diff options
| author | baude <bbaude@redhat.com> | 2018-01-31 14:21:47 -0600 |
|---|---|---|
| committer | Atomic Bot <atomic-devel@projectatomic.io> | 2018-02-06 01:17:54 +0000 |
| commit | bf00c976dd7509b7d84d1fa5254f1ac26fc494e5 (patch) | |
| tree | 168e559fbfcdbc0e0f07cd5cbce03f982677ef58 /cmd/podman/spec.go | |
| parent | 3609b82fe6f5fe268cdbe9f8aba43140c4e81f90 (diff) | |
| download | podman-bf00c976dd7509b7d84d1fa5254f1ac26fc494e5.tar.gz podman-bf00c976dd7509b7d84d1fa5254f1ac26fc494e5.tar.bz2 podman-bf00c976dd7509b7d84d1fa5254f1ac26fc494e5.zip | |
sysfs should be mounted rw for privileged
sysfs should be mounted rw for a privileged container.
Signed-off-by: baude <bbaude@redhat.com>
Closes: #279
Approved by: rhatdan
Diffstat (limited to 'cmd/podman/spec.go')
| -rw-r--r-- | cmd/podman/spec.go | 14 |
1 files changed, 13 insertions, 1 deletions
diff --git a/cmd/podman/spec.go b/cmd/podman/spec.go index d21d8b6da..56e8c8d05 100644 --- a/cmd/podman/spec.go +++ b/cmd/podman/spec.go @@ -156,12 +156,24 @@ func addDevice(g *generate.Generator, device string) error { // Parses information needed to create a container into an OCI runtime spec func createConfigToOCISpec(config *createConfig) (*spec.Spec, error) { + cgroupPerm := "ro" g := generate.New() + if config.Privileged { + cgroupPerm = "rw" + g.RemoveMount("/sys") + sysMnt := spec.Mount{ + Destination: "/sys", + Type: "sysfs", + Source: "sysfs", + Options: []string{"nosuid", "noexec", "nodev", "rw"}, + } + g.AddMount(sysMnt) + } cgroupMnt := spec.Mount{ Destination: "/sys/fs/cgroup", Type: "cgroup", Source: "cgroup", - Options: []string{"nosuid", "noexec", "nodev", "relatime", "ro"}, + Options: []string{"nosuid", "noexec", "nodev", "relatime", cgroupPerm}, } g.AddMount(cgroupMnt) g.SetProcessCwd(config.WorkDir) |