make 'podman play kube' set local volume mounts

[ikke-t]

Is this a BUG REPORT or FEATURE REQUEST? (leave only one on its own line)

/kind feature

Description

Currently, podman play kube fails to create any kind of persistent pods. Which in case of e.g. database is important. Please add handling for hostPath type of volumes, e.g:

  containers:
   ...
    volumeMounts:
    - mountPath: /var/lib/postgresql/data/pgdata
      name: db-volume
  volumes:
  - name: db-volume
    hostPath:
      # directory location on host
      path: /tmp/pg_data
      # this field is optional
      type: Directory

Podman should

1. recognize there is volumeMounts and hostPath sections
2. create the requested directory if missing (optional)
3. set selinux labels to it (:z or :Z -kind)
4. add the mount to requested mount points
5. do the rest of starting the container

This is already implemented in command line options, so probably just affects the play kube parsing.

Issue is related to this one, but does not require it: #2303. It would just help moving from command line definitions to yaml.

Steps to reproduce the issue:

1. Generate postgres.yml:

apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: "2019-03-03T12:10:26Z"
  labels:
    app: postgres
  name: postgres
spec:
  containers:
  - command:
    - docker-entrypoint.sh
    - postgres
    env:
    - name: PATH
      value: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/lib/postgresql/9.6/bin
    - name: TERM
      value: xterm
    - name: HOSTNAME
    - name: container
      value: podman
    - name: PG_VERSION
      value: 9.6.11-1.pgdg90+1
    - name: PGDATA
      value: /var/lib/postgresql/data/pgdata
    - name: POSTGRES_PASSWORD
      value: pg
    - name: POSTGRES_USER
      value: pg
    - name: POSTGRES_DB
      value: test
    - name: GOSU_VERSION
      value: "1.11"
    - name: LANG
      value: en_US.utf8
    - name: PG_MAJOR
      value: "9.6"
    image: docker.io/library/postgres:9.6
    name: postgres
    resources: {}
    securityContext:
      allowPrivilegeEscalation: true
      capabilities: {}
      privileged: false
      readOnlyRootFilesystem: false
    workingDir: /
    volumeMounts:
    - mountPath: /var/lib/postgresql/data/pgdata
      name: db-volume
  volumes:
  - name: db-volume
    hostPath:
      # directory location on host
      path: /tmp/pg_data
      # this field is optional
      type: Directory

2. sudo podman play kube postgres-volume.yml

3. verify mounts exist: sudo podman inspect postgres|less

Describe the results you received:

Currently it totally ignores those sections, no mounts get created.

Describe the results you expected:

Volume mounts to be in place, just like podman run -v would do.

Additional information you deem important (e.g. issue happens only occasionally):

Output of podman version:

[ikke@ohuska ~]$ podman version
Version:            1.2.0-dev
RemoteAPI Version:  1
Go Version:         go1.12
OS/Arch:            linux/amd64

[ikke@ohuska ~]$ rpm -qi podman
Name        : podman
Epoch       : 2
Version     : 1.2.0
Release     : 5.dev.git9adcda7.fc31
Architecture: x86_64
Install Date: Sun 03 Mar 2019 02:05:43 PM EET
Group       : Unspecified
Size        : 51676426
License     : ASL 2.0
Signature   : (none)
Source RPM  : podman-1.2.0-5.dev.git9adcda7.fc31.src.rpm
Build Date  : Sat 02 Mar 2019 07:29:35 AM EET
Build Host  : buildvm-28.phx2.fedoraproject.org
Relocations : (not relocatable)
Packager    : Fedora Project
Vendor      : Fedora Project
URL         : https://podman.io/
Bug URL     : https://bugz.fedoraproject.org/podman
Summary     : Manage Pods, Containers and Container Images
Description :
Manage Pods, Containers and Container Images
libpod provides a library for applications looking to use
the Container Pod concept popularized by Kubernetes.

Output of podman info --debug:

debug:
  compiler: gc
  git commit: ""
  go version: go1.12
  podman version: 1.2.0-dev
host:
  BuildahVersion: 1.7.1
  Conmon:
    package: podman-1.2.0-5.dev.git9adcda7.fc31.x86_64
    path: /usr/libexec/podman/conmon
    version: 'conmon version 1.12.0-dev, commit: 3e600fb5a3d38abd075757cce69b14c5c060bdb3'
  Distribution:        
    distribution: fedora
    version: "29"
  MemFree: 220405760          
  MemTotal: 8052445184          
  OCIRuntime:
    package: runc-1.0.0-68.dev.git6635b4f.fc29.x86_64
    path: /usr/bin/runc                            
    version: |-     
      runc version 1.0.0-rc6+dev
      commit: ef9132178ccc3d2775d4fb51f1e431f30cac1398-dirty
      spec: 1.0.1-dev
  SwapFree: 7713058816
  SwapTotal: 8199860224       
  arch: amd64
  cpus: 4                     
  hostname: ohuska.localdomain
  kernel: 4.20.6-200.fc29.x86_64
  os: linux                                             
  rootless: false
  uptime: 229h 44m 38.92s (Approximately 9.54 days)
insecure registries:      
  registries: []
registries:                                      
  registries:                                          
  - docker.io 
  - registry.fedoraproject.org
  - quay.io                     
  - registry.access.redhat.com
  - registry.centos.org    
store:       
  ConfigFile: /etc/containers/storage.conf
  ContainerStore:        
    number: 4                                                                                                                 
  GraphDriverName: overlay
  GraphOptions:    
  - overlay.mountopt=nodev               
  GraphRoot: /var/lib/containers/storage
  GraphStatus:
    Backing Filesystem: extfs
    Native Overlay Diff: "true"
    Supports d_type: "true"
    Using metacopy: "false"
  ImageStore:          
    number: 4
  RunRoot: /var/run/containers/storage                
  VolumePath: /var/lib/containers/storage/volumes

Additional environment details (AWS, VirtualBox, physical, etc.):

[rhatdan]

@haircommander Could you look into this.

[ikke-t]

@haircommander how should this work? It doesn't set the selinux stuff automatically, like with :z or :Z options:

sudo mkdir /tmp/pg_data
sudo chmod 777 /tmp/pg_data/
$ ls -laZ /tmp/pg_data/
total 0
drwxrwxrwx.  2 root root unconfined_u:object_r:user_tmp_t:s0  40 Mar  7 19:20 .
drwxrwxrwt. 17 root root system_u:object_r:tmp_t:s0          340 Mar  7 19:22 ..
$ sudo podman play kube postgres-volume.yml
a container exists with the same name (postgres) as the pod in your YAML file; changing pod name to postgres_pod
ae157ba0270190d270f38e46fc7dcf2dfd0ad8edaaf8309bad432b2f8a161ebd
db-volume
a7a0d09cb7d8fa5e11206f94307f1555d8a582c0710370d778d65e42420acb51
$  sudo podman logs a7a0d09cb7d8
chown: cannot read directory '/var/lib/postgresql/data/pgdata': Permission denied

[rhatdan]

Yes to make this work you would need to set the SELinux label on the file

chcon -t container_file_t /tmp/pgdata

Is there anything in the yaml to indicate whether or not the volume should be relabeled. Usually for builtin labels we relabel to a shared label.

label.Relabel(PATH, mount_label, true)

[rhatdan]

@haircommander ^^

[haircommander]

@rhatdan see #2575 (comment) for a discussion.

[ikke-t]

this was just discussed in irc, play kube needs a way to set selinux label to directory. It happens via

    volumeMounts:
    - mountPath: /var/lib/postgresql/data/pgdata:z

unless @haircommander just removed it.

[ikke-t]

if so, this ticket should be reopened, as long as selinux does not get set right, either :z or :Z

[tisc0]

#9371

[fulminemizzega]

Hello, I ended up here searching for podman play kube and selinux, right now (podman 3.4.4) podman play kube creates named volumes with a shared label, it makes sense because of this: #2575 (comment)
Docs https://docs.podman.io/en/latest/markdown/podman-play-kube.1.html instead only mention that "Note: hostPath volume types created by play kube will be given an SELinux private label (Z)". Today I was playing a bit with this with named volumes and as expected, a shared volume has a shared label:
drwxr-xr-x. 2 root root system_u:object_r:container_file_t:s0 6 Apr 10 15:34 test
Then, if I create a pod with a container with a private named volume (with :z), generate a kubernetes yaml, remove the pod and the test volume, use podman play kube, the new test volume has a shared label. I understand this message has become a mess, do you think any of this should be reported in another issue?

[rhatdan]

Yes please open a new issue for this.