github/containerd
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases 2 Wiki Activity

readonly: pass RW rootfs to runtime, and let the runtime remount it as RO

Browse Source 
Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp>
This commit is contained in:
Akihiro Suda 2017-09-28 07:46:26 +00:00
parent 70b353dff2
commit 27023c7fa2
2 changed files with 23 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
cmd/ctr/run_unix.go
View File

@ -84,7 +84,7 @@ func newContainer(ctx gocontext.Context, client *containerd.Client, context *cli
) )
cOpts = append(cOpts, containerd.WithContainerLabels(labelArgs(context.StringSlice("label")))) cOpts = append(cOpts, containerd.WithContainerLabels(labelArgs(context.StringSlice("label"))))
if context.Bool("rootfs") { if context.Bool("rootfs") {
opts = append(opts, containerd.WithRootFSPath(ref, context.Bool("readonly"))) opts = append(opts, containerd.WithRootFSPath(ref))
} else { } else {
image, err := client.GetImage(ctx, ref) image, err := client.GetImage(ctx, ref)
if err != nil { if err != nil {
@ -93,11 +93,13 @@ func newContainer(ctx gocontext.Context, client *containerd.Client, context *cli
opts = append(opts, containerd.WithImageConfig(image)) opts = append(opts, containerd.WithImageConfig(image))
cOpts = append(cOpts, containerd.WithImage(image)) cOpts = append(cOpts, containerd.WithImage(image))
cOpts = append(cOpts, containerd.WithSnapshotter(context.String("snapshotter"))) cOpts = append(cOpts, containerd.WithSnapshotter(context.String("snapshotter")))
if context.Bool("readonly") { // Even when "readonly" is set, we don't use KindView snapshot here. (#1495)
cOpts = append(cOpts, containerd.WithNewSnapshotView(id, image)) // We pass writable snapshot to the OCI runtime, and the runtime remounts it as read-only,
} else { // after creating some mount points on demand.
cOpts = append(cOpts, containerd.WithNewSnapshot(id, image)) cOpts = append(cOpts, containerd.WithNewSnapshot(id, image))
} }
if context.Bool("readonly") {
opts = append(opts, containerd.WithRootFSReadonly())
} }
cOpts = append(cOpts, containerd.WithRuntime(context.String("runtime"), nil)) cOpts = append(cOpts, containerd.WithRuntime(context.String("runtime"), nil))

19
spec_opts_unix.go
View File

@ -138,17 +138,28 @@ func WithImageConfig(i Image) SpecOpts {
} }
// WithRootFSPath specifies unmanaged rootfs path. // WithRootFSPath specifies unmanaged rootfs path.
func WithRootFSPath(path string, readonly bool) SpecOpts { func WithRootFSPath(path string) SpecOpts {
return func(_ context.Context, _ *Client, _ *containers.Container, s *specs.Spec) error { return func(_ context.Context, _ *Client, _ *containers.Container, s *specs.Spec) error {
s.Root = &specs.Root{ if s.Root == nil {
Path: path, s.Root = &specs.Root{}
Readonly: readonly,
} }
s.Root.Path = path
// Entrypoint is not set here (it's up to caller) // Entrypoint is not set here (it's up to caller)
return nil return nil
} }
} }
// WithRootFSReadonly sets specs.Root.Readonly to true
func WithRootFSReadonly() SpecOpts {
return func(_ context.Context, _ *Client, _ *containers.Container, s *specs.Spec) error {
if s.Root == nil {
s.Root = &specs.Root{}
}
s.Root.Readonly = true
return nil
}
}
// WithResources sets the provided resources on the spec for task updates // WithResources sets the provided resources on the spec for task updates
func WithResources(resources *specs.LinuxResources) UpdateTaskOpts { func WithResources(resources *specs.LinuxResources) UpdateTaskOpts {
return func(ctx context.Context, client *Client, r *UpdateTaskInfo) error { return func(ctx context.Context, client *Client, r *UpdateTaskInfo) error {