From d7a7244f59e02377bc11905288aac72450132035 Mon Sep 17 00:00:00 2001
From: Jiaxun Song
Date: Thu, 16 Mar 2023 03:51:23 +0000
Subject: [PATCH] fix job exit file ownership issue
---
 cmd/sidecar_mounter/main.go | 2 +-
 pkg/csi_driver/node.go | 9 +++++++--
 pkg/csi_mounter/csi_mounter.go | 5 +++++
 pkg/util/util.go | 2 +-
 4 files changed, 14 insertions(+), 4 deletions(-)
diff --git a/cmd/sidecar_mounter/main.go b/cmd/sidecar_mounter/main.go
index 014feafe5..5cfe3bbc8 100755
--- a/cmd/sidecar_mounter/main.go
+++ b/cmd/sidecar_mounter/main.go
@@ -119,7 +119,7 @@ func main() {
 ticker := time.NewTicker(5 * time.Second)
 for {
 <-ticker.C
- if _, err := os.Stat("/tmp/.volumes/exit"); err == nil {
+ if _, err := os.Stat(*volumeBasePath + "/exit"); err == nil {
 klog.Info("all the other containers exited in the Job Pod, exiting the sidecar container.")
 c <- syscall.SIGTERM
 return
diff --git a/pkg/csi_driver/node.go b/pkg/csi_driver/node.go
index 9f60a0bda..ff998aa82 100755
--- a/pkg/csi_driver/node.go
+++ b/pkg/csi_driver/node.go
@@ -165,12 +165,17 @@ func (s *nodeServer) NodePublishVolume(ctx context.Context, req *csi.NodePublish
 // Put an exit file to notify the sidecar container to exit
 if isOwnedByJob && sidecarShouldExit {
- f, err := os.Create(filepath.Dir(emptyDirBasePath) + "/exit")
+ klog.V(4).Info("all the other containers exited in the Job Pod, put the exit file.")
+ exitFilePath := filepath.Dir(emptyDirBasePath) + "/exit"
+ f, err := os.Create(exitFilePath)
 if err != nil {
 return nil, status.Errorf(codes.Internal, "failed to put the exit file: %v", err)
 }
 f.Close()
- klog.V(4).Info("all the other containers exited in the Job Pod, put the exit file.")
+ err = os.Chown(exitFilePath, webhook.NobodyUID, webhook.NobodyGID)
+ if err != nil {
+ return nil, status.Errorf(codes.Internal, "failed to change ownership on the exit file: %v", err)
+ }
 }
 // Check if there is any error from the sidecar container
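Review bot: The `os.Stat` check in main()'s ticker loop treats every error as "exit file not present", so a permission or I/O failure under `*volumeBasePath` leaves the sidecar polling indefinitely with nothing in the log. Since this commit was prompted by an ownership problem on that very file, a branch such as `else if !os.IsNotExist(err) { klog.Warningf("failed to stat the exit file: %v", err) }` would make the next such failure visible. Building the path with `filepath.Join(*volumeBasePath, "exit")` would also tolerate a trailing slash in the flag value. The loop body continues outside the hunk.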
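Review bot: `os.Create` and the new `os.Chown` in NodePublishVolume both resolve `exitFilePath` by name and follow symlinks, while the Mount hunk in pkg/csi_mounter/csi_mounter.go of this same commit hands the parent directory to `webhook.NobodyUID`. If the node driver runs with more privilege than the sidecar (not visible here, but usual for a CSI node plugin), the less-privileged owner of that directory controls what the name `exit` refers to, so the truncate and the ownership change are not guaranteed to land on the file the driver intended. Opening with `O_NOFOLLOW` and without truncation, then calling `f.Chown` on the descriptor, removes the dependency on the path and lets the currently ignored `f.Close()` error be checked; node.go would need `syscall` imported for the flag. The path-based `os.Chown` calls in the Mount hunk have the same property, where `os.Lchown` is the direct equivalent. NodePublishVolume's body starts and ends outside the hunk.

```go
exitFilePath := filepath.Join(filepath.Dir(emptyDirBasePath), "exit")
// The parent directory is owned by the sidecar UID, so refuse a symlink at the
// final path component and do not truncate whatever is already there.
f, err := os.OpenFile(exitFilePath, os.O_WRONLY|os.O_CREATE|syscall.O_NOFOLLOW, 0600)
if err != nil {
	return nil, status.Errorf(codes.Internal, "failed to put the exit file: %v", err)
}
// Chown through the descriptor so the change applies to the file just opened.
chownErr := f.Chown(webhook.NobodyUID, webhook.NobodyGID)
closeErr := f.Close()
if chownErr != nil {
	return nil, status.Errorf(codes.Internal, "failed to change ownership on the exit file: %v", chownErr)
}
if closeErr != nil {
	return nil, status.Errorf(codes.Internal, "failed to close the exit file: %v", closeErr)
}
// … unchanged: sidecar error check …
```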
diff --git a/pkg/csi_mounter/csi_mounter.go b/pkg/csi_mounter/csi_mounter.go
index b8162b9be..fb172858b 100644
--- a/pkg/csi_mounter/csi_mounter.go
+++ b/pkg/csi_mounter/csi_mounter.go
@@ -21,6 +21,7 @@ import (
 "fmt"
 "net"
 "os"
+ "path/filepath"
 "sync"
 "syscall"
 "time"
@@ -115,6 +116,10 @@ func (m *Mounter) Mount(source string, target string, fstype string, options []s
 }
 // Change the socket ownership
+ err = os.Chown(filepath.Dir(emptyDirBasePath), webhook.NobodyUID, webhook.NobodyGID)
+ if err != nil {
+ return fmt.Errorf("failed to change ownership on base of emptyDirBasePath: %v", err)
+ }
 err = os.Chown(emptyDirBasePath, webhook.NobodyUID, webhook.NobodyGID)
 if err != nil {
 return fmt.Errorf("failed to change ownership on emptyDirBasePath: %v", err)
diff --git a/pkg/util/util.go b/pkg/util/util.go
index 8707c2c05..768589ac3 100755
--- a/pkg/util/util.go
+++ b/pkg/util/util.go
@@ -136,7 +136,7 @@ func PrepareEmptyDir(targetPath string, createEmptyDir bool) (string, error) {
 emptyDirBasePath := r.ReplaceAllString(targetPath, fmt.Sprintf("kubernetes.io~empty-dir/%v/.volumes/$1", webhook.SidecarContainerVolumeName))
 if createEmptyDir {
- if err := os.MkdirAll(emptyDirBasePath, 0777); err != nil {
+ if err := os.MkdirAll(emptyDirBasePath, 0750); err != nil {
 return "", fmt.Errorf("mkdir failed for path %q: %v", emptyDirBasePath, err)
 }
 }
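Review bot: The comment `// Change the socket ownership` in Mount now sits above two directory chowns and no longer describes either of them. A replacement along the lines of `// Give the .volumes directory and the per-volume directory to the sidecar UID so it can reach the exit file and the socket` would record why the parent directory is included, assuming that is the intent behind the added call. Both error returns format with `%v`; `%w` would keep the underlying `*os.PathError` available to `errors.Is` and `errors.As`. Mount's body starts and ends outside the hunk.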
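Review bot: `os.MkdirAll` in PrepareEmptyDir applies 0750 only to directories it actually creates, so a base path that already exists with the previous 0777 keeps world-writable permissions after this change. If pods can outlive a driver upgrade, that is worth stating above the call, for example `// MkdirAll does not tighten the mode of an existing directory; paths created by older driver versions stay 0777.` Whether such directories need to be detected and reported is a decision for the caller, which is not visible here. PrepareEmptyDir's body continues outside the hunk.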