From d43c61e80f5b05b81f2a021cdfe012e500c3d98e Mon Sep 17 00:00:00 2001
From: Andrey Smirnov
Date: Thu, 4 May 2023 17:26:36 +0400
Subject: [PATCH] fix: enforce nolock option for all NFS mounts by default
Talos doesn't have `rpc.statsd` running, so mounting without locking is the only option. Some places in Kubernetes don't allow to set mount options for NFS, so setting defaults is the only way.
Fixes #6582
Signed-off-by: Andrey Smirnov
---
 Dockerfile | 2 ++
 hack/nfsmount.conf | 2 ++
 internal/app/machined/pkg/system/services/kubelet.go | 1 +
 3 files changed, 5 insertions(+)
 create mode 100644 hack/nfsmount.conf
diff --git a/Dockerfile b/Dockerfile
index 4853945a3..cd5d25a59 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -495,6 +495,7 @@ RUN cleanup.sh /rootfs
 RUN mkdir -pv /rootfs/{boot,etc/cri/conf.d/hosts,lib/firmware,usr/local/share,usr/share/zoneinfo/Etc,mnt,system,opt}
 COPY --chmod=0644 hack/zoneinfo/Etc/UTC /rootfs/usr/share/zoneinfo/Etc/UTC
 RUN ln -s /usr/share/zoneinfo/Etc/UTC /rootfs/etc/localtime
+COPY --chmod=0644 hack/nfsmount.conf /rootfs/etc/nfsmount.conf
 RUN mkdir -pv /rootfs/{etc/kubernetes/manifests,etc/cni/net.d,usr/libexec/kubernetes}
 RUN mkdir -pv /rootfs/opt/{containerd/bin,containerd/lib}
 COPY --chmod=0644 hack/containerd.toml /rootfs/etc/containerd/config.toml
@@ -547,6 +548,7 @@ RUN cleanup.sh /rootfs
 RUN mkdir -pv /rootfs/{boot,etc/cri/conf.d/hosts,lib/firmware,usr/local/share,usr/share/zoneinfo/Etc,mnt,system,opt}
 COPY --chmod=0644 hack/zoneinfo/Etc/UTC /rootfs/usr/share/zoneinfo/Etc/UTC
 RUN ln -s /usr/share/zoneinfo/Etc/UTC /rootfs/etc/localtime
+COPY --chmod=0644 hack/nfsmount.conf /rootfs/etc/nfsmount.conf
 RUN mkdir -pv /rootfs/{etc/kubernetes/manifests,etc/cni/net.d,usr/libexec/kubernetes}
 RUN mkdir -pv /rootfs/opt/{containerd/bin,containerd/lib}
 COPY --chmod=0644 hack/containerd.toml /rootfs/etc/containerd/config.toml
diff --git a/hack/nfsmount.conf b/hack/nfsmount.conf
new file mode 100644
index 000000000..22e03b767
--- /dev/null
+++ b/hack/nfsmount.conf
@@ -0,0 +1,2 @@
+[ NFSMount_Global_Options ]
+ nolock=true
diff --git a/internal/app/machined/pkg/system/services/kubelet.go b/internal/app/machined/pkg/system/services/kubelet.go
index 82c87ab9b..36d9d57cf 100644
--- a/internal/app/machined/pkg/system/services/kubelet.go
+++ b/internal/app/machined/pkg/system/services/kubelet.go
@@ -119,6 +119,7 @@ func (k *Kubelet) Runner(r runtime.Runtime) (runner.Runner, error) {
 {Type: "bind", Destination: constants.CgroupMountPath, Source: constants.CgroupMountPath, Options: []string{"rbind", "rshared", "rw"}},
 {Type: "bind", Destination: "/lib/modules", Source: "/lib/modules", Options: []string{"bind", "ro"}},
 {Type: "bind", Destination: "/etc/kubernetes", Source: "/etc/kubernetes", Options: []string{"bind", "rshared", "rw"}},
+ {Type: "bind", Destination: "/etc/nfsmount.conf", Source: "/etc/nfsmount.conf", Options: []string{"bind", "ro"}},
 {Type: "bind", Destination: "/etc/machine-id", Source: "/etc/machine-id", Options: []string{"bind", "ro"}},
 {Type: "bind", Destination: "/etc/os-release", Source: "/etc/os-release", Options: []string{"bind", "ro"}},
 {Type: "bind", Destination: "/etc/cni", Source: "/etc/cni", Options: []string{"rbind", "rshared", "rw"}},
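Review bot: The new `hack/nfsmount.conf` sets `nolock=true` as a global default with no comment saying why, or what it costs in data integrity. With `nolock`, file locks on NFSv3 mounts are kept local to each client, so pods on different nodes sharing one export do not see each other's locks, and workloads that use `flock`/`fcntl` or lock files for mutual exclusion can corrupt shared data. I would add a header comment above the section line, for example `# Talos runs no rpc.statd, so NLM locking is unavailable; locks on NFSv3 mounts are node-local only`. NFSv4 mounts should be unaffected because locking is part of that protocol, which is worth stating in the same comment so operators know which workloads to move to v4.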
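Review bot: The added `/etc/nfsmount.conf` bind in `Runner` has no why-comment, and nothing on the Go side shows that it depends on the `COPY` into `/rootfs/etc/nfsmount.conf` in the Dockerfile. Suggest a line above it such as `// mount.nfs run by the kubelet picks up the nolock default from this file`, and a shared constant in the `constants` package for the path so source and destination cannot drift from the image layout. The read-only bind matches the neighbouring `/etc/machine-id` and `/etc/os-release` entries and is the right choice for a file that steers mount behaviour. Presumably only mounts performed inside the kubelet container see this default; NFS mounts issued from other containers (a CSI node plugin, for example) would not, so the comment should say which mounts are covered. The body of `Runner` starts before and continues after this hunk.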