From 687fb8584f3a244fa73cd8cb5091f496e0316f16 Mon Sep 17 00:00:00 2001
From: Matt Peters
Date: Thu, 12 Mar 2020 13:54:44 -0400
Subject: [PATCH] Propagate host mount changes to metricbeat container

The metricbeat pod requests a hostPath volume which mounts the rootfs of the host into the container. This is required for metricbeat to read the filesystem usage from within the container. The rootfs mount is also bind mounting all subpath mounts within the container which includes the DRBD filesystems. When SM attempts to unmount the DRBD filesystems as part of the swact operation, the metricbeat container is still holding on to the mounted filesystems, preventing the DRBD devices from being shut down.

To address this, the metricbeat container will specify the mount propagation so that any changes to the host filesystem are also reflected inside the container. This will ensure that when the host performs the unmount, the container will also release the mount reference.

In the future, security policies should be added to ensure other application containers do not perform host mount operations without having the necessary privileges to access the host filesystem.

Change-Id: I43c6dcbe6a438b357532263be5b04f122b587c70
Closes-Bug: 1866099
Signed-off-by: Matt Peters
--- .../stx-monitor-helm/manifests/monitor_manifest.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/stx-monitor-helm/stx-monitor-helm/manifests/monitor_manifest.yaml b/stx-monitor-helm/stx-monitor-helm/manifests/monitor_manifest.yaml index f6319d8..73ccca2 100644 --- a/stx-monitor-helm/stx-monitor-helm/manifests/monitor_manifest.yaml +++ b/stx-monitor-helm/stx-monitor-helm/manifests/monitor_manifest.yaml @@ -563,6 +563,7 @@ data: - name: root mountPath: /hostfs readOnly: true + mountPropagation: HostToContainer extraVolumes: - name: root hostPath:
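Review bot: At the added `mountPropagation: HostToContainer` line, the `readOnly: true` directly above it applies to the `/hostfs` mount itself, and Kubernetes does not make submounts read-only by default, so host mounts that propagate in after the container starts (including the DRBD filesystems the commit message mentions) may be writable from inside metricbeat; please confirm how those submounts appear in the container, or record that this is accepted. The new key also carries no YAML comment, so the reason for it (releasing the mount reference during swact, bug 1866099) is visible only in the commit message; a one-line comment next to the setting would keep it from being dropped in a later cleanup. Since HostToContainer only has an effect when the host side of the mount is shared, it would help to state that the unmount during swact was verified on a target host with this manifest applied.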