nomad-driver-podman: Podman does not support the mount propagation needed by CSI plugins

In #169 @tgross added the ability for the Podman driver to bind mounts from a TaskConfig. While this didn’t allow the addition of a mount block using the external API (that’s left to do in #142), it did allow Podman to set up the bind mounts requested by the CSI Plugin Prestart Hook, enabling Podman driver CSI support.

As we were experimenting with this functionality for the BeeGFS CSI driver, we noticed that our driver container seemed unable to see volumes it had already mounted. In NodeUnpublishVolume and NodeUnstageVolume, this manifested itself as a bunch of errors wherein Nomad would tell the driver to unstage but the driver insisted there was no mount to operate on. An inspection of the driver container shows the following:

 "Binds": [
                "/opt/nomad/alloc/edb56316-6229-5b3a-e5eb-6053a698d2b7/alloc:/alloc:rw,rprivate,rbind",
                "/opt/nomad/alloc/edb56316-6229-5b3a-e5eb-6053a698d2b7/node/local:/local:rw,rprivate,rbind",
                "/opt/nomad/alloc/edb56316-6229-5b3a-e5eb-6053a698d2b7/node/secrets:/secrets:rw,rprivate,noexec,rbind",
                "/:/host:ro,rshared,rbind",
                "/opt/nomad/client/csi/plugins/edb56316-6229-5b3a-e5eb-6053a698d2b7:/csi:rw,rprivate,rbind",
                "/opt/nomad/client/csi/node/beegfs-csi-plugin:/opt/nomad/client/csi/node/beegfs-csi-plugin:rw,rprivate,rbind",
                "/dev:/dev:rw,rprivate,nosuid,rbind"
            ],

There’s a lot there, but the important bit is that /opt/nomad/client/csi/node/beegfs-csi-plugin is bind mounted to /opt/nomad/client/csi/node/beegfs-csi-plugin as rprivate (this would be /opt/nomad/client/csi/node/beegfs-csi-plugin to /local/csi for most plugins, but this is just a BeeGFS CSI driver implementation detail). The CSI Plugin Prestart Hook wants this to be a bidirectional mount (rshared), but the changes in #169 don’t take PropagationMode into account. Unless the bind has rshared, it’s not clear how most CSI drivers would be able to propagate the mounts they create inside their containers to Nomad tasks.

I think a fix for this would be as easy as adding a conversion like the Docker driver already does, but the Docker driver has some extra logic in it that gives me a bit of pause (can the Podman driver run on Windows?).

I can probably find some time to make a quick change and do some sanity checking, but am I thinking about this issue correctly?

About this issue

  • State: closed
  • Created 2 years ago
  • Comments: 18 (15 by maintainers)

Most upvoted comments

Sorry all. I didn’t get to testing while the code was sitting out there on main, but I did have an opportunity to play with it this afternoon (using the released Nomad v1.4.3). The changes from https://github.com/hashicorp/nomad/pull/15096 plus my new PR (#204) yield the following:

"Binds": [
                "/opt/nomad/alloc/9764ce7a-d3a5-e3cf-a249-58684205eaaa/alloc:/alloc:rw,rprivate,rbind",
                "/opt/nomad/alloc/9764ce7a-d3a5-e3cf-a249-58684205eaaa/node/local:/local:rw,rprivate,rbind",
                "/opt/nomad/alloc/9764ce7a-d3a5-e3cf-a249-58684205eaaa/node/secrets:/secrets:rw,rprivate,noexec,rbind",
                "/:/host:ro,rshared,rbind",
                "/opt/nomad/client/csi/plugins/9764ce7a-d3a5-e3cf-a249-58684205eaaa:/csi:rshared,rw,rbind",
                "/opt/nomad/client/csi/node/beegfs-csi-plugin:/opt/nomad/client/csi/node/beegfs-csi-plugin:rshared,rw,rbind",
                "/dev:/dev:rw,rprivate,nosuid,rbind"
            ],

Note the rshared in "/opt/nomad/client/csi/node/beegfs-csi-plugin:/opt/nomad/client/csi/node/beegfs-csi-plugin:rshared,rw,rbind". Looks like things are working to me!
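The check made by eye in both posts above can be automated. The following Go sketch is an added example, not code from the thread or from nomad-driver-podman: it reads entries of the Binds array from the container inspection output and reports destinations that are expected to be rshared but are not. The function names are hypothetical, the sample entries are taken from the two listings above, and paths are assumed to contain no colon.

```go
package main

import (
	"fmt"
	"strings"
)

// propagation returns the destination and the mount propagation option of one
// "src:dst:opts" entry from the Binds array; "" means no option was listed.
func propagation(bind string) (dst, mode string) {
	parts := strings.SplitN(bind, ":", 3)
	if len(parts) < 2 {
		return "", ""
	}
	dst = parts[1]
	if len(parts) == 3 {
		for _, opt := range strings.Split(parts[2], ",") {
			switch opt {
			case "shared", "rshared", "slave", "rslave", "private", "rprivate":
				mode = opt
			}
		}
	}
	return dst, mode
}

// notShared lists the destinations in mustShare whose bind is absent or not rshared.
func notShared(binds []string, mustShare []string) []string {
	seen := map[string]string{}
	for _, b := range binds {
		dst, mode := propagation(b)
		seen[dst] = mode
	}
	var bad []string
	for _, dst := range mustShare {
		if seen[dst] != "rshared" {
			bad = append(bad, fmt.Sprintf("%s (propagation=%q)", dst, seen[dst]))
		}
	}
	return bad
}

func main() {
	dir := "/opt/nomad/client/csi/node/beegfs-csi-plugin"
	// Entries copied from the "before" and "after" listings on this page.
	before := []string{"/:/host:ro,rshared,rbind", dir + ":" + dir + ":rw,rprivate,rbind"}
	after := []string{"/:/host:ro,rshared,rbind", dir + ":" + dir + ":rshared,rw,rbind"}
	fmt.Println("before:", notShared(before, []string{dir}))
	fmt.Println("after: ", notShared(after, []string{dir}))
}
```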