github/containerd
4
0
Fork 0
Code Issues Pull Requests Packages Projects Releases 2 Wiki Activity

Merge pull request #8397 from thaJeztah/restore_readonly_comments

Browse Source 
oci: partially restore comment on read-only mounts for uid/gid uses
This commit is contained in:
Derek McGowan
2023-04-17 13:08:28 -07:00
committed by GitHub
parent 9920673391 cb2c3ec8f8
commit 8700566073
1 changed files with 20 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

20
oci/spec_opts.go
View File

@@ -683,6 +683,10 @@ func WithUser(userstr string) SpecOpts {
return err return err
} }
// Use a read-only mount when trying to get user/group information
// from the container's rootfs. Since the option does read operation
// only, we append ReadOnly mount option to prevent the Linux kernel
// from syncing whole filesystem in umount syscall.
return mount.WithReadonlyTempMount(ctx, mounts, f) return mount.WithReadonlyTempMount(ctx, mounts, f)
default: default:
return fmt.Errorf("invalid USER value %s", userstr) return fmt.Errorf("invalid USER value %s", userstr)
@@ -743,6 +747,10 @@ func WithUserID(uid uint32) SpecOpts {
return err return err
} }
// Use a read-only mount when trying to get user/group information
// from the container's rootfs. Since the option does read operation
// only, we append ReadOnly mount option to prevent the Linux kernel
// from syncing whole filesystem in umount syscall.
return mount.WithReadonlyTempMount(ctx, mounts, setUser) return mount.WithReadonlyTempMount(ctx, mounts, setUser)
} }
} }
@@ -787,6 +795,10 @@ func WithUsername(username string) SpecOpts {
return err return err
} }
// Use a read-only mount when trying to get user/group information
// from the container's rootfs. Since the option does read operation
// only, we append ReadOnly mount option to prevent the Linux kernel
// from syncing whole filesystem in umount syscall.
return mount.WithReadonlyTempMount(ctx, mounts, setUser) return mount.WithReadonlyTempMount(ctx, mounts, setUser)
} else if s.Windows != nil { } else if s.Windows != nil {
s.Process.User.Username = username s.Process.User.Username = username
@@ -865,6 +877,10 @@ func WithAdditionalGIDs(userstr string) SpecOpts {
return err return err
} }
// Use a read-only mount when trying to get user/group information
// from the container's rootfs. Since the option does read operation
// only, we append ReadOnly mount option to prevent the Linux kernel
// from syncing whole filesystem in umount syscall.
return mount.WithReadonlyTempMount(ctx, mounts, setAdditionalGids) return mount.WithReadonlyTempMount(ctx, mounts, setAdditionalGids)
} }
} }
@@ -926,6 +942,10 @@ func WithAppendAdditionalGroups(groups ...string) SpecOpts {
return err return err
} }
// Use a read-only mount when trying to get user/group information
// from the container's rootfs. Since the option does read operation
// only, we append ReadOnly mount option to prevent the Linux kernel
// from syncing whole filesystem in umount syscall.
return mount.WithReadonlyTempMount(ctx, mounts, setAdditionalGids) return mount.WithReadonlyTempMount(ctx, mounts, setAdditionalGids)
} }
} }