Skip to content

[release-1.30] OCPBUGS-42276: Only restore container if all bind mounts are defined #8793

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
Nov 29, 2024
Merged

[release-1.30] OCPBUGS-42276: Only restore container if all bind mounts are defined #8793

merged 2 commits into from
Nov 29, 2024
+75 −136

Conversation

@kwilczynski
Copy link
Contributor

This is a manual cherry-pick of commit 429ef7c

commit 429ef7c366406280cfa3daa15812d14b22953a7a
Author: Adrian Reber <[email protected]>
Date:   Mon Sep 30 23:37:13 2024

    Only restore container if all bind mounts are defined
    
    To avoid the situation where a container that is restored via a registry
    mounts unexpected host paths into the container, this changes the
    restore behaviour of CRI-O.
    
    Previously all bind mounted paths in the original container which were
    defined for example like this:
    
        volumeMounts:
        - mountPath: /data
          name: data-volume
      volumes:
      - name: data-volume
        hostPath:
          path: /srv/container/data
    
    Were automatically mounted in the restored container without and
    definition necessary. This lead to the situation that the user does not
    know which path will be mounted if starting a restored container.
    
    Now CRI-O will refuse to restore a container if not all bind mounts are
    defined via the CRI CreateContainer RPC in the CreateContainerRequest
    message.
    
    CRI-O will now return an error that will look something likes this:
    
    Error: the container to restore (7f...be) expects following bind mounts defined (/data,/data2)
    
    Now the user has to explicitly add those bind mounts in the same way as
    it was done during initial container creation.
    
    Signed-off-by: Adrian Reber <[email protected]>

/assign kwilczynski

Note

This cherry-pickl brings the following Pull Request as a dependency:

Only restore container if all bind mounts are defined.

adrianreber and others added 2 commits November 29, 2024 09:52
@adrianreber
Only restore container if all bind mounts are defined
fba653e 
To avoid the situation where a container that is restored via a registry
mounts unexpected host paths into the container, this changes the
restore behaviour of CRI-O.

Previously all bind mounted paths in the original container which were
defined for example like this:

    volumeMounts:
    - mountPath: /data
      name: data-volume
  volumes:
  - name: data-volume
    hostPath:
      path: /srv/container/data

Were automatically mounted in the restored container without and
definition necessary. This lead to the situation that the user does not
know which path will be mounted if starting a restored container.

Now CRI-O will refuse to restore a container if not all bind mounts are
defined via the CRI CreateContainer RPC in the CreateContainerRequest
message.

CRI-O will now return an error that will look something likes this:

Error: the container to restore (7f...be) expects following bind mounts defined (/data,/data2)

Now the user has to explicitly add those bind mounts in the same way as
it was done during initial container creation.

Signed-off-by: Adrian Reber <[email protected]>
@saschagrunert
Fix container restore lint report
308c07a 
Signed-off-by: Sascha Grunert <[email protected]>
@kwilczynski kwilczynski requested a review from mrunalp as a code owner November 29, 2024 00:53
@openshift-ci openshift-ci bot added release-note Denotes a PR that will be considered when it comes time to generate release notes. dco-signoff: yes Indicates the PR's author has DCO signed all their commits. labels Nov 29, 2024
@kwilczynski kwilczynski changed the title Only restore container if all bind mounts are defined [release-1.30] Only restore container if all bind mounts are defined Nov 29, 2024
@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Nov 29, 2024
@openshift-ci
Copy link
Contributor

openshift-ci bot commented Nov 29, 2024

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: kwilczynski, saschagrunert

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Nov 29, 2024
@openshift-merge-bot openshift-merge-bot bot merged commit 7be0d22 into cri-o:release-1.30 Nov 29, 2024
41 of 43 checks passed
@kwilczynski kwilczynski deleted the feature/backport-commit-429ef7c36-to-release-1.30 branch November 29, 2024 08:19
@kwilczynski kwilczynski changed the title [release-1.30] Only restore container if all bind mounts are defined [release-1.30] OCPBUGS-42276: Only restore container if all bind mounts are defined Dec 10, 2024
@openshift-ci-robot
Copy link

@kwilczynski: Jira Issue OCPBUGS-42276: All pull requests linked via external trackers have merged:

Jira Issue OCPBUGS-42276 has been moved to the MODIFIED state.

In response to this:

This is a manual cherry-pick of commit 429ef7c

commit 429ef7c366406280cfa3daa15812d14b22953a7a
Author: Adrian Reber <[email protected]>
Date:   Mon Sep 30 23:37:13 2024

   Only restore container if all bind mounts are defined
   
   To avoid the situation where a container that is restored via a registry
   mounts unexpected host paths into the container, this changes the
   restore behaviour of CRI-O.
   
   Previously all bind mounted paths in the original container which were
   defined for example like this:
   
       volumeMounts:
       - mountPath: /data
         name: data-volume
     volumes:
     - name: data-volume
       hostPath:
         path: /srv/container/data
   
   Were automatically mounted in the restored container without and
   definition necessary. This lead to the situation that the user does not
   know which path will be mounted if starting a restored container.
   
   Now CRI-O will refuse to restore a container if not all bind mounts are
   defined via the CRI CreateContainer RPC in the CreateContainerRequest
   message.
   
   CRI-O will now return an error that will look something likes this:
   
   Error: the container to restore (7f...be) expects following bind mounts defined (/data,/data2)
   
   Now the user has to explicitly add those bind mounts in the same way as
   it was done during initial container creation.
   
   Signed-off-by: Adrian Reber <[email protected]>

/assign kwilczynski

[!NOTE]
This cherry-pickl brings the following Pull Request as a dependency:

Only restore container if all bind mounts are defined.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@kwilczynski
Copy link
Contributor Author

/jira refresh

@openshift-ci-robot
Copy link

@kwilczynski: Jira Issue OCPBUGS-42276 is in an unrecognized state (ON_QA) and will not be moved to the MODIFIED state.

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@saschagrunert saschagrunert saschagrunert approved these changes

@mrunalp mrunalp Awaiting requested review from mrunalp mrunalp is a code owner

@hasan4791 hasan4791 Awaiting requested review from hasan4791

@sohankunkerkar sohankunkerkar Awaiting requested review from sohankunkerkar

Assignees

@kwilczynski kwilczynski

@saschagrunert saschagrunert

Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files. dco-signoff: yes Indicates the PR's author has DCO signed all their commits. lgtm Indicates that a PR is ready to be merged. release-note Denotes a PR that will be considered when it comes time to generate release notes.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@kwilczynski @openshift-ci-robot @saschagrunert @adrianreber