oci: Use WithReadonlyTempMount when adding users/groups
Signed-off-by: Djordje Lukic <djordje.lukic@docker.com>
		| @@ -683,8 +683,7 @@ func WithUser(userstr string) SpecOpts { | ||||
| 				return err | ||||
| 			} | ||||
|  | ||||
| 			mounts = tryReadonlyMounts(mounts) | ||||
| 			return mount.WithTempMount(ctx, mounts, f) | ||||
| 			return mount.WithReadonlyTempMount(ctx, mounts, f) | ||||
| 		default: | ||||
| 			return fmt.Errorf("invalid USER value %s", userstr) | ||||
| 		} | ||||
| @@ -744,8 +743,7 @@ func WithUserID(uid uint32) SpecOpts { | ||||
| 			return err | ||||
| 		} | ||||
|  | ||||
| 		mounts = tryReadonlyMounts(mounts) | ||||
| 		return mount.WithTempMount(ctx, mounts, setUser) | ||||
| 		return mount.WithReadonlyTempMount(ctx, mounts, setUser) | ||||
| 	} | ||||
| } | ||||
|  | ||||
| @@ -789,8 +787,7 @@ func WithUsername(username string) SpecOpts { | ||||
| 				return err | ||||
| 			} | ||||
|  | ||||
| 			mounts = tryReadonlyMounts(mounts) | ||||
| 			return mount.WithTempMount(ctx, mounts, setUser) | ||||
| 			return mount.WithReadonlyTempMount(ctx, mounts, setUser) | ||||
| 		} else if s.Windows != nil { | ||||
| 			s.Process.User.Username = username | ||||
| 		} else { | ||||
| @@ -868,8 +865,7 @@ func WithAdditionalGIDs(userstr string) SpecOpts { | ||||
| 			return err | ||||
| 		} | ||||
|  | ||||
| 		mounts = tryReadonlyMounts(mounts) | ||||
| 		return mount.WithTempMount(ctx, mounts, setAdditionalGids) | ||||
| 		return mount.WithReadonlyTempMount(ctx, mounts, setAdditionalGids) | ||||
| 	} | ||||
| } | ||||
|  | ||||
| @@ -930,8 +926,7 @@ func WithAppendAdditionalGroups(groups ...string) SpecOpts { | ||||
| 			return err | ||||
| 		} | ||||
|  | ||||
| 		mounts = tryReadonlyMounts(mounts) | ||||
| 		return mount.WithTempMount(ctx, mounts, setAdditionalGids) | ||||
| 		return mount.WithReadonlyTempMount(ctx, mounts, setAdditionalGids) | ||||
| 	} | ||||
| } | ||||
|  | ||||
| @@ -1426,24 +1421,6 @@ func WithDevShmSize(kb int64) SpecOpts { | ||||
| 	} | ||||
| } | ||||
|  | ||||
| // tryReadonlyMounts is used by the options which are trying to get user/group | ||||
| // information from container's rootfs. Since the option does read operation | ||||
| // only, this helper will append ReadOnly mount option to prevent linux kernel | ||||
| // from syncing whole filesystem in umount syscall. | ||||
| // | ||||
| // TODO(fuweid): | ||||
| // | ||||
| // Currently, it only works for overlayfs. I think we can apply it to other | ||||
| // kinds of filesystem. Maybe we can return `ro` option by `snapshotter.Mount` | ||||
| // API, when the caller passes that experimental annotation | ||||
| // `containerd.io/snapshot/readonly.mount` something like that. | ||||
| func tryReadonlyMounts(mounts []mount.Mount) []mount.Mount { | ||||
| 	if len(mounts) == 1 && mounts[0].Type == "overlay" { | ||||
| 		mounts[0].Options = append(mounts[0].Options, "ro") | ||||
| 	} | ||||
| 	return mounts | ||||
| } | ||||
|  | ||||
| // WithWindowsDevice adds a device exposed to a Windows (WCOW or LCOW) Container | ||||
| func WithWindowsDevice(idType, id string) SpecOpts { | ||||
| 	return func(_ context.Context, _ Client, _ *containers.Container, s *Spec) error { | ||||
|   | ||||