Merge pull request #637 from mrunalp/image_volumes

Image volumes

cmd/crio/config.go

@@ -120,6 +120,10 @@ pause_command = "{{ .PauseCommand }}"
 # unspecified so that the default system-wide policy will be used.
 signature_policy = "{{ .SignaturePolicyPath }}"
 
+# image_volumes controls how image volumes are handled.
+# The valid values are mkdir and ignore.
+image_volumes = "{{ .ImageVolumes }}"
+
 # insecure_registries is used to skip TLS verification when pulling images.
 insecure_registries = [
 {{ range $opt := .InsecureRegistries }}{{ printf "\t%q,\n" $opt }}{{ end }}]

cmd/crio/main.go

@@ -22,6 +22,17 @@ import (
 
 const crioConfigPath = "/etc/crio/crio.conf"
 
+func validateConfig(config *server.Config) error {
+	switch config.ImageVolumes {
+	case server.ImageVolumesMkdir:
+	case server.ImageVolumesIgnore:
+	default:
+		return fmt.Errorf("Unrecognized image volume type specified")
+
+	}
+	return nil
+}
+
 func mergeConfig(config *server.Config, ctx *cli.Context) error {
 	// Don't parse the config if the user explicitly set it to "".
 	if path := ctx.GlobalString("config"); path != "" {
@@ -98,6 +109,9 @@ func mergeConfig(config *server.Config, ctx *cli.Context) error {
 	if ctx.GlobalIsSet("cni-plugin-dir") {
 		config.PluginDir = ctx.GlobalString("cni-plugin-dir")
 	}
+	if ctx.GlobalIsSet("image-volumes") {
+		config.ImageVolumes = server.ImageVolumesType(ctx.GlobalString("image-volumes"))
+	}
 	return nil
 }
 
@@ -233,6 +247,11 @@ func main() {
 			Name:  "cni-plugin-dir",
 			Usage: "CNI plugin binaries directory",
 		},
+		cli.StringFlag{
+			Name:  "image-volumes",
+			Value: string(server.ImageVolumesMkdir),
+			Usage: "image volume handling ('mkdir' or 'ignore')",
+		},
 		cli.BoolFlag{
 			Name:  "profile",
 			Usage: "enable pprof remote profiler on localhost:6060",
@@ -253,6 +272,10 @@ func main() {
 			return err
 		}
 
+		if err := validateConfig(config); err != nil {
+			return err
+		}
+
 		cf := &logrus.TextFormatter{
 			TimestampFormat: "2006-01-02 15:04:05.000000000Z07:00",
 			FullTimestamp:   true,

docs/crio.8.md

@@ -73,6 +73,9 @@ set the CPU profile file path
 **--help, -h**
   Print usage statement
 
+**--image-volumes**=""
+  Image volume handling ('mkdir' or 'ignore') (default: "mkdir")
+
 **--listen**=""
   Path to crio socket (default: "/var/run/crio.sock")
 

docs/crio.conf.5.md

@@ -74,6 +74,9 @@ The `crio` table supports the following options:
 **default_transport**
   A prefix to prepend to image names that can't be pulled as-is (default: "docker://")
 
+**--image_volumes**=""
+  Image volume handling ('mkdir' or 'ignore') (default: "mkdir")
+
 **pause_command**=""
   Path to the pause executable in the pause image (default: "/pause")
 

server/config.go

@@ -33,6 +33,16 @@ type Config struct {
 	NetworkConfig
 }
 
+// ImageVolumesType describes image volume handling strategies
+type ImageVolumesType string
+
+const (
+	// ImageVolumesMkdir option is for using mkdir to handle image volumes
+	ImageVolumesMkdir ImageVolumesType = "mkdir"
+	// ImageVolumesIgnore option is for ignoring image volumes altogether
+	ImageVolumesIgnore ImageVolumesType = "ignore"
+)
+
 // This structure is necessary to fake the TOML tables when parsing,
 // while also not requiring a bunch of layered structs for no good
 // reason.
@@ -145,6 +155,8 @@ type ImageConfig struct {
 	// InsecureRegistries is a list of registries that must be contacted w/o
 	// TLS verification.
 	InsecureRegistries []string `toml:"insecure_registries"`
+	// ImageVolumes controls how volumes specified in image config are handled
+	ImageVolumes ImageVolumesType `toml:"image_volumes"`
 }
 
 // NetworkConfig represents the "crio.network" TOML config table
@@ -255,6 +267,7 @@ func DefaultConfig() *Config {
 			PauseImage:          pauseImage,
 			PauseCommand:        pauseCommand,
 			SignaturePolicyPath: "",
+			ImageVolumes:        ImageVolumesMkdir,
 		},
 		NetworkConfig: NetworkConfig{
 			NetworkDir: cniConfigDir,

server/container_create.go

@@ -607,8 +607,15 @@ func (s *Server) createSandboxContainer(ctx context.Context, containerID string,
 		if err != nil {
 			return nil, err
 		}
-		if err1 := os.MkdirAll(fp, 0644); err1 != nil {
+		switch s.config.ImageVolumes {
-			return nil, err1
+		case ImageVolumesMkdir:
+			if err1 := os.MkdirAll(fp, 0644); err1 != nil {
+				return nil, err1
+			}
+		case ImageVolumesIgnore:
+			logrus.Debugf("Ignoring volume %v", dest)
+		default:
+			logrus.Fatalf("Unrecognized image volumes setting")
 		}
 	}
 

test/helpers.bash

@@ -51,6 +51,8 @@ CHECKSECCOMP_BINARY=${CHECKSECCOMP_BINARY:-${CRIO_ROOT}/cri-o/test/checkseccomp/
 DEFAULT_LOG_PATH=/var/log/crio/pods
 # Cgroup manager to be used
 CGROUP_MANAGER=${CGROUP_MANAGER:-cgroupfs}
+# Image volumes handling
+IMAGE_VOLUMES=${IMAGE_VOLUMES:-mkdir}
 
 TESTDIR=$(mktemp -d)
 if [ -e /usr/sbin/selinuxenabled ] && /usr/sbin/selinuxenabled; then
@@ -122,6 +124,15 @@ if ! [ -d "$ARTIFACTS_PATH"/oom-image ]; then
     fi
 fi
 
+# Make sure we have a copy of the mrunalp/image-volume-test:latest image.
+if ! [ -d "$ARTIFACTS_PATH"/image-volume-test-image ]; then
+    mkdir -p "$ARTIFACTS_PATH"/image-volume-test-image
+    if ! "$COPYIMG_BINARY" --import-from=docker://mrunalp/image-volume-test --export-to=dir:"$ARTIFACTS_PATH"/image-volume-test-image --signature-policy="$INTEGRATION_ROOT"/policy.json ; then
+        echo "Error pulling docker://mrunalp/image-volume-test-image"
+        rm -fr "$ARTIFACTS_PATH"/image-volume-test-image
+        exit 1
+    fi
+fi
 # Run crio using the binary specified by $CRIO_BINARY.
 # This must ONLY be run on engines created with `start_crio`.
 function crio() {
@@ -189,9 +200,10 @@ function start_crio() {
 #       above
 	"$COPYIMG_BINARY" --root "$TESTDIR/crio" $STORAGE_OPTS --runroot "$TESTDIR/crio-run" --image-name=redis@sha256:03789f402b2ecfb98184bf128d180f398f81c63364948ff1454583b02442f73b --import-from=dir:"$ARTIFACTS_PATH"/redis-image-digest --add-name=docker.io/library/redis@sha256:03789f402b2ecfb98184bf128d180f398f81c63364948ff1454583b02442f73b --signature-policy="$INTEGRATION_ROOT"/policy.json
 	"$COPYIMG_BINARY" --root "$TESTDIR/crio" $STORAGE_OPTS --runroot "$TESTDIR/crio-run" --image-name=mrunalp/oom --import-from=dir:"$ARTIFACTS_PATH"/oom-image --add-name=docker.io/library/mrunalp/oom --signature-policy="$INTEGRATION_ROOT"/policy.json
+	"$COPYIMG_BINARY" --root "$TESTDIR/crio" $STORAGE_OPTS --runroot "$TESTDIR/crio-run" --image-name=mrunalp/image-volume-test --import-from=dir:"$ARTIFACTS_PATH"/image-volume-test-image --add-name=docker.io/library/mrunalp/image-volume-test --signature-policy="$INTEGRATION_ROOT"/policy.json
 	"$COPYIMG_BINARY" --root "$TESTDIR/crio" $STORAGE_OPTS --runroot "$TESTDIR/crio-run" --image-name=busybox:latest --import-from=dir:"$ARTIFACTS_PATH"/busybox-image --add-name=docker.io/library/busybox:latest --signature-policy="$INTEGRATION_ROOT"/policy.json
 	"$COPYIMG_BINARY" --root "$TESTDIR/crio" $STORAGE_OPTS --runroot "$TESTDIR/crio-run" --image-name=runcom/stderr-test:latest --import-from=dir:"$ARTIFACTS_PATH"/stderr-test --add-name=docker.io/runcom/stderr-test:latest --signature-policy="$INTEGRATION_ROOT"/policy.json
-	"$CRIO_BINARY" --conmon "$CONMON_BINARY" --listen "$CRIO_SOCKET" --cgroup-manager "$CGROUP_MANAGER" --runtime "$RUNTIME_BINARY" --root "$TESTDIR/crio" --runroot "$TESTDIR/crio-run" $STORAGE_OPTS --seccomp-profile "$seccomp" --apparmor-profile "$apparmor" --cni-config-dir "$CRIO_CNI_CONFIG" --signature-policy "$INTEGRATION_ROOT"/policy.json --config /dev/null config >$CRIO_CONFIG
+	"$CRIO_BINARY" --conmon "$CONMON_BINARY" --listen "$CRIO_SOCKET" --cgroup-manager "$CGROUP_MANAGER" --runtime "$RUNTIME_BINARY" --root "$TESTDIR/crio" --runroot "$TESTDIR/crio-run" $STORAGE_OPTS --seccomp-profile "$seccomp" --apparmor-profile "$apparmor" --cni-config-dir "$CRIO_CNI_CONFIG" --signature-policy "$INTEGRATION_ROOT"/policy.json --image-volumes "$IMAGE_VOLUMES" --config /dev/null config >$CRIO_CONFIG
 
 	# Prepare the CNI configuration files, we're running with non host networking by default
 	if [[ -n "$4" ]]; then
@@ -241,6 +253,11 @@ function start_crio() {
 		crioctl image pull busybox:latest
 	fi
 	BUSYBOX_IMAGEID=$(crioctl image status --id=busybox | head -1 | sed -e "s/ID: //g")
+	run crioctl image status --id=mrunalp/image-volume-test
+	if [ "$status" -ne 0 ] ; then
+		  crioctl image pull mrunalp/image-volume-test:latest
+	fi
+	VOLUME_IMAGEID=$(crioctl image status --id=mrunalp/image-volume-test | head -1 | sed -e "s/ID: //g")
 }
 
 function cleanup_ctrs() {

test/image_volume.bats

@@ -0,0 +1,38 @@
+#!/usr/bin/env bats
+
+load helpers
+
+function teardown() {
+	cleanup_test
+}
+
+@test "image volume ignore" {
+	IMAGE_VOLUMES=ignore start_crio
+	run crioctl pod run --config "$TESTDATA"/sandbox_config.json
+	echo "$output"
+	[ "$status" -eq 0 ]
+	pod_id="$output"
+	image_volume_config=$(cat "$TESTDATA"/container_config.json | python -c 'import json,sys;obj=json.load(sys.stdin);obj["image"]["image"] = "mrunalp/image-volume-test"; obj["command"] = ["/bin/sleep", "600"]; json.dump(obj, sys.stdout)')
+	echo "$image_volume_config" > "$TESTDIR"/container_image_volume.json
+	run crioctl ctr create --config "$TESTDIR"/container_image_volume.json --pod "$pod_id"
+	echo "$output"
+	[ "$status" -eq 0 ]
+	ctr_id="$output"
+	run crioctl ctr start --id "$ctr_id"
+	echo "$output"
+	[ "$status" -eq 0 ]
+	run crioctl ctr execsync --id "$ctr_id" ls /imagevolume
+	echo "$output"
+	[ "$status" -eq 0 ]
+	[[ "$output" =~ "Exit code: 1" ]]
+	[[ "$output" =~ "ls: /imagevolume: No such file or directory" ]]
+	run crioctl pod stop --id "$pod_id"
+	echo "$output"
+	[ "$status" -eq 0 ]
+	run crioctl pod remove --id "$pod_id"
+	echo "$output"
+	[ "$status" -eq 0 ]
+	cleanup_ctrs
+	cleanup_pods
+	stop_crio
+}