github/containerd
4
0
Fork 0
Code Issues Pull Requests Packages Projects Releases 2 Wiki Activity

Merge pull request #894 from Random-Liu/support-masked-readonly-paths

Browse Source 
Support masked readonly paths
This commit is contained in:
Lantao Liu
2018-09-05 10:32:40 -07:00
committed by GitHub
parent 1e471b1a44 3e4cec8739
commit 67c0b3e5e2
76 changed files with 4249 additions and 3727 deletions
Download Patch File Download Diff File Expand all files Collapse all files

18
pkg/server/container_create.go
View File

@@ -357,6 +357,24 @@ func (c *criService) generateContainerSpec(id string, sandboxID string, sandboxP
return nil, errors.Wrapf(err, "failed to set OCI bind mounts %+v", mounts)
}
// Apply masked paths if specified.
// When `MaskedPaths` is not specified, keep runtime default for backward compatibility;
// When `MaskedPaths` is specified, but length is zero, clear masked path list.
if securityContext.GetMaskedPaths() != nil {
g.Config.Linux.MaskedPaths = nil
for _, path := range securityContext.GetMaskedPaths() {
g.AddLinuxMaskedPaths(path)
}
}
// Apply readonly paths if specified.
if securityContext.GetReadonlyPaths() != nil {
g.Config.Linux.ReadonlyPaths = nil
for _, path := range securityContext.GetReadonlyPaths() {
g.AddLinuxReadonlyPaths(path)
}
}
if securityContext.GetPrivileged() {
if !sandboxConfig.GetLinux().GetSecurityContext().GetPrivileged() {
return nil, errors.New("no privileged container allowed in sandbox")