Use rbind and rprivate in bind mount.

Signed-off-by: Lantao Liu <lantaol@google.com>
2017-08-30 01:39:53 +00:00
parent 55ee423224
commit 3f4978b77b
3 changed files with 11 additions and 9 deletions
--- a/pkg/server/container_create.go
+++ b/pkg/server/container_create.go
@@ -438,9 +438,11 @@ func addOCIBindMounts(g *generate.Generator, mounts []*runtime.Mount) {
 	for _, mount := range mounts {
 		dst := mount.GetContainerPath()
 		src := mount.GetHostPath()
-		options := []string{"rw"}
+		options := []string{"rbind", "rprivate"}
 		if mount.GetReadonly() {
-			options = []string{"ro"}
+			options = append(options, "ro")
+		} else {
+			options = append(options, "rw")
 		}
 		// TODO(random-liu): [P1] Apply selinux label
 		g.AddBindMount(src, dst, options)
--- a/pkg/server/container_create_test.go
+++ b/pkg/server/container_create_test.go
@@ -121,8 +121,8 @@ func getCreateContainerTestData() (*runtime.ContainerConfig, *runtime.PodSandbox
 		checkMount(t, spec.Mounts, "cgroup", "/sys/fs/cgroup", "cgroup", []string{"ro"}, nil)

 		t.Logf("Check bind mount")
-		checkMount(t, spec.Mounts, "host-path-1", "container-path-1", "bind", []string{"rw"}, nil)
-		checkMount(t, spec.Mounts, "host-path-2", "container-path-2", "bind", []string{"ro"}, nil)
+		checkMount(t, spec.Mounts, "host-path-1", "container-path-1", "bind", []string{"rbind", "rprivate", "rw"}, nil)
+		checkMount(t, spec.Mounts, "host-path-2", "container-path-2", "bind", []string{"rbind", "rprivate", "ro"}, nil)

 		t.Logf("Check resource limits")
 		assert.EqualValues(t, *spec.Linux.Resources.CPU.Period, 100)