@@ -1,6 +1,7 @@

 package api

 import (

+	"k8s.io/kubernetes/pkg/api/resource"

 	"k8s.io/kubernetes/pkg/api/unversioned"

 	"k8s.io/kubernetes/pkg/runtime"

 	"k8s.io/kubernetes/pkg/util/sets"

@@ -116,6 +117,23 @@ type NodeConfig struct {

 	// IPTablesSyncPeriod is how often iptable rules are refreshed

 	IPTablesSyncPeriod string

+

+	// VolumeConfig contains options for configuring volumes on the node.

+	VolumeConfig VolumeConfig

+}

+

+// VolumeConfig contains options for configuring volumes on the node.

+type VolumeConfig struct {

+	// LocalQuota contains options for controlling local volume quota on the node.

+	LocalQuota LocalQuota

+}

+

+// LocalQuota contains options for controlling local volume quota on the node.

+type LocalQuota struct {

+	// PerFSGroup can be specified to enable a quota on local storage use per unique FSGroup ID.

+	// At present this is only implemented for emptyDir volumes, and if the underlying

+	// volumeDirectory is on an XFS filesystem.

+	PerFSGroup *resource.Quantity

 }

 // NodeNetworkConfig provides network options for the node

@@ -1,6 +1,7 @@

 package v1

 import (

+	"k8s.io/kubernetes/pkg/api"

 	"k8s.io/kubernetes/pkg/conversion"

 	"k8s.io/kubernetes/pkg/runtime"

 	"k8s.io/kubernetes/pkg/runtime/serializer"

@@ -306,6 +307,7 @@ func addConversionFuncs(scheme *runtime.Scheme) {

 			out.Location = in.Location

 			return nil

 		},

+		api.Convert_resource_Quantity_To_resource_Quantity,

 	)

 	if err != nil {

 		// If one of the conversion functions is malformed, detect it immediately.

@@ -362,6 +362,15 @@ func (LDAPSyncConfig) SwaggerDoc() map[string]string {

 	return map_LDAPSyncConfig

 }

+var map_LocalQuota = map[string]string{

+	"":           "LocalQuota contains options for controlling local volume quota on the node.",

+	"perFSGroup": "FSGroup can be specified to enable a quota on local storage use per unique FSGroup ID. At present this is only implemented for emptyDir volumes, and if the underlying volumeDirectory is on an XFS filesystem.",

+}

+

+func (LocalQuota) SwaggerDoc() map[string]string {

+	return map_LocalQuota

+}

+

 var map_MasterClients = map[string]string{

 	"": "MasterClients holds references to `.kubeconfig` files that qualify master clients for OpenShift and Kubernetes",

 	"openshiftLoopbackKubeConfig":  "OpenShiftLoopbackKubeConfig is a .kubeconfig filename for system components to loopback to this master",

@@ -457,6 +466,7 @@ var map_NodeConfig = map[string]string{

 	"kubeletArguments":    "KubeletArguments are key value pairs that will be passed directly to the Kubelet that match the Kubelet's command line arguments.  These are not migrated or validated, so if you use them they may become invalid. These values override other settings in NodeConfig which may cause invalid configurations.",

 	"proxyArguments":      "ProxyArguments are key value pairs that will be passed directly to the Proxy that match the Proxy's command line arguments.  These are not migrated or validated, so if you use them they may become invalid. These values override other settings in NodeConfig which may cause invalid configurations.",

 	"iptablesSyncPeriod":  "IPTablesSyncPeriod is how often iptable rules are refreshed",

+	"volumeConfig":        "VolumeConfig contains options for configuring volumes on the node.",

 }

 func (NodeConfig) SwaggerDoc() map[string]string {

@@ -750,3 +760,12 @@ var map_UserAgentMatchingConfig = map[string]string{

 func (UserAgentMatchingConfig) SwaggerDoc() map[string]string {

 	return map_UserAgentMatchingConfig

 }

+

+var map_VolumeConfig = map[string]string{

+	"":           "VolumeConfig contains options for configuring volumes on the node.",

+	"localQuota": "LocalQuota contains options for controlling local volume quota on the node.",

+}

+

+func (VolumeConfig) SwaggerDoc() map[string]string {

+	return map_VolumeConfig

+}

@@ -1,6 +1,7 @@

 package v1

 import (

+	"k8s.io/kubernetes/pkg/api/resource"

 	"k8s.io/kubernetes/pkg/api/unversioned"

 	"k8s.io/kubernetes/pkg/runtime"

 )

@@ -68,6 +69,23 @@ type NodeConfig struct {

 	// IPTablesSyncPeriod is how often iptable rules are refreshed

 	IPTablesSyncPeriod string `json:"iptablesSyncPeriod"`

+

+	// VolumeConfig contains options for configuring volumes on the node.

+	VolumeConfig VolumeConfig `json:"volumeConfig"`

+}

+

+// VolumeConfig contains options for configuring volumes on the node.

+type VolumeConfig struct {

+	// LocalQuota contains options for controlling local volume quota on the node.

+	LocalQuota LocalQuota `json:"localQuota"`

+}

+

+// LocalQuota contains options for controlling local volume quota on the node.

+type LocalQuota struct {

+	// FSGroup can be specified to enable a quota on local storage use per unique FSGroup ID.

+	// At present this is only implemented for emptyDir volumes, and if the underlying

+	// volumeDirectory is on an XFS filesystem.

+	PerFSGroup *resource.Quantity `json:"perFSGroup"`

 }

 // NodeAuthConfig holds authn/authz configuration options

@@ -4,6 +4,7 @@ import (

 	"testing"

 	"github.com/ghodss/yaml"

+	"speter.net/go/exp/math/dec/inf"

 	"k8s.io/kubernetes/pkg/api/unversioned"

 	"k8s.io/kubernetes/pkg/runtime"

@@ -11,6 +12,7 @@ import (

 	"k8s.io/kubernetes/pkg/util"

 	internal "github.com/openshift/origin/pkg/cmd/server/api"

+	"github.com/openshift/origin/pkg/cmd/server/api/latest"

 	"github.com/openshift/origin/pkg/cmd/server/api/v1"

 	// install all APIs

@@ -55,6 +57,9 @@ servingInfo:

   clientCA: ""

   keyFile: ""

   namedCertificates: null

+volumeConfig:

+  localQuota:

+    perFSGroup: null

 volumeDirectory: ""

 `

@@ -455,7 +460,7 @@ servingInfo:

 `

 )

-func TestNodeConfig(t *testing.T) {

+func TestSerializeNodeConfig(t *testing.T) {

 	config := &internal.NodeConfig{

 		PodManifestConfig: &internal.PodManifestConfig{},

 	}

@@ -468,6 +473,135 @@ func TestNodeConfig(t *testing.T) {

 	}

 }

+func TestReadNodeConfigLocalVolumeDirQuota(t *testing.T) {

+

+	tests := map[string]struct {

+		config   string

+		expected string

+	}{

+		"null quota": {

+			config: `

+apiVersion: v1

+volumeConfig:

+  localQuota:

+    perFSGroup: null

+`,

+			expected: "",

+		},

+		"missing quota": {

+			config: `

+apiVersion: v1

+volumeConfig:

+  localQuota:

+`,

+			expected: "",

+		},

+		"missing localQuota": {

+			config: `

+apiVersion: v1

+volumeConfig:

+`,

+			expected: "",

+		},

+		"missing volumeConfig": {

+			config: `

+apiVersion: v1

+`,

+			expected: "",

+		},

+		"no unit (bytes) quota": {

+			config: `

+apiVersion: v1

+volumeConfig:

+  localQuota:

+    perFSGroup: 200000

+`,

+			expected: "200000",

+		},

+		"Kb quota": {

+			config: `

+apiVersion: v1

+volumeConfig:

+  localQuota:

+    perFSGroup: 200Ki

+`,

+			expected: "204800",

+		},

+		"Mb quota": {

+			config: `

+apiVersion: v1

+volumeConfig:

+  localQuota:

+    perFSGroup: 512Mi

+`,

+			expected: "536870912",

+		},

+		"Gb quota": {

+			config: `

+apiVersion: v1

+volumeConfig:

+  localQuota:

+    perFSGroup: 2Gi

+`,

+			expected: "2147483648",

+		},

+		"Tb quota": {

+			config: `

+apiVersion: v1

+volumeConfig:

+  localQuota:

+    perFSGroup: 2Ti

+`,

+			expected: "2199023255552",

+		},

+		// This is invalid config, would be caught by validation but just

+		// testing it parses ok:

+		"negative quota": {

+			config: `

+apiVersion: v1

+volumeConfig:

+  localQuota:

+    perFSGroup: -512Mi

+`,

+			expected: "-536870912",

+		},

+		"zero quota": {

+			config: `

+apiVersion: v1

+volumeConfig:

+  localQuota:

+    perFSGroup: 0

+`,

+			expected: "0",

+		},

+	}

+

+	for name, test := range tests {

+		t.Logf("Running test: %s", name)

+		nodeConfig := &internal.NodeConfig{}

+		if err := latest.ReadYAMLInto([]byte(test.config), nodeConfig); err != nil {

+			t.Errorf("Error reading yaml: %s", err.Error())

+		}

+		if test.expected == "" && nodeConfig.VolumeConfig.LocalQuota.PerFSGroup != nil {

+			t.Errorf("Expected empty quota but got: %s", *nodeConfig.VolumeConfig.LocalQuota.PerFSGroup)

+		}

+		if test.expected != "" {

+			if nodeConfig.VolumeConfig.LocalQuota.PerFSGroup == nil {

+				t.Errorf("Expected quota: %s, got: nil", test.expected)

+			} else {

+				amount := nodeConfig.VolumeConfig.LocalQuota.PerFSGroup.Amount

+				t.Logf("%s", amount.String())

+				rounded := new(inf.Dec)

+				rounded.Round(amount, 0, inf.RoundUp)

+				t.Logf("%s", rounded.String())

+				if test.expected != rounded.String() {

+					t.Errorf("Expected quota: %s, got: %s", test.expected, rounded.String())

+				}

+			}

+		}

+	}

+}

+

 type AdmissionPluginTestConfig struct {

 	unversioned.TypeMeta

 	Data string `json:"data"`

@@ -50,6 +50,8 @@ func ValidateNodeConfig(config *api.NodeConfig, fldPath *field.Path) ValidationR

 		validationResults.AddErrors(field.Invalid(fldPath.Child("iptablesSyncPeriod"), config.IPTablesSyncPeriod, fmt.Sprintf("unable to parse iptablesSyncPeriod: %v. Examples with correct format: '5s', '1m', '2h22m'", err)))

 	}

+	validationResults.AddErrors(ValidateVolumeConfig(config.VolumeConfig, fldPath.Child("volumeConfig"))...)

+

 	return validationResults

 }

@@ -113,3 +115,13 @@ func ValidateDockerConfig(config api.DockerConfig, fldPath *field.Path) field.Er

 func ValidateKubeletExtendedArguments(config api.ExtendedArguments, fldPath *field.Path) field.ErrorList {

 	return ValidateExtendedArguments(config, kubeletoptions.NewKubeletServer().AddFlags, fldPath)

 }

+

+func ValidateVolumeConfig(config api.VolumeConfig, fldPath *field.Path) field.ErrorList {

+	allErrs := field.ErrorList{}

+

+	if config.LocalQuota.PerFSGroup != nil && config.LocalQuota.PerFSGroup.Value() < 0 {

+		allErrs = append(allErrs, field.Invalid(fldPath.Child("localQuota", "perFSGroup"), config.LocalQuota.PerFSGroup,

+			"must be a positive integer"))

+	}

+	return allErrs

+}

@@ -3,6 +3,7 @@ package validation

 import (

 	"testing"

+	"k8s.io/kubernetes/pkg/api/resource"

 	"k8s.io/kubernetes/pkg/util/validation/field"

 	configapi "github.com/openshift/origin/pkg/cmd/server/api"

@@ -61,3 +62,30 @@ func TestFailingKubeletArgs(t *testing.T) {

 		t.Errorf("expected %v, got %v", e, a)

 	}

 }

+

+func TestInvalidProjectEmptyDirQuota(t *testing.T) {

+	negQuota := resource.MustParse("-1000Mi")

+	nodeCfg := configapi.NodeConfig{

+		VolumeConfig: configapi.VolumeConfig{

+			LocalQuota: configapi.LocalQuota{

+				PerFSGroup: &negQuota,

+			},

+		},

+	}

+	errs := ValidateNodeConfig(&nodeCfg, nil)

+	// This will result in several errors, one of them should be related to the

+	// project empty dir quota:

+	var emptyDirQuotaError *field.Error

+	for _, err := range errs.Errors {

+		t.Logf("Found error: %s", err.Field)

+		if err.Field == "volumeConfig.localQuota.perFSGroup" {

+			emptyDirQuotaError = err

+		}

+	}

+	if emptyDirQuotaError == nil {

+		t.Fatalf("expected volumeConfig.localQuota.perFSGroup error but got none")

+	}

+	if emptyDirQuotaError.Type != field.ErrorTypeInvalid {

+		t.Errorf("unexpected error for negative volumeConfig.localQuota.perFSGroup: %s", emptyDirQuotaError.Detail)

+	}

+}

@@ -2,6 +2,7 @@ package kubernetes

 import (

 	"crypto/tls"

+	"errors"

 	"fmt"

 	"net"

 	"strconv"

@@ -20,8 +21,9 @@ import (

 	kubeletserver "k8s.io/kubernetes/pkg/kubelet/server"

 	kubelettypes "k8s.io/kubernetes/pkg/kubelet/types"

 	"k8s.io/kubernetes/pkg/util"

-	"k8s.io/kubernetes/pkg/util/errors"

+	kerrors "k8s.io/kubernetes/pkg/util/errors"

 	"k8s.io/kubernetes/pkg/util/oom"

+	"k8s.io/kubernetes/pkg/volume"

 	osdnapi "github.com/openshift/openshift-sdn/plugins/osdn/api"

 	"github.com/openshift/openshift-sdn/plugins/osdn/factory"

@@ -31,6 +33,7 @@ import (

 	"github.com/openshift/origin/pkg/cmd/util/clientcmd"

 	cmdflags "github.com/openshift/origin/pkg/cmd/util/flags"

 	"github.com/openshift/origin/pkg/cmd/util/variable"

+	"github.com/openshift/origin/pkg/volume/empty_dir"

 	"k8s.io/kubernetes/pkg/client/clientset_generated/internalclientset"

 )

@@ -156,7 +159,7 @@ func BuildKubernetesNodeConfig(options configapi.NodeConfig) (*NodeConfig, error

 	// TODO: this should be done in config validation (along with the above) so we can provide

 	// proper errors

 	if err := cmdflags.Resolve(options.KubeletArguments, server.AddFlags); len(err) > 0 {

-		return nil, errors.NewAggregate(err)

+		return nil, kerrors.NewAggregate(err)

 	}

 	proxyconfig, err := buildKubeProxyConfig(options)

@@ -169,6 +172,49 @@ func BuildKubernetesNodeConfig(options configapi.NodeConfig) (*NodeConfig, error

 		return nil, err

 	}

+	// Replace the standard k8s emptyDir volume plugin with a wrapper version

+	// which offers XFS quota functionality, but only if the node config

+	// specifies an empty dir quota to apply to projects:

+	if options.VolumeConfig.LocalQuota.PerFSGroup != nil {

+		glog.V(2).Info("Replacing empty-dir volume plugin with quota wrapper")

+		wrappedEmptyDirPlugin := false

+

+		quotaApplicator, err := empty_dir.NewQuotaApplicator(options.VolumeDirectory)

+		if err != nil {

+			return nil, err

+		}

+

+		// Create a volume spec with emptyDir we can use to search for the

+		// emptyDir plugin with CanSupport:

+		emptyDirSpec := &volume.Spec{

+			Volume: &kapi.Volume{

+				VolumeSource: kapi.VolumeSource{

+					EmptyDir: &kapi.EmptyDirVolumeSource{},

+				},

+			},

+		}

+

+		for idx, plugin := range cfg.VolumePlugins {

+			// Can't really do type checking or use a constant here as they are not exported:

+			if plugin.CanSupport(emptyDirSpec) {

+				wrapper := empty_dir.EmptyDirQuotaPlugin{

+					Wrapped:         plugin,

+					Quota:           *options.VolumeConfig.LocalQuota.PerFSGroup,

+					QuotaApplicator: quotaApplicator,

+				}

+				cfg.VolumePlugins[idx] = &wrapper

+				wrappedEmptyDirPlugin = true

+			}

+		}

+		// Because we can't look for the k8s emptyDir plugin by any means that would

+		// survive a refactor, error out if we couldn't find it:

+		if !wrappedEmptyDirPlugin {

+			return nil, errors.New("unable to wrap emptyDir volume plugin for quota support")

+		}

+	} else {

+		glog.V(2).Info("Skipping replacement of empty-dir volume plugin with quota wrapper, no local fsGroup quota specified")

+	}

+

 	// provide any config overrides

 	cfg.NodeName = options.NodeName

 	cfg.KubeClient = internalclientset.FromUnversionedClient(kubeClient)

@@ -354,7 +400,7 @@ func buildKubeProxyConfig(options configapi.NodeConfig) (*proxyoptions.ProxyServ

 	// Resolve cmd flags to add any user overrides

 	if err := cmdflags.Resolve(options.ProxyArguments, proxyconfig.AddFlags); len(err) > 0 {

-		return nil, errors.NewAggregate(err)

+		return nil, kerrors.NewAggregate(err)

 	}

 	return proxyconfig, nil

new file mode 100644

@@ -0,0 +1,104 @@

+package empty_dir

+

+import (

+	"k8s.io/kubernetes/pkg/api"

+	"k8s.io/kubernetes/pkg/api/resource"

+	"k8s.io/kubernetes/pkg/types"

+	"k8s.io/kubernetes/pkg/volume"

+)

+

+var _ volume.VolumePlugin = &EmptyDirQuotaPlugin{}

+var _ volume.Builder = &emptyDirQuotaBuilder{}

+

+// EmptyDirQuotaPlugin is a simple wrapper for the k8s empty dir plugin builder.

+type EmptyDirQuotaPlugin struct {

+	// wrapped is the actual k8s emptyDir volume plugin we will pass method calls to.

+	Wrapped volume.VolumePlugin

+

+	// The default quota to apply to each node:

+	Quota resource.Quantity

+

+	// QuotaApplicator is passed to actual volume builders so they can apply

+	// quota for the supported filesystem.

+	QuotaApplicator QuotaApplicator

+}

+

+func (plugin *EmptyDirQuotaPlugin) NewBuilder(spec *volume.Spec, pod *api.Pod, opts volume.VolumeOptions) (volume.Builder, error) {

+	volBuilder, err := plugin.Wrapped.NewBuilder(spec, pod, opts)

+	if err != nil {

+		return volBuilder, err

+	}

+

+	// Because we cannot access several fields on the k8s emptyDir struct, and

+	// we do not wish to modify k8s code for this, we have to grab a reference

+	// to them ourselves.

+	// This logic is the same as k8s.io/kubernetes/pkg/volume/empty_dir:

+	medium := api.StorageMediumDefault

+	if spec.Volume.EmptyDir != nil { // Support a non-specified source as EmptyDir.

+		medium = spec.Volume.EmptyDir.Medium

+	}

+

+	// Wrap the builder object with our own to add quota functionality:

+	wrapperEmptyDir := &emptyDirQuotaBuilder{

+		wrapped:         volBuilder,

+		pod:             pod,

+		medium:          medium,

+		quota:           plugin.Quota,

+		quotaApplicator: plugin.QuotaApplicator,

+	}

+	return wrapperEmptyDir, err

+}

+

+func (plugin *EmptyDirQuotaPlugin) Init(host volume.VolumeHost) error {

+	return plugin.Wrapped.Init(host)

+}

+

+func (plugin *EmptyDirQuotaPlugin) Name() string {

+	return plugin.Wrapped.Name()

+}

+

+func (plugin *EmptyDirQuotaPlugin) CanSupport(spec *volume.Spec) bool {

+	return plugin.Wrapped.CanSupport(spec)

+}

+

+func (plugin *EmptyDirQuotaPlugin) NewCleaner(volName string, podUID types.UID) (volume.Cleaner, error) {

+	return plugin.Wrapped.NewCleaner(volName, podUID)

+}

+

+// emptyDirQuotaBuilder is a wrapper plugin builder for the k8s empty dir builder itself.

+// This plugin just extends and adds the functionality to apply a

+// quota for the pods FSGroup on an XFS filesystem.

+type emptyDirQuotaBuilder struct {

+	wrapped         volume.Builder

+	pod             *api.Pod

+	medium          api.StorageMedium

+	quota           resource.Quantity

+	quotaApplicator QuotaApplicator

+}

+

+// Must implement SetUp as well, otherwise the internal Builder.SetUp calls it's

+// own SetUpAt method, not the one we need.

+

+func (edq *emptyDirQuotaBuilder) SetUp(fsGroup *int64) error {

+	return edq.SetUpAt(edq.GetPath(), fsGroup)

+}

+

+func (edq *emptyDirQuotaBuilder) SetUpAt(dir string, fsGroup *int64) error {

+	err := edq.wrapped.SetUpAt(dir, fsGroup)

+	if err == nil {

+		err = edq.quotaApplicator.Apply(dir, edq.medium, edq.pod, fsGroup, edq.quota)

+	}

+	return err

+}

+

+func (edq *emptyDirQuotaBuilder) GetAttributes() volume.Attributes {

+	return edq.wrapped.GetAttributes()

+}

+

+func (edq *emptyDirQuotaBuilder) GetMetrics() (*volume.Metrics, error) {

+	return edq.wrapped.GetMetrics()

+}

+

+func (edq *emptyDirQuotaBuilder) GetPath() string {

+	return edq.wrapped.GetPath()

+}

new file mode 100644

@@ -0,0 +1,192 @@

+package empty_dir

+

+import (

+	"bytes"

+	"fmt"

+	"os/exec"

+	"strings"

+

+	"github.com/golang/glog"

+	"k8s.io/kubernetes/pkg/api"

+	"k8s.io/kubernetes/pkg/api/resource"

+)

+

+// QuotaApplicator is used to apply quota to an emptyDir volume.

+type QuotaApplicator interface {

+	// Apply the quota to the given EmptyDir path:

+	Apply(dir string, medium api.StorageMedium, pod *api.Pod, fsGroup *int64, quota resource.Quantity) error

+}

+

+type xfsQuotaApplicator struct {

+	cmdRunner quotaCommandRunner

+}

+

+// NewQuotaApplicator checks the filesystem type for the configured volume directory

+// and returns an appropriate implementation of the quota applicator. If the filesystem

+// does not appear to be a type we support quotas on, an error is returned.

+func NewQuotaApplicator(volumeDirectory string) (QuotaApplicator, error) {

+

+	cmdRunner := &realQuotaCommandRunner{}

+	isXFS, err := isXFS(cmdRunner, volumeDirectory)

+	if err != nil {

+		return nil, err

+	}

+	if isXFS {

+		// Make sure xfs_quota is on the PATH, otherwise we're not going to get very far:

+		_, pathErr := exec.LookPath("xfs_quota")

+		if pathErr != nil {

+			return nil, pathErr

+		}

+

+		return &xfsQuotaApplicator{

+			cmdRunner: cmdRunner,

+		}, nil

+	}

+

+	// If we were unable to find a quota supported filesystem type, return an error:

+	return nil, fmt.Errorf("%s is not on a supported filesystem for local volume quota", volumeDirectory)

+}

+

+// quotaCommandRunner interface is used to abstract the actual running of

+// commands so we can unit test more behavior.

+type quotaCommandRunner interface {

+	RunFSTypeCommand(dir string) (string, string, error)

+	RunFSDeviceCommand(dir string) (string, string, error)

+	RunApplyQuotaCommand(fsDevice string, quota resource.Quantity, fsGroup int64) (string, string, error)

+}

+

+type realQuotaCommandRunner struct {

+}

+

+func (cr *realQuotaCommandRunner) RunFSTypeCommand(dir string) (string, string, error) {

+	args := []string{"-f", "-c", "%T", dir}

+	outBytes, err := exec.Command("stat", args...).Output()

+	return string(outBytes), "", err

+}

+

+func (cr *realQuotaCommandRunner) RunFSDeviceCommand(dir string) (string, string, error) {

+	outBytes, err := exec.Command("df", "--output=source", dir).Output()

+	return string(outBytes), "", err

+}

+

+func (cr *realQuotaCommandRunner) RunApplyQuotaCommand(fsDevice string, quota resource.Quantity, fsGroup int64) (string, string, error) {

+	args := []string{"-x", "-c",

+		fmt.Sprintf("limit -g bsoft=%d bhard=%d %d", quota.Value(), quota.Value(), fsGroup),

+		fsDevice,

+	}

+

+	cmd := exec.Command("xfs_quota", args...)

+	var stderr bytes.Buffer

+	cmd.Stderr = &stderr

+

+	err := cmd.Run()

+	glog.V(5).Infof("Ran: xfs_quota %s", args)

+	return "", stderr.String(), err

+}

+

+// Apply sets the actual quota on a device for an emptyDir volume if possible. Will return an error

+// if anything goes wrong during the process. (not an XFS filesystem, etc) If the volume medium is set

+// to memory, or no FSGroup is provided (indicating the request matched an SCC set to RunAsAny), this

+// method will effectively no-op.

+func (xqa *xfsQuotaApplicator) Apply(dir string, medium api.StorageMedium, pod *api.Pod, fsGroup *int64, quota resource.Quantity) error {

+

+	if medium == api.StorageMediumMemory {

+		glog.V(5).Infof("Skipping quota application due to memory storage medium.")

+		return nil

+	}

+	isXFS, err := isXFS(xqa.cmdRunner, dir)

+	if err != nil {

+		return err

+	}

+	if !isXFS {

+		return fmt.Errorf("unable to apply quota: %s is not on an XFS filesystem", dir)

+	}

+	if fsGroup == nil {

+		// This indicates the operation matched an SCC with FSGroup strategy RunAsAny.

+		// Not an error condition.

+		glog.V(5).Infof("Unable to apply XFS quota, no FSGroup specified.")

+		return nil

+	}

+

+	volDevice, err := xqa.getFSDevice(dir)

+	if err != nil {

+		return err

+	}

+

+	err = xqa.applyQuota(volDevice, quota, *fsGroup)

+	if err != nil {

+		return err

+	}

+

+	return nil

+}

+

+func (xqa *xfsQuotaApplicator) applyQuota(volDevice string, quota resource.Quantity, fsGroupID int64) error {

+	_, stderr, err := xqa.cmdRunner.RunApplyQuotaCommand(volDevice, quota, fsGroupID)

+	if err != nil {

+		return err

+	}

+	// xfs_quota is very happy to fail but return a success code, likely due to its

+	// interactive shell approach. Grab stderr, if we see anything written to it we'll

+	// consider this an error.

+	if len(stderr) > 0 {

+		return fmt.Errorf("xfs_quota wrote to stderr: %s", stderr)

+	}

+

+	glog.V(4).Infof("XFS quota applied: device=%s, quota=%d, fsGroup=%d", volDevice, quota.Value(), fsGroupID)

+	return nil

+}

+

+func (xqa *xfsQuotaApplicator) getFSDevice(dir string) (string, error) {

+	return getFSDevice(dir, xqa.cmdRunner)

+}

+

+// GetFSDevice returns the filesystem device for a given path. To do this we

+// run df on the path, returning a header line and the line we're

+// interested in. The first string token in that line will be the device name.

+func GetFSDevice(dir string) (string, error) {

+	return getFSDevice(dir, &realQuotaCommandRunner{})

+}

+

+func getFSDevice(dir string, cmdRunner quotaCommandRunner) (string, error) {

+	out, _, err := cmdRunner.RunFSDeviceCommand(dir)

+	if err != nil {

+		return "", fmt.Errorf("unable to find filesystem device for emptyDir volume %s: %s", dir, err)

+	}

+	fsDevice, parseErr := parseFSDevice(out)

+	return fsDevice, parseErr

+}

+

+func parseFSDevice(dfOutput string) (string, error) {

+	// Need to skip the df header line starting with "Filesystem", and grab the first

+	// word of the following line which will be our device path.

+	lines := strings.Split(dfOutput, "\n")

+	if len(lines) < 2 {

+		return "", fmt.Errorf("%s: %s", unexpectedLineCountError, dfOutput)

+	}

+

+	fsDevice := strings.Split(lines[1], " ")[0]

+	// Make sure it looks like a device:

+	if !strings.HasPrefix(fsDevice, "/") {

+		return "", fmt.Errorf("%s: %s", invalidFilesystemError, fsDevice)

+	}

+

+	return fsDevice, nil

+}

+

+// isXFS checks if the empty dir is on an XFS filesystem.

+func isXFS(cmdRunner quotaCommandRunner, dir string) (bool, error) {

+	out, _, err := cmdRunner.RunFSTypeCommand(dir)

+	if err != nil {

+		return false, fmt.Errorf("unable to check filesystem type for emptydir volume %s: %s", dir, err)

+	}

+	if strings.TrimSpace(out) == "xfs" {

+		return true, nil

+	}

+	return false, nil

+}

+

+const (

+	invalidFilesystemError   = "found invalid filesystem device"

+	unexpectedLineCountError = "unexpected line count in df output"

+)

new file mode 100644

@@ -0,0 +1,249 @@

+package empty_dir

+

+import (

+	"errors"

+	"strings"

+	"testing"

+

+	kapi "k8s.io/kubernetes/pkg/api"

+	"k8s.io/kubernetes/pkg/api/resource"

+)

+

+const expectedDevice = "/dev/sdb2"

+

+func TestParseFSDevice(t *testing.T) {

+	tests := map[string]struct {

+		dfOutput  string

+		expDevice string

+		expError  string

+	}{

+		"happy path": {

+			dfOutput:  "Filesystem\n/dev/sdb2",

+			expDevice: expectedDevice,

+		},

+		"happy path multi-token": {

+			dfOutput:  "Filesystem\n/dev/sdb2           16444592     8  16444584   1% /var/openshift.local.volumes/",

+			expDevice: expectedDevice,

+		},

+		"invalid tmpfs": {

+			dfOutput: "Filesystem\ntmpfs",

+			expError: invalidFilesystemError,

+		},

+		"invalid empty": {

+			dfOutput: "",

+			expError: unexpectedLineCountError,

+		},

+		"invalid one line": {

+			dfOutput: "Filesystem\n",

+			expError: invalidFilesystemError,

+		},

+		"invalid blank second line": {

+			dfOutput: "Filesystem\n\n",

+			expError: invalidFilesystemError,

+		},

+		"invalid too many lines": {

+			dfOutput:  "Filesystem\n/dev/sdb2\ntmpfs\nwhatisgoingon",

+			expDevice: expectedDevice,

+		},

+	}

+	for name, test := range tests {

+		t.Logf("running TestParseFSDevice: %s", name)

+		device, err := parseFSDevice(test.dfOutput)

+		if test.expDevice != "" && test.expDevice != device {

+			t.Errorf("Unexpected filesystem device, expected: %s, got: %s", test.expDevice, device)

+		}

+		if test.expError != "" && (err == nil || !strings.Contains(err.Error(), test.expError)) {

+			t.Errorf("Unexpected filesystem error, expected: %s, got: %s", test.expError, err)

+		}

+	}

+}

+

+// Avoid running actual commands to manage XFS quota:

+type mockQuotaCommandRunner struct {

+	RunFSDeviceCommandResponse *cmdResponse

+	RunFSTypeCommandResponse   *cmdResponse

+

+	RanApplyQuotaFSDevice string

+	RanApplyQuota         *resource.Quantity

+	RanApplyQuotaFSGroup  int64

+}

+

+func (m *mockQuotaCommandRunner) RunFSTypeCommand(dir string) (string, string, error) {

+	if m.RunFSTypeCommandResponse != nil {

+		return m.RunFSTypeCommandResponse.Stdout, m.RunFSTypeCommandResponse.Stderr, m.RunFSTypeCommandResponse.Error

+	}

+	return "xfs", "", nil

+}

+

+func (m *mockQuotaCommandRunner) RunFSDeviceCommand(dir string) (string, string, error) {

+	if m.RunFSDeviceCommandResponse != nil {

+		return m.RunFSDeviceCommandResponse.Stdout, m.RunFSDeviceCommandResponse.Stderr, m.RunFSDeviceCommandResponse.Error

+	}

+	return "Filesystem\n/dev/sdb2", "", nil

+}

+

+func (m *mockQuotaCommandRunner) RunApplyQuotaCommand(fsDevice string, quota resource.Quantity, fsGroup int64) (string, string, error) {

+	// Store these for assertions in tests:

+	m.RanApplyQuotaFSDevice = fsDevice

+	m.RanApplyQuota = &quota

+	m.RanApplyQuotaFSGroup = fsGroup

+	return "", "", nil

+}

+

+// Small struct for specifying how we want the various quota command runners to

+// respond in tests:

+type cmdResponse struct {

+	Stdout string

+	Stderr string

+	Error  error

+}

+

+func TestApplyQuota(t *testing.T) {

+

+	var defaultFSGroup int64

+	defaultFSGroup = 1000050000

+

+	tests := map[string]struct {

+		FSGroupID *int64

+		Quota     string

+

+		FSTypeCmdResponse     *cmdResponse

+		FSDeviceCmdResponse   *cmdResponse

+		ApplyQuotaCmdResponse *cmdResponse

+

+		ExpFSDevice string

+		ExpError    string // sub-string to be searched for in error message

+		ExpSkipped  bool

+	}{

+		"happy path": {

+			Quota:     "512",

+			FSGroupID: &defaultFSGroup,

+		},

+		"zero quota": {

+			Quota:     "0",

+			FSGroupID: &defaultFSGroup,