Support ReadWriteOnceWithFSType fsGroupPolicy in CSI Driver for non-root user

YashwantGohokar · l-technicore · commit 5d9d3865fe39 · 2024-11-27T16:12:09.000+05:30
diff --git a/pkg/csi/driver/fss_node.go b/pkg/csi/driver/fss_node.go
@@ -36,7 +36,6 @@ import (
 )
 
 const (
-	mountPath                  = "mount"
 	FipsEnabled                = "1"
 	fssMountSemaphoreTimeout   = time.Second * 30
 	fssUnmountSemaphoreTimeout = time.Second * 30
@@ -91,7 +90,7 @@ func (d FSSNodeDriver) NodeStageVolume(ctx context.Context, req *csi.NodeStageVo
 		return nil, status.Errorf(codes.InvalidArgument, "EncryptInTransit must be a boolean value")
 	}
 
-	mounter := mount.New(mountPath)
+	mounter := mount.New("")
 
 	if encryptInTransit {
 		isPackageInstalled, err := csi_util.IsInTransitEncryptionPackageInstalled()
@@ -223,7 +222,7 @@ func (d FSSNodeDriver) NodePublishVolume(ctx context.Context, req *csi.NodePubli
 
 	var fsType = ""
 
-	mounter := mount.New(mountPath)
+	mounter := mount.New("")
 
 	targetPath := req.GetTargetPath()
 	readOnly := req.GetReadonly()
@@ -302,7 +301,7 @@ func (d FSSNodeDriver) NodeUnpublishVolume(ctx context.Context, req *csi.NodeUnp
 
 	logger := d.logger.With("volumeID", req.VolumeId, "targetPath", req.TargetPath)
 
-	mounter := mount.New(mountPath)
+	mounter := mount.New("")
 	targetPath := req.GetTargetPath()
 
 	// Use mount.IsNotMountPoint because mounter.IsLikelyNotMountPoint can't detect bind mounts
@@ -402,7 +401,7 @@ func (d FSSNodeDriver) NodeUnstageVolume(ctx context.Context, req *csi.NodeUnsta
 }
 
 func (d FSSNodeDriver) unmountAndCleanup(logger *zap.SugaredLogger, targetPath string, exportPath string, mountTargetIP string) error {
-	mounter := mount.New(mountPath)
+	mounter := mount.New("")
 	// Use mount.IsNotMountPoint because mounter.IsLikelyNotMountPoint can't detect bind mounts
 	isNotMountPoint, err := mount.IsNotMountPoint(mounter, targetPath)
 	if err != nil {
diff --git a/pkg/csi/driver/lustre_node.go b/pkg/csi/driver/lustre_node.go
@@ -17,6 +17,7 @@ import (
 )
 
 const (
+	mountPath        = "mount"
 	SetupLnet        = "setupLnet"
 	LustreSubnetCidr = "lustreSubnetCidr"
 )
diff --git a/test/e2e/cloud-provider-oci/fss_dynamic.go b/test/e2e/cloud-provider-oci/fss_dynamic.go
@@ -27,7 +27,7 @@ import (
 )
 
 const (
-	defaultExportOptionsJsonString = "[{\"source\":\"10.0.0.0/16\",\"requirePrivilegedSourcePort\":true,\"access\":\"READ_WRITE\",\"identitySquash\":\"NONE\",\"anonymousUid\":0,\"anonymousGid\":0},{\"source\":\"2603:c020:4015:2100::/56\",\"requirePrivilegedSourcePort\":false,\"access\":\"READ_WRITE\",\"identitySquash\":\"NONE\"},{\"source\":\"2603:c020:11:1500::/56\",\"requirePrivilegedSourcePort\":false,\"access\":\"READ_WRITE\",\"identitySquash\":\"NONE\"}]"
+	defaultExportOptionsJsonString = "[{\"source\":\"10.0.0.0/16\",\"requirePrivilegedSourcePort\":false,\"access\":\"READ_WRITE\",\"identitySquash\":\"NONE\",\"anonymousUid\":0,\"anonymousGid\":0},{\"source\":\"2603:c020:4015:2100::/56\",\"requirePrivilegedSourcePort\":false,\"access\":\"READ_WRITE\",\"identitySquash\":\"NONE\"},{\"source\":\"2603:c020:11:1500::/56\",\"requirePrivilegedSourcePort\":false,\"access\":\"READ_WRITE\",\"identitySquash\":\"NONE\"}]"
 )
 
 var _ = Describe("Dynamic FSS test in cluster compartment", func() {
@@ -685,3 +685,20 @@ var _ = Describe("Dynamic FSS test with immediate binding mode", func() {
 		})
 	})
 })
+
+var _ = Describe("Dynamic FSS test with ReadWriteOnce access mode", func() {
+	f := framework.NewDefaultFramework("fss-dynamic")
+
+	Context("[cloudprovider][storage][csi][fss][mtexist][rwo]", func() {
+		It("Create PVC and POD for CSI-FSS with RWO AccessMode ", func() {
+			scParameters := map[string]string{"availabilityDomain": setupF.AdLabel, "mountTargetOcid": setupF.MntTargetOcid, "exportOptions": defaultExportOptionsJsonString}
+			pvcJig := framework.NewPVCTestJig(f.ClientSet, "csi-rwo-fss-dyn-e2e-test")
+			scName := f.CreateStorageClassOrFail(f.Namespace.Name, framework.FssProvisionerType, scParameters, pvcJig.Labels, "Immediate", false, "Delete", nil)
+			f.StorageClasses = append(f.StorageClasses, scName)
+			pvcObject := pvcJig.CreateAndAwaitPVCOrFailDynamicFSS(f.Namespace.Name, "50Gi", scName, v1.ClaimBound, func(pvc *v1.PersistentVolumeClaim) {
+				pvc.Spec.AccessModes = []v1.PersistentVolumeAccessMode{"ReadWriteOnce"}
+			})
+			pvcJig.CheckSinglePodReadWrite(f.Namespace.Name, pvcObject.Name, false, []string{})
+		})
+	})
+})
diff --git a/test/e2e/cloud-provider-oci/fss_static.go b/test/e2e/cloud-provider-oci/fss_static.go
@@ -16,8 +16,10 @@ package e2e
 
 import (
 	"context"
+
 	. "github.com/onsi/ginkgo"
 	"github.com/oracle/oci-cloud-controller-manager/test/e2e/framework"
+	v1 "k8s.io/api/core/v1"
 	v12 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 
@@ -26,7 +28,7 @@ var _ = Describe("Basic Static FSS test", func() {
 	Context("[cloudprovider][storage][csi][fss][static]", func() {
 		It("Create PVC and POD for CSI-FSS", func() {
 			pvcJig := framework.NewPVCTestJig(f.ClientSet, "csi-fss-e2e-test")
-			pv := pvcJig.CreatePVorFailFSS(f.Namespace.Name, setupF.VolumeHandle, "false", []string{})
+			pv := pvcJig.CreatePVorFailFSS(f.Namespace.Name, setupF.VolumeHandle, "false", "ReadWriteMany", "", []string{})
 			pvc := pvcJig.CreateAndAwaitPVCOrFailStaticFSS(f.Namespace.Name, pv.Name, "50Gi", nil)
 			f.VolumeIds = append(f.VolumeIds, pvc.Spec.VolumeName)
 			pvcJig.CheckSinglePodReadWrite(f.Namespace.Name, pvc.Name, false, []string{})
@@ -50,7 +52,7 @@ var _ = Describe("Mount Options Static FSS test", func() {
 		It("Create PV PVC and POD for CSI-FSS with mount options", func() {
 			pvcJig := framework.NewPVCTestJig(f.ClientSet, "csi-fss-e2e-test")
 			mountOptions := []string{"sync", "hard", "noac", "nolock"}
-			pv := pvcJig.CreatePVorFailFSS(f.Namespace.Name, setupF.VolumeHandle, "false", mountOptions)
+			pv := pvcJig.CreatePVorFailFSS(f.Namespace.Name, setupF.VolumeHandle, "false", "ReadWriteMany", "", mountOptions)
 			pvc := pvcJig.CreateAndAwaitPVCOrFailStaticFSS(f.Namespace.Name, pv.Name, "50Gi", nil)
 			f.VolumeIds = append(f.VolumeIds, pvc.Spec.VolumeName)
 			pvcJig.CheckSinglePodReadWrite(f.Namespace.Name, pvc.Name, false, mountOptions)
@@ -69,7 +71,7 @@ var _ = Describe("Mount Options Static FSS test", func() {
 
 func TestEncryptionType(f *framework.CloudProviderFramework, mountOptions []string) {
 	pvcJig := framework.NewPVCTestJig(f.ClientSet, "csi-fss-e2e-test-intransit")
-	pv := pvcJig.CreatePVorFailFSS(f.Namespace.Name, setupF.VolumeHandle, "true", mountOptions)
+	pv := pvcJig.CreatePVorFailFSS(f.Namespace.Name, setupF.VolumeHandle, "true", "ReadWriteMany", "", mountOptions)
 	pvc := pvcJig.CreateAndAwaitPVCOrFailStaticFSS(f.Namespace.Name, pv.Name, "50Gi", nil)
 	f.VolumeIds = append(f.VolumeIds, pvc.Spec.VolumeName)
 	pvcJig.CheckSinglePodReadWrite(f.Namespace.Name, pvc.Name, true, mountOptions)
@@ -80,7 +82,7 @@ var _ = Describe("Multiple Pods Static FSS test", func() {
 	Context("[cloudprovider][storage][csi][fss][static]", func() {
 		It("Multiple Pods should be able to read write same file", func() {
 			pvcJig := framework.NewPVCTestJig(f.ClientSet, "csi-fss-e2e-test")
-			pv := pvcJig.CreatePVorFailFSS(f.Namespace.Name, setupF.VolumeHandle, "false", []string{})
+			pv := pvcJig.CreatePVorFailFSS(f.Namespace.Name, setupF.VolumeHandle, "false", "ReadWriteMany", "", []string{})
 			pvc := pvcJig.CreateAndAwaitPVCOrFailStaticFSS(f.Namespace.Name, pv.Name, "50Gi", nil)
 			f.VolumeIds = append(f.VolumeIds, pvc.Spec.VolumeName)
 			pvcJig.CheckMultiplePodReadWrite(f.Namespace.Name, pvc.Name, false)
@@ -89,7 +91,7 @@ var _ = Describe("Multiple Pods Static FSS test", func() {
 		It("Multiple Pods should be able to read write same file with InTransit encryption enabled", func() {
 			checkNodeAvailability(f)
 			pvcJig := framework.NewPVCTestJig(f.ClientSet, "csi-fss-e2e-test")
-			pv := pvcJig.CreatePVorFailFSS(f.Namespace.Name, setupF.VolumeHandle, "true", []string{})
+			pv := pvcJig.CreatePVorFailFSS(f.Namespace.Name, setupF.VolumeHandle, "true", "ReadWriteMany", "", []string{})
 			pvc := pvcJig.CreateAndAwaitPVCOrFailStaticFSS(f.Namespace.Name, pv.Name, "50Gi", nil)
 			f.VolumeIds = append(f.VolumeIds, pvc.Spec.VolumeName)
 			pvcJig.CheckMultiplePodReadWrite(f.Namespace.Name, pvc.Name, true)
@@ -114,3 +116,19 @@ func checkNodeAvailability(f *framework.CloudProviderFramework) {
 		Skip("Skipping test due to non-availability of nodes with label \"oke.oraclecloud.com/e2e.oci-fss-util\"")
 	}
 }
+
+var _ = Describe("Static FSS RWO Tests", func() {
+	f := framework.NewDefaultFramework("fss-rwo")
+	Context("[cloudprovider][storage][csi][fss][static][rwo]", func() {
+		It("Verify volume group ownership change for RWO volume when fsType and fsGroup are defined", func() {
+			pvcJig := framework.NewPVCTestJig(f.ClientSet, "csi-rwo-fss-e2e-test")
+			pv := pvcJig.CreatePVorFailFSS(f.Namespace.Name, setupF.VolumeHandle, "false", "ReadWriteOnce", "nfs", []string{})
+			pvc := pvcJig.CreateAndAwaitPVCOrFailStaticFSS(f.Namespace.Name, pv.Name, "50Gi", func(pvc *v1.PersistentVolumeClaim) {
+				pvc.Spec.AccessModes = []v1.PersistentVolumeAccessMode{"ReadWriteOnce"}
+			})
+			f.VolumeIds = append(f.VolumeIds, pvc.Spec.VolumeName)
+			pod := pvcJig.CreateAndAwaitNginxPodOrFail(f.Namespace.Name, pvc, WriteCommand)
+			pvcJig.CheckVolumeOwnership(f.Namespace.Name, pod, "/usr/share/nginx/html/", "1000")
+		})
+	})
+})
diff --git a/test/e2e/cloud-provider-oci/lustre_static.go b/test/e2e/cloud-provider-oci/lustre_static.go
@@ -44,14 +44,14 @@ var _ = Describe("Lustre Static", func() {
 
 			//FSS
 			fssPVCJig := framework.NewPVCTestJig(f.ClientSet, "csi-fss-e2e-test")
-			fssPV := fssPVCJig.CreatePVorFailFSS(f.Namespace.Name, setupF.VolumeHandle, "false", []string{})
+			fssPV := fssPVCJig.CreatePVorFailFSS(f.Namespace.Name, setupF.VolumeHandle, "false", "ReadWriteMany", "", []string{})
 			fssPVC := fssPVCJig.CreateAndAwaitPVCOrFailStaticFSS(f.Namespace.Name, fssPV.Name, "50Gi", nil)
 			f.VolumeIds = append(f.VolumeIds, fssPVC.Spec.VolumeName)
 
 			//LUSTRE
 			lusterPVCJig := framework.NewPVCTestJig(f.ClientSet, "csi-lustre-e2e-test")
 			pvVolumeAttributes := map[string]string{"lustreSubnetCidr": setupF.LustreSubnetCidr, "setupLnet": "true"}
- 			lustrePV := lusterPVCJig.CreatePVorFailLustre(f.Namespace.Name, setupF.LustreVolumeHandle, []string{}, pvVolumeAttributes)
+			lustrePV := lusterPVCJig.CreatePVorFailLustre(f.Namespace.Name, setupF.LustreVolumeHandle, []string{}, pvVolumeAttributes)
 			lustrePVC := lusterPVCJig.CreateAndAwaitPVCOrFailStaticLustre(f.Namespace.Name, lustrePV.Name, "50Gi", nil)
 			f.VolumeIds = append(f.VolumeIds, lustrePVC.Spec.VolumeName)
 
diff --git a/test/e2e/framework/pod_util.go b/test/e2e/framework/pod_util.go
@@ -369,3 +369,17 @@ func (j *PVCTestJig) GetNodeHostnameFromPod(podName, namespace string) string {
 	hostName := pod.Labels[NodeHostnameLabel]
 	return hostName
 }
+
+func (j *PVCTestJig) CheckVolumeOwnership(namespace, podName, mountPath, expectedOwner string) {
+	cmd := "ls -l " + mountPath + " | awk 'NR==2 { print $4 }'"
+	cmdOutput, err := RunHostCmd(namespace, podName, cmd)
+	if err != nil {
+		Failf("Failed to check volume ownership in pod %q: %v", podName, err)
+	}
+	cmdOutput = strings.ReplaceAll(cmdOutput, "\n", "")
+	if cmdOutput == expectedOwner {
+		Logf("Verified volume group owner for PV in pod %q is %v", podName, cmdOutput)
+	} else {
+		Failf("Actual Volume group ownership: %v and expected ownership: %v is not matching", cmdOutput, expectedOwner)
+	}
+}
diff --git a/test/e2e/framework/pvc_util.go b/test/e2e/framework/pvc_util.go
@@ -536,15 +536,16 @@ func (j *PVCTestJig) pvAddMountOptions(pv *v1.PersistentVolume,
 // newPVTemplateFSS returns the default template for this jig, but
 // does not actually create the PV.  The default PV has the same name
 // as the jig
-func (j *PVCTestJig) newPVTemplateFSS(namespace, volumeHandle, enableIntransitEncrypt string, mountOptions []string) *v1.PersistentVolume {
+func (j *PVCTestJig) newPVTemplateFSS(namespace, volumeHandle, enableIntransitEncrypt, accessMode, fsType string, mountOptions []string) *v1.PersistentVolume {
 	pv := j.CreatePVTemplate(namespace, "fss.csi.oraclecloud.com", "", "Retain")
 	pv = j.pvAddVolumeMode(pv, v1.PersistentVolumeFilesystem)
-	pv = j.pvAddAccessMode(pv, "ReadWriteMany")
+	pv = j.pvAddAccessMode(pv, v1.PersistentVolumeAccessMode(accessMode))
 	pv = j.pvAddMountOptions(pv, mountOptions)
 	pv = j.pvAddPersistentVolumeSource(pv, v1.PersistentVolumeSource{
 		CSI: &v1.CSIPersistentVolumeSource{
 			Driver:       driver.FSSDriverName,
 			VolumeHandle: volumeHandle,
+			FSType:       fsType,
 			VolumeAttributes: map[string]string{
 				"encryptInTransit": enableIntransitEncrypt,
 			},
@@ -613,8 +614,8 @@ func (j *PVCTestJig) newPVTemplateCSIHighPerf(namespace string, scName string, o
 // CreatePVForFSSorFail creates a new claim based on the jig's
 // defaults. Callers can provide a function to tweak the claim object
 // before it is created.
-func (j *PVCTestJig) CreatePVorFailFSS(namespace, volumeHandle, encryptInTransit string, mountOptions []string) *v1.PersistentVolume {
-	pv := j.newPVTemplateFSS(namespace, volumeHandle, encryptInTransit, mountOptions)
+func (j *PVCTestJig) CreatePVorFailFSS(namespace, volumeHandle, encryptInTransit, accessMode, fsType string, mountOptions []string) *v1.PersistentVolume {
+	pv := j.newPVTemplateFSS(namespace, volumeHandle, encryptInTransit, accessMode, fsType, mountOptions)
 
 	result, err := j.KubeClient.CoreV1().PersistentVolumes().Create(context.Background(), pv, metav1.CreateOptions{})
 	if err != nil {

Original file line number	Diff line number	Diff line change
`@@ -17,6 +17,7 @@ import (`
`17`	`17`	`)`
`18`	`18`
`19`	`19`	`const (`
	`20`	`+ mountPath = "mount"`
`20`	`21`	`SetupLnet = "setupLnet"`
`21`	`22`	`LustreSubnetCidr = "lustreSubnetCidr"`
`22`	`23`	`)`