WIP: volume protection by pinning

[tobwen]

Does this PR introduce a user-facing change?

Yes.

* Added `--pinned` flag to `volume create` to create pinned volumes
* Added new `volume pin` commands to pin/unpin existing volumes
* Added `--include-pinned` flag to `volume rm` to allow removing pinned volumes
* Added pinned volume filtering support
* Added support for pinned volumes in `system prune` command
* Added HTTP API and ABI support for volume pinning
* Added runtime methods for handling pinned volumes and pruning

References

Reference #26807
Reference #23217

Actions required

• This is just the first step to demonstrate the function. Things like tunnel/remote implementation are still missing (it's just a stub).
• It needs to be discussed if we want to overload the CLI with volume unpin or rather use volume pin --unpin as supplied.

Note

Those are my first steps with the Podman code - please bear with me.

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: tobwen
Once this PR has been reviewed and has the lgtm label, please assign ygalblum for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[mheon]

Should pinned volumes require --force to remove? It feels like they ought to

[mheon]

Probably better to stick this in state, since it can be toggled on/off

[mheon]

Yeah, this won't work with v.config - that's static data, never changes. You want v.state - which is refreshed by update() and saved by save()

[tobwen]

Should pinned volumes require --force to remove? It feels like they ought to

I've thought about that before, but I figured we should treat it like the immutable flag. If this flag is set, even root can't remove a file with rm -f either. My concern here is protecting important data, and maybe root has some stupid script that sets --force to keep the script running - but then the data is gone (excluding backups for now).

[packit-as-a-service]

[NON-BLOCKING] Packit jobs failed. @containers/packit-build please check. Everyone else, feel free to ignore.

[packit-as-a-service]

[NON-BLOCKING] Packit jobs failed. @containers/packit-build please check. Everyone else, feel free to ignore.

[packit-as-a-service]

[NON-BLOCKING] Packit jobs failed. @containers/packit-build please check. Everyone else, feel free to ignore.

[packit-as-a-service]

[NON-BLOCKING] Packit jobs failed. @containers/packit-build please check. Everyone else, feel free to ignore.

[github-actions]

A friendly reminder that this PR had no activity for 30 days.

[tobwen]

So sad... all the work for nothing.

[mheon]

We generally don't review things until CI starts passing. In this case, looks like it's yelling about missing a manpage for the new commands? I can do a more thorough review early next week.

[mheon]

System reset still catches them, yes?

[tobwen]

That's a thing we should discuss... My main intention for pinning is to help inexperienced DevOps who are close to reaching capacity limits on their live systems, then execute prune or reset for some reason, and then realize that the volume containing their live database is gone and the backup is two days old.

After checking the implementation I found that Reset() was NOT respecting the pinned flag. Thanks, I fixed this.

[tobwen]

I've added an optional solution for reset: #26846 (comment)

[mheon]

Is there a good reason for this? It feels more natural to podman volume create + podman volume pin but I suppose that could be racey

[tobwen]

While podman volume create + podman volume pin would work, there's a window where the volume could be pruned between those two commands. I added a comment explaining this is to avoid race conditions when atomically creating and pinning a volume.