Explicitly set rw for privileged container.

Signed-off-by: Lantao Liu <lantaol@google.com>
Lantao Liu 2018-05-07 15:13:14 -07:00
parent 5f4035ae2f
commit a5d1332e8f
2 changed files with 5 additions and 5 deletions


@ -523,7 +523,7 @@ func clearReadOnly(m *runtimespec.Mount) {
opt = append(opt, o) opt = append(opt, o)
} }
} }
m.Options = opt m.Options = append(opt, "rw")
} }
// addDevices set device mapping without privilege. // addDevices set device mapping without privilege.
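Review bot: The name clearReadOnly only suggests removing `ro`, so its doc comment (above this hunk, not visible here) should state the new behaviour, for example `// clearReadOnly removes "ro" from the mount options and explicitly sets "rw".` The filter condition of the loop is also outside the hunk; if it only drops `ro`, a mount that already lists `rw` comes out of `m.Options = append(opt, "rw")` with the option twice, which a check such as `if o != "ro" && o != "rw"` in the filter would avoid. Judging by the test file, this is applied to the sysfs and cgroup mounts, so it is worth confirming in the caller, which this page does not show, that the function is reached only on the privileged path. The updated TestPrivilegedBindMount assertions appear to check only the presence and absence of `rw` and have no case where the input mount already carries it.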


@ -627,14 +627,14 @@ func TestPrivilegedBindMount(t *testing.T) {
} }
spec := g.Spec() spec := g.Spec()
if test.expectedSysFSRO { if test.expectedSysFSRO {
checkMount(t, spec.Mounts, "sysfs", "/sys", "sysfs", []string{"ro"}, nil) checkMount(t, spec.Mounts, "sysfs", "/sys", "sysfs", []string{"ro"}, []string{"rw"})
} else { } else {
checkMount(t, spec.Mounts, "sysfs", "/sys", "sysfs", nil, []string{"ro"}) checkMount(t, spec.Mounts, "sysfs", "/sys", "sysfs", []string{"rw"}, []string{"ro"})
} }
if test.expectedCgroupFSRO { if test.expectedCgroupFSRO {
checkMount(t, spec.Mounts, "cgroup", "/sys/fs/cgroup", "cgroup", []string{"ro"}, nil) checkMount(t, spec.Mounts, "cgroup", "/sys/fs/cgroup", "cgroup", []string{"ro"}, []string{"rw"})
} else { } else {
checkMount(t, spec.Mounts, "cgroup", "/sys/fs/cgroup", "cgroup", nil, []string{"ro"}) checkMount(t, spec.Mounts, "cgroup", "/sys/fs/cgroup", "cgroup", []string{"rw"}, []string{"ro"})
} }
} }
} }