Verification done with fix for bug 1846787 on xenial-proposed (systemd 229-4ubuntu21.23).

With the new systemd packages there are no leaked scope units for transient mounts.

cheers,
Mauricio

Setup
---

$ sudo snap install --beta --classic multipass
$ multipass launch --cpus 16 --mem 8G --disk 8G --name lp1847512 xenial
$ multipass shell lp1847512

$ sudo apt update && sudo apt -y upgrade && sudo apt -y install linux-generic-hwe-16.04 && sudo reboot

$ multipass shell lp1847512

$ lsb_release -cs
xenial

$ uname -rv
4.15.0-72-generic #81~16.04.1-Ubuntu SMP Tue Nov 26 16:34:21 UTC 2019

$ sudo snap install microk8s --channel=1.16/stable --classic
$ sudo snap alias microk8s.kubectl kubectl

$ sudo usermod -a -G microk8s $USER
$ newgrp microk8s

$ kubectl create secret generic secret-for-pod --from-literal=key=value

$ cat <<EOF > pod-with-secret.yaml
apiVersion: v1
kind: Pod
metadata:
  name: pod-with-secret
spec:
  containers:
  - name: container
    image: debian:stretch
    args: ["/bin/true"]
    volumeMounts:
    - name: secret
      mountPath: /secret
  volumes:
  - name: secret
    secret:
      secretName: secret-for-pod
  restartPolicy: Never
EOF

xenial-updates: there are leaked scope units over time. (bad)
---

$ multipass shell lp1847512

$ dpkg -s systemd | grep ^Version:
Version: 229-4ubuntu21.22

No scope units at the beginning:

$ systemctl list-units --type=scope | grep 'Kubernetes transient mount for'
$

Test #1: leaked one unit.

$ kubectl create -f pod-with-secret.yaml

$ kubectl get pods
NAME              READY   STATUS      RESTARTS   AGE
pod-with-secret   0/1     Completed   0          11s

$ systemctl list-units --type=scope | grep 'Kubernetes transient mount for'
run-rf2ba6bb83e014123818fedcdde24ef63.scope loaded active running Kubernetes transient mount for /var/snap/microk8s/common/var/lib/kubelet/pods/62cea6e6-bb30-4a48-a61b-0242d10f0546/volumes/kubernetes.io~secret/secret

$ kubectl delete pods pod-with-secret
pod "pod-with-secret" deleted

Test #2: leaked zero units (only the unit leaked in test #1 is still listed).

$ kubectl create -f pod-with-secret.yaml
pod/pod-with-secret created

$ kubectl get pods
NAME              READY   STATUS      RESTARTS   AGE
pod-with-secret   0/1     Completed   0          5s

$ systemctl list-units --type=scope | grep 'Kubernetes transient mount for'
run-rf2ba6bb83e014123818fedcdde24ef63.scope loaded active running Kubernetes transient mount for /var/snap/microk8s/common/var/lib/kubelet/pods/62cea6e6-bb30-4a48-a61b-0242d10f0546/volumes/kubernetes.io~secret/secret

$ kubectl delete pods pod-with-secret
pod "pod-with-secret" deleted

Test #3: leaked one more unit.

$ kubectl create -f pod-with-secret.yaml
pod/pod-with-secret created

$ kubectl get pods
NAME              READY   STATUS      RESTARTS   AGE
pod-with-secret   0/1     Completed   0          4s

$ systemctl list-units --type=scope | grep 'Kubernetes transient mount for'
run-r181f6242dd644256be6f8405eab60ed7.scope loaded active running Kubernetes transient mount for /var/snap/microk8s/common/var/lib/kubelet/pods/a35aee3e-cc0a-443c-a33d-556b94730e1e/volumes/kubernetes.io~secret/secret
run-rf2ba6bb83e014123818fedcdde24ef63.scope loaded active running Kubernetes transient mount for /var/snap/microk8s/common/var/lib/kubelet/pods/62cea6e6-bb30-4a48-a61b-0242d10f0546/volumes/kubernetes.io~secret/secret

$ kubectl delete pods pod-with-secret

Clean up the leaked units.

$ sudo systemctl stop run-r181f6242dd644256be6f8405eab60ed7.scope run-rf2ba6bb83e014123818fedcdde24ef63.scope

$ systemctl list-units --type=scope | grep 'Kubernetes transient mount for'
$

xenial-proposed: there are NO leaked scope units over time. (good)
---

$ echo 'deb http://archive.ubuntu.com/ubuntu xenial-proposed main' | sudo tee /etc/apt/sources.list.d/xenial-proposed.list
$ sudo apt update
$ sudo apt -y install systemd

$ sudo systemctl daemon-reexec

$ dpkg -s systemd | grep ^Version:
Version: 229-4ubuntu21.23

No scope units at the beginning:

$ systemctl list-units --type=scope | grep 'Kubernetes transient mount for'
$

Test #1: no leaked units.

$ kubectl create -f pod-with-secret.yaml
pod/pod-with-secret created

$ kubectl get pods
NAME              READY   STATUS      RESTARTS   AGE
pod-with-secret   0/1     Completed   0          4s

$ systemctl list-units --type=scope | grep 'Kubernetes transient mount for'
$

$ kubectl delete pods pod-with-secret
pod "pod-with-secret" deleted

Test #2: no leaked units.

$ kubectl create -f pod-with-secret.yaml
pod/pod-with-secret created

$ kubectl get pods
NAME              READY   STATUS      RESTARTS   AGE
pod-with-secret   0/1     Completed   0          7s

$ systemctl list-units --type=scope | grep 'Kubernetes transient mount for'
$

$ kubectl delete pods pod-with-secret
pod "pod-with-secret" deleted

Test #3: no leaked units.

$ kubectl create -f pod-with-secret.yaml
pod/pod-with-secret created

$ kubectl get pods
NAME              READY   STATUS      RESTARTS   AGE
pod-with-secret   0/1     Completed   0          4s

$ systemctl list-units --type=scope | grep 'Kubernetes transient mount for'
$

$ kubectl delete pods pod-with-secret
pod "pod-with-secret" deleted

Test #4: no leaked units.

$ kubectl create -f pod-with-secret.yaml
pod/pod-with-secret created

$ kubectl get pods
NAME              READY   STATUS      RESTARTS   AGE
pod-with-secret   0/1     Completed   0          3s

$ systemctl list-units --type=scope | grep 'Kubernetes transient mount for'
$