allow arbitrary mounts into process's container

Recursive, read/write, bind mount paths specified by release-author into
the process's container. The path inside the container will mirror the
path on the host.

[finishes #149683751]

Signed-off-by: James Myers <jfmyers9@gmail.com>

Author: aramprice

docs/config.md

@@ -22,8 +22,7 @@ limits:
   open_files: 100
 
 volumes:
-- name: certificates
-- name: sockets
+- /var/vcap/data/certificates
 
 hooks:
   pre_start: /var/vcap/job/program/bin/bpm-pre-start

docs/runtime.md

@@ -54,24 +54,6 @@ This storage area is shared between all processes in your job. It is your
 responsibility to make sure that the data saved by each of your job's processes
 does not collide.
 
-### Shared Data
-
-> **Note:** This feature has been added to enable support for older jobs which
-> use the file system to communicate with other jobs. It is preferable in nearly
-> all cases to use the network to communicate across job boundaries. Using the
-> network reduces scheduling constraints such that a job can be un-collocated
-> and allows more modern access control (key rotation, etc.) of the information
-> being transferred between your jobs.
-
-If your job configuration lists shared volumes then these will be mounted
-under `/var/vcap/data/shared/[VOLUME NAME]`. These volumes will be mounted
-read-write. All collocated jobs which list a particular volume name will be
-given a volume they can all share. If your release already has a data stored
-in the `/var/vcap/data/shared` directory then it is your responsibility to
-move this data to a different path before using shared volumes.
-
-Due to path collisions, job name of `shared` will be rejected.
-
 ### Persistent Data
 
 TODO: Work out if there is anything complex about persistent data across

src/bpm/bpm/config.go

@@ -29,6 +29,7 @@ type Config struct {
 	Args       []string `yaml:"args"`
 	Env        []string `yaml:"env"`
 	Limits     *Limits  `yaml:"limits"`
+	Volumes    []string `yaml:"volumes"`
 	Hooks      *Hooks   `yaml:"hooks"`
 }
 

src/bpm/bpm/config_test.go

@@ -41,6 +41,7 @@ var _ = Describe("Config", func() {
 			Expect(cfg.Env).To(ConsistOf("FOO=BAR", "BAZ=BUZZ"))
 			Expect(cfg.Limits.Memory).To(Equal(&expectedMemoryLimit))
 			Expect(cfg.Limits.OpenFiles).To(Equal(&expectedOpenFilesLimit))
+			Expect(cfg.Volumes).To(ConsistOf("/var/vcap/data/program/foobar", "/var/vcap/data/alternate-program"))
 			Expect(cfg.Hooks.PreStart).To(Equal("/var/vcap/jobs/program/bin/pre"))
 		})
 

src/bpm/bpm/fixtures/example.yml

@@ -9,5 +9,8 @@ env:
 limits:
   memory: 100G
   open_files: 100
+volumes:
+  - /var/vcap/data/program/foobar
+  - /var/vcap/data/alternate-program
 hooks:
   pre_start: /var/vcap/jobs/program/bin/pre

src/bpm/runc/adapter/adapter.go

@@ -33,7 +33,11 @@ func NewRuncAdapter() *RuncAdapter {
 	return &RuncAdapter{}
 }
 
-func (a *RuncAdapter) CreateJobPrerequisites(systemRoot, jobName, procName string, user specs.User) (string, *os.File, *os.File, error) {
+func (a *RuncAdapter) CreateJobPrerequisites(
+	systemRoot, jobName, procName string,
+	cfg *bpm.Config,
+	user specs.User,
+) (string, *os.File, *os.File, error) {
 	bpmPidDir := filepath.Join(systemRoot, "sys", "run", "bpm", jobName)
 	jobLogDir := filepath.Join(systemRoot, "sys", "log", jobName)
 	stdoutFileLocation := filepath.Join(jobLogDir, fmt.Sprintf("%s.out.log", procName))
@@ -64,18 +68,30 @@ func (a *RuncAdapter) CreateJobPrerequisites(systemRoot, jobName, procName strin
 		return "", nil, nil, err
 	}
 
-	err = os.MkdirAll(dataDir, 0700)
+	err = createDirFor(dataDir, int(user.UID), int(user.GID))
 	if err != nil {
 		return "", nil, nil, err
 	}
-	err = os.Chown(dataDir, int(user.UID), int(user.GID))
-	if err != nil {
-		return "", nil, nil, err
+
+	for _, vol := range cfg.Volumes {
+		err := createDirFor(vol, int(user.UID), int(user.GID))
+		if err != nil {
+			return "", nil, nil, err
+		}
 	}
 
 	return bpmPidDir, stdout, stderr, nil
 }
 
+func createDirFor(path string, uid, gid int) error {
+	err := os.MkdirAll(path, 0700)
+	if err != nil {
+		return err
+	}
+
+	return os.Chown(path, uid, gid)
+}
+
 func createFileFor(path string, uid, gid int) (*os.File, error) {
 	f, err := os.OpenFile(path, os.O_RDWR|os.O_CREATE|os.O_APPEND, 0600)
 	if err != nil {
@@ -107,6 +123,7 @@ func (a *RuncAdapter) BuildSpec(
 	mounts := defaultMounts()
 	mounts = append(mounts, boshMounts(systemRoot, jobName, procName)...)
 	mounts = append(mounts, systemIdentityMounts()...)
+	mounts = append(mounts, userProvidedIdentityMounts(cfg.Volumes)...)
 
 	var resources *specs.LinuxResources
 	if cfg.Limits != nil {
@@ -291,3 +308,18 @@ func systemIdentityMounts() []specs.Mount {
 		},
 	}
 }
+
+func userProvidedIdentityMounts(volumes []string) []specs.Mount {
+	var mnts []specs.Mount
+
+	for _, vol := range volumes {
+		mnts = append(mnts, specs.Mount{
+			Destination: vol,
+			Type:        "bind",
+			Source:      vol,
+			Options:     []string{"rbind", "rw"},
+		})
+	}
+
+	return mnts
+}

src/bpm/runc/adapter/adapter_test.go

@@ -40,6 +40,8 @@ var _ = Describe("RuncAdapter", func() {
 		procName,
 		systemRoot string
 		user specs.User
+
+		cfg *bpm.Config
 	)
 
 	BeforeEach(func() {
@@ -52,6 +54,13 @@ var _ = Describe("RuncAdapter", func() {
 		var err error
 		systemRoot, err = ioutil.TempDir("", "runc-adapter-system-files")
 		Expect(err).NotTo(HaveOccurred())
+
+		cfg = &bpm.Config{
+			Volumes: []string{
+				filepath.Join(systemRoot, "some", "directory"),
+				filepath.Join(systemRoot, "another", "location"),
+			},
+		}
 	})
 
 	AfterEach(func() {
@@ -60,7 +69,7 @@ var _ = Describe("RuncAdapter", func() {
 
 	Describe("CreateJobPrerequisites", func() {
 		It("creates the job prerequisites", func() {
-			pidDir, stdout, stderr, err := runcAdapter.CreateJobPrerequisites(systemRoot, jobName, procName, user)
+			pidDir, stdout, stderr, err := runcAdapter.CreateJobPrerequisites(systemRoot, jobName, procName, cfg, user)
 			Expect(err).NotTo(HaveOccurred())
 
 			logDir := filepath.Join(systemRoot, "sys", "log", jobName)
@@ -100,12 +109,19 @@ var _ = Describe("RuncAdapter", func() {
 			Expect(dataDirInfo.Mode() & os.ModePerm).To(Equal(os.FileMode(0700)))
 			Expect(dataDirInfo.Sys().(*syscall.Stat_t).Uid).To(Equal(uint32(200)))
 			Expect(dataDirInfo.Sys().(*syscall.Stat_t).Gid).To(Equal(uint32(300)))
+
+			//Volumes
+			for _, vol := range cfg.Volumes {
+				volDirInfo, err := os.Stat(vol)
+				Expect(err).NotTo(HaveOccurred())
+				Expect(volDirInfo.Mode() & os.ModePerm).To(Equal(os.FileMode(0700)))
+				Expect(volDirInfo.Sys().(*syscall.Stat_t).Uid).To(Equal(uint32(200)))
+				Expect(volDirInfo.Sys().(*syscall.Stat_t).Gid).To(Equal(uint32(300)))
+			}
 		})
 	})
 
 	Describe("BuildSpec", func() {
-		var cfg *bpm.Config
-
 		BeforeEach(func() {
 			cfg = &bpm.Config{
 				Executable: "/var/vcap/packages/example/bin/example",
@@ -117,6 +133,10 @@ var _ = Describe("RuncAdapter", func() {
 					"RAVE=true",
 					"ONE=two",
 				},
+				Volumes: []string{
+					"/path/to/volume/1",
+					"/path/to/volume/2",
+				},
 			}
 		})
 
@@ -246,6 +266,18 @@ var _ = Describe("RuncAdapter", func() {
 					Source:      filepath.Join(systemRoot, "sys", "log", jobName),
 					Options:     []string{"rbind", "rw"},
 				},
+				{
+					Destination: "/path/to/volume/1",
+					Type:        "bind",
+					Source:      "/path/to/volume/1",
+					Options:     []string{"rbind", "rw"},
+				},
+				{
+					Destination: "/path/to/volume/2",
+					Type:        "bind",
+					Source:      "/path/to/volume/2",
+					Options:     []string{"rbind", "rw"},
+				},
 			}))
 
 			Expect(spec.Linux.RootfsPropagation).To(Equal("private"))

src/bpm/runc/lifecycle/lifecycle.go

@@ -56,7 +56,7 @@ type CommandRunner interface {
 //go:generate counterfeiter . RuncAdapter
 
 type RuncAdapter interface {
-	CreateJobPrerequisites(systemRoot, jobName, procName string, user specs.User) (string, *os.File, *os.File, error)
+	CreateJobPrerequisites(systemRoot, jobName, procName string, cfg *bpm.Config, user specs.User) (string, *os.File, *os.File, error)
 	BuildSpec(systemRoot, jobName, procName string, cfg *bpm.Config, user specs.User) (specs.Spec, error)
 }
 
@@ -106,7 +106,7 @@ func (j *RuncLifecycle) StartJob(jobName, procName string, cfg *bpm.Config) erro
 		return err
 	}
 
-	pidDir, stdout, stderr, err := j.runcAdapter.CreateJobPrerequisites(j.systemRoot, jobName, procName, user)
+	pidDir, stdout, stderr, err := j.runcAdapter.CreateJobPrerequisites(j.systemRoot, jobName, procName, cfg, user)
 	if err != nil {
 		return fmt.Errorf("failed to create system files: %s", err.Error())
 	}

src/bpm/runc/lifecycle/lifecycle_test.go

@@ -124,14 +124,15 @@ var _ = Describe("RuncJobLifecycle", func() {
 			Expect(fakeUserFinder.LookupArgsForCall(0)).To(Equal(usertools.VcapUser))
 
 			Expect(fakeRuncAdapter.CreateJobPrerequisitesCallCount()).To(Equal(1))
-			systemRoot, jobName, procName, user := fakeRuncAdapter.CreateJobPrerequisitesArgsForCall(0)
+			systemRoot, jobName, procName, cfg, user := fakeRuncAdapter.CreateJobPrerequisitesArgsForCall(0)
 			Expect(systemRoot).To(Equal(expectedSystemRoot))
 			Expect(jobName).To(Equal(expectedJobName))
 			Expect(procName).To(Equal(expectedProcName))
+			Expect(cfg).To(Equal(jobConfig))
 			Expect(user).To(Equal(expectedUser))
 
 			Expect(fakeRuncAdapter.BuildSpecCallCount()).To(Equal(1))
-			systemRoot, jobName, procName, cfg, user := fakeRuncAdapter.BuildSpecArgsForCall(0)
+			systemRoot, jobName, procName, cfg, user = fakeRuncAdapter.BuildSpecArgsForCall(0)
 			Expect(systemRoot).To(Equal(expectedSystemRoot))
 			Expect(jobName).To(Equal(expectedJobName))
 			Expect(procName).To(Equal(expectedProcName))