMountFailed, err)
@@ -428,6 +434,12 @@ func (s *Server) mountArtifact(ctx context.Context, specgen *generate.Generator,
 		selinuxRelabel = false
 	}
 
+	paths, err = FilterMountPathsBySubPath(ctx, m.Image.Image, m.ImageSubPath, paths)
+	if err != nil {
+		// This error will get reported directly to the end user
+		return nil, err
+	}
+
 	for _, path := range paths {
 		dest, err := securejoin.SecureJoin(m.ContainerPath, path.Name)
 		if err != nil {
@@ -463,6 +475,34 @@ func (s *Server) mountArtifact(ctx context.Context, specgen *generate.Generator,
 	return volumes, nil
 }
 
+func FilterMountPathsBySubPath(ctx context.Context, artifact, subPath string, paths []ociartifact.BlobMountPath) (filteredPaths []ociartifact.BlobMountPath, err error) {
+	if subPath == "" || subPath == "." {
+		return paths, nil
+	}
+
+	cleanSubPath := filepath.Clean(subPath) + "/"
+
+	if !slices.ContainsFunc(paths, func(val ociartifact.BlobMountPath) bool {
+		return strings.HasPrefix(val.Name, cleanSubPath)
+	}) {
+		return nil, fmt.Errorf("%w: sub path %q does not exist in OCI artifact volume %q", crierrors.ErrImageVolumeMountFailed, subPath, artifact)
+	}
+
+	for _, path := range paths {
+		if !strings.HasPrefix(path.Name, cleanSubPath) {
+			log.Debugf(ctx, "Skipping to mount artifact path %q because it's not a sub path of %q", path.Name, subPath)
+
+			continue
+		}
+
+		newPath := strings.TrimPrefix(path.Name, cleanSubPath)
+		log.Debugf(ctx, "Modifying artifact mount path from %q to %q because of user specified sub path %q", path.Name, newPath, cleanSubPath)
+		filteredPaths = append(filteredPaths, ociartifact.BlobMountPath{Name: newPath, SourcePath: path.SourcePath})
+	}
+
+	return filteredPaths, nil
+}
+
 // mountImage adds required image mounts to the provided spec generator and returns a corresponding ContainerVolume.
 func (s *Server) mountImage(ctx context.Context, specgen *generate.Generator, imageVolumesPath string, m *types.Mount, runDir string) (*oci.ContainerVolume, *safeMountInfo, error) {
 	if m == nil || m.Image == nil || m.Image.Image == "" || m.ContainerPath == "" {
diff --git a/test/oci_artifacts.bats b/test/oci_artifacts.bats
@@ -13,6 +13,7 @@ function teardown() {
 
 ARTIFACT_REPO=quay.io/crio/artifact
 ARTIFACT_IMAGE="$ARTIFACT_REPO:singlefile"
+ARTIFACT_IMAGE_SUBPATH="$ARTIFACT_REPO:subpath"
 
 @test "should be able to pull and list an OCI artifact" {
 	start_crio
@@ -225,3 +226,43 @@ EOF
 
 	rm -f "$ARTIFACT_CONFIG"
 }
+
+@test "should be able to mount OCI Artifact with sub path" {
+	start_crio
+	crictl pull $ARTIFACT_IMAGE_SUBPATH
+	pod_id=$(crictl runp "$TESTDATA"/sandbox_config.json)
+	jq --arg ARTIFACT_IMAGE_SUBPATH "$ARTIFACT_IMAGE_SUBPATH" \
+		'.mounts = [ {
+      container_path: "/root/artifact",
+      image: { image: $ARTIFACT_IMAGE_SUBPATH },
+      image_sub_path: "subpath"
+    } ] |
+    .command = ["sleep", "3600"]' \
+		"$TESTDATA"/container_config.json > "$TESTDIR/container_config.json"
+	ctr_id=$(crictl create "$pod_id" "$TESTDIR/container_config.json" "$TESTDATA/sandbox_config.json")
+	crictl start "$ctr_id"
+
+	# The artifact should get mounted with the correct sub path
+	run crictl exec --sync "$ctr_id" cat /root/artifact/2
+	[[ "$output" == "2" ]]
+
+	run crictl exec --sync "$ctr_id" cat /root/artifact/3
+	[[ "$output" == "3" ]]
+}
+
+@test "should fail to mount OCI Artifact with sub path if not existing" {
+	start_crio
+	crictl pull $ARTIFACT_IMAGE_SUBPATH
+	pod_id=$(crictl runp "$TESTDATA"/sandbox_config.json)
+	jq --arg ARTIFACT_IMAGE_SUBPATH "$ARTIFACT_IMAGE_SUBPATH" \
+		'.mounts = [ {
+      container_path: "/root/artifact",
+      image: { image: $ARTIFACT_IMAGE_SUBPATH },
+      image_sub_path: "subpath-not-existing"
+    } ] |
+    .command = ["sleep", "3600"]' \
+		"$TESTDATA"/container_config.json > "$TESTDIR/container_config.json"
+	run ! crictl create "$pod_id" "$TESTDIR/container_config.json" "$TESTDATA/sandbox_config.json"
+
+	[[ "$output" == *"ImageVolumeMountFailed"*"does not exist in OCI artifact volume"* ]]
+}
diff --git a/test/testdata/artifacts/push-oci-artifacts b/test/testdata/artifacts/push-oci-artifacts
@@ -14,3 +14,4 @@ cd "$ARTIFACT_DIR"
 oras push "$REPOSITORY:singlefile" --artifact-type application/x.test.test.test.v1 artifact.txt
 oras push "$REPOSITORY:exec" --artifact-type application/x.test.test.test.v1 artifact.sh
 oras push "$REPOSITORY:multiplefiles" --artifact-type application/x.test.test.test.v1 artifact.txt artifact.sh
+oras push "$REPOSITORY:subpath" --artifact-type application/x.test.test.test.v1 subpath/2:text/plain subpath/3:text/plain
diff --git a/test/testdata/artifacts/subpath/2 b/test/testdata/artifacts/subpath/2
@@ -0,0 +1 @@
+2
diff --git a/test/testdata/artifacts/subpath/3 b/test/testdata/artifacts/subpath/3
@@ -0,0 +1 @@
+3
