Merge pull request #1984 from tesshuflower/rsync-tls-symlink-munging

Rsync tls symlink munging

Author: openshift-merge-bot[bot]

Dockerfile

@@ -122,14 +122,14 @@ RUN microdnf --refresh update -y && \
         openssh         `# rsync/ssh - ssh key generation in operator` \
         openssh-clients `# rsync/ssh - ssh client` \
         openssh-server  `# rsync/ssh - ssh server` \
-        python3         `# rsync/ssh - rrsync script` \
+        python3         `# rsync/ssh - rrsync, munge-symlinks scripts` \
         stunnel         `# rsync-tls` \
         openssl         `# syncthing - server certs` \
         vim-minimal     `# for mover debug` \
         tar             `# for mover debug` \
     && microdnf --setopt=install_weak_deps=0 install -y \
         `# docs are needed so rrsync gets installed for ssh variant` \
-        rsync           `# rsync/ssh, rsync-tls - rsync, rrsync` \
+        rsync           `# rsync/ssh, rsync-tls - rsync, rrsync, munge-symlinks` \
     && microdnf clean all && \
     rm -rf /var/cache/yum
 
@@ -158,6 +158,7 @@ RUN chmod a+rx /mover-rsync/*.sh
 RUN ln -s /keys/destination /etc/ssh/ssh_host_rsa_key && \
     ln -s /keys/destination.pub /etc/ssh/ssh_host_rsa_key.pub && \
     install /usr/share/doc/rsync/support/rrsync /usr/local/bin && \
+    install /usr/share/doc/rsync/support/munge-symlinks /usr/local/bin && \
     \
     SSHD_CONFIG="/etc/ssh/sshd_config" && \
     sed -ir 's|^[#\s]*\(.*/etc/ssh/ssh_host_ecdsa_key\)$|#\1|' "$SSHD_CONFIG" && \

custom-scorecard-tests/config-downstream.yaml

@@ -155,6 +155,16 @@ stages:
     storage:
       spec:
         mountPath: {}
+  - entrypoint:
+    - volsync-custom-scorecard-tests
+    - test_rsync_tls_priv_manyfiles.yml
+    image: quay.io/backube/volsync-custom-scorecard-tests:latest
+    labels:
+      suite: volsync-e2e
+      test: test_rsync_tls_priv_manyfiles.yml
+    storage:
+      spec:
+        mountPath: {}
   - entrypoint:
     - volsync-custom-scorecard-tests
     - test_simple_rsync.yml

custom-scorecard-tests/config.yaml

@@ -155,6 +155,16 @@ stages:
     storage:
       spec:
         mountPath: {}
+  - entrypoint:
+    - volsync-custom-scorecard-tests
+    - test_rsync_tls_priv_manyfiles.yml
+    image: quay.io/backube/volsync-custom-scorecard-tests:latest
+    labels:
+      suite: volsync-e2e
+      test: test_rsync_tls_priv_manyfiles.yml
+    storage:
+      spec:
+        mountPath: {}
   - entrypoint:
     - volsync-custom-scorecard-tests
     - test_simple_rsync.yml

custom-scorecard-tests/scorecard/bases/patches/e2e-tests-stage1.yaml

@@ -141,6 +141,16 @@
     storage:
       spec:
         mountPath: {}
+  - entrypoint:
+    - volsync-custom-scorecard-tests
+    - test_rsync_tls_priv_manyfiles.yml
+    image: quay.io/backube/volsync-custom-scorecard-tests:latest
+    labels:
+      suite: volsync-e2e
+      test: test_rsync_tls_priv_manyfiles.yml
+    storage:
+      spec:
+        mountPath: {}
   - entrypoint:
     - volsync-custom-scorecard-tests
     - test_simple_rsync.yml

mover-rsync-tls/client.sh

@@ -153,11 +153,23 @@ while [[ $rc -ne 0 && $RETRY -lt $MAX_RETRIES ]]; do
         find "${SOURCE}" -mindepth 1 -maxdepth 1 -printf '/%P\n' > /tmp/filelist.txt
         if [[ -s /tmp/filelist.txt ]]; then
             # 1st run preserves as much as possible, but excludes the root directory
-            rsync -aAhHSxz -r --exclude=lost+found --itemize-changes --info=stats2,misc2 --files-from=/tmp/filelist.txt ${SOURCE}/ rsync://127.0.0.1:$STUNNEL_LISTEN_PORT/data
+            rsync -aAhHSxz -r --exclude=lost+found --itemize-changes --info=stats2,misc2 --files-from=/tmp/filelist.txt ${SOURCE}/ rsync://127.0.0.1:$STUNNEL_LISTEN_PORT/data | tee /tmp/rsync-full.log
+            rc_a=$?
+
+            if [[ $rc_a -eq 0 ]]; then
+                # Symlinks - if any symlinks were created or modified, create a control file containing the list of symlinks
+                # Symlinks in rsync --itemize-changes output are prefixed with 'cL' when sent to rsync daemon
+                grep -E '^cL' /tmp/rsync-full.log | awk -F' -> ' '{print $1}' | sed 's/^[^ ]* //' >> /tmp/symlink-munging-file
+                if [[ -s /tmp/symlink-munging-file ]]; then
+                    echo "Symlinks were created or modified, sending symlink munging file to destination..."
+                    rsync /tmp/symlink-munging-file rsync://127.0.0.1:$STUNNEL_LISTEN_PORT/control/symlink-munging-file
+                    rc_a=$?
+                fi
+            fi
         else
             echo "Skipping sync of empty source directory"
+            rc_a=0
         fi
-        rc_a=$?
 
         # To delete extra files, must sync at the directory-level, but need to avoid
         # trying to modify the directory itself. This pass will only delete files

mover-rsync-tls/server.sh

@@ -4,6 +4,7 @@ set -e -o pipefail
 
 RSYNC_PID_FILE=/tmp/rsyncd.pid
 CONTROL_FILE=/tmp/control/complete
+CONTROL_FILE_SYMLINK_MUNGING_FILE=/tmp/control/symlink-munging-file
 RSYNCD_CONF=/tmp/rsyncd.conf
 STUNNEL_CONF=/tmp/stunnel.conf
 STUNNEL_PID_FILE=/tmp/stunnel.pid
@@ -110,7 +111,7 @@ log file = $RSYNC_LOG
 max verbosity = 10
 use chroot = false
 numeric ids = true
-munge symlinks = false
+munge symlinks = true
 open noatime = true
 reverse lookup = false
 transfer logging = true
@@ -166,6 +167,7 @@ STUNNEL_CONF
     TAIL_PID="$!"
 
     rm -f "$CONTROL_FILE"
+    rm -f "$CONTROL_FILE_SYMLINK_MUNGING_FILE"
 fi
 
 if test -b $BLOCK_TARGET; then
@@ -218,6 +220,29 @@ done
 
 sleep 5  # Give time for the rsync connection to finish
 
+# Before shutting down, read the symlink munging file if it exists, and process
+if [[ -s $CONTROL_FILE_SYMLINK_MUNGING_FILE ]]; then
+    echo "Symlink munging file found, processing..."
+    #while read -r symlink; do
+    while IFS= read -r symlink; do
+        symlinkfullpath="${TARGET}/${symlink}"
+        echo "Processing symlink: ${symlinkfullpath}"
+
+        symlink_uid_gid=""
+        if [[ $PRIVILEGED_MOVER -ne 0 ]]; then
+            # If privileged mover, save uid/gid of the symlink for later
+            symlink_uid_gid=$(stat -c '%u:%g' "${symlinkfullpath}")
+        fi
+
+        munge-symlinks --unmunge "${symlinkfullpath}"
+
+        if [[ $PRIVILEGED_MOVER -ne 0 && -n "${symlink_uid_gid}" ]]; then
+            # If privileged mover, restore uid/gid of the symlink after unmunging
+            chown -h "${symlink_uid_gid}" "${symlinkfullpath}"
+        fi
+    done < "$CONTROL_FILE_SYMLINK_MUNGING_FILE"
+fi
+
 ##############################
 ## Terminate stunnel
 echo "Shutting down..."

test-e2e/roles/compare_pvc_data/templates/job.yml.j2

@@ -23,21 +23,48 @@ spec:
               id
 
               echo "Validating contents: PVC1 -> PVC2"
-              find /mnt -type f | \
-                xargs sha256sum | \
+              find /mnt -type f -print0 | \
+                xargs -0 sha256sum | \
                 sed 's| /mnt/| /mnt2/|g' | \
                 grep -v lost+found | \
                 sha256sum -c
 
               echo "Validating contents: PVC2 -> PVC1"
-              find /mnt2 -type f | \
-                xargs sha256sum | \
+              find /mnt2 -type f -print0 | \
+                xargs -0 sha256sum | \
                 sed 's| /mnt2/| /mnt/|' | \
                 grep -v lost+found | \
                 sha256sum -c
 
               echo "... all file contents matched"
 
+              echo "Validating symlinks: PVC1 -> PVC2"
+              find /mnt -type l | { grep -v lost+found || true; } | sort | while IFS= read -r f; do
+                f2=$(echo "$f" | sed 's|^/mnt/|/mnt2/|')
+                if [ ! -L "$f2" ]; then
+                  echo "MISSING SYMLINK: $f exists but $f2 does not"
+                  exit 1
+                fi
+                link1=$(readlink "$f")
+                link2=$(readlink "$f2")
+                if [ "$link1" != "$link2" ]; then
+                  echo "MISMATCH: $f -> $link1, but $f2 -> $link2"
+                  exit 1
+                fi
+                echo "OK: $f -> $link1"
+              done
+
+              echo "Validating symlinks: PVC2 -> PVC1"
+              find /mnt2 -type l | { grep -v lost+found || true; } | sort | while IFS= read -r f; do
+                f1=$(echo "$f" | sed 's|^/mnt2/|/mnt/|')
+                if [ ! -L "$f1" ]; then
+                  echo "EXTRA SYMLINK: $f exists but $f1 does not"
+                  exit 1
+                fi
+              done
+
+              echo "... all symlinks matched"
+
               echo "File attributes:"
               find /mnt -exec stat -c "{{ properties_to_verify }}" {} \; | \
                 grep -v lost+found | \
@@ -47,6 +74,9 @@ spec:
                 grep -v lost+found | \
                 sort > /tmp/attributes-mnt2
 
+{% if skip_symlink_ownership_check | default(false) %}
+              sed -i 's/\(symbolic link\) uid:[0-9]*/\1/; s/\(symbolic link.*\) gid:[0-9]*/\1/' /tmp/attributes-mnt /tmp/attributes-mnt2
+{% endif %}
               echo "Looking for differences:"
               diff /tmp/attributes-mnt /tmp/attributes-mnt2
               echo "... none found"

test-e2e/roles/gather_cluster_info/tasks/main.yml

@@ -36,12 +36,19 @@
             }
           }, recursive=True) }}
 
+- name: Save kubernetes minor version as integer
+  ansible.builtin.set_fact:
+    cluster_info: >
+      {{ cluster_info | combine({
+        'kubernetes_minor_version': cluster_info.version.server.kubernetes.minor | regex_replace("[A-Za-z+]", "") | int
+      }, recursive=True) }}
+
 # AnyVolumeDataSource feature gate enabled by default in 1.24 and above
 - name: Determine if volume populator is supported
   ansible.builtin.set_fact:
     cluster_info: >
       {{ cluster_info | combine({
-        'volumepopulator_supported': cluster_info.version.server.kubernetes.minor | regex_replace("[A-Za-z+]", "") | int >= 24
+        'volumepopulator_supported': cluster_info.kubernetes_minor_version >= 24
       }, recursive=True) }}
 
 - name: Print volumepopulator_supported

test-e2e/roles/write_to_pvc/templates/job.yml.j2

@@ -21,7 +21,7 @@ spec:
               set -x -e -o pipefail
 
               id
-              mkdir -p `dirname /mnt/{{ path }}`
+              mkdir -p "$(dirname '/mnt/{{ path }}')"
               echo '{{ data }}' > '/mnt/{{ path }}'
               stat '/mnt/{{ path }}'
 
@@ -31,6 +31,13 @@ spec:
                 counter=$((counter+1))
               done
 
+{% if symlinks is defined %}
+{% for symlink in symlinks %}
+              mkdir -p "$(dirname '/mnt/{{ symlink.path }}')"
+              ln -s '{{ symlink.target }}' '/mnt/{{ symlink.path }}'
+              stat '/mnt/{{ symlink.path }}'
+{% endfor %}
+{% endif %}
               sync
           securityContext:
             allowPrivilegeEscalation: false

test-e2e/test_rsync_tls_normal_manyfiles.yml

@@ -4,6 +4,7 @@
     - e2e
     - rsync_tls
     - manyfiles
+    - symlinks
     - unprivileged
     - volumepopulator
   tasks:
@@ -113,24 +114,54 @@
         file_count: 21000
         pvc_name: 'data-source'
 
-    - name: Write file that starts with a hash char
+    - name: Write file that has spaces in the name
       include_role:
         name: write_to_pvc
       vars:
         data: '000111'
-        path: '/#filestartswithhash'
+        path: '/file with spaces.txt'
         file_count: 1
         pvc_name: 'data-source'
 
-    - name: Write dir that starts with a hash char
+    - name: Write dir that has spaces in the name
       include_role:
         name: write_to_pvc
       vars:
         data: '222333444555'
-        path: '/#dirtartswithhash/#subfile'
+        path: '/dir with spaces/subfile wspaces.txt'
         file_count: 1
         pvc_name: 'data-source'
 
+    - name: Write file that starts with a hash char
+      include_role:
+        name: write_to_pvc
+      vars:
+        data: '000111'
+        path: '/#filestartswithhash'
+        file_count: 1
+        pvc_name: 'data-source'
+
+    - name: Write symlinks
+      include_role:
+        name: write_to_pvc
+      vars:
+        data: '000111'
+        path: '/mysymlinktargetfile.txt'
+        pvc_name: 'data-source'
+        symlinks:
+          # Relative symlinks
+          - path: '/link-relative'
+            target: 'mysymlinktargetfile.txt'
+          - path: '/subdir/link-relative-parent'
+            target: '../mysymlinktargetfile.txt'
+          # Absolute symlinks that point outside of the PVC
+          - path: '/link-absolute'
+            target: '/opt/test/somefile.txt'
+          - path: '/subdir/symlink-absolute-parent/another-symlink'
+            target: '/tmp/testing/another-symlink-target'
+          - path: '/dir with spaces/another simlink with spaces'
+            target: '/tmp/testing/another symlink target with spaces'
+
     - name: Wait for key and address to be ready
       kubernetes.core.k8s_info:
         api_version: volsync.backube/v1alpha1
@@ -268,3 +299,6 @@
         pvc1_name: data-source
         pvc2_name: data-dest
         timeout: 900
+        # Skip comparing uids/gids on symlinks for older k8s versions - old host-path driver (<1.17.1) had an issue with
+        # restoring symlinks in a snapshot, which meant symlinks were created with uid/gid of 0
+        skip_symlink_ownership_check: "{{ cluster_info.kubernetes_minor_version < 24 }}"