From ec90efbe99b97ad194fa1586cb0f1ff82bdd4915 Mon Sep 17 00:00:00 2001
From: Qiutong Song
Date: Fri, 25 Feb 2022 17:53:30 -0800
Subject: [PATCH] Make the temp mount as ready only in container WithVolumes
Signed-off-by: Qiutong Song
---
 pkg/cri/opts/container.go | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/pkg/cri/opts/container.go b/pkg/cri/opts/container.go
index b3e358b2e..393e6a08b 100644
--- a/pkg/cri/opts/container.go
+++ b/pkg/cri/opts/container.go
@@ -69,6 +69,12 @@ func WithVolumes(volumeMounts map[string]string) containerd.NewContainerOpts {
 if err != nil {
 return err
 }
+ // Since only read is needed, append ReadOnly mount option to prevent linux kernel
+ // from syncing whole filesystem in umount syscall.
+ if len(mounts) == 1 && mounts[0].Type == "overlay" {
+ mounts[0].Options = append(mounts[0].Options, "ro")
+ }
+
 root, err := os.MkdirTemp("", "ctd-volume")
 if err != nil {
 return err
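Review bot: The guard `len(mounts) == 1 && mounts[0].Type == "overlay"` makes the temporary mount read-only only for a single overlay mount, so any other result from the snapshotter (a different mount type, or more than one mount) is still mounted writable for what the comment describes as a read-only copy, and the comment does not say that this limit is intentional. I would state it in the comment, e.g. `// Only the single-overlay case is handled here; other mounts are used as returned and stay writable.` Appending `"ro"` also leaves whatever is already in `mounts[0].Options` in place; whether those options can carry a conflicting entry is not visible in this hunk, so it is worth confirming against the snapshotter's output. The body of WithVolumes starts and ends outside the hunk.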