plugins: container-rootfs-relative paths

[tiborvass]

Legacy plugins expect host-relative paths (such as for Volume.Mount).
However, a containerized plugin cannot respond with a host-relative
path. Therefore, this commit modifies new volume plugins' paths in Mount
and List to prepend the container's rootfs path.

Volume plugins that do mounts and want it to propagate to the host namespace, need to mount inside /mnt.

Signed-off-by: Tibor Vass tibor@docker.com

[tiborvass]

@anusha-ragunathan @vieux I changed this to accommodate legacy plugins that have hardcoded /run/docker/plugins already. I had initially chosen /run/docker because it was shorter. To be clear: this is the path inside the container where we expect the socket to be.

[anusha-ragunathan]

Works for me. It reduces the code change required by the legacy plugins to move to pluginv2.

[anusha-ragunathan]

@tiborvass : you dont need to change this for plugins. This is the host directory that gets bind mounted to the plugin. The plugin run time path is defaultPluginRuntimeDestination which is already set to /run/docker/plugins https://github.com/docker/docker/blob/fa7c1a68a68ffb7c6851c59d2c0b41091b9d6e5e/plugin/v2/plugin.go#L29

We could change runRoot back to /run/docker/plugins to indicate that the directories that get created under there are plugins related.

[cpuguy83]

For a separate PR, but this should not be hard-coded to /run/docker but instead use the daemon exec root

[anusha-ragunathan]

The reason to hard code is that, this holds the plugin socket. There's a socket path limitation on Linux to 108 bytes. The daemon exec root doesnt have any socket and is not bound by this limitation. So we have to choose a path that always works.

[anusha-ragunathan]

p.Rootfs can also be used in https://github.com/docker/docker/blob/master/plugin/backend.go#L132

[anusha-ragunathan]

Lets keep this PR specifically for container-rootfs-relative path fix and open new ones for the other bug fixes. Keeps a cleaner history.

[anusha-ragunathan]

Lets fix this todo by adding to Manifest's privilege section. Something like "REQUEST_DEVICE_CREATION".

[tiborvass]

@anusha-ragunathan I could not change this in the caller function because I have only access to CompatPlugin interface values, and not *Plugin objects.

[anusha-ragunathan]

Fair enough.

[anusha-ragunathan]

@tiborvass

FAIL: docker_cli_daemon_experimental_test.go:177: DockerDaemonSuite.TestVolumePlugin

[d0f844bc9335c] waiting for daemon to start
[d0f844bc9335c] daemon started
docker_cli_daemon_experimental_test.go:223:
    c.Assert(err, checker.IsNil, check.Commentf(out))
... value *exec.ExitError = &exec.ExitError{ProcessState:(*os.ProcessState)(0xc421c5b0e0), Stderr:[]uint8(nil)} ("exit status 127")
... Unable to find image 'busybox:latest' locally
latest: Pulling from library/busybox
8ddc19f16526: Pulling fs layer
8ddc19f16526: Download complete
8ddc19f16526: Pull complete
Digest: sha256:a59906e33509d14c036c8678d687bd4eec81ed7c4b8ce907b888c607f6a1e0e6
Status: Downloaded newer image for busybox:latest
/go/src/github.com/docker/docker/bundles/1.13.0-dev/binary-client/docker: Error response from daemon: oci runtime error: rootfs_linux.go:53: mounting "/tmp/data" to rootfs "/go/src/github.com/docker/docker/bundles/1.13.0-dev/test-integration-cli/d0f844bc9335c/root/vfs/dir/fe75f9766650efb2ecd73bee99b3c9eb67301379cccf3e119582c92016c3a318" caused "stat /go/src/github.com/docker/docker/bundles/1.13.0-dev/test-integration-cli/d0f844bc9335c/root/plugins/2666fee9e7017759705396aa5301f13af1385ca24e8665106e0cdcd687385816/rootfs/data/plugin-volume: no such file or directory".

[ekristen]

Please let me know if I can assist. Looking forward to seeing this get merged for 1.13.

[tiborvass]

Thanks, I'm planning to update this soon.

[thaJeztah]

ping @tiborvass what's the status here?

[anusha-ragunathan]

Need a fresh pair of eyes reviewing this. @cpuguy83 ?

[anusha-ragunathan]

remove

[anusha-ragunathan]

remove

[anusha-ragunathan]

Please see #26398 (comment)

[anusha-ragunathan]

We are simply printing out the mounts, which doesnt test much. Can we use findmnt to see if the mount propagated?

[cpuguy83]

Beyond the already commented items, code seems ok.

[vdemeester]

Shouldn't this be dockerCmd instead ? Doesn't seem right to not care about error at all 😓

[tiborvass]

@vdemeester I kept err and asserted it non-nil. Realized that dockerCmd will assume non-nil error...

[anusha-ragunathan]

Is this still applicable? When does the mount leak?

[cpuguy83]

../../../../etc

[anusha-ragunathan]

Lets not introduce Public fields in this struct. Refer to #29191 is making changes to make this all private and move necessary fields to a controller struct in the manager. Please review that PR and follow similar design on the new fields.

[anusha-ragunathan]

https://github.com/docker/docker/blob/master/docs/extend/config.md needs to be updated. Please do that alongside.

[anusha-ragunathan]

LGTM (if tests pass)

[cpuguy83]

filepath.Base(p.PluginObj.Config.PropagatedMount)?

[cpuguy83]

Making sure I understand this... this is for mounting the propagated path to the plugin root (outside rootfs)?
Maybe even just use mnt instead of the mount path.

[anusha-ragunathan]

@tiborvass : You should be using filepath.Join(p.LibRoot, p.PluginObj.ID, p.PluginObj.Config.PropagatedMount). Else mounts from different plugins with the same name will collide. Another option is to fix p.LibRoot to include the pluginID (It should have been this way in the first place)

We dont want to use hard coded mnt. We want plugin devs to specify the mount that needs propagation.

[anusha-ragunathan]

@cpuguy83 : PropagatedMount is strictly for those plugins (typically volume and graph drivers) that need to setup mounts that need to propagated to the host.
We want plugin devs to specify which mounts need to be propagated, rather than hard coding it to a specific path.

[cpuguy83]

Right, but isn't this a singleton that's the "host" side of the mount?

[anusha-ragunathan]

Yes. Having the same dir as the mount in the config could be less confusing. On the other hand, having a standard dir such as mnt is also reasonable. I'll let @tiborvass decide. Also, we dont have to do this in this PR.

[tiborvass]

For start up reasons, this field is also set in plugin/manager.go. And I just realized it's set to something else. So I'll go with p.Rootfs for now.