$ kubectl get pods
NAME READY STATUS RESTARTS AGE
pod-with-secret 0/1 Completed 0 11s
$ systemctl list-units --type=scope | grep 'Kubernetes transient mount for'
run-rf2ba6bb83e014123818fedcdde24ef63.scope loaded active running Kubernetes transient mount for /var/snap/microk8s/common/var/lib/kubelet/pods/62cea6e6-bb30-4a48-a61b-0242d10f0546/volumes/kubernetes.io~secret/secret
$ kubectl delete pods pod-with-secret
pod "pod-with-secret" deleted
Test #2: leaked zero units.
$ kubectl create -f pod-with-secret.yaml
pod/pod-with-secret created
$ kubectl get pods
NAME READY STATUS RESTARTS AGE
pod-with-secret 0/1 Completed 0 5s
$ systemctl list-units --type=scope | grep 'Kubernetes transient mount for'
run-rf2ba6bb83e014123818fedcdde24ef63.scope loaded active running Kubernetes transient mount for /var/snap/microk8s/common/var/lib/kubelet/pods/62cea6e6-bb30-4a48-a61b-0242d10f0546/volumes/kubernetes.io~secret/secret
$ kubectl delete pods pod-with-secret
pod "pod-with-secret" deleted
Test #3: leaked one more unit.
$ kubectl create -f pod-with-secret.yaml
pod/pod-with-secret created
$ kubectl get pods
NAME READY STATUS RESTARTS AGE
pod-with-secret 0/1 Completed 0 4s
$ systemctl list-units --type=scope | grep 'Kubernetes transient mount for'
run-r181f6242dd644256be6f8405eab60ed7.scope loaded active running Kubernetes transient mount for /var/snap/microk8s/common/var/lib/kubelet/pods/a35aee3e-cc0a-443c-a33d-556b94730e1e/volumes/kubernetes.io~secret/secret
run-rf2ba6bb83e014123818fedcdde24ef63.scope loaded active running Kubernetes transient mount for /var/snap/microk8s/common/var/lib/kubelet/pods/62cea6e6-bb30-4a48-a61b-0242d10f0546/volumes/kubernetes.io~secret/secret
Verification done with fix for bug 1846787 on xenial-proposed (systemd 229-4ubuntu21.23).
With the new systemd packages there are no leaked scope units for transient mounts.
cheers,
Mauricio
Setup
---
$ sudo snap install --beta --classic multipass
$ multipass launch --cpus 16 --mem 8G --disk 8G --name lp1847512 xenial
$ multipass shell lp1847512
$ sudo apt update && sudo apt -y upgrade && sudo apt -y install linux-generic-hwe-16.04 && sudo reboot
$ multipass shell lp1847512
$ lsb_release -cs
xenial
$ uname -rv
4.15.0-72-generic #81~16.04.1-Ubuntu SMP Tue Nov 26 16:34:21 UTC 2019
$ sudo snap install microk8s --channel=1.16/stable --classic
$ sudo snap alias microk8s.kubectl kubectl
$ sudo usermod -a -G microk8s $USER
$ newgrp microk8s
$ kubectl create secret generic secret-for-pod --from-literal=key=value
$ cat <<EOF > pod-with-secret.yaml
apiVersion: v1
kind: Pod
metadata:
name: pod-with-secret
spec:
containers:
- name: container
image: debian:stretch
args: ["/bin/true"]
volumeMounts:
- name: secret
mountPath: /secret
volumes:
- name: secret
secret:
secretName: secret-for-pod
restartPolicy: Never
EOF
xenial-updates: there are leaked scope units over time. (bad)
---
$ multipass shell lp1847512
$ dpkg -s systemd | grep ^Version:
Version: 229-4ubuntu21.22
No scope units at the beginning:
$ systemctl list-units --type=scope | grep 'Kubernetes transient mount for'
$
Test #1: leaked one unit.
$ kubectl create -f pod-with-secret.yaml
$ kubectl get pods
NAME READY STATUS RESTARTS AGE
pod-with-secret 0/1 Completed 0 11s
$ systemctl list-units --type=scope | grep 'Kubernetes transient mount for'
run-rf2ba6bb83e014123818fedcdde24ef63.scope loaded active running Kubernetes transient mount for /var/snap/microk8s/common/var/lib/kubelet/pods/62cea6e6-bb30-4a48-a61b-0242d10f0546/volumes/kubernetes.io~secret/secret
$ kubectl delete pods pod-with-secret
pod "pod-with-secret" deleted
Test #2: leaked zero units.
$ kubectl create -f pod-with-secret.yaml
pod/pod-with-secret created
$ kubectl get pods
NAME READY STATUS RESTARTS AGE
pod-with-secret 0/1 Completed 0 5s
$ systemctl list-units --type=scope | grep 'Kubernetes transient mount for'
run-rf2ba6bb83e014123818fedcdde24ef63.scope loaded active running Kubernetes transient mount for /var/snap/microk8s/common/var/lib/kubelet/pods/62cea6e6-bb30-4a48-a61b-0242d10f0546/volumes/kubernetes.io~secret/secret
$ kubectl delete pods pod-with-secret
pod "pod-with-secret" deleted
Test #3: leaked one more unit.
$ kubectl create -f pod-with-secret.yaml
pod/pod-with-secret created
$ kubectl get pods
NAME READY STATUS RESTARTS AGE
pod-with-secret 0/1 Completed 0 4s
$ systemctl list-units --type=scope | grep 'Kubernetes transient mount for'
run-r181f6242dd644256be6f8405eab60ed7.scope loaded active running Kubernetes transient mount for /var/snap/microk8s/common/var/lib/kubelet/pods/a35aee3e-cc0a-443c-a33d-556b94730e1e/volumes/kubernetes.io~secret/secret
run-rf2ba6bb83e014123818fedcdde24ef63.scope loaded active running Kubernetes transient mount for /var/snap/microk8s/common/var/lib/kubelet/pods/62cea6e6-bb30-4a48-a61b-0242d10f0546/volumes/kubernetes.io~secret/secret
$ kubectl delete pods pod-with-secret
Clean up the leaked units.
$ sudo systemctl stop run-r181f6242dd644256be6f8405eab60ed7.scope run-rf2ba6bb83e014123818fedcdde24ef63.scope
$ systemctl list-units --type=scope | grep 'Kubernetes transient mount for'
$
xenial-proposed: there are NO leaked scope units over time. (good)
---
$ echo 'deb http://archive.ubuntu.com/ubuntu xenial-proposed main' | sudo tee /etc/apt/sources.list.d/xenial-proposed.list
$ sudo apt update
$ sudo apt -y install systemd
$ sudo systemctl daemon-reexec
$ dpkg -s systemd | grep ^Version:
Version: 229-4ubuntu21.23
No scope units at the beginning:
$ systemctl list-units --type=scope | grep 'Kubernetes transient mount for'
$
Test #1: no leaked units.
$ kubectl create -f pod-with-secret.yaml
pod/pod-with-secret created
$ kubectl get pods
NAME READY STATUS RESTARTS AGE
pod-with-secret 0/1 Completed 0 4s
$ systemctl list-units --type=scope | grep 'Kubernetes transient mount for'
$
$ kubectl delete pods pod-with-secret
pod "pod-with-secret" deleted
Test #2: no leaked units.
$ kubectl create -f pod-with-secret.yaml
pod/pod-with-secret created
$ kubectl get pods
NAME READY STATUS RESTARTS AGE
pod-with-secret 0/1 Completed 0 7s
$ systemctl list-units --type=scope | grep 'Kubernetes transient mount for'
$
$ kubectl delete pods pod-with-secret
pod "pod-with-secret" deleted
Test #3: no leaked units.
$ kubectl create -f pod-with-secret.yaml
pod/pod-with-secret created
$ kubectl get pods
NAME READY STATUS RESTARTS AGE
pod-with-secret 0/1 Completed 0 4s
$ systemctl list-units --type=scope | grep 'Kubernetes transient mount for'
$
$ kubectl delete pods pod-with-secret
pod "pod-with-secret" deleted
Test #4: no leaked units.
$ kubectl create -f pod-with-secret.yaml
pod/pod-with-secret created
$ kubectl get pods
NAME READY STATUS RESTARTS AGE
pod-with-secret 0/1 Completed 0 3s
$ systemctl list-units --type=scope | grep 'Kubernetes transient mount for'
$