9P/virtio-fs: inotify does not work: ConfigMap Updates

[mcastelino]

ConfigMap Updates: inotify doesn't work on 9p/virtio-fs filesystem mounts

A common design pattern in Kubernetes is to watch for changes to files/directories passes in as Configmaps or Secrets. Sidecar's normally use inotify to watch for changes and then signal the main container or perform some other type of reconfiguration.

Given that Kata today uses 9p to pass in both ConfigMaps as well as Secrets into the VM this will not work.

Note: This will be an issue for virtio-fs too

Expected result

Here is an example for a sidecar used to inject configuration change

apiVersion: v1
data:
    authorized_keys: |
      ssh-rsa USE_SIDECAR_TO_ADD_KEYS_kubectl_cm_edit_ssh-pub-key
kind: ConfigMap
metadata:
  name: ssh-pub-key
---
apiVersion: v1
kind: Pod
metadata:
  name: footfed
spec:
  runtimeClassName: kata
  volumes:
  - name: runv
    emptyDir:
      medium: "Memory"
  - name: runlockv
    emptyDir:
      medium: "Memory"
  - name: tmpv
    emptyDir:
      medium: "Memory"
  - name: fakecgroup
    hostPath:
      path: /sys/fs/cgroup
  - name: ssh-dir
    emptyDir:
      medium: "Memory"
  - name: ssh-pub-key
    configMap:
      name: ssh-pub-key
      defaultMode: 384
  containers:
  # This sidecar is used to constantly update the keys allowing the VM
  # keys to be revoked or updated
  - name: key-sidecar
    image: pstauffer/inotify
    command: ["sh", "-xc", "chmod 700 /root/.ssh; cp /tmp/keys/authorized_keys /root/.ssh/authorized_keys; inotifywait -m -r -e create /tmp/ | while read IGNOREME; do echo /tmp/keys/authorized_keys; cp /tmp/keys/authorized_keys /root/.ssh/authorized_keys; chmod 600 /root/.ssh/authorized_keys; done"]
    volumeMounts:
    - name: ssh-dir
      mountPath: /root/.ssh
    - name: ssh-pub-key
      mountPath: /tmp/keys
  - name: footfed
    image: quay.io/footloose/fedora29:latest
    command: ["/sbin/init"]
    volumeMounts:
    - name: runv
      mountPath: /run
    - name: runlockv
      mountPath: /run/lock
    - name: tmpv
      mountPath: /tmp
    - name: fakecgroup
      readOnly: true
      mountPath: /sys/fs/cgroup
    - name: ssh-dir
      mountPath: /root/.ssh

Once the pod is fully up and running

• Edit the config map using kubectl edit cm ssh-pub-key and modify the key

Watch for the key to change (it will take a few seconds

• watch kubectl exec footfed -c footfed -- cat /root/.ssh/authorized_keys

You should see the new key being setup

Actual result

The key is never updates as the config map change is never detected.

You can also see this in the side-car logs when things work

Every 2.0s: kubectl logs footfed -c key-sidecar                                                           bored-pelinor: Tue Apr  9 01:05:06 2019

+ chmod 700 /root/.ssh
+ cp /tmp/keys/authorized_keys /root/.ssh/authorized_keys
+ inotifywait -m -r -e create /tmp/
+ read IGNOREME
Setting up watches.  Beware: since -r was given, this may take a while!
Watches established.
+ echo /tmp/keys/authorized_keys
+ cp /tmp/keys/authorized_keys /root/.ssh/authorized_keys
/tmp/keys/authorized_keys
+ chmod 600 /root/.ssh/authorized_keys
/tmp/keys/authorized_keys
+ read IGNOREME
+ echo /tmp/keys/authorized_keys
+ cp /tmp/keys/authorized_keys /root/.ssh/authorized_keys
+ chmod 600 /root/.ssh/authorized_keys
+ read IGNOREME

[mcastelino]

This is an issue that minikube faces too kubernetes/minikube#1551

[mcastelino]

@ganeshmaharaj can you verify that inotify works with virtio-fs.

/cc @sboeuf @egernst

[grahamwhaley]

Ouch. Hmm, @stefanha @dagrh, I wonder if virtio-fs might help out minikube as well then?

[stefanha]

@grahamwhaley host->guest inotify is not available in virtio-fs yet. It's something we will look at in the future.

[mcastelino]

@

@grahamwhaley host->guest inotify is not available in virtio-fs yet. It's something we will look at in the future.

@stefanha is this a limitation of fuse filesystem or the current implementation.

[stefanha]

On Tue, Apr 9, 2019 at 6:32 PM Manohar Castelino ***@***.***> wrote: @ @grahamwhaley <https://github.com/grahamwhaley> host->guest inotify is not available in virtio-fs yet. It's something we will look at in the future. @stefanha <https://github.com/stefanha> is this a limitation of fuse filesystem or the current implementation.

FUSE itself does not support inotify.

[sboeuf]

@stefanha thanks for the confirmation. Any other limitation related to FUSE that we would have missed?

[stefanha]

On Wed, Apr 10, 2019 at 6:59 AM Sebastien Boeuf ***@***.***> wrote: @stefanha <https://github.com/stefanha> thanks for the confirmation. Any other limitation related to FUSE that we would have missed?

We haven't tested SELinux yet. In theory it could just work but there's always a chance that additional work will be necessary.

[ganeshmaharaj]

@mcastelino this is what i found about fuse and inotify.
The initial blog to get inotify,fsnotify and the series is at https://github.com/libfuse/libfuse/wiki/Fsnotify-and-FUSE where the author stefbon says he is working on an implementation to enable the transport for events. The latest on this topic is an issue opened in the github project at libfuse/libfuse#328 where it seems the current status of the effort is that the feature is still being worked on but nothing of substance exists yet. libfuse/libfuse#328 (comment)

[fidencio]

@dagrh, @rhvgoyal, Stefan mentioned that "FUSE itself does not support inotify.". Is there something planned on the FUSE side to support it or can we mark this one as a known limitation on our side?

[stefanha]

@fidencio Lack of inotify support is a known limitation. Although we are discussing how to add support, the work has not yet begun and there is ETA. It seems to be technically possible but non-trivial.