Add image volume support.

[Random-Liu]

For image volume, currently we only:

1. Create host directory and mount into the image;
2. Change the ownership of the host directory to be the same with mount point inside the image.

What we are going to do in the future:

1. Consider whether we need to copy existing content in the image into the volume. Support ExposedPorts and Volumes in image config. #186.
2. Consider whether we should add the helper into containerd Add WithVolume helper in client. containerd#1482.
3. Consider how to properly manage these volumes in kubelet Ensure that host disk space used by Docker volume is accounted for kubernetes/kubernetes#52032.

@ijc
Signed-off-by: Lantao Liu lantaol@google.com

[Random-Liu]

I've verified this PR, ownership and rw of the image volume is set properly now:

# crictl --runtime-endpoint=/var/run/cri-containerd.sock exec -s 2545316f7d3ff883c80da6480833804d5bd0d463e2080e0777147e2fe4718f99 cat /proc/self/mountinfo | grep "data"
314 295 8:1 /var/lib/cri-containerd/sandboxes/dadf4bf511917af2a595d7d12356bdfabb620190c27f0e8ac67b65f7ae755d6c/hosts /etc/hosts ro,relatime - ext4 /dev/sda1 rw,data=ordered
315 295 8:1 /var/lib/cri-containerd/sandboxes/dadf4bf511917af2a595d7d12356bdfabb620190c27f0e8ac67b65f7ae755d6c/resolv.conf /etc/resolv.conf ro,relatime - ext4 /dev/sda1 rw,data=ordered
317 295 8:1 /var/lib/cri-containerd/containers/2545316f7d3ff883c80da6480833804d5bd0d463e2080e0777147e2fe4718f99/volumes/4281438d8117f1b6e33a10658d5e5290035c6a63dd68d6abe87bf97f3ec6b010 /data/configdb rw,relatime - ext4 /dev/sda1 rw,data=ordered
318 295 8:1 /var/lib/cri-containerd/containers/2545316f7d3ff883c80da6480833804d5bd0d463e2080e0777147e2fe4718f99/volumes/abe3b46973580e81795394a5067ad98717bf1d462b5eb42805e6c8b2558a09bf /data/db rw,relatime - ext4 /dev/sda1 rw,data=ordered
# crictl --runtime-endpoint=/var/run/cri-containerd.sock exec -s 2545316f7d3ff883c80da6480833804d5bd0d463e2080e0777147e2fe4718f99 ls -al /data
total 16
drwxr-xr-x 4 root    root    4096 Sep  8 08:09 .
drwxr-xr-x 1 root    root    4096 Sep 12 06:31 ..
drwxr-xr-x 2 mongodb mongodb 4096 Sep 12 06:31 configdb
drwxr-xr-x 2 mongodb mongodb 4096 Sep 12 06:31 db

[ijc]

1. Consider whether we need to copy existing content in the image into the volume. Support ExposedPorts and Volumes in image config. #186.

I think we do, I found the sock-shop demo was relying on it (I think to preseed the database within the volume).

[ijc]

I think you need to subtract from volumeMounts anything which is also expliclty in mounts, since an explicit bind mount is supposed to take precedence over the implicit ones.

[ijc]

BTW -- this would also mean that as soon as Kubelet starts to understand these things and provide them via mounts directly it will magically stop trying to do things here.

[Random-Liu]

I think you need to subtract from volumeMounts anything which is also expliclty in mounts, since an explicit bind mount is supposed to take precedence over the implicit ones.

Done.

BTW -- this would also mean that as soon as Kubelet starts to understand these things and provide them via mounts directly it will magically stop trying to do things here.

We'll see how CRI will change in that case, and make change our side correspondingly. Added TODO for it.

[Random-Liu]

I think we do, I found the sock-shop demo was relying on it (I think to preseed the database within the volume).

I'll do this in another PR. For this PR, I'll only copy the ownership, and see how things going.

[ijc]

LGTM

[ijc]

Consider whether we need to copy existing content in the image into the volume. #186.

I think we do, I found the sock-shop demo was relying on it (I think to preseed the database within the volume).

I'll do this in another PR. For this PR, I'll only copy the ownership, and see how things going.

It seems like I was mistaken -- I just fired up sock-shop with this PR and everything looked to be working ok. I was unable to login with any of the preseeded accounts but I made a quick patch to add copy up and it didn't seem to make a difference to that functionality. In any case I was able to manually add a new account.

[Random-Liu]

Apply LGTM based on #241 (review).

Will merge after test passes.

[ijc]

-- FAIL: TestGeneralContainerSpec (0.00s)

	Error Trace:	container_create_test.go:207

	Error:		Received unexpected error failed to set OCI bind mounts \
[«redacted by ijc»]: \
failed to resolve symlink "": lstat host-path-1: no such file or directory
	
panic: runtime error: invalid memory address or nil pointer dereference [recovered]
	panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x18 pc=0x2158fa8]

For the panic I think specCheck should start with require.NotNil(t, spec). Or else one or more assert.Foo should be require.Foo so the test stops at that point. Perhaps the assert.NoError(t, err) after calling c.generateContainerSpec (in several places) should instead be `require.NoError(t, err).

The failed lstat appears to be from resolveSymbolicLink which appears to have been added by this PR, not sure why it is suddenly showing up as a failure now, I guess these tests run on master+pr rather than just the pr and there was a clash with #242.

[ijc]

I fixed the tests carried this in #247.

[ijc]

It seems like I was mistaken -- I just fired up sock-shop with this PR and everything looked to be working ok. I was unable to login with any of the preseeded accounts but I made a quick patch to add copy up and it didn't seem to make a difference to that functionality. In any case I was able to manually add a new account.

Sorry to flip-flop on this, but I tested with docker as the engine and I could login, so the issue here was that my copy-up prototype was somehow incomplete or wrong. I'm looking into why now, but we can move ahead with this PR/#247 in the meantime I think.

[Random-Liu]

Sorry to flip-flop on this, but I tested with docker as the engine and I could login, so the issue here was that my copy-up prototype was somehow incomplete or wrong. I'm looking into why now, but we can move ahead with this PR/#247 in the meantime I think.

No wonder. :p

[Random-Liu]

@ijc I'll review and merge your PR instead.

[Random-Liu]

Close this one, because this has been included in #247.