From d2e1d559b7eeea6709209eea124e8ce08561259d Mon Sep 17 00:00:00 2001
From: Antonio Murdaca
Date: Wed, 14 Jun 2017 15:23:49 +0200
Subject: [PATCH 1/2] container_create: just mkdir on image's volumes

tmpfs'es can override whatever there's on the container rootfs. We just mkdir the volume as we're confident kube manages volumes in container. We don't need any tmpfs nor any complex volume handling for now.

Signed-off-by: Antonio Murdaca
---
 server/container_create.go | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)

diff --git a/server/container_create.go b/server/container_create.go
index f07d1765..5c5502fa 100644
--- a/server/container_create.go
+++ b/server/container_create.go
@@ -588,11 +588,16 @@ func (s *Server) createSandboxContainer(ctx context.Context, containerID string,
 }
 // TODO: volume handling in CRI-O
- // right now, we do just mount tmpfs in order to have images like
- // gcr.io/k8s-testimages/redis:e2e to work with CRI-O
+ // right now, we do just an mkdir in the container rootfs because we
+ // know kube manages volumes its own way and we don't need to behave
+ // like docker.
+ // For instance gcr.io/k8s-testimages/redis:e2e now work with CRI-O
 for dest := range containerImageConfig.Config.Volumes {
- destOptions := []string{"mode=1777", "size=" + strconv.Itoa(64*1024*1024)}
- specgen.AddTmpfsMount(dest, destOptions)
+ fp, err := symlink.FollowSymlinkInScope(filepath.Join(mountPoint, dest), mountPoint)
+ if err != nil {
+ return nil, err
+ }
+ os.MkdirAll(fp, 0644)
 }
 processArgs, err := buildOCIProcessArgs(containerConfig, containerImageConfig)

From 0dfec710f2a55c1183021fadaf3a48a2831b5330 Mon Sep 17 00:00:00 2001
From: Antonio Murdaca
Date: Wed, 14 Jun 2017 15:28:13 +0200
Subject: [PATCH 2/2] container_create: net files must be ro when rootfs is ro

we were blindly applying RO mount options but net addons like calico modify those files. This patch sets RO only when container's rootfs is RO, same behavior as docker.
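Review bot: The result of `os.MkdirAll(fp, 0644)` on the last added line is discarded, so a failure to create the image-declared volume directory (a regular file already at that path, a read-only or unwritable rootfs) is silently ignored and the container is started as if the directory existed. The mode also looks wrong for a directory: 0644 carries no execute bit, so a non-root process inside the container cannot enter or list the volume path, which is a step down from the `mode=1777` tmpfs the removed lines used. I would write `if err := os.MkdirAll(fp, 0755); err != nil { return nil, err }`, and pick `01777` instead if the intent is to keep the old world-writable semantics for non-root images. The `symlink.FollowSymlinkInScope` call is the right guard here since it keeps the created path inside `mountPoint` even when the image plants a symlink at the volume path. The enclosing createSandboxContainer begins and ends outside this hunk.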
Signed-off-by: Antonio Murdaca
---
 server/container_create.go | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/server/container_create.go b/server/container_create.go
index 5c5502fa..f2946d92 100644
--- a/server/container_create.go
+++ b/server/container_create.go
@@ -351,12 +351,14 @@ func (s *Server) createSandboxContainer(ctx context.Context, containerID string,
 specgen.SetProcessApparmorProfile(appArmorProfileName)
 }
 }
+ var readOnlyRootfs bool
 if containerConfig.GetLinux().GetSecurityContext() != nil {
 if containerConfig.GetLinux().GetSecurityContext().Privileged {
 specgen.SetupPrivileged(true)
 }
 if containerConfig.GetLinux().GetSecurityContext().ReadonlyRootfs {
+ readOnlyRootfs = true
 specgen.SetRootReadonly(true)
 }
 }
@@ -511,14 +513,18 @@ func (s *Server) createSandboxContainer(ctx context.Context, containerID string,
 // bind mount the pod shm
 specgen.AddBindMount(sb.shmPath, "/dev/shm", []string{"rw"})
+ options := []string{"rw"}
+ if readOnlyRootfs {
+ options = []string{"ro"}
+ }
 if sb.resolvPath != "" {
 // bind mount the pod resolver file
- specgen.AddBindMount(sb.resolvPath, "/etc/resolv.conf", []string{"ro"})
+ specgen.AddBindMount(sb.resolvPath, "/etc/resolv.conf", options)
 }
 // Bind mount /etc/hosts for host networking containers
 if hostNetwork(containerConfig) {
- specgen.AddBindMount("/etc/hosts", "/etc/hosts", []string{"ro"})
+ specgen.AddBindMount("/etc/hosts", "/etc/hosts", options)
 }
 if sb.hostname != "" {
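Review bot: With `options` now defaulting to `rw`, the host-network branch in the second hunk bind-mounts the node's own `/etc/hosts` writable into every host-network container whose rootfs is not read-only (`specgen.AddBindMount("/etc/hosts", "/etc/hosts", options)`), so a process in such a container can rewrite name resolution for every process on the node, and the change survives the container. The resolv.conf case is different in kind: `sb.resolvPath` appears to be a per-sandbox file (inferred from the name and the comment; where it is written is not visible here), so a rw mount there is scoped to that pod. If network add-ons need to edit `/etc/hosts`, the safer shape is the one already used for the resolver: materialise a per-sandbox copy of the host file and bind-mount that with `options`, keeping the direct host mount at `[]string{"ro"}`. The first hunk only introduces the `readOnlyRootfs` flag and needs no change. The enclosing createSandboxContainer begins and ends outside both hunks.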