Merge pull request #221 from ijc/writeable-rootfs-snapshot

Always use a writeable snapshot as the rootfs.
2017-09-06 15:10:28 -07:00 · 2017-09-06 15:10:28 -07:00 · 34319e025f
commit 34319e025f
parent e06c2c59e0 0161764ef5
2 changed files with 9 additions and 6 deletions
--- a/pkg/server/container_create.go
+++ b/pkg/server/container_create.go
@ -112,12 +112,12 @@ func (c *criContainerdService) CreateContainer(ctx context.Context, r *runtime.C
 	opts := []containerd.NewContainerOpts{
 		containerd.WithSnapshotter(c.snapshotter),
 	}
-	// Prepare container rootfs.
-	if config.GetLinux().GetSecurityContext().GetReadonlyRootfs() {
-		opts = append(opts, containerd.WithNewSnapshotView(id, image.Image))
-	} else {
+	// Prepare container rootfs. This is always writeable even if
+	// the container wants a readonly rootfs since we want to give
+	// the runtime (runc) a chance to modify (e.g. to create mount
+	// points corresponding to spec.Mounts) before making the
+	// rootfs readonly (requested by spec.Root.Readonly).
 	opts = append(opts, containerd.WithNewSnapshot(id, image.Image))
-	}
 	meta.ImageRef = image.ID

 	// Create container root directory.
--- a/pkg/server/sandbox_run.go
+++ b/pkg/server/sandbox_run.go
@ -132,6 +132,9 @@ func (c *criContainerdService) RunPodSandbox(ctx context.Context, r *runtime.Run
 	}
 	opts := []containerd.NewContainerOpts{
 		containerd.WithSnapshotter(c.snapshotter),
+		// A pure ro rootfs view is OK for the sandbox since
+		// we will never need to modify it or mount anything
+		// in it.
 		containerd.WithNewSnapshotView(id, image.Image),
 		containerd.WithSpec(spec, specOpts...),
 		containerd.WithContainerLabels(labels),