virtcontainers: Add support for ephemeral volumes

[harche]

Ephemeral volumes should not be passed at 9pfs mounts.
They should be created inside the VM.

This patch disables ephemeral volumes from getting
mounted as 9pfs from the host and instead a corresponding
tmpfs is created inside the VM.

Fixes : #61

Signed-off-by: Harshal Patil [email protected]

[harche]

There will be the corresponding PR on agent project.

[harche]

Corresponding PR in agent, kata-containers/agent#236

[egernst]

Can you clarify the expected format of the original Source str in a comment?

[harche]

@egernst A typical ephemeral storage path looks like, /var/lib/kubelet/pods/366c3a75-4869-11e8-b479-507b9ddd5ce4/volumes/kubernetes.io~empty-dir/cache-volume

I will update the code with this sample path in code comments.

[egernst]

Looks good. One ask for an added comment, and small nit on commit message: I think

Ephemeral volumes should not be passed at 9pfs mounts.

should have s/at/as

[egernst]

@WeiZhang555 @amshinde - PTAL

[WeiZhang555]

@harche Sorry I didn't participate the discussion before. Need to confirm the cases first, I see in the issue #61 , you mentioned the volume is backed by tmpfs

# mount |grep 366c3a75
tmpfs on /var/lib/kubelet/pods/366c3a75-4869-11e8-b479-507b9ddd5ce4/volumes/kubernetes.io~empty-dir/cache-volume type tmpfs (rw,relatime)
tmpfs on /var/lib/kubelet/pods/366c3a75-4869-11e8-b479-507b9ddd5ce4/volumes/kubernetes.io~secret/default-token-2w6d4 type tmpfs (rw,relatime)

So in this PR, you only handled kubernetes.io~empty-dir but let the kubernetes.io~secret/ go, I guess it's because we need to write data to "kubernetes.io~secret"from host so we should keep it bind-mounted.

The question here is, are we sure there's no scenario we will write data to kubernetes.io~empty-dir from host? Because if this happens it will fail after we merge this. And it will also fail when container tries to write to K8S~empty-dir and someone wants to read from host side.

Another concern is, is this code too "K8S" specific?

[jodh-intel]

As noted on kata-containers/agent#236, I am concerned that although this might work today, since the code is parsing a path name it could easily break if k8s decide to change their naming for some reason.

[WeiZhang555]

Yep, this is also what I am worrying about now, it's a bit too "K8S" specific.

[bergwolf]

Can we move the detection to kata cli to keep the knowledge out of virtcontainers? We can add a tmpfs device type for it in container DeviceInfos and kata cli is responsible for detecting ephemeral volumes and construct proper deviceinfo there.

[harche]

@WeiZhang555 any solution to handle ephemeral volumes will be very specific to the k8s. Ephemeral volumes are k8s concept after all. But we are interested in bringing them in kata because it helps to increase the isolation with the host. If you have a scenario where you need to share the data between say, k8s init and regular containers of the pod then those containers can share the data amongst themselves without explicitly putting it on the host filesystem.

@jodh-intel ephemeral volumes are define in k8s yaml at pod level like this,

apiVersion: v1
kind: Pod
metadata:
  name: myapp-pod
  annotations:
    io.kubernetes.cri.untrusted-workload: "true"
  labels:
    app: myapp
spec:
  containers:
  # Application Container
  - name: myapp-container
    volumeMounts:
    - mountPath: /cache
      name: cache-volume
    imagePullPolicy: IfNotPresent 
    image: localhost:5000/app_image:latest
    command: ['sh']
  initContainers:
  - name: data-container
    volumeMounts:
    - mountPath: /cache
      name: cache-volume
    imagePullPolicy: IfNotPresent 
    image: localhost:5000/data_image:latest
    command: ['sh', '-c', 'cp /test.gpg /cache/']
  volumes:
  - name: cache-volume
    emptyDir:
      medium: "Memory"

So far the SanboxConfig.Volumes (https://github.com/kata-containers/runtime/blob/master/virtcontainers/sandbox.go#L444) doens't register this volume type.

This is the reason I resorted to parsing the OCI mounts of the invidual container mounts to infer if there are any k8s ephemeral volumes.

[katabuilder]

PSS Measurement:
Qemu: 142172 KB
Proxy: 6730 KB
Shim: 13117 KB

Memory inside container:
Total Memory: 2045972 KB
Free Memory: 2010968 KB

[bergwolf]

The check is too k8s specific to be in the virtcontainers library. Please move it to kata cli and use a new device type to describe the ephemeral storage in container config.

[harche]

@bergwolf Need some clarification so just to make sure we are on the same page.

When you say to use a new DeviceType, do you mean the one declared here - https://github.com/kata-containers/runtime/blob/master/virtcontainers/device/config/config.go#L19 ?

Also, you suggested using container config to describe the storage. Staying within the cli package I could imagine the new device can be added at this point, https://github.com/kata-containers/runtime/blob/master/cli/create.go#L261 (by appending to contConfig.DeviceInfos). Because after that point the code jumps into the virtcontainer library.

Coming back to the DeviceType, it's used in the driver implementations in virtcontainer library https://github.com/kata-containers/runtime/tree/master/virtcontainers/device/drivers

All the uses of the DeviceType including its declaration are in virtcontainers only. So this isn't helping us taking the code away from virtcontainers and putting it in cli package.

To me, this seems like an overkill to implement all those methods in those drivers when we aren't even going to use any real device from the host.

Maybe I am missing something, would you like to elaborate more on what you have in mind here?

[bergwolf]

Yes, your understand is correct. I asked for it because this is the device/storage model of virtcontainers. We want all devices/storage to follow the same flow. ephemeral is just another storage. I don't think we should make it a special case and handle it differently.

Besides, IsEphemeralStroage is totally bound to k8s. You cannot create an ephemeral storage unless the source path has strict k8s empty dir pattern. That is not flexible at all. We want a generic API that one can create ephemeral storage with any source path. In fact, for ephemeral storage, the source path should not matter at all.

[harche]

@bergwolf The current code in this PR which uses pb.Storage.Mountpoint is implemented as per our discussion here, #61 (comment)

I think the only thing we should address here is to remove the strong coupling with kubernetes. If we somehow are able to detect if the given path is for the ephemeral storage without having to explicitly depend upon kubernetes specific paths then we should be good.

What if we loop over the container mounts, and match with the /proc/mounts of the host to see if that path is backed by tmpfs? If it is, then I think we can safely assume it's for ephemeral storage. This will remove our dependency on k8s specific paths.

A typical characteristic of an ephemeral storage would be,

1. A directory on the host (may or may not be backed by tmpfs)
2. This directory is bind mounted to all the containers of the same pod so that they can share the data.

@bergwolf @egernst @amshinde @WeiZhang555 @jodh-intel

[bergwolf]

The current code in this PR which uses pb.Storage.Mountpoint is implemented as per our discussion here, #61 (comment)

That comment only describes the fact that the tmpfs storage is already supported by the agent grpc protocol. You have done a great job to implement it in kata agent. But the runtime PR does not satisfy the virtcontainer API we would like to merge.

At the runtime API level, we want an explicit API to let callers specify a tmpfs storage and its mountpoint. It can be a better workaround to check /proc/mounts for tmpfs storage, but again, the detection needs to be done at the kata cli level and the virtcontainers API need to be explicit about using a tmpfs storage, instead of trying to do the auto-detection internally.

IOW, what you did is an API change and we need to be explicit about using a tmpfs storage.

[WeiZhang555]

@harche

A typical characteristic of an ephemeral storage would be,

1. A directory on the host (may or may not be backed by tmpfs)
2. This directory is bind mounted to all the containers of the same pod so that they can share the data.

I wonder if this is a trusted detection point, I think ephemeral storage has another difference with normal tmpfs storage that a normal tmpfs storage DOES allow you to share contents between host and guest but ephemeral storage DOESN'T .

So if user wants to share host contents with all containers in pod and this volume happens to base on tmpfs(I think this is also valid use case), the case could be broken.

[sboeuf]

Trying to catch up here, and trying to summarize, we don't have a reliable way to detect this specific use case, right ?
The reason being: a volume backed by tmpfs could be either a directory with some data the host want to share with the container, or an ephemeral volume that is an empty directory.

What about checking both the tmpfs and the content of the source path provided ?

Now that being said, I realize that ephemeral volume support in Kata Containers is more an improvement thing since it's already supported if two containers link to the same ephemeral volume on the host via 9p, right @harche ?
Following this, do we really need this "improvement" since it seems to me that we'll have to rely on strong assumptions to detect the case ?

[harche]

We use ephemeral volumes regularly for sharing the data between containers of the pod (especially between init and regular containers). Some of the applications are sensitive to the security and this is where we would love to use kata in our kubernetes environment for the added isolation it provides. With upcoming techonologies like Intel's TME and MKTME, IBM Ultravisor or AMD memory encryption we can take the isolation provided by kata to the next level.

Using those technologies you will be able to encrypt the memory pages of the guest, this is where this patch will enable kata to play a crucial role in providing the strongest isolation any runtime can provide for security sensitive kubernetes workloads. Since you will place the ephemeral volume inside the guest, which in turn has encrypted memory pages, even a compromised host won't be able to read the data containers are sharing between them.

I strongly believe this work aligns with the kata's mission to provide the more secure environment for the container workloads.

@WeiZhang555 @bergwolf @sboeuf @amshinde

[sboeuf]

Thanks for the explanation @harche. This makes sense to support this case, but it's annoying that is something we have to detect based on the path name (as mentioned by @WeiZhang555)

[bergwolf]

teststorage is not a good variable name :)

[harche]

:) sorry. I will clean it and update the patch.

[amshinde]

@harche Are ephemeral volumes meant to be shared, that is created once for the sandbox and bind-mounted by the rest of the containers?

[harche]

@amshinde Yes.

[WeiZhang555]

I don't feel very good about this "improvement" though it can be useful in K8S scenarios.
All the judgement of "ephemeral volumes" is based on the file path which is not a really good decision, this is extremely customized code and isn't generic at all, even after move the code from virtcontainers/ to cli/.
I'm leaning to -1 on this, unless we find a better way to detect ephemeral volume

[harche]

Edited subject to work in progress since we are yet to arrive at the consensus.

[harche]

What happened here? it says merged?

[grahamwhaley]

I think that 'merged' a little way down the thread was for a PR that referenced this one. This one now says 'closed', by you @harche .

[harche]

We use ephemeral volumes regularly for sharing the data between containers of the pod (especially between init and regular containers). Some of the applications are sensitive to the security and this is where we would love to use kata in our kubernetes environment for the added isolation it provides. With upcoming techonologies like Intel's TME and MKTME, IBM Ultravisor or AMD memory encryption we can take the isolation provided by kata to the next level.

Using those technologies you will be able to encrypt the memory pages of the guest, this is where this patch will enable kata to play a crucial role in providing the strongest isolation any runtime can provide for security sensitive kubernetes workloads. Since you will place the ephemeral volume inside the guest, which in turn has encrypted memory pages, even a compromised host won't be able to read the data containers are sharing between them.

I strongly believe this work aligns with the kata's mission to provide the more secure environment for the container workloads.

@WeiZhang555 @bergwolf @sboeuf @amshinde @jodh-intel

[harche]

@bergwolf I have moved ephemeral volume detection to cli package. Let me know what do you think.

[katabuilder]

PSS Measurement:
Qemu: 159832 KB
Proxy: 6715 KB
Shim: 8945 KB

Memory inside container:
Total Memory: 2045972 KB
Free Memory: 1996880 KB

[bergwolf]

Please define the new device type in device/config/config.go, and compare m.Source with devInfo.ContainerPath instead.

And for epheVol, you don't need to put it in the shared mounts. Let me explain how it works:

1. on kata cli side, add a device to container config, where devinfo.type is epheVol, and a Mount to container config, where m.Source == devinfo.ContainerPath
2. in kata runtime, skip epheVol by NOT adding it to sharedMounts
3. in kata_agent.go, create tmpfs storage where its mountpoint is devinfo.ContainerPath

This would follow the same storage/device devinfo semantics as other types of devices/storages.

[bergwolf]

Thanks for the update! It looks good overall. Just one comment inline.

[bergwolf]

IIUC you need "/ephemeralPath/" + filepath.Base(devInfo.ContainerPath) here, to match line 744 below?

[harche]

Thanks for pointing that out. Turns out I was looping over a wrong slice. Instead of looping over ociSpec.Mounts I was looping over newMounts. The reason it worked during testing because I kept the source path intact, which meant it created a path like, /var/lib/kubelet/pods/366c3a75-4869-11e8-b479-507b9ddd5ce4/volumes/kubernetes.io~empty-dir/cache-volume inside a VM.

I will update the PR with the fix.

[WeiZhang555]

I'll mark this as "need change" in case we forget and merge it in accidently.

[katacontainersbot]

PSS Measurement:
Qemu: 145911 KB
Proxy: 4712 KB
Shim: 8848 KB

Memory inside container:
Total Memory: 2045972 KB
Free Memory: 2007308 KB

[harche]

@WeiZhang555 @sboeuf @bergwolf I have updated the PR

[harche]

Removing [WIP] from the title.

[sboeuf]

s/TestIsEphemeralStroage/TestIsEphemeralStorage/

[sboeuf]

Please define a global variable for kubernetes.io~empty-dir

[sboeuf]

I don't like this kind of syntax, it's not really Go friendly.

[sboeuf]

In order to avoid the goto here, please use something like this:

                loopOver := false
                for _, devInfo := range c.config.DeviceInfos {
			if devInfo.DevType == "e" && devInfo.ContainerPath == m.Source {
				// We are not going to bind mount host ephemeral directory
				// provided by k8s, instead at later stage we are going to
				// create a tmpfs inside a VM and use it to bind mount to the
				// containers of the pod.
				loopOver = true
                                break
			}
		}

                if loopOver {
                            continue
                }

[sboeuf]

Thanks @harche ! LGTM

[sboeuf]

@WeiZhang555 please give it another review !

[amshinde]

If the Base guaranteed to be unique here? If not, I would append this with a randomly generated string to make sure there are no conflicts.

[harche]

Yes, the Base is guaranteed to be unique. In k8s ephemeral volume is defined by,

  volumes:
  - name: cache-volume
    emptyDir:
      medium: "Memory"

In the pod yaml.

The Base comes from name of the volume which is unique within the pod (which in the example above would be cache-volume)

[amshinde]

LGTM overall.
Thanks @harche!

You will need to refactor the code introduced in createContainer and mountSharedDirMounts in separate functions to reduce the cyclomatic complexity. Static checks are failing right now. You will then need to rebase on master to fix a CI issue we had recently.

[katacontainersbot]

PSS Measurement:
Qemu: 144210 KB
Proxy: 4737 KB
Shim: 8776 KB

Memory inside container:
Total Memory: 2045972 KB
Free Memory: 2007308 KB

[harche]

@amshinde code in mountSharedDirMounts already has the cyclomatic complexity of 15 (without my changes). Any new condition will bump it to 16 and above (15 is the cut off right now). I need to have at least one if condition there to decide if that mount source should be skipped or not.

For createContainer too cyclomatic complexity is at 15 without my changes, so this is too on the edge.

Probably I have to refactor beyond my changes.

[WeiZhang555]

The "ephemeral device" design is still weird to me, because it's a fake device, there's no real device type associated with it and it's not even related to device, it's only about "Mount".

@bergwolf I know you suggested this design, I am thinking to just use "Mount" info instead of adding a "Device" type.
For example, from client side, it modify the ephemeral mount to new Mount:

Mount {
"Source": "/var/lib/kubelet/pods/366c3a75-4869-11e8-b479-507b9ddd5ce4/volumes/kubernetes.io~empty-dir/cache-volume",
"Destination": "/container/ephemeral",
"Type": "ephemeral",
}

Then it will be translated into a grpcStorage:

grpc.Storage{
 				Driver:     kataEphemeralDevType,
 				Source:     "tmpfs",
 				Fstype:     "tmpfs",
 				MountPoint: filepath.Join(ephemeralPath, filepath.Base(mount.Source)),
 			}

and a modified OCI spec with modified Mount field to kata-agent as:

Mount {
"Source": filepath.Join(ephemeralPath, filepath.Base(mount.Source)),,
"Destination": "/container/ephemeral",
"Type": "bind",
}

So we can omit a fake device type, instead we introduce a new fake storage type "ephemeral" similar to "tmpfs" or "proc".
My suggestion isn't about saving code lines, it's just because I think the fake device type looks weird and easily confuse users.

What do you think? I didn't try but I think the new design could work. @bergwolf @harche

resolved

[sboeuf]

I like the proposal @WeiZhang555. I think using Storage in this case is a better option than Device.

[bergwolf]

@WeiZhang555 It feels weird because Storage was renamed to Device :)

The main reason I suggested the device description instead of relying only on container Mounts is that there is no sandbox level storage structure that can describe a storage without a real device. There is much in common between storage and device and there is also subtle difference. If we want to exclude fake devices from the device infrastructure, we need a storage structure to allow proper tracking of those storages w/o real devices at the sandbox level.

IWO, we either treat storage the same as device and allow fake devices, or we define storage and device separately and clearly.

For ephemeral storage, your proposal does work and it is actually what @harche did in the first place. But still, it misses a sandbox level description. If we ever want to check for ephemeral storage sharing, we have to iterate through all containers' config in the sandbox.

If we choose to exclude storage w/o real devices from the device handling infrastructure, we need to at least file an issue to say so and that we will add the missing storage abstraction at sandbox level. And then this PR can move forward with your proposal and @harche's original implementation.

[tallclair]

Sorry I'm late to the party, but I think I can provide a bit more context on the Kubernetes side. Long term, the CRI will need to change to really support this case (I've started those conversations, but AFAIK there hasn't been any progress). Without the full k8s support, I have a few concerns with pushing forward with this approach:

• Using tmpfs means that writes to the emptyDir volume will consume pod memory. How is this memory accounted? We don't yet have a notion of pod overhead, so I don't think there's a way to reserve memory for these volumes. An alternative approach is to use a block or "image device" (I'm don't know the correct terminology) that provides disk-backed storage that is opaque to the host.
• How does this interact non-emptyDir volume types that delegate to the emptydir volume handler? This includes: secrets, configmaps, projected, gitRepo, downwardAPI
• We'll eventually want to treat the container's writeable layer the same way (opaque to the host)

Considering all this, I think this should be configureable, and maybe treated as an experimental feature (have per-pod opt-in, as well as a runtime-level configuration to enable it). This also solves the issue of whether the filepath to the volume could ever change, since that could be part of the config.

That was a bit of a ramble, but hopefully it helps. I'm very excited about this feature, thanks for working on it!

[WeiZhang555]

@tallclair 's suggestion is valuable, I think make this configurable is a good idea, we can configure the K8S "ephemeral" volume pattern into the configure file in case the ephemeral volume path changed in higher version of K8S.

[harche]

For people following this issue, I have created a PR that doesn't use devices - #458

[harche]

@tallclair Ephemeral volumes will consume the memory allocated for pod VM. But attaching the block storage to provision ephemeral volumes defeats the main motivation to have this feature in first place. I have explained in this, #307 (comment), in detail on why we need to make sure the ephemeral volume that we provisioned needs to remain in VM memory.

TLDR; Upcoming memory encryption technologies allow us to encrypt VM pages and gaurd against a compromised host from reading that memory. We inject our ephemeral volume in that VM memory so that even a compromised host can't read what containers of that pod are sharing with each other.

[sboeuf]

Replaced by #458, this can be closed.

[tallclair]

@harche couldn't the attached block storage just be encrypted? That said, I think we're currently very far away from being able to protect VM pods running a compromised node, and it will only be possible by taking a holistic look at Kubernetes, possibly rethinking some fundamental concepts. I'm not sure it's worth designing individual features for this use case without the full picture, and I'm worried this is the security equivalent of premature optimization (premature hardening?).