container_create: net files must be ro when rootfs is ro

we were blindly applying RO mount options but net addons like calico modify those files. This patch sets RO only when container's rootfs is RO, same behavior as docker. Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-06-14 15:28:13 +02:00 · 2017-06-14 15:28:13 +02:00 · 0dfec710f2
commit 0dfec710f2
parent d2e1d559b7
1 changed files with 8 additions and 2 deletions
--- a/server/container_create.go
+++ b/server/container_create.go
@ -351,12 +351,14 @@ func (s *Server) createSandboxContainer(ctx context.Context, containerID string,
 			specgen.SetProcessApparmorProfile(appArmorProfileName)
 		}
 	}
+	var readOnlyRootfs bool
 	if containerConfig.GetLinux().GetSecurityContext() != nil {
 		if containerConfig.GetLinux().GetSecurityContext().Privileged {
 			specgen.SetupPrivileged(true)
 		}

 		if containerConfig.GetLinux().GetSecurityContext().ReadonlyRootfs {
+			readOnlyRootfs = true
 			specgen.SetRootReadonly(true)
 		}
 	}
@ -511,14 +513,18 @@ func (s *Server) createSandboxContainer(ctx context.Context, containerID string,
 	// bind mount the pod shm
 	specgen.AddBindMount(sb.shmPath, "/dev/shm", []string{"rw"})

+	options := []string{"rw"}
+	if readOnlyRootfs {
+		options = []string{"ro"}
+	}
 	if sb.resolvPath != "" {
 		// bind mount the pod resolver file
-		specgen.AddBindMount(sb.resolvPath, "/etc/resolv.conf", []string{"ro"})
+		specgen.AddBindMount(sb.resolvPath, "/etc/resolv.conf", options)
 	}

 	// Bind mount /etc/hosts for host networking containers
 	if hostNetwork(containerConfig) {
-		specgen.AddBindMount("/etc/hosts", "/etc/hosts", []string{"ro"})
+		specgen.AddBindMount("/etc/hosts", "/etc/hosts", options)
 	}

 	if sb.hostname != "" {