For compliance with the Project Testing Interface as described in:
https://governance.openstack.org/tc/reference/project-testing-interface.html
For more detailed information, please refer to:
http://lists.openstack.org/pipermail/openstack-dev/2017-December/125710.html
http://lists.openstack.org/pipermail/openstack-dev/2018-March/128594.html
Co-Authored-By: Hongbin Lu <hongbin034@gmail.com>
Change-Id: I94afabfc634ae22fb6e0e4ab2e1d17810f6f7c80
Closes-Bug: #1758218
Local Volume Integration
Related Launchpad Blueprint:
https://blueprints.launchpad.net/zun/+spec/support-volume-binds
Zun has introduced an option for users to bind-mount Cinder volumes into containers. However, users cannot bind-mount a file or directory from the host's local file system into a container. This function is like the '-v' option of docker run/create:
$ docker run -v /host/path:/container/path <image>
The above command bind-mounts the host directory '/host/path' to the path '/container/path' inside the container.
Problem description
Some special application containers need files or directories on the host for their initialization process or for reading a large amount of data. So Zun should implement this option, and it should work together with Cinder volumes.
Proposed change
This spec proposes the following changes.
- It is unsafe to mount host directories into a container, so only admins can bind-mount a file or directory from the local file system into a container.
- We already use the --mount option for Cinder volume bind-mounts. It is better to reuse this option for bind-mounting the local file system. For example:
  $ zun run --mount type=<local|cinder>,source=...,destination=... <image>
- Zun introduces a config file (called 'allowed_mount_path.conf'). Operators can tune this config to restrict the paths that may be bind-mounted.
- The administrator is expected to know which nodes a special container should be scheduled on. Users may combine the --mount and --hint options to create a container.
Workflow
The typical workflow to create a container with a local volume is as follows:
A user calls the Zun API to create a container with a local volume:
$ zun run --mount type=local,source=/proc,destination=/proc \
    --hint <key=value> centos
After receiving this request, Zun checks whether the mount info contains local volumes. Then it checks that the user has administrator permissions.
Zun creates an item for the local volume and stores it in the volume_mapping table.
Zun chooses a node according to the --hint option, and checks whether the local volume is in the volume list in forbidden_volume.conf.
Zun calls the Docker API to create the container, using the "-v" option:
$ docker run -d -v /proc:/proc centos
Security impact
- Only admins can bind-mount a file or directory from the local file system into a container.
- Zun introduces a config file (called 'allowed_mount_path.conf') to check which files/directories can be bind-mounted. When the config is unset or empty, Zun raises an exception when the bind-mount option is used.
Notifications impact
None
Other end user impact
None
Performance Impact
None
Other deployer impact
Deployers need to deploy Cinder.
Developer impact
None
Implementation
Assignee(s)
Primary assignee: Feng Shengqin
Other contributors:
Dependencies
Testing
Each patch will have unit tests and Tempest functional tests.
Documentation Impact
A set of documentation for this new feature will be required.