diff --git a/go.mod b/go.mod index 14f5071775d..43bf3b46f4c 100644 --- a/go.mod +++ b/go.mod @@ -36,11 +36,11 @@ require ( k8s.io/api v0.30.3 k8s.io/apimachinery v0.30.3 k8s.io/client-go v12.0.0+incompatible - k8s.io/cloud-provider v0.30.2 + k8s.io/cloud-provider v0.30.3 k8s.io/klog/v2 v2.130.1 - k8s.io/kubernetes v1.30.2 - k8s.io/mount-utils v0.30.2 - k8s.io/pod-security-admission v0.30.2 + k8s.io/kubernetes v1.30.3 + k8s.io/mount-utils v0.30.3 + k8s.io/pod-security-admission v0.30.3 k8s.io/utils v0.0.0-20230726121419-3b25d923346b sigs.k8s.io/controller-runtime v0.18.4 ) @@ -172,11 +172,11 @@ require ( gopkg.in/yaml.v2 v2.4.0 // indirect gopkg.in/yaml.v3 v3.0.1 // indirect k8s.io/apiextensions-apiserver v0.30.1 // indirect - k8s.io/apiserver v0.30.2 // indirect - k8s.io/component-base v0.30.2 // indirect - k8s.io/component-helpers v0.30.2 // indirect - k8s.io/controller-manager v0.30.2 // indirect - k8s.io/kms v0.30.2 // indirect + k8s.io/apiserver v0.30.3 // indirect + k8s.io/component-base v0.30.3 // indirect + k8s.io/component-helpers v0.30.3 // indirect + k8s.io/controller-manager v0.30.3 // indirect + k8s.io/kms v0.30.3 // indirect k8s.io/kube-openapi v0.0.0-20240228011516-70dd3763d340 // indirect k8s.io/kubectl v0.0.0 // indirect k8s.io/kubelet v0.0.0 // indirect @@ -204,35 +204,35 @@ replace ( // // k8s.io/kubernetes depends on these k8s.io packages, but unversioned // - k8s.io/api => k8s.io/api v0.30.2 - k8s.io/apiextensions-apiserver => k8s.io/apiextensions-apiserver v0.30.2 - k8s.io/apimachinery => k8s.io/apimachinery v0.30.2 - k8s.io/apiserver => k8s.io/apiserver v0.30.2 - k8s.io/cli-runtime => k8s.io/cli-runtime v0.30.2 - k8s.io/client-go => k8s.io/client-go v0.30.2 - k8s.io/cloud-provider => k8s.io/cloud-provider v0.30.2 - k8s.io/cluster-bootstrap => k8s.io/cluster-bootstrap v0.30.2 - k8s.io/code-generator => k8s.io/code-generator v0.30.2 - k8s.io/component-base => k8s.io/component-base v0.30.2 - k8s.io/component-helpers => k8s.io/component-helpers v0.30.2 - k8s.io/controller-manager => k8s.io/controller-manager v0.30.2 - k8s.io/cri-api => k8s.io/cri-api v0.30.2 - k8s.io/csi-translation-lib => k8s.io/csi-translation-lib v0.30.2 - k8s.io/dynamic-resource-allocation => k8s.io/dynamic-resource-allocation v0.30.2 - k8s.io/endpointslice => k8s.io/endpointslice v0.30.2 - k8s.io/kube-aggregator => k8s.io/kube-aggregator v0.30.2 - k8s.io/kube-controller-manager => k8s.io/kube-controller-manager v0.30.2 - k8s.io/kube-proxy => k8s.io/kube-proxy v0.30.2 - k8s.io/kube-scheduler => k8s.io/kube-scheduler v0.30.2 - k8s.io/kubectl => k8s.io/kubectl v0.30.2 - k8s.io/kubelet => k8s.io/kubelet v0.30.2 - k8s.io/legacy-cloud-providers => k8s.io/legacy-cloud-providers v0.30.2 - k8s.io/metrics => k8s.io/metrics v0.30.2 + k8s.io/api => k8s.io/api v0.30.3 + k8s.io/apiextensions-apiserver => k8s.io/apiextensions-apiserver v0.30.3 + k8s.io/apimachinery => k8s.io/apimachinery v0.30.3 + k8s.io/apiserver => k8s.io/apiserver v0.30.3 + k8s.io/cli-runtime => k8s.io/cli-runtime v0.30.3 + k8s.io/client-go => k8s.io/client-go v0.30.3 + k8s.io/cloud-provider => k8s.io/cloud-provider v0.30.3 + k8s.io/cluster-bootstrap => k8s.io/cluster-bootstrap v0.30.3 + k8s.io/code-generator => k8s.io/code-generator v0.30.3 + k8s.io/component-base => k8s.io/component-base v0.30.3 + k8s.io/component-helpers => k8s.io/component-helpers v0.30.3 + k8s.io/controller-manager => k8s.io/controller-manager v0.30.3 + k8s.io/cri-api => k8s.io/cri-api v0.30.3 + k8s.io/csi-translation-lib => k8s.io/csi-translation-lib v0.30.3 + k8s.io/dynamic-resource-allocation => k8s.io/dynamic-resource-allocation v0.30.3 + k8s.io/endpointslice => k8s.io/endpointslice v0.30.3 + k8s.io/kube-aggregator => k8s.io/kube-aggregator v0.30.3 + k8s.io/kube-controller-manager => k8s.io/kube-controller-manager v0.30.3 + k8s.io/kube-proxy => k8s.io/kube-proxy v0.30.3 + k8s.io/kube-scheduler => k8s.io/kube-scheduler v0.30.3 + k8s.io/kubectl => k8s.io/kubectl v0.30.3 + k8s.io/kubelet => k8s.io/kubelet v0.30.3 + k8s.io/legacy-cloud-providers => k8s.io/legacy-cloud-providers v0.30.3 + k8s.io/metrics => k8s.io/metrics v0.30.3 // TODO: replace with latest once https://github.com/ceph/ceph-csi/issues/4633 is fixed k8s.io/mount-utils => k8s.io/mount-utils v0.29.3 - k8s.io/pod-security-admission => k8s.io/pod-security-admission v0.30.2 - k8s.io/sample-apiserver => k8s.io/sample-apiserver v0.30.2 + k8s.io/pod-security-admission => k8s.io/pod-security-admission v0.30.3 + k8s.io/sample-apiserver => k8s.io/sample-apiserver v0.30.3 // layeh.com seems to be misbehaving layeh.com/radius => github.com/layeh/radius v0.0.0-20190322222518-890bc1058917 ) diff --git a/go.sum b/go.sum index 149c794f52d..0ff025dea96 100644 --- a/go.sum +++ b/go.sum @@ -2552,27 +2552,27 @@ honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt honnef.co/go/tools v0.0.1-2020.1.3/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k= honnef.co/go/tools v0.0.1-2020.1.4/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k= honnef.co/go/tools v0.1.3/go.mod h1:NgwopIslSNH47DimFoV78dnkksY2EFtX0ajyb3K/las= -k8s.io/api v0.30.2 h1:+ZhRj+28QT4UOH+BKznu4CBgPWgkXO7XAvMcMl0qKvI= -k8s.io/api v0.30.2/go.mod h1:ULg5g9JvOev2dG0u2hig4Z7tQ2hHIuS+m8MNZ+X6EmI= -k8s.io/apiextensions-apiserver v0.30.2 h1:l7Eue2t6QiLHErfn2vwK4KgF4NeDgjQkCXtEbOocKIE= -k8s.io/apiextensions-apiserver v0.30.2/go.mod h1:lsJFLYyK40iguuinsb3nt+Sj6CmodSI4ACDLep1rgjw= -k8s.io/apimachinery v0.30.2 h1:fEMcnBj6qkzzPGSVsAZtQThU62SmQ4ZymlXRC5yFSCg= -k8s.io/apimachinery v0.30.2/go.mod h1:iexa2somDaxdnj7bha06bhb43Zpa6eWH8N8dbqVjTUc= -k8s.io/apiserver v0.30.2 h1:ACouHiYl1yFI2VFI3YGM+lvxgy6ir4yK2oLOsLI1/tw= -k8s.io/apiserver v0.30.2/go.mod h1:BOTdFBIch9Sv0ypSEcUR6ew/NUFGocRFNl72Ra7wTm8= -k8s.io/client-go v0.30.2 h1:sBIVJdojUNPDU/jObC+18tXWcTJVcwyqS9diGdWHk50= -k8s.io/client-go v0.30.2/go.mod h1:JglKSWULm9xlJLx4KCkfLLQ7XwtlbflV6uFFSHTMgVs= -k8s.io/cloud-provider v0.30.2 h1:yov6r02v7sMUNNvzEz51LtL2krn2c1wsC+dy/8BxKQI= -k8s.io/cloud-provider v0.30.2/go.mod h1:w69t2dSjDtI9BYK6SEqj6HmMKIojEk08fXRoUzjFN2I= -k8s.io/code-generator v0.30.2/go.mod h1:RQP5L67QxqgkVquk704CyvWFIq0e6RCMmLTXxjE8dVA= -k8s.io/component-base v0.30.2 h1:pqGBczYoW1sno8q9ObExUqrYSKhtE5rW3y6gX88GZII= -k8s.io/component-base v0.30.2/go.mod h1:yQLkQDrkK8J6NtP+MGJOws+/PPeEXNpwFixsUI7h/OE= -k8s.io/component-helpers v0.30.2 h1:kDMYLiWEYeWU7H6jBI+Ua1i2hqNh0DzqDHNIppFC3po= -k8s.io/component-helpers v0.30.2/go.mod h1:tI0anfS6AbRqooaICkGg7UVAQLedOauVSQW9srDBnJw= -k8s.io/controller-manager v0.30.2 h1:tC7V7IdGUW2I4de3bXx4m2fS3naP7VlCYlECCajK9fU= -k8s.io/controller-manager v0.30.2/go.mod h1:CYltIHGhCgldEkXT5vS2JHCCWM1WyBI4kA2UfP9cZvY= -k8s.io/csi-translation-lib v0.30.2 h1:ZcFVMWDHg7feW3mtdl+xClgmw1Yxv7m9ysOKt8h3K8Y= -k8s.io/csi-translation-lib v0.30.2/go.mod h1:jFT8vquP6eSDUwDHk0mKT6uKFWlZp60ecUEUhmlGsOY= +k8s.io/api v0.30.3 h1:ImHwK9DCsPA9uoU3rVh4QHAHHK5dTSv1nxJUapx8hoQ= +k8s.io/api v0.30.3/go.mod h1:GPc8jlzoe5JG3pb0KJCSLX5oAFIW3/qNJITlDj8BH04= +k8s.io/apiextensions-apiserver v0.30.3 h1:oChu5li2vsZHx2IvnGP3ah8Nj3KyqG3kRSaKmijhB9U= +k8s.io/apiextensions-apiserver v0.30.3/go.mod h1:uhXxYDkMAvl6CJw4lrDN4CPbONkF3+XL9cacCT44kV4= +k8s.io/apimachinery v0.30.3 h1:q1laaWCmrszyQuSQCfNB8cFgCuDAoPszKY4ucAjDwHc= +k8s.io/apimachinery v0.30.3/go.mod h1:iexa2somDaxdnj7bha06bhb43Zpa6eWH8N8dbqVjTUc= +k8s.io/apiserver v0.30.3 h1:QZJndA9k2MjFqpnyYv/PH+9PE0SHhx3hBho4X0vE65g= +k8s.io/apiserver v0.30.3/go.mod h1:6Oa88y1CZqnzetd2JdepO0UXzQX4ZnOekx2/PtEjrOg= +k8s.io/client-go v0.30.3 h1:bHrJu3xQZNXIi8/MoxYtZBBWQQXwy16zqJwloXXfD3k= +k8s.io/client-go v0.30.3/go.mod h1:8d4pf8vYu665/kUbsxWAQ/JDBNWqfFeZnvFiVdmx89U= +k8s.io/cloud-provider v0.30.3 h1:SNWZmllTymOTzIPJuhtZH6il/qVi75dQARRQAm9k6VY= +k8s.io/cloud-provider v0.30.3/go.mod h1:Ax0AVdHnM7tMYnJH1Ycy4SMBD98+4zA+tboUR9eYsY8= +k8s.io/code-generator v0.30.3/go.mod h1:PFgBiv+miFV7TZYp+RXgROkhA+sWYZ+mtpbMLofMke8= +k8s.io/component-base v0.30.3 h1:Ci0UqKWf4oiwy8hr1+E3dsnliKnkMLZMVbWzeorlk7s= +k8s.io/component-base v0.30.3/go.mod h1:C1SshT3rGPCuNtBs14RmVD2xW0EhRSeLvBh7AGk1quA= +k8s.io/component-helpers v0.30.3 h1:KPc8l0eGx9Wg2OcKc58k9ozNcVcOInAi3NGiuS2xJ/c= +k8s.io/component-helpers v0.30.3/go.mod h1:VOQ7g3q+YbKWwKeACG2BwPv4ftaN8jXYJ5U3xpzuYAE= +k8s.io/controller-manager v0.30.3 h1:QRFGkWWD5gi/KCSU0qxyUoZRbt+BKgiCUXiTD1RO95w= +k8s.io/controller-manager v0.30.3/go.mod h1:F95rjHCOH2WwV9XlVxRo71CtddKLhF3FzE+s1lc7E/0= +k8s.io/csi-translation-lib v0.30.3 h1:wBaPWnOi14/vANRIrp8pmbdx/Pgz2QRcroH7wkodezc= +k8s.io/csi-translation-lib v0.30.3/go.mod h1:3AizNZbDttVDH1RO0x1yGEQP74e9Xbfb60IBP1oWO1o= k8s.io/gengo v0.0.0-20210813121822-485abfe95c7c/go.mod h1:FiNAH4ZV3gBg2Kwh89tzAEV2be7d5xI0vBa/VySYy3E= k8s.io/gengo/v2 v2.0.0-20240228010128-51d4e06bde70/go.mod h1:VH3AT8AaQOqiGjMF9p0/IM1Dj+82ZwjfxUP1IxaHE+8= k8s.io/klog v0.3.0/go.mod h1:Gq+BEi5rUBO/HRz0bTSXDUcqjScdoY3a9IHpCEIOOfk= @@ -2583,22 +2583,22 @@ k8s.io/klog/v2 v2.80.1/go.mod h1:y1WjHnz7Dj687irZUWR/WLkLc5N1YHtjLdmgWjndZn0= k8s.io/klog/v2 v2.120.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE= k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk= k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE= -k8s.io/kms v0.30.2 h1:VSZILO/tkzrz5Tu2j+yFQZ2Dc5JerQZX2GqhFJbQrfw= -k8s.io/kms v0.30.2/go.mod h1:GrMurD0qk3G4yNgGcsCEmepqf9KyyIrTXYR2lyUOJC4= +k8s.io/kms v0.30.3 h1:NLg+oN45S2Y3U0WiLRzbS61AY/XrS5JBMZp531Z+Pho= +k8s.io/kms v0.30.3/go.mod h1:GrMurD0qk3G4yNgGcsCEmepqf9KyyIrTXYR2lyUOJC4= k8s.io/kube-openapi v0.0.0-20180731170545-e3762e86a74c/go.mod h1:BXM9ceUBTj2QnfH2MK1odQs778ajze1RxcmP6S8RVVc= k8s.io/kube-openapi v0.0.0-20221012153701-172d655c2280/go.mod h1:+Axhij7bCpeqhklhUTe3xmOn6bWxolyZEeyaFpjGtl4= k8s.io/kube-openapi v0.0.0-20240228011516-70dd3763d340 h1:BZqlfIlq5YbRMFko6/PM7FjZpUb45WallggurYhKGag= k8s.io/kube-openapi v0.0.0-20240228011516-70dd3763d340/go.mod h1:yD4MZYeKMBwQKVht279WycxKyM84kkAx2DPrTXaeb98= -k8s.io/kubectl v0.30.2 h1:cgKNIvsOiufgcs4yjvgkK0+aPCfa8pUwzXdJtkbhsH8= -k8s.io/kubectl v0.30.2/go.mod h1:rz7GHXaxwnigrqob0lJsiA07Df8RE3n1TSaC2CTeuB4= -k8s.io/kubelet v0.30.2 h1:Ck4E/pHndI20IzDXxS57dElhDGASPO5pzXF7BcKfmCY= -k8s.io/kubelet v0.30.2/go.mod h1:DSwwTbLQmdNkebAU7ypIALR4P9aXZNFwgRmedojUE94= -k8s.io/kubernetes v1.30.2 h1:11WhS78OYX/lnSy6TXxPO6Hk+E5K9ZNrEsk9JgMSX8I= -k8s.io/kubernetes v1.30.2/go.mod h1:yPbIk3MhmhGigX62FLJm+CphNtjxqCvAIFQXup6RKS0= +k8s.io/kubectl v0.30.3 h1:YIBBvMdTW0xcDpmrOBzcpUVsn+zOgjMYIu7kAq+yqiI= +k8s.io/kubectl v0.30.3/go.mod h1:IcR0I9RN2+zzTRUa1BzZCm4oM0NLOawE6RzlDvd1Fpo= +k8s.io/kubelet v0.30.3 h1:KvGWDdhzD0vEyDyGTCjsDc8D+0+lwRMw3fJbfQgF7ys= +k8s.io/kubelet v0.30.3/go.mod h1:D9or45Vkzcqg55CEiqZ8dVbwP3Ksj7DruEVRS9oq3Ys= +k8s.io/kubernetes v1.30.3 h1:A0qoXI1YQNzrQZiff33y5zWxYHFT/HeZRK98/sRDJI0= +k8s.io/kubernetes v1.30.3/go.mod h1:yPbIk3MhmhGigX62FLJm+CphNtjxqCvAIFQXup6RKS0= k8s.io/mount-utils v0.29.3 h1:iEcqPP7Vv8UClH8nnMfovtmy/04fIloRW9JuSXykoZ0= k8s.io/mount-utils v0.29.3/go.mod h1:9IWJTMe8tG0MYMLEp60xK9GYVeCdA3g4LowmnVi+t9Y= -k8s.io/pod-security-admission v0.30.2 h1:UlHnkvvOr+rgQplOqD+SHzLUF8EgKIOCpDU8kaMeTQQ= -k8s.io/pod-security-admission v0.30.2/go.mod h1:gMUJUG9zOgNBk0VIz5BS7uIYiYPEoXkBSeHh6rG2m8c= +k8s.io/pod-security-admission v0.30.3 h1:UDGZWR3ry/XrN/Ki/w7qrp49OwgQsKyh+6xWbexvJi8= +k8s.io/pod-security-admission v0.30.3/go.mod h1:T1EQSOLl9YyDMnXNJfsq2jeci6uoymY0mrRkkKihd98= k8s.io/utils v0.0.0-20190506122338-8fab8cb257d5/go.mod h1:sZAwmy6armz5eXlNoLmJcl4F1QuKu7sr+mFQ0byX7Ew= k8s.io/utils v0.0.0-20210802155522-efc7438f0176/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA= k8s.io/utils v0.0.0-20221128185143-99ec85e7a448/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= diff --git a/internal/cephfs/nodeserver.go b/internal/cephfs/nodeserver.go index cfeefa0bd67..9b46e846cc6 100644 --- a/internal/cephfs/nodeserver.go +++ b/internal/cephfs/nodeserver.go @@ -151,7 +151,7 @@ func maybeUnlockFileEncryption( } defer ioctx.Destroy() - res, err := ioctx.LockExclusive(volOptions.VolID, lockName, lockCookie, lockDesc, lockDuration, &flags) + res, err := ioctx.LockExclusive(string(volID), lockName, lockCookie, lockDesc, lockDuration, &flags) if res != 0 { switch res { case -int(syscall.EBUSY): diff --git a/internal/csi-addons/rbd/identity.go b/internal/csi-addons/rbd/identity.go index 749d708bd0e..6a8cbfe67cb 100644 --- a/internal/csi-addons/rbd/identity.go +++ b/internal/csi-addons/rbd/identity.go @@ -114,6 +114,12 @@ func (is *IdentityServer) GetCapabilities( Type: identity.Capability_VolumeGroup_LIMIT_VOLUME_TO_ONE_VOLUME_GROUP, }, }, + }, &identity.Capability{ + Type: &identity.Capability_VolumeGroup_{ + VolumeGroup: &identity.Capability_VolumeGroup{ + Type: identity.Capability_VolumeGroup_MODIFY_VOLUME_GROUP, + }, + }, }) } diff --git a/internal/csi-addons/rbd/volumegroup.go b/internal/csi-addons/rbd/volumegroup.go index 9844c93c465..e96831b5d54 100644 --- a/internal/csi-addons/rbd/volumegroup.go +++ b/internal/csi-addons/rbd/volumegroup.go @@ -18,6 +18,7 @@ package rbd import ( "context" + "slices" "github.com/ceph/ceph-csi/internal/rbd" "github.com/ceph/ceph-csi/internal/rbd/types" @@ -215,3 +216,150 @@ func (vs *VolumeGroupServer) DeleteVolumeGroup( return &volumegroup.DeleteVolumeGroupResponse{}, nil } + +// ModifyVolumeGroupMembership RPC call to modify a volume group. +// +// From the spec: +// This RPC will be called by the CO to modify an existing volume group on +// behalf of a user. volume_ids provided in the +// ModifyVolumeGroupMembershipRequest will be compared to the ones in the +// existing volume group. New volume_ids in the modified volume group will be +// added to the volume group. Existing volume_ids not in the modified volume +// group will be removed from the volume group. If volume_ids is empty, the +// volume group will be removed of all existing volumes. This operation MUST be +// idempotent. +// +// File-based storage systems usually do not support this PRC. Block-based +// storage systems usually support this PRC. +// +// By adding an existing volume to a group, however, there is no way to pass in +// parameters to influence placement when provisioning a volume. +// +// It is out of the scope of the CSI spec to determine whether a group is +// consistent or not. It is up to the storage provider to clarify that in the +// vendor specific documentation. This is true either when creating a new +// volume with a group id or adding an existing volume to a group. +// +// CSI drivers supporting MODIFY_VOLUME_GROUP_MEMBERSHIP MUST implement +// ModifyVolumeGroupMembership RPC. +// +// Note: +// +// The implementation works as the following: +// - resolve the existing volume group +// - get the CSI-IDs of all volumes +// - create a list of volumes that should be removed +// - create a list of volume IDs that should be added +// - remove the volumes from the group +// - add the volumes to the group +// +// Also, MODIFY_VOLUME_GROUP_MEMBERSHIP does not exist, it is called +// MODIFY_VOLUME_GROUP instead. +func (vs *VolumeGroupServer) ModifyVolumeGroupMembership( + ctx context.Context, + req *volumegroup.ModifyVolumeGroupMembershipRequest, +) (*volumegroup.ModifyVolumeGroupMembershipResponse, error) { + mgr := rbd.NewManager(vs.csiID, nil, req.GetSecrets()) + defer mgr.Destroy(ctx) + + // resolve the volume group + vg, err := mgr.GetVolumeGroupByID(ctx, req.GetVolumeGroupId()) + if err != nil { + return nil, status.Errorf( + codes.NotFound, + "could not find volume group %q: %s", + req.GetVolumeGroupId(), + err.Error()) + } + defer vg.Destroy(ctx) + + beforeVolumes, err := vg.ListVolumes(ctx) + if err != nil { + return nil, status.Errorf( + codes.Internal, + "failed to list volumes of volume group %q: %v", + vg, + err) + } + + // beforeIDs contains the csiID as key, volume as value + beforeIDs := make(map[string]types.Volume, len(beforeVolumes)) + for _, vol := range beforeVolumes { + id, idErr := vol.GetID(ctx) + if idErr != nil { + return nil, status.Errorf( + codes.InvalidArgument, + "failed to get the CSI ID of volume %q: %v", + vol, + err) + } + + beforeIDs[id] = vol + } + + // check which volumes should not be part of the group + afterIDs := req.GetVolumeIds() + toRemove := make([]string, 0) + for id := range beforeIDs { + if !slices.Contains(afterIDs, id) { + toRemove = append(toRemove, id) + } + } + + // check which volumes are new to the group + toAdd := make([]string, 0) + for _, id := range afterIDs { + if _, ok := beforeIDs[id]; !ok { + toAdd = append(toAdd, id) + } + } + + // remove the volume that should not be part of the group + for _, id := range toRemove { + vol := beforeIDs[id] + err = vg.RemoveVolume(ctx, vol) + if err != nil { + return nil, status.Errorf( + codes.Internal, + "failed to remove volume %q from volume group %q: %v", + vol, + vg, + err) + } + } + + // add the new volumes to the group + for _, id := range toAdd { + vol, getErr := mgr.GetVolumeByID(ctx, id) + if getErr != nil { + return nil, status.Errorf( + codes.NotFound, + "failed to find a volume with CSI ID %q: %v", + id, + err) + } + + err = vg.AddVolume(ctx, vol) + if err != nil { + return nil, status.Errorf( + codes.Internal, + "failed to add volume %q to volume group %q: %v", + vol, + vg, + err) + } + } + + csiVG, err := vg.ToCSI(ctx) + if err != nil { + return nil, status.Errorf( + codes.Internal, + "failed to convert volume group %q to CSI format: %v", + vg, + err) + } + + return &volumegroup.ModifyVolumeGroupMembershipResponse{ + VolumeGroup: csiVG, + }, nil +} diff --git a/internal/rbd/manager.go b/internal/rbd/manager.go index 50e278ce63a..48b5130d9bb 100644 --- a/internal/rbd/manager.go +++ b/internal/rbd/manager.go @@ -192,7 +192,7 @@ func (mgr *rbdManager) CreateVolumeGroup(ctx context.Context, name string) (type } var uuid string - if vgData != nil && vgData.GroupName != "" { + if vgData != nil && vgData.GroupUUID != "" { uuid = vgData.GroupUUID } else { log.DebugLog(ctx, "the journal does not contain a reservation for a volume group with name %q yet", name) diff --git a/vendor/k8s.io/kubernetes/pkg/securitycontext/util.go b/vendor/k8s.io/kubernetes/pkg/securitycontext/util.go index 5895df0c718..28771b6df27 100644 --- a/vendor/k8s.io/kubernetes/pkg/securitycontext/util.go +++ b/vendor/k8s.io/kubernetes/pkg/securitycontext/util.go @@ -188,7 +188,7 @@ func AddNoNewPrivileges(sc *v1.SecurityContext) bool { var ( // These *must* be kept in sync with moby/moby. - // https://github.com/moby/moby/blob/master/oci/defaults.go#L105-L123 + // https://github.com/moby/moby/blob/master/oci/defaults.go#L105-L124 // @jessfraz will watch changes to those files upstream. defaultMaskedPaths = []string{ "/proc/asound", @@ -201,6 +201,7 @@ var ( "/proc/sched_debug", "/proc/scsi", "/sys/firmware", + "/sys/devices/virtual/powercap", } defaultReadonlyPaths = []string{ "/proc/bus", diff --git a/vendor/k8s.io/kubernetes/pkg/util/filesystem/defaultfs.go b/vendor/k8s.io/kubernetes/pkg/util/filesystem/defaultfs.go index 39673a95899..ef99bd3bc46 100644 --- a/vendor/k8s.io/kubernetes/pkg/util/filesystem/defaultfs.go +++ b/vendor/k8s.io/kubernetes/pkg/util/filesystem/defaultfs.go @@ -72,9 +72,8 @@ func (fs *DefaultFs) Rename(oldpath, newpath string) error { return os.Rename(oldpath, newpath) } -// MkdirAll via os.MkdirAll func (fs *DefaultFs) MkdirAll(path string, perm os.FileMode) error { - return os.MkdirAll(fs.prefix(path), perm) + return MkdirAll(fs.prefix(path), perm) } // MkdirAllWithPathCheck checks if path exists already. If not, it creates a directory @@ -97,7 +96,7 @@ func MkdirAllWithPathCheck(path string, perm os.FileMode) error { return fmt.Errorf("path %v exists but is not a directory", path) } // If existence of path not known, attempt to create it. - if err := os.MkdirAll(path, perm); err != nil { + if err := MkdirAll(path, perm); err != nil { return err } return nil diff --git a/vendor/k8s.io/kubernetes/pkg/util/filesystem/util_unix.go b/vendor/k8s.io/kubernetes/pkg/util/filesystem/util_unix.go index 863deb0f9cc..bb7fad9e851 100644 --- a/vendor/k8s.io/kubernetes/pkg/util/filesystem/util_unix.go +++ b/vendor/k8s.io/kubernetes/pkg/util/filesystem/util_unix.go @@ -37,6 +37,16 @@ func IsUnixDomainSocket(filePath string) (bool, error) { return true, nil } +// Chmod is the same as os.Chmod on Linux. +func Chmod(name string, mode os.FileMode) error { + return os.Chmod(name, mode) +} + +// MkdirAll is the same as os.MkdirAll on Linux. +func MkdirAll(path string, perm os.FileMode) error { + return os.MkdirAll(path, perm) +} + // IsAbs is same as filepath.IsAbs on Unix. func IsAbs(path string) bool { return filepath.IsAbs(path) diff --git a/vendor/k8s.io/kubernetes/pkg/util/filesystem/util_windows.go b/vendor/k8s.io/kubernetes/pkg/util/filesystem/util_windows.go index 459477d36e7..5cdc586d61e 100644 --- a/vendor/k8s.io/kubernetes/pkg/util/filesystem/util_windows.go +++ b/vendor/k8s.io/kubernetes/pkg/util/filesystem/util_windows.go @@ -29,6 +29,8 @@ import ( "k8s.io/apimachinery/pkg/util/wait" "k8s.io/klog/v2" + + "golang.org/x/sys/windows" ) const ( @@ -88,6 +90,160 @@ func IsUnixDomainSocket(filePath string) (bool, error) { return true, nil } +// On Windows os.Mkdir all doesn't set any permissions so call the Chown function below to set +// permissions once the directory is created. +func MkdirAll(path string, perm os.FileMode) error { + klog.V(6).InfoS("Function MkdirAll starts", "path", path, "perm", perm) + err := os.MkdirAll(path, perm) + if err != nil { + return fmt.Errorf("Error creating directory %s: %v", path, err) + } + + err = Chmod(path, perm) + if err != nil { + return fmt.Errorf("Error setting permissions for directory %s: %v", path, err) + } + + return nil +} + +const ( + // These aren't defined in the syscall package for Windows :( + USER_READ = 0x100 + USER_WRITE = 0x80 + USER_EXECUTE = 0x40 + GROUP_READ = 0x20 + GROUP_WRITE = 0x10 + GROUP_EXECUTE = 0x8 + OTHERS_READ = 0x4 + OTHERS_WRITE = 0x2 + OTHERS_EXECUTE = 0x1 + USER_ALL = USER_READ | USER_WRITE | USER_EXECUTE + GROUP_ALL = GROUP_READ | GROUP_WRITE | GROUP_EXECUTE + OTHERS_ALL = OTHERS_READ | OTHERS_WRITE | OTHERS_EXECUTE +) + +// On Windows os.Chmod only sets the read-only flag on files, so we need to use Windows APIs to set the desired access on files / directories. +// The OWNER mode will set file permissions for the file owner SID, the GROUP mode will set file permissions for the file group SID, +// and the OTHERS mode will set file permissions for BUILTIN\Users. +// Please note that Windows containers can be run as one of two user accounts; ContainerUser or ContainerAdministrator. +// Containers run as ContainerAdministrator will inherit permissions from BUILTIN\Administrators, +// while containers run as ContainerUser will inherit permissions from BUILTIN\Users. +// Windows containers do not have the ability to run as a custom user account that is known to the host so the OTHERS group mode +// is used to grant / deny permissions of files on the hosts to the ContainerUser account. +func Chmod(path string, filemode os.FileMode) error { + klog.V(6).InfoS("Function Chmod starts", "path", path, "filemode", filemode) + // Get security descriptor for the file + sd, err := windows.GetNamedSecurityInfo( + path, + windows.SE_FILE_OBJECT, + windows.DACL_SECURITY_INFORMATION|windows.PROTECTED_DACL_SECURITY_INFORMATION|windows.OWNER_SECURITY_INFORMATION|windows.GROUP_SECURITY_INFORMATION) + if err != nil { + return fmt.Errorf("Error getting security descriptor for file %s: %v", path, err) + } + + // Get owner SID from the security descriptor for assigning USER permissions + owner, _, err := sd.Owner() + if err != nil { + return fmt.Errorf("Error getting owner SID for file %s: %v", path, err) + } + ownerString := owner.String() + + // Get the group SID from the security descriptor for assigning GROUP permissions + group, _, err := sd.Group() + if err != nil { + return fmt.Errorf("Error getting group SID for file %s: %v", path, err) + } + groupString := group.String() + + mask := uint32(windows.ACCESS_MASK(filemode)) + + // Build a new Discretionary Access Control List (DACL) with the desired permissions using + //the Security Descriptor Definition Language (SDDL) format. + // https://learn.microsoft.com/windows/win32/secauthz/security-descriptor-definition-language + // the DACL is a list of Access Control Entries (ACEs) where each ACE represents the permissions (Allow or Deny) for a specific SID. + // Each ACE has the following format: + // (AceType;AceFlags;Rights;ObjectGuid;InheritObjectGuid;AccountSid) + // We can leave ObjectGuid and InheritObjectGuid empty for our purposes. + + dacl := "D:" + + // build the owner ACE + dacl += "(A;OICI;" + if mask&USER_ALL == USER_ALL { + dacl += "FA" + } else { + if mask&USER_READ == USER_READ { + dacl += "FR" + } + if mask&USER_WRITE == USER_WRITE { + dacl += "FW" + } + if mask&USER_EXECUTE == USER_EXECUTE { + dacl += "FX" + } + } + dacl += ";;;" + ownerString + ")" + + // Build the group ACE + dacl += "(A;OICI;" + if mask&GROUP_ALL == GROUP_ALL { + dacl += "FA" + } else { + if mask&GROUP_READ == GROUP_READ { + dacl += "FR" + } + if mask&GROUP_WRITE == GROUP_WRITE { + dacl += "FW" + } + if mask&GROUP_EXECUTE == GROUP_EXECUTE { + dacl += "FX" + } + } + dacl += ";;;" + groupString + ")" + + // Build the others ACE + dacl += "(A;OICI;" + if mask&OTHERS_ALL == OTHERS_ALL { + dacl += "FA" + } else { + if mask&OTHERS_READ == OTHERS_READ { + dacl += "FR" + } + if mask&OTHERS_WRITE == OTHERS_WRITE { + dacl += "FW" + } + if mask&OTHERS_EXECUTE == OTHERS_EXECUTE { + dacl += "FX" + } + } + dacl += ";;;BU)" + + klog.V(6).InfoS("Setting new DACL for path", "path", path, "dacl", dacl) + + // create a new security descriptor from the DACL string + newSD, err := windows.SecurityDescriptorFromString(dacl) + if err != nil { + return fmt.Errorf("Error creating new security descriptor from DACL string: %v", err) + } + + // get the DACL in binary format from the newly created security descriptor + newDACL, _, err := newSD.DACL() + if err != nil { + return fmt.Errorf("Error getting DACL from new security descriptor: %v", err) + } + + // Write the new security descriptor to the file + return windows.SetNamedSecurityInfo( + path, + windows.SE_FILE_OBJECT, + windows.DACL_SECURITY_INFORMATION|windows.PROTECTED_DACL_SECURITY_INFORMATION, + nil, // owner SID + nil, // group SID + newDACL, + nil) // SACL +} + // IsAbs returns whether the given path is absolute or not. // On Windows, filepath.IsAbs will not return True for paths prefixed with a slash, even // though they can be used as absolute paths (https://docs.microsoft.com/en-us/dotnet/standard/io/file-path-formats). diff --git a/vendor/k8s.io/kubernetes/test/utils/image/manifest.go b/vendor/k8s.io/kubernetes/test/utils/image/manifest.go index 65691f6f065..9fae113f477 100644 --- a/vendor/k8s.io/kubernetes/test/utils/image/manifest.go +++ b/vendor/k8s.io/kubernetes/test/utils/image/manifest.go @@ -237,7 +237,7 @@ func initImageConfigs(list RegistryList) (map[ImageID]Config, map[ImageID]Config configs[BusyBox] = Config{list.PromoterE2eRegistry, "busybox", "1.36.1-1"} configs[CudaVectorAdd] = Config{list.PromoterE2eRegistry, "cuda-vector-add", "1.0"} configs[CudaVectorAdd2] = Config{list.PromoterE2eRegistry, "cuda-vector-add", "2.3"} - configs[DistrolessIptables] = Config{list.BuildImageRegistry, "distroless-iptables", "v0.5.5"} + configs[DistrolessIptables] = Config{list.BuildImageRegistry, "distroless-iptables", "v0.5.6"} configs[Etcd] = Config{list.GcEtcdRegistry, "etcd", "3.5.12-0"} configs[Httpd] = Config{list.PromoterE2eRegistry, "httpd", "2.4.38-4"} configs[HttpdNew] = Config{list.PromoterE2eRegistry, "httpd", "2.4.39-4"} diff --git a/vendor/modules.txt b/vendor/modules.txt index 1ffec3c15a4..b689b27b510 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt @@ -990,7 +990,7 @@ k8s.io/api/storage/v1 k8s.io/api/storage/v1alpha1 k8s.io/api/storage/v1beta1 k8s.io/api/storagemigration/v1alpha1 -# k8s.io/apiextensions-apiserver v0.30.1 => k8s.io/apiextensions-apiserver v0.30.2 +# k8s.io/apiextensions-apiserver v0.30.1 => k8s.io/apiextensions-apiserver v0.30.3 ## explicit; go 1.22.0 k8s.io/apiextensions-apiserver/pkg/apis/apiextensions k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1 @@ -1059,7 +1059,7 @@ k8s.io/apimachinery/pkg/watch k8s.io/apimachinery/third_party/forked/golang/json k8s.io/apimachinery/third_party/forked/golang/netutil k8s.io/apimachinery/third_party/forked/golang/reflect -# k8s.io/apiserver v0.30.2 => k8s.io/apiserver v0.30.2 +# k8s.io/apiserver v0.30.3 => k8s.io/apiserver v0.30.3 ## explicit; go 1.22.0 k8s.io/apiserver/pkg/admission k8s.io/apiserver/pkg/admission/configuration @@ -1207,7 +1207,7 @@ k8s.io/apiserver/plugin/pkg/audit/webhook k8s.io/apiserver/plugin/pkg/authenticator/token/webhook k8s.io/apiserver/plugin/pkg/authorizer/webhook k8s.io/apiserver/plugin/pkg/authorizer/webhook/metrics -# k8s.io/client-go v12.0.0+incompatible => k8s.io/client-go v0.30.2 +# k8s.io/client-go v12.0.0+incompatible => k8s.io/client-go v0.30.3 ## explicit; go 1.22.0 k8s.io/client-go/applyconfigurations/admissionregistration/v1 k8s.io/client-go/applyconfigurations/admissionregistration/v1alpha1 @@ -1541,7 +1541,7 @@ k8s.io/client-go/util/homedir k8s.io/client-go/util/keyutil k8s.io/client-go/util/retry k8s.io/client-go/util/workqueue -# k8s.io/cloud-provider v0.30.2 => k8s.io/cloud-provider v0.30.2 +# k8s.io/cloud-provider v0.30.3 => k8s.io/cloud-provider v0.30.3 ## explicit; go 1.22.0 k8s.io/cloud-provider k8s.io/cloud-provider/app/config @@ -1556,7 +1556,7 @@ k8s.io/cloud-provider/names k8s.io/cloud-provider/options k8s.io/cloud-provider/volume k8s.io/cloud-provider/volume/helpers -# k8s.io/component-base v0.30.2 => k8s.io/component-base v0.30.2 +# k8s.io/component-base v0.30.3 => k8s.io/component-base v0.30.3 ## explicit; go 1.22.0 k8s.io/component-base/cli/flag k8s.io/component-base/config @@ -1579,13 +1579,13 @@ k8s.io/component-base/metrics/testutil k8s.io/component-base/tracing k8s.io/component-base/tracing/api/v1 k8s.io/component-base/version -# k8s.io/component-helpers v0.30.2 => k8s.io/component-helpers v0.30.2 +# k8s.io/component-helpers v0.30.3 => k8s.io/component-helpers v0.30.3 ## explicit; go 1.22.0 k8s.io/component-helpers/node/util/sysctl k8s.io/component-helpers/scheduling/corev1 k8s.io/component-helpers/scheduling/corev1/nodeaffinity k8s.io/component-helpers/storage/volume -# k8s.io/controller-manager v0.30.2 => k8s.io/controller-manager v0.30.2 +# k8s.io/controller-manager v0.30.3 => k8s.io/controller-manager v0.30.3 ## explicit; go 1.22.0 k8s.io/controller-manager/config k8s.io/controller-manager/config/v1 @@ -1608,7 +1608,7 @@ k8s.io/klog/v2/internal/severity k8s.io/klog/v2/internal/sloghandler k8s.io/klog/v2/internal/verbosity k8s.io/klog/v2/textlogger -# k8s.io/kms v0.30.2 +# k8s.io/kms v0.30.3 ## explicit; go 1.22.0 k8s.io/kms/apis/v1beta1 k8s.io/kms/apis/v2 @@ -1635,15 +1635,15 @@ k8s.io/kube-openapi/pkg/validation/errors k8s.io/kube-openapi/pkg/validation/spec k8s.io/kube-openapi/pkg/validation/strfmt k8s.io/kube-openapi/pkg/validation/strfmt/bson -# k8s.io/kubectl v0.0.0 => k8s.io/kubectl v0.30.2 +# k8s.io/kubectl v0.0.0 => k8s.io/kubectl v0.30.3 ## explicit; go 1.22.0 k8s.io/kubectl/pkg/scale k8s.io/kubectl/pkg/util/podutils -# k8s.io/kubelet v0.0.0 => k8s.io/kubelet v0.30.2 +# k8s.io/kubelet v0.0.0 => k8s.io/kubelet v0.30.3 ## explicit; go 1.22.0 k8s.io/kubelet/pkg/apis k8s.io/kubelet/pkg/apis/stats/v1alpha1 -# k8s.io/kubernetes v1.30.2 +# k8s.io/kubernetes v1.30.3 ## explicit; go 1.22.0 k8s.io/kubernetes/pkg/api/legacyscheme k8s.io/kubernetes/pkg/api/service @@ -1708,10 +1708,10 @@ k8s.io/kubernetes/test/utils k8s.io/kubernetes/test/utils/format k8s.io/kubernetes/test/utils/image k8s.io/kubernetes/test/utils/kubeconfig -# k8s.io/mount-utils v0.30.2 => k8s.io/mount-utils v0.29.3 +# k8s.io/mount-utils v0.30.3 => k8s.io/mount-utils v0.29.3 ## explicit; go 1.21 k8s.io/mount-utils -# k8s.io/pod-security-admission v0.30.2 => k8s.io/pod-security-admission v0.30.2 +# k8s.io/pod-security-admission v0.30.3 => k8s.io/pod-security-admission v0.30.3 ## explicit; go 1.22.0 k8s.io/pod-security-admission/api k8s.io/pod-security-admission/policy @@ -1799,31 +1799,31 @@ sigs.k8s.io/yaml/goyaml.v2 # github.com/prometheus/client_golang => github.com/prometheus/client_golang v1.18.0 # github.com/prometheus/common => github.com/prometheus/common v0.47.0 # gomodules.xyz/jsonpatch/v2 => github.com/gomodules/jsonpatch/v2 v2.2.0 -# k8s.io/api => k8s.io/api v0.30.2 -# k8s.io/apiextensions-apiserver => k8s.io/apiextensions-apiserver v0.30.2 -# k8s.io/apimachinery => k8s.io/apimachinery v0.30.2 -# k8s.io/apiserver => k8s.io/apiserver v0.30.2 -# k8s.io/cli-runtime => k8s.io/cli-runtime v0.30.2 -# k8s.io/client-go => k8s.io/client-go v0.30.2 -# k8s.io/cloud-provider => k8s.io/cloud-provider v0.30.2 -# k8s.io/cluster-bootstrap => k8s.io/cluster-bootstrap v0.30.2 -# k8s.io/code-generator => k8s.io/code-generator v0.30.2 -# k8s.io/component-base => k8s.io/component-base v0.30.2 -# k8s.io/component-helpers => k8s.io/component-helpers v0.30.2 -# k8s.io/controller-manager => k8s.io/controller-manager v0.30.2 -# k8s.io/cri-api => k8s.io/cri-api v0.30.2 -# k8s.io/csi-translation-lib => k8s.io/csi-translation-lib v0.30.2 -# k8s.io/dynamic-resource-allocation => k8s.io/dynamic-resource-allocation v0.30.2 -# k8s.io/endpointslice => k8s.io/endpointslice v0.30.2 -# k8s.io/kube-aggregator => k8s.io/kube-aggregator v0.30.2 -# k8s.io/kube-controller-manager => k8s.io/kube-controller-manager v0.30.2 -# k8s.io/kube-proxy => k8s.io/kube-proxy v0.30.2 -# k8s.io/kube-scheduler => k8s.io/kube-scheduler v0.30.2 -# k8s.io/kubectl => k8s.io/kubectl v0.30.2 -# k8s.io/kubelet => k8s.io/kubelet v0.30.2 -# k8s.io/legacy-cloud-providers => k8s.io/legacy-cloud-providers v0.30.2 -# k8s.io/metrics => k8s.io/metrics v0.30.2 +# k8s.io/api => k8s.io/api v0.30.3 +# k8s.io/apiextensions-apiserver => k8s.io/apiextensions-apiserver v0.30.3 +# k8s.io/apimachinery => k8s.io/apimachinery v0.30.3 +# k8s.io/apiserver => k8s.io/apiserver v0.30.3 +# k8s.io/cli-runtime => k8s.io/cli-runtime v0.30.3 +# k8s.io/client-go => k8s.io/client-go v0.30.3 +# k8s.io/cloud-provider => k8s.io/cloud-provider v0.30.3 +# k8s.io/cluster-bootstrap => k8s.io/cluster-bootstrap v0.30.3 +# k8s.io/code-generator => k8s.io/code-generator v0.30.3 +# k8s.io/component-base => k8s.io/component-base v0.30.3 +# k8s.io/component-helpers => k8s.io/component-helpers v0.30.3 +# k8s.io/controller-manager => k8s.io/controller-manager v0.30.3 +# k8s.io/cri-api => k8s.io/cri-api v0.30.3 +# k8s.io/csi-translation-lib => k8s.io/csi-translation-lib v0.30.3 +# k8s.io/dynamic-resource-allocation => k8s.io/dynamic-resource-allocation v0.30.3 +# k8s.io/endpointslice => k8s.io/endpointslice v0.30.3 +# k8s.io/kube-aggregator => k8s.io/kube-aggregator v0.30.3 +# k8s.io/kube-controller-manager => k8s.io/kube-controller-manager v0.30.3 +# k8s.io/kube-proxy => k8s.io/kube-proxy v0.30.3 +# k8s.io/kube-scheduler => k8s.io/kube-scheduler v0.30.3 +# k8s.io/kubectl => k8s.io/kubectl v0.30.3 +# k8s.io/kubelet => k8s.io/kubelet v0.30.3 +# k8s.io/legacy-cloud-providers => k8s.io/legacy-cloud-providers v0.30.3 +# k8s.io/metrics => k8s.io/metrics v0.30.3 # k8s.io/mount-utils => k8s.io/mount-utils v0.29.3 -# k8s.io/pod-security-admission => k8s.io/pod-security-admission v0.30.2 -# k8s.io/sample-apiserver => k8s.io/sample-apiserver v0.30.2 +# k8s.io/pod-security-admission => k8s.io/pod-security-admission v0.30.3 +# k8s.io/sample-apiserver => k8s.io/sample-apiserver v0.30.3 # layeh.com/radius => github.com/layeh/radius v0.0.0-20190322222518-890bc1058917