feat: allow mounting containerd socket as a directory #768
In our testing we learned that spegel is not able to continue functioning after containerd on a node was restarted, while the rest of the node continues functioning fine. This can be seen by it generating a lot of "connection refused" messages in the logs. containerd restarts are of course not a common occurrence, but they can happen (and in our case we intentionally trigger them sometimes). This PR adds an option to make spegel compatible with restarts.
The reason why the current chart configuration is unable to deal with this is that it mounts the socket file directly, which will cause containerd to mount the socket as a pointer to the underlying inode. When containerd is restarted that socket file is removed and re-created, giving it a new inode. So at this point, the mounted socket is pointing to an inode that is not in use anymore, leading to the broken connection. Instead, we can mount the socket parent directory, as this one is not re-created. The socket within then gets updated in the mount as well, which in turn allows the containerd library used by spegel to re-connect.
I added this as an option that will lead to no templated differences for people using the defaults, so that there are no unexpected consequences for those that upgrade their spegel charts from previous versions. Directory mounts have some additional security concerns that people might want to check before they start using them, as this will give the container access to more files than it had before.
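The two mount strategies the description contrasts, written out as an added, illustrative Pod spec. This is not the spegel chart's template or the change in this PR; the Pod and volume names, the image reference and the `/run/containerd` host path are assumptions chosen for the example. The first Pod shows the file-level mount that breaks across a containerd restart, the second the parent-directory mount that survives it, with a read-only mount used to narrow the extra exposure that comes with mounting the whole directory.

```yaml
# Variant A: bind-mount the socket file itself (the default behaviour the PR describes).
# The mount is pinned to the inode of containerd.sock; when containerd restarts and
# re-creates the socket, this path still points at the old, dead inode.
apiVersion: v1
kind: Pod
metadata:
  name: socket-client-file-mount          # hypothetical name
spec:
  containers:
    - name: client
      image: example.invalid/socket-client  # placeholder image
      volumeMounts:
        - name: containerd-sock
          mountPath: /run/containerd/containerd.sock
  volumes:
    - name: containerd-sock
      hostPath:
        path: /run/containerd/containerd.sock
        type: Socket                        # kubelet refuses the Pod if this is not a socket
---
# Variant B: bind-mount the parent directory (the option this PR adds).
# The directory inode is not re-created on restart, so the new containerd.sock
# shows up inside the mount and the containerd client library can reconnect.
# Trade-off: every other file under /run/containerd is now visible to the container.
apiVersion: v1
kind: Pod
metadata:
  name: socket-client-dir-mount           # hypothetical name
spec:
  containers:
    - name: client
      image: example.invalid/socket-client  # placeholder image
      volumeMounts:
        - name: containerd-dir
          mountPath: /run/containerd
          # Read-only limits what the container can do with the sibling files;
          # connecting to a unix socket does not require a writable mount.
          readOnly: true
  volumes:
    - name: containerd-dir
      hostPath:
        path: /run/containerd
        type: Directory                     # kubelet refuses the Pod if the directory is missing
```

The `type` field on each `hostPath` is the check worth keeping: with `Socket` and `Directory` set, kubelet fails the Pod at scheduling time if the host path is not what the manifest expects, rather than letting the container start against a missing or wrong object. When reviewing a switch to the directory mount, listing the other entries under the host directory on the node is the quickest way to judge what the `readOnly` mount still exposes.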