Make ImageVolume garbage collection work

We need to return the image ID for the localhost mount, otherwise the
kubelet garbage collection is not able to handle them.

Signed-off-by: Sascha Grunert <sgrunert@redhat.com>

internal/oci/container.go

@@ -96,6 +96,7 @@ type ContainerVolume struct {
 	RecursiveReadOnly bool                   `json:"recursive_read_only"`
 	Propagation       types.MountPropagation `json:"propagation"`
 	SelinuxRelabel    bool                   `json:"selinux_relabel"`
+	Image             *types.ImageSpec       `json:"image,omitempty"` // A possible image for OCI volume mounts
 }
 
 // ContainerState represents the status of a container.

server/container_create_linux.go

@@ -1075,10 +1075,12 @@ func (s *Server) addOCIBindMounts(ctx context.Context, ctr ctrfactory.Container,
 			return nil, nil, errors.New("mount.ContainerPath is empty")
 		}
 		if m.Image != nil && m.Image.Image != "" {
-			m.HostPath, err = s.mountImage(ctx, m.Image.Image, mountLabel)
+			mountPoint, imageID, err := s.mountImage(ctx, m.Image.Image, mountLabel)
 			if err != nil {
 				return nil, nil, fmt.Errorf("mount image: %w", err)
 			}
+			m.Image.Image = imageID // Set the ID for container status later on
+			m.HostPath = mountPoint // Adjust the host path to use the mount point
 		}
 		if m.HostPath == "" {
 			return nil, nil, errors.New("mount.HostPath is empty")
@@ -1199,6 +1201,7 @@ func (s *Server) addOCIBindMounts(ctx context.Context, ctr ctrfactory.Container,
 			RecursiveReadOnly: m.RecursiveReadOnly,
 			Propagation:       m.Propagation,
 			SelinuxRelabel:    m.SelinuxRelabel,
+			Image:             m.Image,
 		})
 
 		uidMappings := getOCIMappings(m.UidMappings)
@@ -1235,11 +1238,11 @@ func (s *Server) addOCIBindMounts(ctx context.Context, ctr ctrfactory.Container,
 }
 
 // mountImage mounts the provided imageRef using the mountLabel and returns the hostPath on success.
-func (s *Server) mountImage(ctx context.Context, imageRef, mountLabel string) (hostPath string, err error) {
+func (s *Server) mountImage(ctx context.Context, imageRef, mountLabel string) (hostPath, imageID string, err error) {
 	log.Debugf(ctx, "Image ref to mount: %s", imageRef)
 	status, err := s.storageImageStatus(ctx, types.ImageSpec{Image: imageRef})
 	if err != nil {
-		return "", fmt.Errorf("get storage image status: %w", err)
+		return "", "", fmt.Errorf("get storage image status: %w", err)
 	}
 
 	id := status.ID.IDStringForOutOfProcessConsumptionOnly()
@@ -1248,11 +1251,11 @@ func (s *Server) mountImage(ctx context.Context, imageRef, mountLabel string) (h
 	options := []string{"ro", "noexec", "nosuid", "nodev"}
 	mountPoint, err := s.Store().MountImage(id, options, mountLabel)
 	if err != nil {
-		return "", fmt.Errorf("mount storage: %w", err)
+		return "", "", fmt.Errorf("mount storage: %w", err)
 	}
 
 	log.Infof(ctx, "Image mounted to: %s", mountPoint)
-	return mountPoint, nil
+	return mountPoint, id, nil
 }
 
 func getOCIMappings(m []*types.IDMapping) []rspec.LinuxIDMapping {

server/container_status.go

@@ -66,6 +66,7 @@ func (s *Server) ContainerStatus(ctx context.Context, req *types.ContainerStatus
 			RecursiveReadOnly: cv.RecursiveReadOnly,
 			Propagation:       cv.Propagation,
 			SelinuxRelabel:    cv.SelinuxRelabel,
+			Image:             cv.Image,
 		})
 	}
 	resp.Status.Mounts = mounts

test/oci_volumes.bats

@@ -39,6 +39,11 @@ function teardown() {
 	# Image removal should be blocked
 	run ! crictl rmi $IMAGE
 
+	# The kubelet garbage collection expects the image ID set in the container status mount
+	IMAGE_ID=$(crictl inspecti quay.io/crio/artifact:v1 | jq -e .status.id)
+	IMAGE_MOUNT_ID=$(crictl inspect "$CTR_ID" | jq -e '.status.mounts[0].image.image')
+	[[ "$IMAGE_ID" == "$IMAGE_MOUNT_ID" ]]
+
 	# Remove the container
 	crictl rm -f "$CTR_ID"