CSI mounter second-guesses failed NodePublishVolume RPCs, inferring success wrongly

[seh]

What happened:

A custom CSI driver implementing the NodePublishVolume RPC returns a failure response, indicating that it did not complete its intended steps to prepare the volume for the mounting pod. Let's say that these steps involve

1. Mounting a filesystem at the target directory,
2. Fetching data from a service, and
3. Writing that data to a set of files in the mounted filesystem.

If the first filesystem mounting step succeeds, but either of the subsequent two steps fail, the volume is still not ready for use by the pod. However, if this CSI driver returns a failure response, and the CSI mounter comes back and, before invoking the NodePublishVolume RPC again, it finds a filesystem already mounted at the target directory, it considers that to be good enough, and ceases further calls to NodePublishVolume to allow the CSI driver to try again.

What you expected to happen:

If a CSI driver returns a failure response to a NodePublishVolume RPC, Kubernetes should honor that declaration of failure and invoke the RPC again, disallowing the mounting pod from starting until this RPC succeeds.

Even though it's possible to partially work around the current behavior by having the driver mount the filesystem as late as possible, and then attempting to unmount it if fails to populate the volume with its intended data, doing so makes writing drivers more complicated and forces them to do extra work.

How to reproduce it (as minimally and precisely as possible):

In a CSI driver (even one that serves just ephemeral, inline volumes), implement NodePublishVolume to mount a filesystem at the target path, then return a failure response. Confirm that Kubernetes does not invoke NodePublishVolume again, because there's now a filesystem mounted at the target path.

Anything else we need to know?:

This topic came up for discussion in the "csi" channel in the "Kubernetes" Slack team. There, @timoreimann helped investigate this complaint, and @msau42 suggested filing this report to discuss changing this behavior.

Environment:

• Kubernetes version (use kubectl version):

Client Version: version.Info{Major:"1", Minor:"17", GitVersion:"v1.17.0", GitCommit:"70132b0f130acc0bed193d9ba59dd186f0e634cf", GitTreeState:"clean", BuildDate:"2019-12-13T11:51:44Z", GoVersion:"go1.13.4", Compiler:"gc", Platform:"darwin/amd64"}
Server Version: version.Info{Major:"1", Minor:"16", GitVersion:"v1.16.2", GitCommit:"c97fe5036ef3df2967d086711e6c0c405941e14b", GitTreeState:"clean", BuildDate:"2019-10-15T19:09:08Z", GoVersion:"go1.12.10", Compiler:"gc", Platform:"linux/amd64"}

• Cloud provider or hardware configuration:
  AWS EC2

• OS (e.g: cat /etc/os-release):

NAME="Container Linux by CoreOS"
ID=coreos
VERSION=2303.3.0
VERSION_ID=2303.3.0
BUILD_ID=2019-12-02-2049
PRETTY_NAME="Container Linux by CoreOS 2303.3.0 (Rhyolite)"
ANSI_COLOR="38;5;75"
HOME_URL="https://coreos.com/"
BUG_REPORT_URL="https://issues.coreos.com"
COREOS_BOARD="amd64-usr"

• Kernel (e.g. uname -a):

Linux ip-10-130-113-181 4.19.86-coreos #1 SMP Mon Dec 2 20:13:38 -00 2019 x86_64 Intel(R) Xeon(R) Platinum 8175M CPU @ 2.50GHz GenuineIntel GNU/Linux

• Install tools:
  kubeadm

• Others:
  csi-node-driver-registrar container image tag: v1.0.2

[seh]

/sig storage

[msau42]

@kubernetes/sig-storage-bugs

While the plugin should try to clean up as much as possible, I agree that kubelet should not be assuming that if there's a mount point, the publish is successful. NodePublish is supposed to be idempotent so it should theoretically be safe to call it when it's already mounted, although there is the possibility that plugins may have written against the K8s behavior.

[jingxu97]

For the mount point checking here

kubernetes/pkg/volume/csi/csi_mounter.go

Lines 114 to 117 in 0387ee4

	if mounted {
	klog.V(4).Info(log("mounter.SetUpAt skipping mount, dir already mounted [%s]", dir))
	return nil
	}

before calling NodePublishVolume, I am wondering it is just for performance optimization, or it has other purposes. Have concern about some drivers might depend on this check if they are not implemented with idenpotency.

[seh]

Those drivers would be operating in violation of the specification. I'd prefer that we don't penalize already conforming and yet-to-be written drivers in order to accommodate these existing drivers—if they even exist.

[seh]

More fallout in last night's testing: I introduced a bug into my driver that caused it to panic during step 3 above ("Writing that data to a set of files in the mounted filesystem"). My NodePublishVolume handler function is set up to unmount a successfully mounted volume via defer if it doesn't complete steps 2 and 3 above, in order to deal with this issue's principal complaint.

My driver container would crash due to this panic. The kubelet would call on my driver twice, it would crash twice, but the pod still started running. I'm not yet sure whether or not the filesystem got unmounted successfully via the defer on the first call, but somehow the pod started despite my NodePublishVolume handler function never completing successfully.

I'm going to try to get some more debugging time on this later today to see if I can figure out what the kubelet was doing there.

[seh]

I'm going to try to get some more debugging time on this later today to see if I can figure out what the kubelet was doing there.

Studying my code more, I see that my defer function only unmounted the mounted directory when the containing NodePublishVolume handler function was returning an error. When unwinding due to a panic, the named return value of type error I was inspecting was still nil. Revising the criteria in that defer function covers both failure reasons (returning an error and unwinding due to a panic).

Regardless, this further underscores the problem: If a driver makes it as far as mounting a filesystem at the target directory, but fails afterward—including the process crashing and never responding positively to the NodePublishVolume RPC—the mounting pod will start. That's likely to then cause the pod to fail, for lack of the files it expected to find mounted.

[fejta-bot]

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle stale