github/containerd
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases 2 Wiki Activity

Merge pull request #8351 from rumpl/oci-readonly-mounts

Browse Source 
oci: Use WithReadonlyTempMount when adding users/groups
This commit is contained in:
Derek McGowan 2023-04-05 13:18:18 -07:00 committed by GitHub
commit 2503bef581
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 5 additions and 28 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

33
oci/spec_opts.go
View File

@ -683,8 +683,7 @@ func WithUser(userstr string) SpecOpts {
return err return err
} }
mounts = tryReadonlyMounts(mounts) return mount.WithReadonlyTempMount(ctx, mounts, f)
return mount.WithTempMount(ctx, mounts, f)
default: default:
return fmt.Errorf("invalid USER value %s", userstr) return fmt.Errorf("invalid USER value %s", userstr)
} }
@ -744,8 +743,7 @@ func WithUserID(uid uint32) SpecOpts {
return err return err
} }
mounts = tryReadonlyMounts(mounts) return mount.WithReadonlyTempMount(ctx, mounts, setUser)
return mount.WithTempMount(ctx, mounts, setUser)
} }
} }
@ -789,8 +787,7 @@ func WithUsername(username string) SpecOpts {
return err return err
} }
mounts = tryReadonlyMounts(mounts) return mount.WithReadonlyTempMount(ctx, mounts, setUser)
return mount.WithTempMount(ctx, mounts, setUser)
} else if s.Windows != nil { } else if s.Windows != nil {
s.Process.User.Username = username s.Process.User.Username = username
} else { } else {
@ -868,8 +865,7 @@ func WithAdditionalGIDs(userstr string) SpecOpts {
return err return err
} }
mounts = tryReadonlyMounts(mounts) return mount.WithReadonlyTempMount(ctx, mounts, setAdditionalGids)
return mount.WithTempMount(ctx, mounts, setAdditionalGids)
} }
} }
@ -930,8 +926,7 @@ func WithAppendAdditionalGroups(groups ...string) SpecOpts {
return err return err
} }
mounts = tryReadonlyMounts(mounts) return mount.WithReadonlyTempMount(ctx, mounts, setAdditionalGids)
return mount.WithTempMount(ctx, mounts, setAdditionalGids)
} }
} }
@ -1426,24 +1421,6 @@ func WithDevShmSize(kb int64) SpecOpts {
} }
} }
// tryReadonlyMounts is used by the options which are trying to get user/group
// information from container's rootfs. Since the option does read operation
// only, this helper will append ReadOnly mount option to prevent linux kernel
// from syncing whole filesystem in umount syscall.
//
// TODO(fuweid):
//
// Currently, it only works for overlayfs. I think we can apply it to other
// kinds of filesystem. Maybe we can return `ro` option by `snapshotter.Mount`
// API, when the caller passes that experimental annotation
// `containerd.io/snapshot/readonly.mount` something like that.
func tryReadonlyMounts(mounts []mount.Mount) []mount.Mount {
if len(mounts) == 1 && mounts[0].Type == "overlay" {
mounts[0].Options = append(mounts[0].Options, "ro")
}
return mounts
}
// WithWindowsDevice adds a device exposed to a Windows (WCOW or LCOW) Container // WithWindowsDevice adds a device exposed to a Windows (WCOW or LCOW) Container
func WithWindowsDevice(idType, id string) SpecOpts { func WithWindowsDevice(idType, id string) SpecOpts {
return func(_ context.Context, _ Client, _ *containers.Container, s *Spec) error { return func(_ context.Context, _ Client, _ *containers.Container, s *Spec) error {