fix(networking): use mounted /host/proc instead of HostPID
Longhorn 9223

Signed-off-by: Eric Weber <eric.weber@suse.com>
ejweber committed Aug 14, 2024
1 parent 2baf491 commit 2bf1935
Showing 2 changed files with 18 additions and 12 deletions.
20 changes: 10 additions & 10 deletions csi/deployment.go
@@ -307,7 +307,6 @@ func NewPluginDeployment(namespace, serviceAccount, nodeDriverRegistrarImage, li
Tolerations: tolerations,
NodeSelector: nodeSelector,
PriorityClassName: priorityClass,
HostPID: true,
Containers: []corev1.Container{
{
Name: "node-driver-registrar",
@@ -447,13 +446,14 @@ func NewPluginDeployment(namespace, serviceAccount, nodeDriverRegistrarImage, li
MountPath: "/dev",
},
{
Name: "host-sys",
MountPath: "/sys",
// The plugin must be able to switch to the host's namespaces in order to execute
// cryptsetup commands for encrypted devices.
Name: "host-proc",
MountPath: "/host/proc",
},
{
Name: "host",
MountPath: "/host",
MountPropagation: &MountPropagationBidirectional,
Name: "host-sys",
MountPath: "/sys",
},
{
Name: "lib-modules",
@@ -509,18 +509,18 @@ func NewPluginDeployment(namespace, serviceAccount, nodeDriverRegistrarImage, li
},
},
{
Name: "host-sys",
Name: "host-proc",
VolumeSource: corev1.VolumeSource{
HostPath: &corev1.HostPathVolumeSource{
Path: "/sys",
Path: "/proc",
},
},
},
{
Name: "host",
Name: "host-sys",
VolumeSource: corev1.VolumeSource{
HostPath: &corev1.HostPathVolumeSource{
Path: "/",
Path: "/sys",
},
},
},
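Review bot: The new `host-proc` volume mount at `/host/proc` is declared without `ReadOnly: true`, so the plugin container receives a writable bind of the host's procfs. The nsmounter change in this commit only opens `ns/mnt`, `ns/net` and `ns/uts` under that path, which should not need write access, so adding `ReadOnly: true,` after `MountPath: "/host/proc",` would narrow what a bug in the plugin can write through this mount; it is worth confirming on a test node that nsenter still works that way. The comment above the mount could also state that a hostPath of `/proc` exposes every host process's `/proc/<pid>` entry to the container, so that dropping `HostPID` is not read as removing that visibility. NewPluginDeployment starts and ends outside these hunks, and the container's security context is not visible here.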
10 changes: 8 additions & 2 deletions package/nsmounter
@@ -1,6 +1,6 @@
#!/bin/bash

PROC_DIR="/proc"
PROC_DIR="/host/proc"

os_distro_talos="talos"
os_distro=""
@@ -43,4 +43,10 @@ get_os_distro

[[ $os_distro = $os_distro_talos ]] && get_pid "kubelet"

nsenter -t $target_pid -m -n -u -- "$@"
# Use namespace files instead of -t to avoid the need for HostPID.
ns_dir="$PROC_DIR/$target_pid/ns"
ns_mnt="$ns_dir/mnt"
ns_net="$ns_dir/net"
ns_uts="$ns_dir/uts"

nsenter --mount="$ns_mnt" --net="$ns_net" --uts="$ns_uts" -- "$@"
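Review bot: Nothing in the last hunk checks that `$target_pid` names a live process before `ns_mnt`, `ns_net` and `ns_uts` are built from it, so an empty or stale value reaches nsenter as a path such as `/host/proc//ns/mnt` and fails with an open error that does not name the cause. The same failure appears when the pod spec lacks the `/host/proc` mount, for example when the image is updated ahead of the deployment. A guard before the nsenter line would make both cases explicit: `[[ -e "$ns_mnt" ]] || { echo "nsmounter: $ns_mnt not found" >&2; exit 1; }`. How `target_pid` is assigned and whether `get_pid` already exits on failure lie outside the visible hunks, so part of this may already be covered.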
