Bug 1471256 - RFE: Method for ignoring docker volumes specified with VOLUME in the dockerfile
Summary: RFE: Method for ignoring docker volumes specified with VOLUME in the dockerfile
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: RFE
Version: 3.5.0
Hardware: Unspecified
OS: Unspecified
unspecified
high
Target Milestone: ---
: ---
Assignee: Mrunal Patel
QA Contact: Xiaoli Tian
URL:
Whiteboard:
: 1493014 (view as bug list)
Depends On:
Blocks: 1186913
TreeView+ depends on / blocked
 
Reported: 2017-07-14 20:18 UTC by Ryan Howe
Modified: 2021-03-11 15:27 UTC (History)
16 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-06-11 20:33:21 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Knowledge Base (Solution) 3266231 0 None None None 2017-12-19 16:08:38 UTC

Description Ryan Howe 2017-07-14 20:18:56 UTC 
Description of problem:

When a pod uses a docker image that was build containing the VOLUME statement, the volume is mount at /var/lib/docker/volume, there is no record from the pod spec showing that there is a volume on the host. In turn this is another location that needs to be monitored in addition to the kuelet volumedirectory. 

Version-Release number of selected component (if applicable):
3.5

How reproducible:
100%

Steps to Reproduce:

[root@master-1]# docker run -it --entrypoint "/bin/bash" --user root registry.access.redhat.com/rhscl/mongodb-26-rhel7:latest

$ grep -i volume /root/buildinfo/*
/root/buildinfo/Dockerfile-rhscl-mongodb-26-rhel7-2.6-8.19:VOLUME ["/var/lib/mongodb/data"]


**OPENSHIFT CREATED POD:  restricted SCC has not been changed in any way**

~~~
apiVersion: v1
kind: Pod
metadata:
  name: test-mongo
spec:
  containers:
  - name: mongo
    image: rhscl/mongodb-26-rhel7
    command: [ "/bin/bash", "-c", "--" ]
    args: [ "while true; do sleep 30  & done" ]
    imagePullPolicy: IfNotPresent
restartPolicy: Never
~~~

~~~
# oc volumes pod test-mongo
pods/test-mongo
  secret/default-token-fm82k as default-token-fm82k
    mounted at /var/run/secrets/kubernetes.io/serviceaccount

#  oc get pods test-mongo -o yaml | grep -e containerID -e scc -e image:
    openshift.io/scc: restricted
    image: rhscl/mongodb-26-rhel7
  - containerID: docker://6b617cad4c58fe5d1cefd9cff3f83e016b830326cdb5666827f0a089f5e96934
    image: rhscl/mongodb-26-rhel7

# oc rsh test-mongo
sh-4.2$ touch /var/lib/mongodb/data/test
sh-4.2$ ls /var/lib/mongodb/data/test -la
-rw-r--r--. 1 1000070000 root 0 Jul 14 14:05 /var/lib/mongodb/data/test
sh-4.2$ id
uid=1000070000 gid=0(root) groups=0(root),1000070000
~~~

** With docker inspect I see that there is a volume mounted to this container that was not listed when running the pod 

~~~
# docker inspect 6b617cad4c58
            {
                "Name": "120c702a78bf496374ea9d3d7727f021511db0ea937c0c19aed6e89eed73074b",
                "Source": "/var/lib/docker/volumes/120c702a78bf496374ea9d3d7727f021511db0ea937c0c19aed6e89eed73074b/_data",
                "Destination": "/var/lib/mongodb/data",
                "Driver": "local",
                "Mode": "",
                "RW": true,
                "Propagation": ""
            }

** File is saved to the host under group root. **

~~~
# ls -la /var/lib/docker/volumes/120c702a78bf496374ea9d3d7727f021511db0ea937c0c19aed6e89eed73074b/_data/test
-rw-r--r--. 1 1000070000 root 0 Jul 14 10:05 /var/lib/docker/volumes/120c702a78bf496374ea9d3d7727f021511db0ea937c0c19aed6e89eed73074b/_data/test

# oc delete pod test-mongo
~~~

Actual results:
A volume is mounted under /var/lib/docker/volume

Expected results:
Kubernetes/OCP sees that the image was built with a volume and defaults to creating an emptydir volume mounted in the kublet volumedirectory. Allowing the admins to control a hosts storage resources.
Comment 1 Derek Carr 2017-07-17 15:08:13 UTC 
Paul - please triage further.
Comment 2 Steven Walter 2017-08-24 20:53:36 UTC 
Are there other situations where it might generate an empytdir other than the VOLUME entry?
Comment 3 Ryan Howe 2017-08-28 19:25:51 UTC 
No, this should only happen if an image was build with VOLUME. 

To check run inspect on the image. 

Example: 
# docker pull registry.access.redhat.com/openshift3/mongodb-24-rhel7
# docker inspect fce0f0989f08

            "Volumes": {
                "/var/lib/mongodb/data": {}
            },


Then if a Pod uses this image but does not specify any volumes in the podspec we will default mounting a volume to /var/lib/docker on the host when using this image.
Comment 7 Seth Jennings 2017-09-19 14:25:16 UTC 
*** Bug 1493014 has been marked as a duplicate of this bug. ***
Comment 13 Ranjith Rajaram 2019-05-27 10:59:58 UTC 
Do we have any plans to include an option like "--image-volumes=ignore" with docker runtime ?.
Comment 18 Scott McCarty 2019-06-11 20:33:21 UTC 
All, I am closing this issue as CRI-O in OCP 4.1 is not affected. Per Mrunal, CRI-O is set to --image-volumes=mkdir so the directory should be deleted after the the ephemeral storage is deleted. I think this is totally appropriate. If somebody is really hot and heavy on a reason why this needs to be set to ignore, let me know. The entire world of Kubernetes has been living with the "bind" behavior for like 4 or 5 years, so I can't see how this is a bit deal.

===============================================================================================================

--image-volumes="": Image volume handling ('mkdir', 'bind' or 'ignore') (default: "mkdir")

mkdir: A directory is created inside the container root filesystem for the volumes.
bind: A directory is created inside container state directory and bind mounted into the container for the volumes.
ignore: All volumes are just ignored and no action is taken.

===============================================================================================================


Best Regards
Scott M
Note You need to log in before you can comment on or make changes to this bug.