mountPropagation: None equates to rprivate, not private
#39385
Conversation
k8s-ci-robot
added
the
cncf-cla: yes
k8s-ci-robot
added
sig/docs
✅ Pull request preview available for checkingBuilt without sensitive environment variables
To edit notification comments on pull requests, go to your Netlify site settings. |
|
/approve |
k8s-ci-robot
added
the
approved
|
/sig node This should have tech review by someone confident to check the evidence. |
k8s-ci-robot
added
the
sig/node
|
/approve FWIW |
|
@kubernetes/sig-node-pr-reviews , can we have a tech review on this PR? |
|
I think we might need to reword this a little more - While cri-o and containerd do use This might need to become a "cri-o and containerd use rprivate, other cri's may use private" type change /hold |
k8s-ci-robot
added
the
do-not-merge/hold
Evidences: - https://github.com/containerd/containerd/blob/v1.6.16/pkg/cri/opts/spec_linux.go#L181 - https://github.com/cri-o/cri-o/blob/v1.26.1/server/container_create_linux.go#L982 This commit also replaces the link to https://www.kernel.org/doc/Documentation/filesystems/sharedsubtree.txt with https://man7.org/linux/man-pages/man8/mount.8.html , as the former one does not mention `rprivate` . Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
AkihiroSuda
force-pushed
the
rprivate
branch
from
8517e79
to
8355f38
Compare
k8s-ci-robot
added
size/S
No, cri-dockerd+dockerd never uses the But you are right that the propagation isn't always ---
apiVersion: v1
kind: Pod
metadata:
name: propagation-test1
spec:
containers:
- name: sleep
image: busybox
command: ['sleep', 'infinity']
volumeMounts:
- mountPath: /mnt
name: mnt
mountPropagation: None
# The mount propagation `None` is translated to:
# - cri-dockerd v0.3.0, with Docker v20.10.23: rprivate
# - containerd v1.6.15: rprivate
# - CRI-O v1.24.1: rprivate
volumes:
- name: mnt
hostPath:
path: /mnt
---
apiVersion: v1
kind: Pod
metadata:
name: propagation-test2
spec:
containers:
- name: sleep
image: busybox
command: ['sleep', 'infinity']
volumeMounts:
- mountPath: /mnt
name: mnt
mountPropagation: None
# The mount propagation `None` is translated to:
# - cri-dockerd v0.3.0, with Docker v20.10.23: rslave
# - containerd v1.6.15: rprivate
# - CRI-O v1.24.1: rprivate
#
# Docker changes the default propagation to "rslave",
# because the mount source (`/`) contains `/var/lib/docker`.
# - https://github.com/moby/moby/blob/v20.10.23/daemon/volumes.go#L137-L143
# - https://github.com/moby/moby/blob/v20.10.23/daemon/volumes_linux.go#L11-L36
#
# This behavior was introduced in Docker 18.03: https://github.com/moby/moby/pull/36055
#
# containerd and CRI-O do not automatically change the propagation:
# - https://github.com/containerd/containerd/blob/v1.6.15/pkg/cri/opts/spec_linux.go#L181
# - https://github.com/cri-o/cri-o/blob/v1.24.1/server/container_create_linux.go#L967
volumes:
- name: mnt
hostPath:
path: /Updated the PR to clarify this limitation. |
k8s-ci-robot
added
the
lgtm
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: endocrimes, sftim, tengqm The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
LGTM label has been added. Git tree hash: 083ba25f6fd69dbfed9b566c8e2a7954eeeacd0e
|
|
(leaving the unhold to someone from sig-docs) |
|
/hold cancel |
k8s-ci-robot
removed
the
do-not-merge/hold
Evidences:
core/v1.MountPropagationNonetoruntimeapi.MountPropagation_PROPAGATION_PRIVATE:runtimeapi.MountPropagation_PROPAGATION_PRIVATEto OCI mount option"rprivate":This commit also replaces the link to https://www.kernel.org/doc/Documentation/filesystems/sharedsubtree.txt with https://man7.org/linux/man-pages/man8/mount.8.html , as the former one does not mention
rprivate.