JohnStrunk · May 10, 2024 00:30 · rohantmp · Aug 13, 2019
diff --git a/bd-priv-poc.yml b/bd-priv-poc.yml
 ---

 # PVC for a block device we want to access
 kind: PersistentVolumeClaim
 apiVersion: v1
 metadata:
  name: block-pvc
 spec:
  storageClassName: local-block
  accessModes:
    - ReadWriteOnce
  volumeMode: Block
  resources:
    requests:
      storage: 10Gi

 ---

 kind: Pod
 apiVersion: v1
 metadata:
  name: centos
 spec:
  initContainers:
    # This init container just makes a copy of the block device file into the
    # shared volume so that the privileged container can pick it up.
    - name: blkdevmapper
      image: centos:7
      command: ["/bin/bash", "-c"]
      args: ["cp -a /blkdev /mnt/blkdev"]
      volumeDevices:
        - name: block
          devicePath: "/blkdev"
      volumeMounts:
        - mountPath: "/mnt"
          name: blkdevbridge
  containers:
    - name: centos
      image: centos:7
      command: ["/bin/bash", "-c"]
      args: ["yum install -y lvm2 && sleep infinity"]
      args:
        # From existing gluster containers:
        # - Disable udev
        # - Disable lvmetad
        # Additional stuff:
        # - Change lv scanning to also look in /mnt (where we put the PV block device)
        # - Change device filter rules to only see devices in /mnt
        # The crazy sed line for filter is so that it only replaces the 1st occurrence
        - >-
          yum install -y lvm2 &&
          sed -i -e "s#udev_sync = 1#udev_sync = 0#" /etc/lvm/lvm.conf &&
          sed -i -e "s#udev_rules = 1#udev_rules = 0#" /etc/lvm/lvm.conf &&
          sed -i -e "s#use_lvmetad = 1#use_lvmetad = 0#" /etc/lvm/lvm.conf &&
          sed -i -e 's#scan = \[ "/dev" \]#scan = [ "/dev", "/mnt" ]#'
          /etc/lvm/lvm.conf &&
          sed -i -e '0,/# filter =.*/{s%# filter =.*%
          filter = [ "a|^/mnt/.*|", "r|.*/|" ]%}'
          /etc/lvm/lvm.conf &&
          sleep infinity
      securityContext:
        privileged: true
      # We would like this container to act as though the following were
      # possible:
      # volumeDevices:
      #  - name: block
      #    devicePath: "/mnt/blkdev"
      volumeMounts:
        - mountPath: "/mnt"
          name: blkdevbridge
  volumes:
    - name: block
      persistentVolumeClaim:
        claimName: block-pvc
    # This is a volume shared between the unprivileged init container and the
    # privileged main container so that we can get the block volume in.
    - name: blkdevbridge
      emptyDir:
        medium: Memory
	---

	# PVC for a block device we want to access
	kind: PersistentVolumeClaim
	apiVersion: v1
	metadata:
	name: block-pvc
	spec:
	storageClassName: local-block
	accessModes:
	- ReadWriteOnce
	volumeMode: Block
	resources:
	requests:
	storage: 10Gi

	---

	kind: Pod
	apiVersion: v1
	metadata:
	name: centos
	spec:
	initContainers:
	# This init container just makes a copy of the block device file into the
	# shared volume so that the privileged container can pick it up.
	- name: blkdevmapper
	image: centos:7
	command: ["/bin/bash", "-c"]
	args: ["cp -a /blkdev /mnt/blkdev"]
	volumeDevices:
	- name: block
	devicePath: "/blkdev"
	volumeMounts:
	- mountPath: "/mnt"
	name: blkdevbridge
	containers:
	- name: centos
	image: centos:7
	command: ["/bin/bash", "-c"]
	args: ["yum install -y lvm2 && sleep infinity"]
	args:
	# From existing gluster containers:
	# - Disable udev
	# - Disable lvmetad
	# Additional stuff:
	# - Change lv scanning to also look in /mnt (where we put the PV block device)
	# - Change device filter rules to only see devices in /mnt
	# The crazy sed line for filter is so that it only replaces the 1st occurrence
	- >-
	yum install -y lvm2 &&
	sed -i -e "s#udev_sync = 1#udev_sync = 0#" /etc/lvm/lvm.conf &&
	sed -i -e "s#udev_rules = 1#udev_rules = 0#" /etc/lvm/lvm.conf &&
	sed -i -e "s#use_lvmetad = 1#use_lvmetad = 0#" /etc/lvm/lvm.conf &&
	sed -i -e 's#scan = \[ "/dev" \]#scan = [ "/dev", "/mnt" ]#'
	/etc/lvm/lvm.conf &&
	sed -i -e '0,/# filter =./{s%# filter =.%
	filter = [ "a\|^/mnt/.\|", "r\|./\|" ]%}'
	/etc/lvm/lvm.conf &&
	sleep infinity
	securityContext:
	privileged: true
	# We would like this container to act as though the following were
	# possible:
	# volumeDevices:
	# - name: block
	# devicePath: "/mnt/blkdev"
	volumeMounts:
	- mountPath: "/mnt"
	name: blkdevbridge
	volumes:
	- name: block
	persistentVolumeClaim:
	claimName: block-pvc
	# This is a volume shared between the unprivileged init container and the
	# privileged main container so that we can get the block volume in.
	- name: blkdevbridge
	emptyDir:
	medium: Memory