Merge pull request #221 from ijc/writeable-rootfs-snapshot

Always use a writeable snapshot as the rootfs.

pkg/server/container_create.go

@@ -112,12 +112,12 @@ func (c *criContainerdService) CreateContainer(ctx context.Context, r *runtime.C
 	opts := []containerd.NewContainerOpts{
 		containerd.WithSnapshotter(c.snapshotter),
 	}
-	// Prepare container rootfs.
+	// Prepare container rootfs. This is always writeable even if
-	if config.GetLinux().GetSecurityContext().GetReadonlyRootfs() {
+	// the container wants a readonly rootfs since we want to give
-		opts = append(opts, containerd.WithNewSnapshotView(id, image.Image))
+	// the runtime (runc) a chance to modify (e.g. to create mount
-	} else {
+	// points corresponding to spec.Mounts) before making the
-		opts = append(opts, containerd.WithNewSnapshot(id, image.Image))
+	// rootfs readonly (requested by spec.Root.Readonly).
-	}
+	opts = append(opts, containerd.WithNewSnapshot(id, image.Image))
 	meta.ImageRef = image.ID
 
 	// Create container root directory.

pkg/server/sandbox_run.go

@@ -132,6 +132,9 @@ func (c *criContainerdService) RunPodSandbox(ctx context.Context, r *runtime.Run
 	}
 	opts := []containerd.NewContainerOpts{
 		containerd.WithSnapshotter(c.snapshotter),
+		// A pure ro rootfs view is OK for the sandbox since
+		// we will never need to modify it or mount anything
+		// in it.
 		containerd.WithNewSnapshotView(id, image.Image),
 		containerd.WithSpec(spec, specOpts...),
 		containerd.WithContainerLabels(labels),