Add pre-created mount points to images:

- cdi-apiserver
- cdi-cloner
- cdi-controller
- cdi-importer
- cdi-operator
- dvcr
- dvcr-importer
- dvcr-uploader
- kube-api-rewriter
- virt-api
- virt-controller
- virt-handler
- virt-launcher
- virt-operator
- virtualization-api
- virtualization-audit
- virtualization-controller
- hp pods

Some notes:

- Create /var/run subdirectories in /run, as /var/run is a symlink to ../run.
- Add /var, /run and symlink /var/run -> ../run in 'distroless' base image.
- Pre-create /var, /run and symlink /var/run -> ../run in kube-api-rewriter image.
- Remove unused extraheaders settings in dvcr-importer and dvcr-uploader.

Signed-off-by: Ivan Mikheykin <[email protected]>

Author: diafour

.prettierignore

@@ -1,6 +1,7 @@
 **/*.git
 **/.svn
 **/.hg
+images/**/mount-points.yaml
 **/werf*.yaml
 **/werf*.yml
 .werf/**

.werf/defines/image-mountpoints.tmpl

@@ -1,22 +1,30 @@
-# add mount points from file mount_points.yaml in the build dir
+{{/*
 
+Template to bake mount points in the image. These static mount points
+are required so containerd can start a container with image integrity check.
+
+Problem: each directory specified in volumeMounts items should exist
+in image, containerd is unable to create mount point for us when
+integrity check is enabled.
+
+Solution: define all possible mount points in mount-points.yaml file and
+include this template in git section of the werf.inc.yaml.
+
+*/}}
+{{/* NOTE: Keep in sync with version in Deckhouse CSE */}}
 {{- define "image mount points" }}
 {{-   $mountPoints := ($.Files.Get (printf "images/%s/mount-points.yaml" $.ImageName) | fromYaml) }}
 {{-   $context := . }}
 {{-   range $v := $mountPoints.dirs }}
-- add: {{ $context.ModuleDir }}/tools/mounts/mountdir
-  to: {{ $v }}
-  owner: 64535
-  group: 64535
+- add: /tools/mounts/mountdir
+  to: {{ $v | trimSuffix "/" }}
   stageDependencies:
     install:
     - "**/*"
 {{-   end }}
 {{-   range $v := $mountPoints.files }}
-- add: {{ $context.ModuleDir }}/tools/mounts/mountfile
+- add: /tools/mounts/mountfile
   to: {{ $v }}
-  owner: 64535
-  group: 64535
   stageDependencies:
     install:
     - "**/*"

.werf/images.yaml

@@ -42,7 +42,6 @@ dockerfile: Dockerfile
 {{-   $_ := set $ctx "SVACE_ANALYZE_SSH_USER" $Root.SVACE_ANALYZE_SSH_USER }}
 {{-   $_ := set $ctx "SVACE_ANALYZE_HOST" $Root.SVACE_ANALYZE_HOST }}
 {{-   $_ := set $ctx "SVACE_IMAGE_SUFFIX" $Root.SVACE_IMAGE_SUFFIX }}
-{{-   $_ := set $ctx "Files" $.Files }}
 
 
 {{-   include "module_image_template" $ctx }}

images/cdi-apiserver/mount-points.yaml

@@ -0,0 +1,7 @@
+# A list of pre-created mount points for containerd strict mode.
+
+dirs:
+  # Create dirs in /run, as /var/run is a symlink to /run.
+  - /run/certs/cdi-apiserver-signer-bundle
+  - /run/certs/cdi-apiserver-server-cert
+  - /kubeconfig.local

images/cdi-apiserver/werf.inc.yaml

@@ -1,6 +1,8 @@
 ---
 image: {{ .ModuleNamePrefix }}{{ .ImageName }}
 fromImage: {{ .ModuleNamePrefix }}distroless
+git:
+  {{- include "image mount points" . }}
 import:
 - image: {{ .ModuleNamePrefix }}cdi-artifact
   add: /cdi-binaries

images/cdi-cloner/mount-points.yaml

@@ -0,0 +1,7 @@
+# A list of pre-created mount points for containerd strict mode.
+#
+# See https://github.com/deckhouse/3p-containerized-data-importer/blob/80d763d788e06b3decaf22e4762076cec64582b3/pkg/controller/clone-controller.go#L699
+
+dirs:
+  # Create dirs in /run, as /var/run is a symlink to /run.
+  - /run/cdi/clone/source

images/cdi-cloner/werf.inc.yaml

@@ -1,6 +1,8 @@
 ---
 image: {{ .ModuleNamePrefix }}{{ .ImageName }}
 fromImage: {{ .ModuleNamePrefix }}distroless
+git:
+  {{- include "image mount points" . }}
 import:
 - image: {{ .ModuleNamePrefix }}{{ .ImageName }}-bins
   add: /relocate

images/cdi-controller/mount-points.yaml

@@ -0,0 +1,13 @@
+# A list of pre-created mount points for containerd strict mode.
+#
+# Some volume mounts are ignored:
+# - /tmp - already in the 'distroless' base image.
+
+dirs:
+  # Create dirs in /run, as /var/run is a symlink to /run.
+  - /run/cdi/token/keys
+  - /run/certs/cdi-uploadserver-signer
+  - /run/certs/cdi-uploadserver-client-signer
+  - /run/ca-bundle/cdi-uploadserver-signer-bundle
+  - /run/ca-bundle/cdi-uploadserver-client-signer-bundle
+  - /kubeconfig.local

images/cdi-controller/werf.inc.yaml

@@ -1,6 +1,8 @@
 ---
 image: {{ .ModuleNamePrefix }}{{ .ImageName }}
 fromImage: {{ .ModuleNamePrefix }}distroless
+git:
+  {{- include "image mount points" . }}
 import:
 - image: {{ .ModuleNamePrefix }}{{ .ImageName }}-bins
   add: /relocate

images/cdi-importer/mount-points.yaml

@@ -0,0 +1,17 @@
+# A list of pre-created mount points for containerd strict mode.
+#
+# See https://github.com/deckhouse/3p-containerized-data-importer/blob/d5fa5124b8a645521843814fffecdf385b74b379/pkg/controller/import-controller.go#L962
+#
+# Some volume mounts are ignored:
+# - /extraheaders - Etra headers not implemented in virtualization-controller.
+# - /google - No support for GCS data source in VirtualImage.
+# - /tmp - already in the 'distroless' base image.
+
+dirs:
+  - /certs
+  - /data
+  - /opt
+  - /proxycerts
+  - /scratch
+  - /shared
+