Skip to content

Commit

Permalink
issue-2285: skip changing group ownership for readonly volumes (#2443)
Browse files Browse the repository at this point in the history
  • Loading branch information
antonmyagkov authored Nov 8, 2024
1 parent aad4510 commit e5858c4
Show file tree
Hide file tree
Showing 4 changed files with 44 additions and 13 deletions.
27 changes: 22 additions & 5 deletions cloud/blockstore/tests/csi_driver/e2e_tests_part2/test.py
Original file line number Diff line number Diff line change
Expand Up @@ -17,11 +17,11 @@ def get_access_mode(mount_point: str) -> str:
return ""


@pytest.mark.parametrize('mount_path,access_type,vm_mode',
[("/var/lib/kubelet/pods/123/volumes/kubernetes.io~csi/example-disk/mount", "mount", False),
("/var/lib/kubelet/plugins/kubernetes.io/csi/volumeDevices/publish/123/example-disk", "block", False),
("/var/lib/kubelet/pods/123/volumes/kubernetes.io~csi/example-disk/mount", "mount", True)])
def test_readonly_volume(mount_path, access_type, vm_mode):
@pytest.mark.parametrize('mount_path,access_type,vm_mode,gid',
[("/var/lib/kubelet/pods/123/volumes/kubernetes.io~csi/example-disk/mount", "mount", False, "1010"),
("/var/lib/kubelet/plugins/kubernetes.io/csi/volumeDevices/publish/123/example-disk", "block", False, "1011"),
("/var/lib/kubelet/pods/123/volumes/kubernetes.io~csi/example-disk/mount", "mount", True, "1012")])
def test_readonly_volume(mount_path, access_type, vm_mode, gid):
env, run = csi.init(vm_mode)
try:
volume_name = "example-disk"
Expand All @@ -35,6 +35,23 @@ def test_readonly_volume(mount_path, access_type, vm_mode):
env.csi.publish_volume(pod_id, volume_name, pod_name, access_type, readonly=True)
assert "ro" == get_access_mode(mount_path)

env.csi.unpublish_volume(pod_id, volume_name, access_type)
result = subprocess.run(
["groupadd", "-g", gid, "test_group_" + gid],
capture_output=True,
)
assert result.returncode == 0

env.csi.publish_volume(
pod_id,
volume_name,
pod_name,
access_type,
readonly=True,
volume_mount_group=gid
)
assert "ro" == get_access_mode(mount_path)

except subprocess.CalledProcessError as e:
csi.log_called_process_error(e)
raise
Expand Down
6 changes: 5 additions & 1 deletion cloud/blockstore/tests/csi_driver/lib/csi_runner.py
Original file line number Diff line number Diff line change
Expand Up @@ -152,7 +152,8 @@ def publish_volume(
pod_name: str,
access_type: str,
fs_type: str = "",
readonly: bool = False):
readonly: bool = False,
volume_mount_group: str = ""):
args = [
"publishvolume",
"--pod-id",
Expand All @@ -168,6 +169,9 @@ def publish_volume(
]
if readonly:
args += ["--readonly"]

if len(volume_mount_group) != 0:
args += ["--volume-mount-group", volume_mount_group]
return self._node_run(*args)

def unpublish_volume(self, pod_id: str, volume_id: str, access_type: str):
Expand Down
20 changes: 15 additions & 5 deletions cloud/blockstore/tools/csi_driver/client/main.go
Original file line number Diff line number Diff line change
Expand Up @@ -191,11 +191,14 @@ func newDeleteVolumeCommand(endpoint *string) *cobra.Command {

func createVolumeCapability(
accessMode csi.VolumeCapability_AccessMode_Mode,
accessType string) *csi.VolumeCapability {
accessType string,
volumeMountGroup string) *csi.VolumeCapability {
volumeCapability := &csi.VolumeCapability{
AccessMode: &csi.VolumeCapability_AccessMode{Mode: accessMode},
AccessType: &csi.VolumeCapability_Mount{
Mount: &csi.VolumeCapability_MountVolume{},
Mount: &csi.VolumeCapability_MountVolume{
VolumeMountGroup: volumeMountGroup,
},
},
}
if accessType == "block" {
Expand Down Expand Up @@ -245,7 +248,7 @@ func newNodeStageVolumeCommand(endpoint *string) *cobra.Command {
&csi.NodeStageVolumeRequest{
VolumeId: volumeId,
StagingTargetPath: stagingTargetPath,
VolumeCapability: createVolumeCapability(accessMode, accessType),
VolumeCapability: createVolumeCapability(accessMode, accessType, ""),
VolumeContext: volumeContext,
},
)
Expand Down Expand Up @@ -286,6 +289,7 @@ func newPublishVolumeCommand(endpoint *string) *cobra.Command {
var volumeId, podId, stagingTargetPath, podName, fsType string
var accessType string
var readOnly bool
var volumeMountGroup string
cmd := cobra.Command{
Use: "publishvolume",
Short: "Send publish volume request to the CSI node",
Expand Down Expand Up @@ -319,7 +323,7 @@ func newPublishVolumeCommand(endpoint *string) *cobra.Command {
PublishContext: nil,
StagingTargetPath: stagingTargetPath,
TargetPath: getTargetPath(podId, volumeId, accessType),
VolumeCapability: createVolumeCapability(accessMode, accessType),
VolumeCapability: createVolumeCapability(accessMode, accessType, volumeMountGroup),
Readonly: readOnly,
Secrets: nil,
VolumeContext: volumeContext,
Expand Down Expand Up @@ -370,6 +374,12 @@ func newPublishVolumeCommand(endpoint *string) *cobra.Command {
"mount",
"mount or block access type",
)
cmd.Flags().StringVar(
&volumeMountGroup,
"volume-mount-group",
"",
"fs group id",
)

err := cmd.MarkFlagRequired("volume-id")
if err != nil {
Expand Down Expand Up @@ -565,7 +575,7 @@ func newNodeExpandVolumeCommand(endpoint *string) *cobra.Command {
CapacityRange: &csi.CapacityRange{
RequiredBytes: size,
},
VolumeCapability: createVolumeCapability(accessMode, accessType),
VolumeCapability: createVolumeCapability(accessMode, accessType, ""),
},
)
if err != nil {
Expand Down
4 changes: 2 additions & 2 deletions cloud/blockstore/tools/csi_driver/internal/driver/node.go
Original file line number Diff line number Diff line change
Expand Up @@ -629,7 +629,7 @@ func (s *nodeService) nodePublishDiskAsFilesystemDeprecated(
return err
}

if mnt != nil && mnt.VolumeMountGroup != "" {
if mnt != nil && mnt.VolumeMountGroup != "" && !req.Readonly {
cmd := exec.Command("chown", "-R", ":"+mnt.VolumeMountGroup, req.TargetPath)
if out, err := cmd.CombinedOutput(); err != nil {
return fmt.Errorf("failed to chown %s to %q: %w, output %q",
Expand Down Expand Up @@ -686,7 +686,7 @@ func (s *nodeService) nodePublishDiskAsFilesystem(
return err
}

if mnt != nil && mnt.VolumeMountGroup != "" {
if mnt != nil && mnt.VolumeMountGroup != "" && !req.Readonly {
cmd := exec.Command("chown", "-R", ":"+mnt.VolumeMountGroup, req.TargetPath)
if out, err := cmd.CombinedOutput(); err != nil {
return fmt.Errorf("failed to chown %s to %q: %w, output %q",
Expand Down

0 comments on commit e5858c4

Please sign in to comment.