Merge pull request #381 from chrishenzie/enforce-node-publish

Enforce SINGLE_NODE_SINGLE_WRITER access mode in NodePublishVolume

Author: k8s-ci-robot

pkg/hostpath/nodeserver.go

@@ -31,10 +31,13 @@ import (
 	"k8s.io/utils/mount"
 )
 
-const TopologyKeyNode = "topology.hostpath.csi/node"
+const (
+	TopologyKeyNode = "topology.hostpath.csi/node"
 
-func (hp *hostPath) NodePublishVolume(ctx context.Context, req *csi.NodePublishVolumeRequest) (*csi.NodePublishVolumeResponse, error) {
+	failedPreconditionAccessModeConflict = "volume uses SINGLE_NODE_SINGLE_WRITER access mode and is already mounted at a different target path"
+)
 
+func (hp *hostPath) NodePublishVolume(ctx context.Context, req *csi.NodePublishVolumeRequest) (*csi.NodePublishVolumeResponse, error) {
 	// Check arguments
 	if req.GetVolumeCapability() == nil {
 		return nil, status.Error(codes.InvalidArgument, "Volume capability missing in request")
@@ -60,6 +63,8 @@ func (hp *hostPath) NodePublishVolume(ctx context.Context, req *csi.NodePublishV
 	hp.mutex.Lock()
 	defer hp.mutex.Unlock()
 
+	mounter := mount.New("")
+
 	// if ephemeral is specified, create volume here to avoid errors
 	if ephemeralVolume {
 		volID := req.GetVolumeId()
@@ -80,6 +85,10 @@ func (hp *hostPath) NodePublishVolume(ctx context.Context, req *csi.NodePublishV
 		return nil, status.Error(codes.NotFound, err.Error())
 	}
 
+	if hasSingleNodeSingleWriterAccessMode(req) && isMountedElsewhere(req, vol) {
+		return nil, status.Error(codes.FailedPrecondition, failedPreconditionAccessModeConflict)
+	}
+
 	if !ephemeralVolume {
 		if vol.Staged.Empty() {
 			return nil, status.Errorf(codes.FailedPrecondition, "volume %q must be staged before publishing", vol.VolID)
@@ -102,8 +111,6 @@ func (hp *hostPath) NodePublishVolume(ctx context.Context, req *csi.NodePublishV
 			return nil, fmt.Errorf("failed to get the loop device: %w", err)
 		}
 
-		mounter := mount.New("")
-
 		// Check if the target path exists. Create if not present.
 		_, err = os.Lstat(targetPath)
 		if os.IsNotExist(err) {
@@ -130,15 +137,15 @@ func (hp *hostPath) NodePublishVolume(ctx context.Context, req *csi.NodePublishV
 		}
 
 		options := []string{"bind"}
-		if err := mount.New("").Mount(loopDevice, targetPath, "", options); err != nil {
+		if err := mounter.Mount(loopDevice, targetPath, "", options); err != nil {
 			return nil, fmt.Errorf("failed to mount block device: %s at %s: %w", loopDevice, targetPath, err)
 		}
 	} else if req.GetVolumeCapability().GetMount() != nil {
 		if vol.VolAccessType != state.MountAccess {
 			return nil, status.Error(codes.InvalidArgument, "cannot publish a non-mount volume as mount volume")
 		}
 
-		notMnt, err := mount.IsNotMountPoint(mount.New(""), targetPath)
+		notMnt, err := mount.IsNotMountPoint(mounter, targetPath)
 		if err != nil {
 			if os.IsNotExist(err) {
 				if err = os.Mkdir(targetPath, 0750); err != nil {
@@ -173,7 +180,6 @@ func (hp *hostPath) NodePublishVolume(ctx context.Context, req *csi.NodePublishV
 		if readOnly {
 			options = append(options, "ro")
 		}
-		mounter := mount.New("")
 		path := hp.getVolumePath(volumeId)
 
 		if err := mounter.Mount(path, targetPath, "", options); err != nil {
@@ -522,3 +528,21 @@ func makeFile(pathname string) error {
 	}
 	return nil
 }
+
+// hasSingleNodeSingleWriterAccessMode checks if the publish request uses the
+// SINGLE_NODE_SINGLE_WRITER access mode.
+func hasSingleNodeSingleWriterAccessMode(req *csi.NodePublishVolumeRequest) bool {
+	accessMode := req.GetVolumeCapability().GetAccessMode()
+	return accessMode != nil && accessMode.GetMode() == csi.VolumeCapability_AccessMode_SINGLE_NODE_SINGLE_WRITER
+}
+
+// isMountedElsewhere checks if the volume to publish is mounted elsewhere on
+// the node.
+func isMountedElsewhere(req *csi.NodePublishVolumeRequest, vol state.Volume) bool {
+	for _, targetPath := range vol.Published {
+		if targetPath != req.GetTargetPath() {
+			return true
+		}
+	}
+	return false
+}