Always use a writeable snapshot as the rootfs.
This will be made readonly by runc based on spec.Root.Readonly (which we already set correctly), but deferring until then gives runc the chance to make any missing mount points as it processes the spec.Mount array. This is necessary because many container images lack mount points for things like /etc/hosts which we want to overbind. This is not noticed with e.g. Docker because it automatically creates an additional layer containing those. This is something we may want to do here as well eventually, but for now using a writeable snapshot is both necessary and sufficient.

The same does not apply to the sandbox since we never modify its rootfs or want to mount anything in it etc.; add a comment to clarify.

Fixes #220.

Signed-off-by: Ian Campbell <ijc@docker.com>
@@ -132,6 +132,9 @@ func (c *criContainerdService) RunPodSandbox(ctx context.Context, r *runtime.Run
}
opts := []containerd.NewContainerOpts{
containerd.WithSnapshotter(c.snapshotter),
// A pure ro rootfs view is OK for the sandbox since
// we will never need to modify it or mount anything
// in it.
containerd.WithNewSnapshotView(id, image.Image),
containerd.WithSpec(spec, specOpts...),
containerd.WithContainerLabels(labels),
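Review bot: The new comment above containerd.WithNewSnapshotView states an invariant ("we will never need to modify it or mount anything in it") without saying what it depends on; as written, someone adding a bind mount to the sandbox spec later (the /etc/hosts case the commit message describes for containers) would have no hint that the read-only view then has to become a writeable snapshot so runc can create the missing mount points. Suggest spelling that out in the comment, e.g. "// A pure read-only rootfs view is OK for the sandbox only because its spec mounts nothing into the rootfs; if that changes, switch to a writeable snapshot as the container path does." Minor style point: write "read-only" rather than "ro" in a comment, since the abbreviation is ambiguous outside mount-option context.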