Bug 1563317 - Mounting socket files from subPaths fail
Summary: Mounting socket files from subPaths fail
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Storage
Version: 3.6.1
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
: 3.6.z
Assignee: Hemant Kumar
QA Contact: Liang Xia
URL:
Whiteboard:
Depends On: 1558564 1563329 1563336
Blocks: 1560710
TreeView+ depends on / blocked
 
Reported: 2018-04-03 15:19 UTC by Hemant Kumar
Modified: 2018-04-30 04:01 UTC (History)
4 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of: 1558564
Environment:
Last Closed: 2018-04-30 04:00:18 UTC
Target Upstream Version:
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2018:1233 0 None None None 2018-04-30 04:01:03 UTC

Description Hemant Kumar 2018-04-03 15:19:37 UTC
+++ This bug was initially created as a clone of Bug #1558564 +++

Description of problem:

Mounting sockets or special files from subpaths fails.

Version-Release number of selected component (if applicable): 3.9.x

How reproducible:

Steps to Reproduce:
1. Create a pod definition that uses "/" as hostPath.
2. Try and mount something like "/run/docker.sock" as a subpath within a container.
3. The pod will fail to start

The reason of this regression is - openat system call being used on https://github.com/kubernetes/kubernetes/blob/master/pkg/util/mount/mount_linux.go#L1138 does not work for special files like Unix sockets and it will throw - Errno::ENXIO: No such device or address /run/docker.sock


Actual results:

The pod fails to start


Expected results:
The pod should start

--- Additional comment from Hemant Kumar on 2018-03-20 10:34:25 EDT ---

For now, while we make the fix. One possible workaround is to directly mount "/run/docker.sock" via a new volume entry and a new VolumeMounts entry that does not uses subpath.

Something like:

VolumeMounts: [
{ mountPath: "/run/docker.sock", name: docker_sock, readOnly: true}
],
volumes: [
{ name: docker_sock,
hostPath: { path: "/run/docker.sock", type: "" },
]

--- Additional comment from Hemant Kumar on 2018-03-22 16:41:08 EDT ---

PR upstream for the fix https://github.com/kubernetes/kubernetes/pull/61480

--- Additional comment from Hemant Kumar on 2018-03-26 11:30:50 EDT ---

Opened PR for Openshift/origin - https://github.com/openshift/origin/pull/19100

Comment 6 Liang Xia 2018-04-20 07:43:32 UTC
# oc version
oc v3.6.173.0.113
kubernetes v1.6.1+5115d708d7
features: Basic-Auth GSSAPI Kerberos SPNEGO

Server https://qe-lxia-36-master-nfs-1:8443
openshift v3.6.173.0.113
kubernetes v1.6.1+5115d708d7


# cat /etc/redhat-release 
Red Hat Enterprise Linux Server release 7.3 (Maipo)


# uname -a
Linux qe-lxia-36-master-nfs-1 3.10.0-514.26.1.el7.x86_64 #1 SMP Tue Jun 20
01:16:02 EDT 2017 x86_64 x86_64 x86_64 GNU/Linux


First try to mount /run/docker.sock to /, the pod failed to start,
 9s		8s		2	kubelet, qe-lxia-36-node-registry-router-1	spec.containers{test-container}	Warning		Failed		Error: Error response from daemon: {"message":"Invalid bind mount spec \"/run/docker.sock:/\": Invalid specification: destination can't be '/' in '/run/docker.sock:/'"}

Then change mount point to /mnt, the pod is up and runing,
$ oc get pods testpd
NAME      READY     STATUS    RESTARTS   AGE
testpd    1/1       Running   0          24s


$ cat pod.yaml
apiVersion: v1
kind: Pod
metadata:
  name: testpd
spec:
  containers:
  - image: k8s.gcr.io/test-webserver
    name: test-container
    volumeMounts:
    - mountPath: /mnt
      name: test-volume
      subpath: mysock
  volumes:
  - name: test-volume
    hostPath:
      path: /run/docker.sock
      type: ""

Comment 11 errata-xmlrpc 2018-04-30 04:00:18 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2018:1233


Note You need to log in before you can comment on or make changes to this bug.