CSI: prevent stage_publish_base_dir from being subdir of mount_dir (#19441)

2026-01-01 16:05:42 +03:00 · 2023-12-13 11:31:40 -08:00
parent 7e43317e37
commit 9b2e8ae20f
4 changed files with 20 additions and 1 deletions
--- a/.changelog/19441.txt
+++ b/.changelog/19441.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+csi: Added validation to `csi_plugin` blocks to prevent `stage_publish_base_dir` from being a subdirectory of `mount_dir`
+```
--- a/nomad/structs/structs.go
+++ b/nomad/structs/structs.go
@@ -7942,6 +7942,11 @@ func (t *Task) Validate(jobType string, tg *TaskGroup) error {
 			mErr.Errors = append(mErr.Errors, fmt.Errorf("CSIPluginConfig PluginType must be one of 'node', 'controller', or 'monolith', got: \"%s\"", t.CSIPluginConfig.Type))
 		}

+		if t.CSIPluginConfig.StagePublishBaseDir != "" && t.CSIPluginConfig.MountDir != "" &&
+			strings.HasPrefix(t.CSIPluginConfig.StagePublishBaseDir, t.CSIPluginConfig.MountDir) {
+			mErr.Errors = append(mErr.Errors, fmt.Errorf("CSIPluginConfig StagePublishBaseDir must not be a subdirectory of MountDir, got: StagePublishBaseDir=\"%s\" MountDir=\"%s\"", t.CSIPluginConfig.StagePublishBaseDir, t.CSIPluginConfig.MountDir))
+		}
+
 		// TODO: Investigate validation of the PluginMountDir. Not much we can do apart from check IsAbs until after we understand its execution environment though :(
 	}

--- a/nomad/structs/structs_test.go
+++ b/nomad/structs/structs_test.go
@@ -2949,6 +2949,16 @@ func TestTask_Validate_CSIPluginConfig(t *testing.T) {
 			},
 			expectedErr: "CSIPluginConfig PluginType must be one of 'node', 'controller', or 'monolith', got: \"nonsense\"",
 		},
+		{
+			name: "requires staging publish base dir to not be a subdir of mountdir",
+			pc: &TaskCSIPluginConfig{
+				ID:                  "com.hashicorp.csi",
+				Type:                "monolith",
+				MountDir:            "/csi",
+				StagePublishBaseDir: "/csi/local",
+			},
+			expectedErr: "CSIPluginConfig StagePublishBaseDir must not be a subdirectory of MountDir, got: StagePublishBaseDir=\"/csi/local\" MountDir=\"/csi\"",
+		},
 	}

 	for _, tt := range table {
--- a/website/content/docs/job-specification/csi_plugin.mdx
+++ b/website/content/docs/job-specification/csi_plugin.mdx
@@ -49,7 +49,8 @@ csi_plugin {
 - `stage_publish_base_dir` `(string: <optional>)` - The base directory
  path inside the container where the plugin will be instructed to
  stage and publish volumes. This field is typically not required.
-  Refer to your CSI plugin's documentation for details.
+  Refer to your CSI plugin's documentation for details. This can not
+  be a subdirectory of `mount_dir`.

 - `health_timeout` `(duration: <optional>)` - The duration that
  the plugin supervisor will wait before restarting an unhealthy