Comments (7)
It seems bindfs doesn't support nested mounts, which means it will impact the full system... not ideal.
from telepresence.
More OS X resources:
- http://unix.stackexchange.com/questions/198590/what-is-a-bind-mount
- http://osxbook.com/book/bonus/ancient/whatismacosx/arch_fs.html (some parts are no longer available, e.g. synthfs/nullfs).
from telepresence.
The following scheme appears to work on OS X (requires brew cask install osxfuse and brew install homebrew/fuse/bindfs):
Create a RAM disk:
$ hdid -nomount ram://1024
/dev/disk2
$ newfs_hfs /dev/disk2
$ mkdir ~/temp
$ mount -t hfs /dev/disk2 ~/temp
$ echo hello > ~/temp/a
$ umount ~/temp
Now bind-mount / and then union-mount the RAM disk:
$ mkdir ~/staging
$ bindfs / ~/staging
$ mount -t hfs -o union /dev/disk2 ~/staging
~/staging is now a combination of / plus extra files from the RAM disk. You can now do:
$ chroot ~/staging
And the resulting process now has files available to it both from the normal filesystem and additional files from the RAM disk. These additional files can be secrets/configmaps/etc. copied over from Kubernetes by parsing the Deployment volumes.
from telepresence.
Simpler alternative, without a RAM disk:
$ mkdir ~/staging
$ echo hello > ~/staging/secret
$ bindfs -o union / ~/staging
$ chroot ~/staging
This will have problems though if / has stuff that conflicts with paths we want to inject, since it will come last. So possibly a more complex scheme is necessary.
from telepresence.
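The conflict the previous comment warns about (a path that exists both under / and among the injected files) can be detected before anything is mounted. The following script is an added example, not code from the telepresence thread or project: it walks the staging directory, reports every file whose path also exists in the base tree, and offers a guard a wrapper can call to refuse the union mount when the list is non-empty. The demo directories it builds under mktemp are constructed sample data.

```shell
#!/bin/sh
# Added example, not code from the telepresence thread: before union-mounting
# "/" over a staging directory, report the paths present in both layers, since
# those are exactly the files whose winning copy depends on layer order.
set -eu

# Print each regular file or symlink under $staging whose relative path also
# exists under $base (normally "/"), one path per line, relative to the root.
find_conflicts() {
    base=$1
    staging=$2
    find "$staging" \( -type f -o -type l \) -print | while IFS= read -r path; do
        rel=${path#"$staging"}
        if [ -e "$base$rel" ] || [ -L "$base$rel" ]; then
            printf '%s\n' "$rel"
        fi
    done
}

# Succeed only when no path collides, so a wrapper can refuse to mount otherwise.
assert_no_conflicts() {
    n=$(find_conflicts "$1" "$2" | wc -l | tr -d ' ')
    [ "$n" -eq 0 ]
}

# Constructed demo: a fake "/" and a staging directory injecting two files,
# one of which (/etc/hosts) collides with an existing path. Prints the list.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/root/etc" "$tmp/staging/etc" "$tmp/staging/app"
    echo "real"     > "$tmp/root/etc/hosts"
    echo "injected" > "$tmp/staging/etc/hosts"   # collides with the base layer
    echo "secret"   > "$tmp/staging/app/secret"  # genuinely new path
    find_conflicts "$tmp/root" "$tmp/staging"    # prints /etc/hosts
    rm -rf "$tmp"
}
```

Against a real staging directory the call is simply find_conflicts / ~/staging (or assert_no_conflicts / ~/staging before running bindfs -o union / ~/staging); the walk only touches the small staging tree, so it is cheap even though the base is the whole root filesystem.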
Rather than copying files from Kubernetes, even nicer would be to use sshfs to just make remote volumes on the pod locally accessible.
On Linux bind mounts of root and volumes will do the trick.
On OS X it's trickier. Ideally it would look like this:
$ bindfs / ~/staging # or mount --bind on linux, say
$ sshfs -o union root@pod:/ ~/staging/
The problem is that on Mac only one osxfuse filesystem can be mounted at same time, so this will not actually work... But there is a potential workaround: you can union mount to a parent directory.
On remote pod:
$ cd /
$ mkdir staging
$ mount --bind / /staging
Now, on Mac:
$ mkdir -p ~/mount/staging
$ bindfs / ~/mount/staging
$ sshfs -o union root@pod:/ ~/mount
Now ~/mount/staging is pod:/staging, which has the same contents as pod:/, and so we can do the chroot. TADA! 🙈
In practice rather than mount --bind / on the pod, we want to do one bind mount per volume specified in the Kubernetes Deployment so that only actual volumes are made visible in the local process.
from telepresence.
On Linux proot seemingly works... but isn't packaged for Fedora. Another option:
- unshare --mount --map-root-user, which gives new user and mount namespaces.
- Create a fake root directory, with directories where we want to do bind mounts, and then overlayfs / on top of that. That gives us normal / + a few extra directories.
- Bind mount remote volumes on to that.
- chroot on to that.
Downsides: assuming it works, the unshare --map-root-user makes the user look like root, which is confusing. Also it has... problems with /dev/null/ and the like.
Probably better to go with proot.
from telepresence.
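The Linux scheme sketched in that comment, assembled into one script as an added example (not telepresence's code). It assumes util-linux unshare, a kernel that permits unprivileged overlayfs and tmpfs mounts inside a user namespace, and that the remote volumes have already been made locally available (e.g. via sshfs) under a placeholder directory $base/remote; the volume paths passed on the command line stand in for the Deployment's mountPaths. Two details are additions of this example: the upper and work directories go on a tmpfs so overlayfs does not see them as lying inside the lowerdir /, and each mountPath is checked to be absolute and free of . or .. components before it is used as a bind target, since a bad value would otherwise land outside the fake root.

```shell
#!/bin/sh
# Added example, not telepresence's code: scaffold the unshare + overlayfs +
# bind-mount + chroot scheme. Assumes util-linux `unshare`, unprivileged
# overlayfs/tmpfs in a user namespace, and remote volumes already mounted
# locally under $base/remote (placeholder). Volume paths are placeholders
# for the Deployment's mountPaths.
set -eu

# Accept only absolute paths other than "/" with no ".", ".." or empty
# components, so a bind target can never resolve outside the fake root.
valid_mount_path() {
    case "$1" in
        /*) ;;
        *) return 1 ;;
    esac
    case "$1/" in
        */./*|*/../*|*//*) return 1 ;;
    esac
    return 0
}

# Validate the volume list and create the host-side directories:
# "overlay" will hold upper/work on a tmpfs, "merged" is the union view.
prepare_fakeroot() {
    base=$1; shift
    for vol in "$@"; do
        valid_mount_path "$vol" || { echo "rejecting mount path: $vol" >&2; return 1; }
    done
    mkdir -p "$base/overlay" "$base/merged"
}

# Emit the commands to run inside the new user+mount namespace.
inner_script() {
    base=$1; shift
    # tmpfs keeps upper/work on their own filesystem, separate from lowerdir "/".
    printf 'mount -t tmpfs tmpfs %s\n' "$base/overlay"
    printf 'mkdir -p %s/upper %s/work\n' "$base/overlay" "$base/overlay"
    for vol in "$@"; do
        # Pre-create the mount point in the upper layer so it exists in the
        # merged view even when "/" has no such directory.
        printf 'mkdir -p %s/upper%s\n' "$base/overlay" "$vol"
    done
    printf 'mount -t overlay overlay -o lowerdir=/,upperdir=%s/upper,workdir=%s/work %s\n' \
        "$base/overlay" "$base/overlay" "$base/merged"
    for vol in "$@"; do
        # Placeholder source: where the remote volume was made locally available.
        printf 'mount --bind %s %s\n' "$base/remote$vol" "$base/merged$vol"
    done
    printf 'exec chroot %s /bin/sh\n' "$base/merged"
}

main() {
    base=${1:-$HOME/staging}
    if [ $# -gt 0 ]; then shift; fi
    prepare_fakeroot "$base" "$@"
    inner_script "$base" "$@" > "$base/enter.sh"
    # --map-root-user implies a new user namespace in which we appear as root;
    # the mount namespace lets the inner script do the mounts and chroot.
    exec unshare --mount --map-root-user sh "$base/enter.sh"
}

# Usage when saved as fakeroot.sh: ./fakeroot.sh ~/staging /app/secrets /app/config
case "${0##*/}" in
    fakeroot.sh) main "$@" ;;
esac
```

The mount commands are written to a file and executed inside the namespace rather than run directly, so the validated list can be inspected before anything is mounted; the chroot is the last step so the process that results sees / plus only the pre-created volume directories, which matches the isolation goal the thread is after.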
Status report: I have working transparent volume support on both OS X and Linux, with bindfs+chroot and proot respectively.
Unfortunately bindfs has ... issues. The result is that networking doesn't work on OS X anymore, even if volumes do, because bindfs breaks certain things.
The goals, to make them clear, were:
- Transparency: volumes on remote container appear at same path on local machine. This means code can just hard code paths.
- Isolation: local access to remote volumes is limited only to the process being wrapped by --run-shell.
The current solution achieves these both, at the unacceptable cost of breaking networking.
Some options that would preserve transparent and isolated volumes:
- Try to fix bindfs.
- Figure out if fakechroot works/can be made to work on OS X (https://github.com/dex4er/fakechroot/), and somehow combine with sshfs union mounts. In particular it allows symlinks out of the fake chroot, so building up a parallel structure of symlinks, combined with union mount might work. maybe?
- Switch to something like https://github.com/probonopd/user-union, i.e. custom LD_PRELOAD code.
The other option is to give up on transparency. Instead of volumes appearing at the same path, they appear inside a temporary directory whose address is accessible at an environment variable, e.g. TELEPRESENCE_ROOT. Users of Telepresence then need to modify their code. E.g. this:
secret_file = open("/app/secrets")
will become:
import os

# Fall back to "/" so the same code still works when run without Telepresence.
volume_root = os.environ.get("TELEPRESENCE_ROOT", "/")
secret_file = open(os.path.join(volume_root, "app/secrets"))
from telepresence.