Bind external folders to Kubelet with mount propagation?

adampl · November 9, 2021, 7:58pm

Hi When I bind an external folder to Kubelet via the extra_binds option, the binds are created with the default rprivate mount propagation option, which makes any host-originating mounts in that folder invisible to Kubelet - and pods mounting it, even if they use mountPropagation: HostToContainer. You can check it by inspecting the Kubelet container:

# docker container inspect kubelet
"Mounts": [
{
    "Type": "bind",
    "Source": "/local",
    "Destination": "/local",
    "Mode": "",
    "RW": true,
    "Propagation": "rprivate"
},
...

This is the result of cluster.yaml containing this config:

services:
  kubelet:
    extra_binds:
      - "/local:/local"

Here’s how to do it in Docker: Use bind mounts | Docker Documentation

But how do I tell Rancher to bind the folder with an rslave or rshared option instead of rprivate?

adampl · November 10, 2021, 6:48pm

In order to bind with eg. rslave propagation, I had to add :rslave suffix to the bind spec, like this:

services:
  kubelet:
    extra_binds:
      - "/local:/local:rslave"

Which is reflected in Kubelet container config (when cluster update is complete):

# docker container inspect kubelet
"Mounts": [
{
    "Type": "bind",
    "Source": "/local",
    "Destination": "/local",
    "Mode": "rslave",
    "RW": true,
    "Propagation": "rslave"
},
...

However, existing mounts inside the /local folder are not propagated to pods, only the new mounts
Moreover, the pods which got new mounts propagated to /local, cannot be deleted until the mounts are first unmounted by the host

adampl · November 11, 2021, 4:42pm

Bug reported:

github.com/rancher/rancher

Wrong behavior of bind propagation in local volumes

opened 04:31PM - 11 Nov 21 UTC

adampl

**Rancher Server Setup** - Rancher version: 5.2.8 - Installation option: Docke…r **Information about the Cluster** - Kubernetes version: 1.21 - Cluster Type: Custom **Describe the bug** - Mount propagation doesn't propagate mounts existing in a volume before the pod creation - Pod cannot be deleted before mounts propagated to the volume are unmounted **To Reproduce** 1. Create empty folders `/local` and `/local/bar` on the host 2. Edit cluster YAML to add the necessary bind mount with the `rslave` option: ```yaml services: kubelet: extra_binds: - "/local:/local:rslave" ``` 3. Save and wait for cluster update to complete 4. Create a Persistent Volume of type Local, pointing to `/local` 5. Create a PV Claim to claim the PV 6. Create a Pod that mounts this PVC at `/foo`, with the `mountPropagation: HostToContainer` option 7. On the host, bind-mount some non-empty folder like `/bar` at `/local/bar` (`mount --bind /bar /local/bar`) 8. Execute shell in the pod and observe that `/foo/bar` is _not_ empty (good - the new mount propagates) 9. Delete the pod and notice that it never completes (bad - pod should be deleted) 10. Unmount `/local/bar` on the host (`umount /local/bar`) 11. Observe that now the pod can be deleted 12. Again mount `/local/bar` on the host 13. Then create a pod like the previous one (after the mount) 14. Execute shell in the pod and observe that `/foo/bar` _is_ empty (bad - preexisting mount doesn't propagate) **Result** - Existing mounts don't propagate to pod - Pods with new mounts propagated cannot be deleted **Expected Result** - Existing mounts should propagate - Pods with new mounts propagated should be deleted normally **Additional context** My thread on the Rancher forum: https://forums.rancher.com/t/bind-external-folders-to-kubelet-with-mount-propagation/36137 Useful command: `findmnt -o SOURCE,TARGET,PROPAGATION | grep local` Useful docs: https://rancher.com/docs/rke/latest/en/config-options/services/services-extras/#extra-binds https://kubernetes.io/docs/concepts/storage/volumes/#local https://kubernetes.io/docs/concepts/storage/volumes/#mount-propagation https://docs.docker.com/storage/bind-mounts/ https://www.kernel.org/doc/Documentation/filesystems/sharedsubtree.txt

Topic		Replies	Views
How to add a new extra_binds argument to kubelet service of RKE cluster that was provisioned with Rancher Rancher	2	1964	November 24, 2020
How to submit a workload with a bind mounted volume with mount propagation? Rancher	2	931	November 15, 2018
[SOLVED] Rancher-agent kubelet extra_binds Rancher	2	2462	March 10, 2022
Has anyone Seen this: rshared/rprivate error on daemon root "/var/lib/docker" Rancher 1.x	1	2135	April 12, 2018
Bind-mount from node - does it work? Rancher	1	2318	November 24, 2018

Bind external folders to Kubelet with mount propagation?

Related topics