Use overlay for cached

[udnay]

Use an overlay for dateilager's cached service. Instead of giving each sandbox pod its own hard linked copy of the dl_cache we will mount an overlayfs of the cached's dl_cache

In the pod that's mounting to overlay we can see that we can hardlink between the 2 directories and that the pod can write to the cache and corrupt it.

however on the cached pod the contents are still fine

and additionally if we mount a second pod, it too sees the clean copy.

The pods are configured to use their ephemeral space so any writes to dl_cache will be cleaned up when the pod is killed.

The cached pod stores the "golden cache" at /var/lib/kubelet/dateilager_cache

For a simple example pod lets look at

apiVersion: v1
kind: Pod
metadata:
  name: busybox-csi
spec:
  containers:
  - name: busybox
    image: busybox
    command: 
      - "/bin/sh"
      - "-c"
      - "sleep infinity"
    volumeMounts:
    - name: gadget
      mountPath: /gadget
      subPath: gadget
  volumes:
  - name: gadget
    csi:
      driver: com.gadget.dateilager.cached
      volumeAttributes:
        placeCacheAtPath: "dl_cache"
        mountCache: "true"
      readOnly: false

A pod that is mounting a volume managed by the dateilager-csi will get a new ephemeral dir (like emptyDir) that is on the host /var/lib/kubelet/pods/88064d87-6870-4da5-8ba1-d9ac62b3f3ff/volumes/kubernetes.io~csi/gadget/mount this is the targetPath that comes in on the csi.NodePublishVolumeRequest

The directory structure that we create inside of the target dir is like this

/var/lib/kubelet/pods/
   | -- .../
      | -- gadget/mount/
          | -- gadget/
          | -- gadget_writeable/
          | -- work/

gadget is the target mount point for the overlay. gadget_writeable is the upperdir and work is the workdir

The readonly lowerdir is /var/lib/kubelet/dateilager_cache which contains dl_cache.

[airhorns]

We should consider what value we want for the redirect_dir option. When I was working with overlayfs for making the gadget CI bits that reset the filesystem faster, I had to set it to on, but that's not necessarily true here. https://docs.kernel.org/filesystems/overlayfs.html#redirect-dir

See https://github.com/gadget-inc/gadget/pull/11070/files#diff-37490d715785dc29d4323daef03e84518b414f5fdca4d258c9f415c936080d4f if you are curious

[udnay]

TIL.
We can set it, I'm not sure how often we'll change the cache but it'll be nice to have the option.

What do you mean by

CI bits that reset the filesystem faster

As in, overlay was faster or something else?

[udnay]

@airhorns https://github.com/gadget-inc/gadget/pull/14578 CI is passing with the overlay running. I think this PR is ready for review.

[airhorns]

We gonna try to avoid this extra subfolder if we can after talking IRL

[udnay]

Added this because overlay won't run on mac's so bumping the csi-tests out to be more integration sanity tests.

[udnay]

In github actions we're not running as root, in our deployment we run as root in a privileged container so this is how we can call mount/umount during our tests. If there's a more elegant way to do this let me know.

[airhorns]

I dont know of one 🤷

[udnay]

This did not seem to set the dir to 0777 so I had to add the explicit chmod below.

[airhorns]

Terrifying -- maybe because its a mkdirall, the new perms only apply if it is creating new dirs, but it leaves existing ones alone?

[udnay]

@airhorns I made the changes, I still have some clean up to do but I think this is ready for a quick second pass.

[airhorns]

LGTM, or definitely good enough to canary

[airhorns]

Terrifying -- maybe because its a mkdirall, the new perms only apply if it is creating new dirs, but it leaves existing ones alone?

[airhorns]

I dont know of one 🤷

[airhorns]

Did redirect_dir end up being necessary?

[udnay]

Not entirely, it seems to be useful if there are changes to the lower dir that files don't disappear which seems good in general.