mirror of
https://github.com/aljazceru/kata-containers.git
synced 2025-12-18 14:54:19 +01:00
Add support for watchable-bind storage driver.

When watchable-bind storage is present, the agent will create a watchable path in a tmpfs, and poll the watchable-bind source to keep this new mount-point up to date. This poll will allow the agent to present the mount-point to the container, allowing for inotify usage by the container workload.

If a mount becomes too large, either in file count or in overall size, we want to stop treating it as watchable, and instead just treat it as a bindmount. This'll help avoid DoS by growing tmpfs too large, as well as limiting time spent scanning files. If a watchable-bind grows beyond 8 files (arbitrary sane number for certs/secrets) or 1MB (limit on ConfigMap size), we treat it as a normal bind.

Fixes: #1879

Signed-off-by: Eric Ernst <eric_ernst@apple.com>
Signed-off-by: Maksym Pavlenko <pavlenko.maksym@gmail.com>
Signed-off-by: Samuel Ortiz <samuel.e.ortiz@protonmail.com>

agent: watcher: SandboxStorages check loop cleanup
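An added illustration of the size check the commit message describes, written for this page and not taken from kata-containers; Rust because that is the agent's language. It walks a mount source, stops scanning as soon as either the 8-file or 1 MB limit is exceeded (bounding both tmpfs growth and scan time), and reports whether the mount may still be treated as watchable. The function names, the `ScanResult` type and the decision to count only regular files (not directories or symlinks) are assumptions.

```rust
use std::fs;
use std::io;
use std::path::Path;

/// Limits from the commit message: more than 8 files or more than 1 MB
/// means the mount is too large to mirror into tmpfs and keep polling.
pub const MAX_WATCHABLE_FILES: usize = 8;
pub const MAX_WATCHABLE_BYTES: u64 = 1024 * 1024;

/// Summary of a scanned watchable-bind source (hypothetical type).
#[derive(Debug, PartialEq)]
pub struct ScanResult {
    pub files: usize,
    pub bytes: u64,
    /// true when the scan stopped early because a limit was exceeded
    pub over_limit: bool,
}

/// Walk `root`, counting regular files and their total size. Returns as
/// soon as either limit is exceeded so a large or deep mount cannot keep
/// the agent scanning indefinitely (hypothetical helper, not kata's code).
pub fn scan_watchable(root: &Path) -> io::Result<ScanResult> {
    let mut result = ScanResult { files: 0, bytes: 0, over_limit: false };
    let mut stack = vec![root.to_path_buf()];
    while let Some(dir) = stack.pop() {
        for entry in fs::read_dir(&dir)? {
            let entry = entry?;
            // symlink_metadata: never follow links out of the mount source
            let meta = entry.path().symlink_metadata()?;
            if meta.is_dir() {
                stack.push(entry.path());
            } else if meta.is_file() {
                result.files += 1;
                result.bytes += meta.len();
            }
            if result.files > MAX_WATCHABLE_FILES || result.bytes > MAX_WATCHABLE_BYTES {
                result.over_limit = true;
                return Ok(result);
            }
        }
    }
    Ok(result)
}

/// Decide whether a mount is presented as watchable (polled into tmpfs)
/// or handed through as a plain bind mount.
pub fn is_watchable(root: &Path) -> io::Result<bool> {
    Ok(!scan_watchable(root)?.over_limit)
}
```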