diff options
| author | Daniel J Walsh <dwalsh@redhat.com> | 2019-04-26 10:51:59 -0400 |
|---|---|---|
| committer | Daniel J Walsh <dwalsh@redhat.com> | 2019-04-26 12:29:10 -0400 |
| commit | 3a4be4b66ca22d87446c37218b300b8f31a84b92 (patch) | |
| tree | dcd3430bb191a145aa386679fb7f9fcf366411ac /pkg/spec/spec.go | |
| parent | 135c8bef223d32f553659cbdfd5eb99f948a6c84 (diff) | |
| download | podman-3a4be4b66ca22d87446c37218b300b8f31a84b92.tar.gz podman-3a4be4b66ca22d87446c37218b300b8f31a84b92.tar.bz2 podman-3a4be4b66ca22d87446c37218b300b8f31a84b92.zip | |
Add --read-only-tmpfs options
The --read-only-tmpfs option caused podman to mount tmpfs on /run, /tmp, /var/tmp
if the container is running int read-only mode.
The default is true, so you would need to execute a command like
--read-only --read-only-tmpfs=false to turn off this behaviour.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Diffstat (limited to 'pkg/spec/spec.go')
| -rw-r--r-- | pkg/spec/spec.go | 25 |
1 files changed, 25 insertions, 0 deletions
diff --git a/pkg/spec/spec.go b/pkg/spec/spec.go index 0371b6d4d..4cbed0ea4 100644 --- a/pkg/spec/spec.go +++ b/pkg/spec/spec.go @@ -341,6 +341,31 @@ func CreateConfigToOCISpec(config *CreateConfig) (*spec.Spec, error) { //nolint } } + if config.ReadOnlyRootfs && config.ReadOnlyTmpfs { + options := []string{"rw", "rprivate", "nosuid", "nodev", "tmpcopyup"} + for _, i := range []string{"/tmp", "/var/tmp"} { + if libpod.MountExists(g.Config.Mounts, i) { + continue + } + // Default options if nothing passed + tmpfsMnt := spec.Mount{ + Destination: i, + Type: "tmpfs", + Source: "tmpfs", + Options: options, + } + g.AddMount(tmpfsMnt) + } + if !libpod.MountExists(g.Config.Mounts, "/run") { + tmpfsMnt := spec.Mount{ + Destination: "/run", + Type: "tmpfs", + Source: "tmpfs", + Options: append(options, "noexec", "size=65536k"), + } + g.AddMount(tmpfsMnt) + } + } for name, val := range config.Env { g.AddProcessEnv(name, val) } |