Handle non-empty EmptyDirs used by GCS Fuse CSI Driver. by copybara-service[bot] · Pull Request #11728 · google/gvisor · GitHub

Merged: 1 commit into master from test/cl758765841 on May 22, 2025

Conversation

copybara-service[bot]

Handle non-empty EmptyDirs used by GCS Fuse CSI Driver.

Some CSI drivers, like GCS Fuse CSI driver, inject EmptyDirs into sidecar
containers and communicate with the container using files in the EmptyDir.

In gVisor terminology, such an EmptyDir is being used as a shared bind (gofer)
mount. It is not exclusive to the sandbox. This breaks a fundamental assumption
gVisor makes about EmptyDirs; it assumes that they are exclusive to the sandbox
and that they have no external observers. So as an optimization, gVisor converts
EmptyDir volumes into gVisor-internal tmpfs filesystems that are mounted into
all the containers that are using that EmptyDir. As a result:

  • Any files in the host EmptyDir directory are not reflected within the sandbox.
  • Any changes made by the sandbox in the EmptyDir are not reflected on the host.

This change uses the heuristic that if the EmptyDir volume's host directory is
not empty at sandbox creation time, then it is being shared with some external
component which is interacting with the sandbox. We have observed that the GCS
Fuse CSI Driver populates the /gcsfuse-tmp EmptyDir with a UDS at path
.volumes/gcsfuse-mount/socket.
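The heuristic described in the PR (non-empty host directory at sandbox creation time means the EmptyDir is shared, so it must stay a bind mount rather than being replaced by a sandbox-internal tmpfs) is small enough to show end to end. The following is an added illustration written for this page; it is not gVisor's implementation and uses no gVisor API. `MountKind`, `classifyEmptyDir` and `demoGCSFuseLayout` are names chosen for the example, the temporary directory layout is constructed to mirror the `/gcsfuse-tmp` case from the description, and a regular file stands in for the Unix socket because the heuristic only counts directory entries.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"os"
	"path/filepath"
)

// MountKind is how the sandbox will back an EmptyDir volume. It is an
// illustrative type for this example, not a gVisor API.
type MountKind int

const (
	// InternalTmpfs: the EmptyDir is exclusive to the sandbox, so it can be
	// replaced by a sandbox-internal tmpfs (the existing optimization).
	InternalTmpfs MountKind = iota
	// SharedBind: something on the host already placed files in the EmptyDir,
	// so it must stay a shared bind (gofer) mount that both sides observe.
	SharedBind
)

// hostDirIsEmpty reports whether hostDir has no entries. It reads at most
// one entry, so it is cheap even for a large directory.
func hostDirIsEmpty(hostDir string) (bool, error) {
	f, err := os.Open(hostDir)
	if err != nil {
		return false, err
	}
	defer f.Close()
	_, err = f.Readdirnames(1)
	if errors.Is(err, io.EOF) {
		return true, nil
	}
	return false, err
}

// classifyEmptyDir applies the heuristic from the PR description: a
// non-empty host directory at sandbox creation time means an external
// component is using the volume, so it must not be converted to tmpfs.
// On any inspection error it falls back to SharedBind, the choice that
// never hides host state from the sandbox.
func classifyEmptyDir(hostDir string) (MountKind, error) {
	empty, err := hostDirIsEmpty(hostDir)
	if err != nil {
		return SharedBind, fmt.Errorf("inspecting EmptyDir %q: %w", hostDir, err)
	}
	if empty {
		return InternalTmpfs, nil
	}
	return SharedBind, nil
}

// demoGCSFuseLayout builds a constructed stand-in for two EmptyDirs: one
// left empty, and one pre-populated the way the description says the GCS
// Fuse CSI driver does (an entry at .volumes/gcsfuse-mount/socket). A
// regular file stands in for the UDS; the heuristic only counts entries.
func demoGCSFuseLayout() (exclusive, shared MountKind, err error) {
	root, err := os.MkdirTemp("", "emptydir-demo-")
	if err != nil {
		return 0, 0, err
	}
	defer os.RemoveAll(root)

	emptyDir := filepath.Join(root, "exclusive")
	sharedDir := filepath.Join(root, "gcsfuse-tmp")
	if err := os.Mkdir(emptyDir, 0o755); err != nil {
		return 0, 0, err
	}
	sockDir := filepath.Join(sharedDir, ".volumes", "gcsfuse-mount")
	if err := os.MkdirAll(sockDir, 0o755); err != nil {
		return 0, 0, err
	}
	if err := os.WriteFile(filepath.Join(sockDir, "socket"), nil, 0o600); err != nil {
		return 0, 0, err
	}

	if exclusive, err = classifyEmptyDir(emptyDir); err != nil {
		return 0, 0, err
	}
	if shared, err = classifyEmptyDir(sharedDir); err != nil {
		return 0, 0, err
	}
	return exclusive, shared, nil
}

func main() {
	exclusive, shared, err := demoGCSFuseLayout()
	if err != nil {
		fmt.Println("error:", err)
		os.Exit(1)
	}
	fmt.Println("empty EmptyDir   -> internal tmpfs:", exclusive == InternalTmpfs)
	fmt.Println("gcsfuse-tmp      -> shared bind   :", shared == SharedBind)
}
```

Two properties of the check are worth keeping in mind when relying on it. It is evaluated once, at creation time, so a host component that only writes into the EmptyDir after the sandbox has started still gets the tmpfs conversion and will not see the sandbox's files; and the conversion is what hides host state from the sandbox, so on an inspection error the example deliberately defaults to the shared bind mount rather than to tmpfs.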

@copybara-service copybara-service bot added the exported Issue was exported automatically label May 14, 2025
@copybara-service copybara-service bot force-pushed the test/cl758765841 branch 2 times, most recently from 53b8b14 to 8fda2b6 Compare May 22, 2025 07:01
PiperOrigin-RevId: 761839333
@copybara-service copybara-service bot merged commit ab9666d into master May 22, 2025
1 check was pending
@copybara-service copybara-service bot deleted the test/cl758765841 branch May 22, 2025 07:36