container_create: net files must be ro when rootfs is ro
We were blindly applying RO mount options to the network files (resolv.conf, hosts), but network addons such as Calico need to modify those files. This patch applies RO only when the container's rootfs is RO, matching Docker's behavior. Signed-off-by: Antonio Murdaca <runcom@redhat.com>
parent
d2e1d559b7
commit
0dfec710f2
1 changed files with 8 additions and 2 deletions
@ -351,12 +351,14 @@ func (s *Server) createSandboxContainer(ctx context.Context, containerID string,
|
||||||
specgen.SetProcessApparmorProfile(appArmorProfileName)
|
specgen.SetProcessApparmorProfile(appArmorProfileName)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
var readOnlyRootfs bool
|
||||||
if containerConfig.GetLinux().GetSecurityContext() != nil {
|
if containerConfig.GetLinux().GetSecurityContext() != nil {
|
||||||
if containerConfig.GetLinux().GetSecurityContext().Privileged {
|
if containerConfig.GetLinux().GetSecurityContext().Privileged {
|
||||||
specgen.SetupPrivileged(true)
|
specgen.SetupPrivileged(true)
|
||||||
}
|
}
|
||||||
|
|
||||||
if containerConfig.GetLinux().GetSecurityContext().ReadonlyRootfs {
|
if containerConfig.GetLinux().GetSecurityContext().ReadonlyRootfs {
|
||||||
|
readOnlyRootfs = true
|
||||||
specgen.SetRootReadonly(true)
|
specgen.SetRootReadonly(true)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -511,14 +513,18 @@ func (s *Server) createSandboxContainer(ctx context.Context, containerID string,
|
||||||
// bind mount the pod shm
|
// bind mount the pod shm
|
||||||
specgen.AddBindMount(sb.shmPath, "/dev/shm", []string{"rw"})
|
specgen.AddBindMount(sb.shmPath, "/dev/shm", []string{"rw"})
|
||||||
|
|
||||||
|
options := []string{"rw"}
|
||||||
|
if readOnlyRootfs {
|
||||||
|
options = []string{"ro"}
|
||||||
|
}
|
||||||
if sb.resolvPath != "" {
|
if sb.resolvPath != "" {
|
||||||
// bind mount the pod resolver file
|
// bind mount the pod resolver file
|
||||||
specgen.AddBindMount(sb.resolvPath, "/etc/resolv.conf", []string{"ro"})
|
specgen.AddBindMount(sb.resolvPath, "/etc/resolv.conf", options)
|
||||||
}
|
}
|
||||||
|
|
||||||
// Bind mount /etc/hosts for host networking containers
|
// Bind mount /etc/hosts for host networking containers
|
||||||
if hostNetwork(containerConfig) {
|
if hostNetwork(containerConfig) {
|
||||||
specgen.AddBindMount("/etc/hosts", "/etc/hosts", []string{"ro"})
|
specgen.AddBindMount("/etc/hosts", "/etc/hosts", options)
|
||||||
}
|
}
|
||||||
|
|
||||||
if sb.hostname != "" {
|
if sb.hostname != "" {
|
||||||
|
|
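Review bot: In the second hunk the host-networking bind mount now uses `options`, so whenever the container's rootfs is writable the host's own `/etc/hosts` (source path "/etc/hosts", not a per-sandbox file) is mounted read-write into the container, letting an unprivileged hostNetwork pod rewrite host name resolution; the resolv.conf case is different because `sb.resolvPath` appears to be a per-sandbox file. The network-addon write case from the commit message presumably concerns the sandbox-owned files, not the host file — worth confirming against how hostNetwork pods are set up, since Docker (to my knowledge) bind-mounts a per-container copy of hosts rather than the host file. I would keep that mount read-only regardless of `readOnlyRootfs`, `specgen.AddBindMount("/etc/hosts", "/etc/hosts", []string{"ro"})`, or bind a per-sandbox copy if writes are genuinely needed. A short why-comment above `options := []string{"rw"}` would also help, e.g. `// sandbox net files stay writable unless the rootfs is read-only, so CNI addons can edit them`. createSandboxContainer starts before the first hunk and continues past the last one.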