docker volume isn't controlled

[wenlxie]

What is the problem you're trying to solve
Some of the open source images have volume defined in dockerfile.
For containerd, it will create a dir at h host and bind mount it to container.
PR: #247
But this dir is not controlled, user may writes lots of datas to that mounted dir inside container to abuse the system.

Describe the solution you'd like

1. User need to do resource request in their pod spec
2. Kubelet can monitor the usage and take action like evict.
3. runtime can report the volume usage via CRI to kubelet.

Additional context
This feature had been discussed before
kubernetes/kubernetes#52032

cc @crosbymichael @Random-Liu @fuweid

[Random-Liu]

Since volume is part of OCI spec now, we should properly handle it.

A simpler solution is to let the CRI plugin report the disk usage to Kubelet as part of container stats.

A nicer solution is to change Kubelet to be aware of the image volume, and decide where the volume should reside, e.g. make it behave like an emptydir.

[wenlxie]

@Random-Liu
If we make this like emptyDir, then the volume's lifecycle is along with the pod. But if not special configured, the VOLUME's lifecycle is along with container in contained. If container restart, then the VOLUME data will be lost. When remove the container, it will remove all of the directories under dir io.containerd.grpc.v1.cri/containers/<container id>. Not sure whether there are users like current behavior.

[pierreozoux]

Would is be possible to even deactivate this feature?

My problem is that I'd like to use upstream images, like Wordpress or Nextcloud, but they have this VOLUME directive.

If I could deactivate this feature at containerd level, I'd be equally happy actually :)

[crosbymichael]

@pierreozoux are you talking about disable this in the context of using CRI?

[pierreozoux]

I'm using kubernetes, so in my case yes, but I guess it can be helpful for anybody.

Before asking, I actually checked the doc of containerd and runc, didn't see such option.
Now you responded, I checked CRI part and google, still no luck :)

Is there a way?

[crosbymichael]

Not that I know of. This would have to be a CRI setting because generating the config happens in the CRI code, we couldn't make this a setting on the containerd daemon, it has to be up to the clients of containerd.