-
Notifications
You must be signed in to change notification settings - Fork 39.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Removed awk from kubeadm reset #81494
Conversation
Added WIP due to testing needing to be run on at least one of the other platforms. I should be able to do this over the weekend. Tested on Ubuntu 18.04 server vm and successfully unmounted correct directories. |
/test pull-kubernetes-e2e-gce |
i think it's fine to merge without testing
thanks. /approve |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: Klaven, neolit123 The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks @Klaven !
Overall, this looks OK, but we may need to think on better platform split for reset (WRT the Windows side of things).
if len(m) < 2 || !strings.HasPrefix(m[1], kubeadmconstants.KubeletRunDirectory) { | ||
continue | ||
} | ||
if err := syscall.Unmount(m[1], syscall.MNT_FORCE); err != nil { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The original call did not imply MNT_FORCE
. Also, that flag is somewhat misleading. It is actually used to force unmount a filesystem, which is a remote one and the connection to the server is lost. It does not force unmount a filesystem if it has opened handles.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I can remove this if you like. will have to be tonight as it will mean I need to retest it.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
this has been removed and tested. (testing methodology posted.) I agree, it's misleading and really not helpful in this case. Also not used on the original so even if we wanted to add it would probably be better to add in new PR.
@@ -0,0 +1,29 @@ | |||
// +build !linux |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Let's not do premature platform splitting in reset at this point. It's almost all Linux dependent and we need to have the whole picture in mind to take the best approach.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
but this function certainly should not run on _windows.go (NO-OP).
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@rosti I guess I don't understand, if I don't have this file the code will not pass checks because it does not have the functions used in the unmount_linux.go
file on windows and mac. For both windows and mac this is a no-op. How are you wanting me to handle compiling for windows and linux if not with this file?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ok, we can leave it like this for now, but we may need to redesign and rename the files.
The question is if we should place absoluteKubeletRunDirectory
in the platform specific portions of cleanupnode.go
? So the idea is to have cleanupnode_unix.go
and cleanupnode_windows.go
with absoluteKubeletRunDirectory
and a few other things in it.
But, certainly, that must be done in another PR.
my test: (with removal of force)
|
umountDirsCmd := fmt.Sprintf("awk '$2 ~ path {print $2}' path=%s/ /proc/mounts | xargs -r umount", absoluteKubeletRunDirectory) | ||
klog.V(1).Infof("[reset] Executing command %q", umountDirsCmd) | ||
umountOutputBytes, err := exec.Command("sh", "-c", umountDirsCmd).Output() | ||
err = unmountKubeletDirectory() |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
A thing, that I've missed on the first run here is, that we need absoluteKubeletRunDirectory
to be passed to unmountKubeletDirectory
(instead of using a const there).
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
+1
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks @Klaven !
Let's merge these as they are, but first, please, squash your commits.
removed awk from kubeadm reset in favor of native go lang calls that are not vulnerable to expantion.
/test pull-kubernetes-kubemark-e2e-gce-big |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
/lgtm
removed awk usage from
kubeadm reset
in favor of native golang callsthat are not vulnerable to expansion.
What type of PR is this?
/kind bug
What this PR does / why we need it:
This PR was created based on results from the security assessment,
Which issue(s) this PR fixes:
Fixes #
xref#/kubernetes/kubeadm/issues/1715
Special notes for your reviewer:
@neolit123 :
Wanted to get feedback. in it's current state it's not very testable. But at the same time I did not want to pollute the core change with changes not related to removing awk.
also, I would not expect a function called
absoluteKubeletRunDirectory
to unmount directories. but again thought this change would pollute the core change. If it is acceptable I will make a new PR later this week to address this.Does this PR introduce a user-facing change?:
Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.: