oci: partially restore comment on read-only mounts for uid/gid uses

Commit cab056226f removed the tryReadonlyMounts
utility, in favor of mounts.ReadOnlyMounts() that was added in commit
daa3a7665e.

That change made part of the comment redundant, because mounts.ReadOnlyMounts
handles overlayfs read-only mounts (by skipping the workdir mounts) and sets
the "ro" option for other mount types; the reason why we're using a read-only
mount is still relevant, though, so this restores that part of the comment.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Sebastiaan van Stijn 2023-04-15 13:54:23 +02:00
parent ffc70c45c4
commit cb2c3ec8f8
GPG Key ID: 76698F39D527CE8C


@ -683,6 +683,10 @@ func WithUser(userstr string) SpecOpts {
return err
}
// Use a read-only mount when trying to get user/group information
// from the container's rootfs. Since the option does read operation
// only, we append ReadOnly mount option to prevent the Linux kernel
// from syncing whole filesystem in umount syscall.
return mount.WithReadonlyTempMount(ctx, mounts, f)
default:
return fmt.Errorf("invalid USER value %s", userstr)
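Review bot: The restored comment says "we append ReadOnly mount option", which no longer matches the mechanism the commit message itself describes for overlayfs (the workdir mounts are skipped rather than an "ro" option being added), so the comment should state the intent and leave the mechanism to the helper, e.g. `// Use a read-only temp mount when reading user/group information from the container's rootfs: the lookup only reads, and a read-only mount avoids the kernel syncing the whole filesystem on umount (see mount.WithReadonlyTempMount).` The same four-line comment is added verbatim in WithUserID, WithUsername, WithAdditionalGIDs and WithAppendAdditionalGroups; one canonical explanation on WithReadonlyTempMount with a one-line pointer at each call site would keep the five copies from drifting apart. WithUser starts and ends outside this hunk.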
@ -743,6 +747,10 @@ func WithUserID(uid uint32) SpecOpts {
return err
}
// Use a read-only mount when trying to get user/group information
// from the container's rootfs. Since the option does read operation
// only, we append ReadOnly mount option to prevent the Linux kernel
// from syncing whole filesystem in umount syscall.
return mount.WithReadonlyTempMount(ctx, mounts, setUser)
}
}
@ -787,6 +795,10 @@ func WithUsername(username string) SpecOpts {
return err
}
// Use a read-only mount when trying to get user/group information
// from the container's rootfs. Since the option does read operation
// only, we append ReadOnly mount option to prevent the Linux kernel
// from syncing whole filesystem in umount syscall.
return mount.WithReadonlyTempMount(ctx, mounts, setUser)
} else if s.Windows != nil {
s.Process.User.Username = username
@ -865,6 +877,10 @@ func WithAdditionalGIDs(userstr string) SpecOpts {
return err
}
// Use a read-only mount when trying to get user/group information
// from the container's rootfs. Since the option does read operation
// only, we append ReadOnly mount option to prevent the Linux kernel
// from syncing whole filesystem in umount syscall.
return mount.WithReadonlyTempMount(ctx, mounts, setAdditionalGids)
}
}
@ -926,6 +942,10 @@ func WithAppendAdditionalGroups(groups ...string) SpecOpts {
return err
}
// Use a read-only mount when trying to get user/group information
// from the container's rootfs. Since the option does read operation
// only, we append ReadOnly mount option to prevent the Linux kernel
// from syncing whole filesystem in umount syscall.
return mount.WithReadonlyTempMount(ctx, mounts, setAdditionalGids)
}
}