1
//go:build !remote && (linux || freebsd)
14
"github.com/containers/podman/v5/libpod/define"
15
"github.com/containers/podman/v5/libpod/events"
16
volplugin "github.com/containers/podman/v5/libpod/plugin"
17
"github.com/containers/storage"
18
"github.com/containers/storage/drivers/quota"
19
"github.com/containers/storage/pkg/fileutils"
20
"github.com/containers/storage/pkg/idtools"
21
"github.com/containers/storage/pkg/stringid"
22
pluginapi "github.com/docker/go-plugins-helpers/volume"
23
"github.com/opencontainers/selinux/go-selinux"
24
"github.com/sirupsen/logrus"
27
const volumeSuffix = "+volume"
29
// NewVolume creates a new empty volume
30
func (r *Runtime) NewVolume(ctx context.Context, options ...VolumeCreateOption) (*Volume, error) {32
return nil, define.ErrRuntimeStopped
34
return r.newVolume(ctx, false, options...)
37
// newVolume creates a new empty volume with the given options.
38
// The createPluginVolume can be set to true to make it not create the volume in the volume plugin,
39
// this is required for the UpdateVolumePlugins() function. If you are not sure, set this to false.
40
func (r *Runtime) newVolume(ctx context.Context, noCreatePluginVolume bool, options ...VolumeCreateOption) (_ *Volume, deferredErr error) {41
volume := newVolume(r)
42
for _, option := range options {43
if err := option(volume); err != nil {44
return nil, fmt.Errorf("running volume create option: %w", err)48
if volume.config.Name == "" {49
volume.config.Name = stringid.GenerateRandomID()
51
if volume.config.Driver == "" {52
volume.config.Driver = define.VolumeDriverLocal
54
volume.config.CreatedTime = time.Now()
56
// Check if volume with given name exists.
57
exists, err := r.state.HasVolume(volume.config.Name)
59
return nil, fmt.Errorf("checking if volume with name %s exists: %w", volume.config.Name, err)62
if volume.ignoreIfExists {63
existingVolume, err := r.state.Volume(volume.config.Name)
65
return nil, fmt.Errorf("reading volume from state: %w", err)67
return existingVolume, nil
69
return nil, fmt.Errorf("volume with name %s already exists: %w", volume.config.Name, define.ErrVolumeExists)73
// Plugin can be nil if driver is local, but that's OK - superfluous
74
// assignment doesn't hurt much.
75
plugin, err := r.getVolumePlugin(volume.config)
77
return nil, fmt.Errorf("volume %s uses volume plugin %s but it could not be retrieved: %w", volume.config.Name, volume.config.Driver, err)79
volume.plugin = plugin
81
if volume.config.Driver == define.VolumeDriverLocal {82
logrus.Debugf("Validating options for local driver")84
for key, val := range volume.config.Options {85
switch strings.ToLower(key) {87
if strings.ToLower(volume.config.Options["type"]) == define.TypeBind {88
if err := fileutils.Exists(val); err != nil {89
return nil, fmt.Errorf("invalid volume option %s for driver 'local': %w", key, err)92
case "o", "type", "uid", "gid", "size", "inodes", "noquota", "copy", "nocopy":
93
// Do nothing, valid keys
95
return nil, fmt.Errorf("invalid mount option %s for driver 'local': %w", key, define.ErrInvalidArg)98
} else if volume.config.Driver == define.VolumeDriverImage && !volume.UsesVolumeDriver() {99
logrus.Debugf("Creating image-based volume")102
for key, val := range volume.config.Options {103
switch strings.ToLower(key) {107
return nil, fmt.Errorf("invalid mount option %s for driver 'image': %w", key, define.ErrInvalidArg)112
return nil, fmt.Errorf("must provide an image name when creating a volume with the image driver: %w", define.ErrInvalidArg)116
image, _, err := r.libimageRuntime.LookupImage(imgString, nil)
118
return nil, fmt.Errorf("looking up image %s to create volume failed: %w", imgString, err)121
// Generate a c/storage name and ID for the volume.
122
// Use characters Podman does not allow for the name, to ensure
123
// no collision with containers.
124
volume.config.StorageID = stringid.GenerateRandomID()
125
volume.config.StorageName = volume.config.Name + volumeSuffix
126
volume.config.StorageImageID = image.ID()
128
// Create a backing container in c/storage.
129
storageConfig := storage.ContainerOptions{130
LabelOpts: []string{"filetype:container_file_t", "level:s0"},132
if len(volume.config.MountLabel) > 0 {133
context, err := selinux.NewContext(volume.config.MountLabel)
135
return nil, fmt.Errorf("failed to get SELinux context from %s: %w", volume.config.MountLabel, err)137
storageConfig.LabelOpts = []string{fmt.Sprintf("filetype:%s", context["type"])}139
if _, err := r.storageService.CreateContainerStorage(ctx, r.imageContext, imgString, image.ID(), volume.config.StorageName, volume.config.StorageID, storageConfig); err != nil {140
return nil, fmt.Errorf("creating backing storage for image driver: %w", err)143
if deferredErr != nil {144
if err := r.storageService.DeleteContainer(volume.config.StorageID); err != nil {145
logrus.Errorf("Error removing volume %s backing storage: %v", volume.config.Name, err)151
// Now we get conditional: we either need to make the volume in the
152
// volume plugin, or on disk if not using a plugin.
153
if volume.plugin != nil && !noCreatePluginVolume {154
// We can't chown, or relabel, or similar the path the volume is
155
// using, because it's not managed by us.
156
// TODO: reevaluate this once we actually have volume plugins in
157
// use in production - it may be safe, but I can't tell without
158
// knowing what the actual plugin does...
159
if err := makeVolumeInPluginIfNotExist(volume.config.Name, volume.config.Options, volume.plugin); err != nil {163
// Create the mountpoint of this volume
164
volPathRoot := filepath.Join(r.config.Engine.VolumePath, volume.config.Name)
165
if err := os.MkdirAll(volPathRoot, 0700); err != nil {166
return nil, fmt.Errorf("creating volume directory %q: %w", volPathRoot, err)168
if err := idtools.SafeChown(volPathRoot, volume.config.UID, volume.config.GID); err != nil {169
return nil, fmt.Errorf("chowning volume directory %q to %d:%d: %w", volPathRoot, volume.config.UID, volume.config.GID, err)171
fullVolPath := filepath.Join(volPathRoot, "_data")
172
if err := os.MkdirAll(fullVolPath, 0755); err != nil {173
return nil, fmt.Errorf("creating volume directory %q: %w", fullVolPath, err)175
if err := idtools.SafeChown(fullVolPath, volume.config.UID, volume.config.GID); err != nil {176
return nil, fmt.Errorf("chowning volume directory %q to %d:%d: %w", fullVolPath, volume.config.UID, volume.config.GID, err)178
if err := LabelVolumePath(fullVolPath, volume.config.MountLabel); err != nil {182
case volume.config.DisableQuota:
183
if volume.config.Size > 0 || volume.config.Inodes > 0 {184
return nil, errors.New("volume options size and inodes cannot be used without quota")186
case volume.config.Options["type"] == define.TypeTmpfs:
187
// tmpfs only supports Size
188
if volume.config.Inodes > 0 {189
return nil, errors.New("volume option inodes not supported on tmpfs filesystem")191
case volume.config.Inodes > 0 || volume.config.Size > 0:
192
projectQuotaSupported := false
193
q, err := quota.NewControl(r.config.Engine.VolumePath)
195
projectQuotaSupported = true
197
if !projectQuotaSupported {198
return nil, errors.New("volume options size and inodes not supported. Filesystem does not support Project Quota")200
quota := quota.Quota{201
Inodes: volume.config.Inodes,
202
Size: volume.config.Size,
204
if err := q.SetQuota(fullVolPath, quota); err != nil {205
return nil, fmt.Errorf("failed to set size quota size=%d inodes=%d for volume directory %q: %w", volume.config.Size, volume.config.Inodes, fullVolPath, err)209
volume.config.MountPoint = fullVolPath
212
lock, err := r.lockManager.AllocateLock()
214
return nil, fmt.Errorf("allocating lock for new volume: %w", err)217
volume.config.LockID = volume.lock.ID()
220
if deferredErr != nil {221
if err := volume.lock.Free(); err != nil {222
logrus.Errorf("Freeing volume lock after failed creation: %v", err)229
// Add the volume to state
230
if err := r.state.AddVolume(volume); err != nil {231
return nil, fmt.Errorf("adding volume to state: %w", err)233
defer volume.newVolumeEvent(events.Create)
237
// UpdateVolumePlugins reads all volumes from all configured volume plugins and
238
// imports them into the libpod db. It also checks if existing libpod volumes
239
// are removed in the plugin, in this case we try to remove it from libpod.
240
// On errors we continue and try to do as much as possible. all errors are
241
// returned as array in the returned struct.
242
// This function has many race conditions, it is best effort but cannot guarantee
243
// a perfect state since plugins can be modified from the outside at any time.
244
func (r *Runtime) UpdateVolumePlugins(ctx context.Context) *define.VolumeReload {249
allPluginVolumes = map[string]struct{}{}252
for driverName, socket := range r.config.Engine.VolumePlugins {253
driver, err := volplugin.GetVolumePlugin(driverName, socket, nil, r.config)
255
errs = append(errs, err)
258
vols, err := driver.ListVolumes()
260
errs = append(errs, fmt.Errorf("failed to read volumes from plugin %q: %w", driverName, err))263
for _, vol := range vols {264
allPluginVolumes[vol.Name] = struct{}{}265
if _, err := r.newVolume(ctx, true, WithVolumeName(vol.Name), WithVolumeDriver(driverName)); err != nil {266
// If the volume exists this is not an error, just ignore it and log. It is very likely
267
// that the volume from the plugin was already in our db.
268
if !errors.Is(err, define.ErrVolumeExists) {269
errs = append(errs, err)
272
logrus.Infof("Volume %q already exists: %v", vol.Name, err)275
added = append(added, vol.Name)
279
libpodVolumes, err := r.state.AllVolumes()
281
errs = append(errs, fmt.Errorf("cannot delete dangling plugin volumes: failed to read libpod volumes: %w", err))283
for _, vol := range libpodVolumes {284
if vol.UsesVolumeDriver() {285
if _, ok := allPluginVolumes[vol.Name()]; !ok {286
// The volume is no longer in the plugin. Let's remove it from the libpod db.
287
if err := r.removeVolume(ctx, vol, false, nil, true); err != nil {288
if errors.Is(err, define.ErrVolumeBeingUsed) {289
// Volume is still used by at least one container. This is very bad,
290
// the plugin no longer has this but we still need it.
291
errs = append(errs, fmt.Errorf("volume was removed from the plugin %q but containers still require it: %w", vol.config.Driver, err))294
if errors.Is(err, define.ErrNoSuchVolume) || errors.Is(err, define.ErrVolumeRemoved) || errors.Is(err, define.ErrMissingPlugin) {295
// Volume was already removed, no problem just ignore it and continue.
300
errs = append(errs, err)
303
// Volume was successfully removed
304
removed = append(removed, vol.Name())
309
return &define.VolumeReload{316
// makeVolumeInPluginIfNotExist makes a volume in the given volume plugin if it
317
// does not already exist.
318
func makeVolumeInPluginIfNotExist(name string, options map[string]string, plugin *volplugin.VolumePlugin) error {319
// Ping the volume plugin to see if it exists first.
320
// If it does, use the existing volume in the plugin.
321
// Options may not match exactly, but not much we can do about
322
// that. Not complaining avoids a lot of the sync issues we see
323
// with c/storage and libpod DB.
325
getReq := new(pluginapi.GetRequest)
327
if resp, err := plugin.GetVolume(getReq); err == nil {328
// TODO: What do we do if we get a 200 response, but the
329
// Volume is nil? The docs on the Plugin API are very
330
// nonspecific, so I don't know if this is valid or
334
logrus.Infof("Volume %q already exists in plugin %q, using existing volume", name, plugin.Name)338
createReq := new(pluginapi.CreateRequest)
339
createReq.Name = name
340
createReq.Options = options
341
if err := plugin.CreateVolume(createReq); err != nil {342
return fmt.Errorf("creating volume %q in plugin %s: %w", name, plugin.Name, err)349
// removeVolume removes the specified volume from state as well tears down its mountpoint and storage.
350
// ignoreVolumePlugin is used to only remove the volume from the db and not the plugin,
351
// this is required when the volume was already removed from the plugin, i.e. in UpdateVolumePlugins().
352
func (r *Runtime) removeVolume(ctx context.Context, v *Volume, force bool, timeout *uint, ignoreVolumePlugin bool) error {354
if ok, _ := r.state.HasVolume(v.Name()); !ok {357
return define.ErrVolumeRemoved
361
defer v.lock.Unlock()
363
// Update volume status to pick up a potential removal from state
364
if err := v.update(); err != nil {368
deps, err := r.state.VolumeInUse(v)
373
depsStr := strings.Join(deps, ", ")
375
return fmt.Errorf("volume %s is being used by the following container(s): %s: %w", v.Name(), depsStr, define.ErrVolumeBeingUsed)378
// We need to remove all containers using the volume
379
for _, dep := range deps {380
ctr, err := r.state.Container(dep)
382
// If the container's removed, no point in
384
if errors.Is(err, define.ErrNoSuchCtr) || errors.Is(err, define.ErrCtrRemoved) {388
return fmt.Errorf("removing container %s that depends on volume %s: %w", dep, v.Name(), err)391
logrus.Debugf("Removing container %s (depends on volume %q)", ctr.ID(), v.Name())397
if _, _, err := r.removeContainer(ctx, ctr, opts); err != nil {398
return fmt.Errorf("removing container %s that depends on volume %s: %w", ctr.ID(), v.Name(), err)403
// If the volume is still mounted - force unmount it
404
if err := v.unmount(true); err != nil {406
// If force is set, evict the volume, even if errors
407
// occur. Otherwise we'll never be able to get rid of
409
logrus.Errorf("Unmounting volume %s: %v", v.Name(), err)411
return fmt.Errorf("unmounting volume %s: %w", v.Name(), err)415
// Set volume as invalid so it can no longer be used
420
// If we use a volume plugin, we need to remove from the plugin.
421
if v.UsesVolumeDriver() && !ignoreVolumePlugin {424
// Do we have a volume driver?
427
removalErr = fmt.Errorf("cannot remove volume %s from plugin %s, but it has been removed from Podman: %w", v.Name(), v.Driver(), define.ErrMissingPlugin)429
// Ping the plugin first to verify the volume still
431
// We're trying to be very tolerant of missing volumes
432
// in the backend, to avoid the problems we see with
433
// sync between c/storage and the Libpod DB.
434
getReq := new(pluginapi.GetRequest)
435
getReq.Name = v.Name()
436
if _, err := v.plugin.GetVolume(getReq); err != nil {438
removalErr = fmt.Errorf("volume %s could not be retrieved from plugin %s, but it has been removed from Podman: %w", v.Name(), v.Driver(), err)442
req := new(pluginapi.RemoveRequest)
444
if err := v.plugin.RemoveVolume(req); err != nil {445
return fmt.Errorf("volume %s could not be removed from plugin %s: %w", v.Name(), v.Driver(), err)448
} else if v.config.Driver == define.VolumeDriverImage {449
if err := v.runtime.storageService.DeleteContainer(v.config.StorageID); err != nil {450
// Storage container is already gone, no problem.
451
if !(errors.Is(err, storage.ErrNotAContainer) || errors.Is(err, storage.ErrContainerUnknown)) {452
return fmt.Errorf("removing volume %s storage: %w", v.Name(), err)454
logrus.Infof("Storage for volume %s already removed", v.Name())458
// Remove the volume from the state
459
if err := r.state.RemoveVolume(v); err != nil {460
if removalErr != nil {461
logrus.Errorf("Removing volume %s from plugin %s: %v", v.Name(), v.Driver(), removalErr)463
return fmt.Errorf("removing volume %s: %w", v.Name(), err)466
// Free the volume's lock
467
if err := v.lock.Free(); err != nil {468
if removalErr == nil {469
removalErr = fmt.Errorf("freeing lock for volume %s: %w", v.Name(), err)471
logrus.Errorf("Freeing lock for volume %q: %v", v.Name(), err)475
// Delete the mountpoint path of the volume, that is delete the volume
476
// from /var/lib/containers/storage/volumes
477
if err := v.teardownStorage(); err != nil {478
if removalErr == nil {479
removalErr = fmt.Errorf("cleaning up volume storage for %q: %w", v.Name(), err)481
logrus.Errorf("Cleaning up volume storage for volume %q: %v", v.Name(), err)485
defer v.newVolumeEvent(events.Remove)
486
logrus.Debugf("Removed volume %s", v.Name())