From cab056226fd8cece14d334ebb4f9084d0e3a7f47 Mon Sep 17 00:00:00 2001
From: Djordje Lukic
Date: Wed, 5 Apr 2023 12:09:36 +0200
Subject: [PATCH] oci: Use WithReadonlyTempMount when adding users/groups

Signed-off-by: Djordje Lukic
---
 oci/spec_opts.go | 33 +++++----------------------------
 1 file changed, 5 insertions(+), 28 deletions(-)

diff --git a/oci/spec_opts.go b/oci/spec_opts.go
index bfa3e1296..864b792c5 100644
--- a/oci/spec_opts.go
+++ b/oci/spec_opts.go
@@ -683,8 +683,7 @@ func WithUser(userstr string) SpecOpts {
 				return err
 			}
 
-			mounts = tryReadonlyMounts(mounts)
-			return mount.WithTempMount(ctx, mounts, f)
+			return mount.WithReadonlyTempMount(ctx, mounts, f)
 		default:
 			return fmt.Errorf("invalid USER value %s", userstr)
 		}
@@ -744,8 +743,7 @@ func WithUserID(uid uint32) SpecOpts {
 			return err
 		}
 
-		mounts = tryReadonlyMounts(mounts)
-		return mount.WithTempMount(ctx, mounts, setUser)
+		return mount.WithReadonlyTempMount(ctx, mounts, setUser)
 	}
 }
 
@@ -789,8 +787,7 @@ func WithUsername(username string) SpecOpts {
 				return err
 			}
 
-			mounts = tryReadonlyMounts(mounts)
-			return mount.WithTempMount(ctx, mounts, setUser)
+			return mount.WithReadonlyTempMount(ctx, mounts, setUser)
 		} else if s.Windows != nil {
 			s.Process.User.Username = username
 		} else {
@@ -868,8 +865,7 @@ func WithAdditionalGIDs(userstr string) SpecOpts {
 			return err
 		}
 
-		mounts = tryReadonlyMounts(mounts)
-		return mount.WithTempMount(ctx, mounts, setAdditionalGids)
+		return mount.WithReadonlyTempMount(ctx, mounts, setAdditionalGids)
 	}
 }
 
@@ -930,8 +926,7 @@ func WithAppendAdditionalGroups(groups ...string) SpecOpts {
 			return err
 		}
 
-		mounts = tryReadonlyMounts(mounts)
-		return mount.WithTempMount(ctx, mounts, setAdditionalGids)
+		return mount.WithReadonlyTempMount(ctx, mounts, setAdditionalGids)
 	}
 }
 
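Review bot: The reason the rootfs must be mounted read-only leaves this file together with the deleted tryReadonlyMounts comment, so the new `mount.WithReadonlyTempMount` call sites (WithUser here, and WithUserID, WithUsername, WithAdditionalGIDs and WithAppendAdditionalGroups in the following hunks) no longer say why a read-only mount is required. Since these callbacks only read user/group data from an image-supplied rootfs, a one-line why-comment above each call keeps that invariant visible: `// Only user/group data is read; a read-only mount keeps the lookup from modifying the image and avoids syncing the whole filesystem on umount.` The removed helper applied `ro` only to a single overlay mount, so whether WithReadonlyTempMount handles the other mount layouts these callers can receive is not visible from this diff and is worth confirming against its definition. Each enclosing function starts and ends outside its hunk.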
@@ -1426,24 +1421,6 @@ func WithDevShmSize(kb int64) SpecOpts {
 	}
 }
 
-// tryReadonlyMounts is used by the options which are trying to get user/group
-// information from container's rootfs. Since the option does read operation
-// only, this helper will append ReadOnly mount option to prevent linux kernel
-// from syncing whole filesystem in umount syscall.
-//
-// TODO(fuweid):
-//
-// Currently, it only works for overlayfs. I think we can apply it to other
-// kinds of filesystem. Maybe we can return `ro` option by `snapshotter.Mount`
-// API, when the caller passes that experimental annotation
-// `containerd.io/snapshot/readonly.mount` something like that.
-func tryReadonlyMounts(mounts []mount.Mount) []mount.Mount {
-	if len(mounts) == 1 && mounts[0].Type == "overlay" {
-		mounts[0].Options = append(mounts[0].Options, "ro")
-	}
-	return mounts
-}
-
 // WithWindowsDevice adds a device exposed to a Windows (WCOW or LCOW) Container
 func WithWindowsDevice(idType, id string) SpecOpts {
 	return func(_ context.Context, _ Client, _ *containers.Container, s *Spec) error {