diff options
| author | Giuseppe Scrivano <gscrivan@redhat.com> | 2018-08-22 17:45:44 +0200 |
|---|---|---|
| committer | Atomic Bot <atomic-devel@projectatomic.io> | 2018-08-27 13:26:28 +0000 |
| commit | 663ee91eec01706008046c1df2c307716f9288db (patch) | |
| tree | f789c4e681e51c74a29b9c71df8db73806f7f751 /pkg/spec/spec.go | |
| parent | 90e93e66b0906e59efe3025d801a0e122bd4c42e (diff) | |
| download | podman-663ee91eec01706008046c1df2c307716f9288db.tar.gz podman-663ee91eec01706008046c1df2c307716f9288db.tar.bz2 podman-663ee91eec01706008046c1df2c307716f9288db.zip | |
Fix Mount Propagation
Default mount propagation inside of containes should be private
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Closes: #1305
Approved by: mheon
Diffstat (limited to 'pkg/spec/spec.go')
| -rw-r--r-- | pkg/spec/spec.go | 20 |
1 files changed, 6 insertions, 14 deletions
diff --git a/pkg/spec/spec.go b/pkg/spec/spec.go index 255b70045..a915c305f 100644 --- a/pkg/spec/spec.go +++ b/pkg/spec/spec.go @@ -41,7 +41,7 @@ func CreateConfigToOCISpec(config *CreateConfig) (*spec.Spec, error) { //nolint Destination: "/sys", Type: "sysfs", Source: "sysfs", - Options: []string{"nosuid", "noexec", "nodev", "rw"}, + Options: []string{"private", "nosuid", "noexec", "nodev", "rw"}, } g.AddMount(sysMnt) } else if !canMountSys { @@ -65,7 +65,7 @@ func CreateConfigToOCISpec(config *CreateConfig) (*spec.Spec, error) { //nolint Destination: "/dev/pts", Type: "devpts", Source: "devpts", - Options: []string{"nosuid", "noexec", "newinstance", "ptmxmode=0666", "mode=0620"}, + Options: []string{"private", "nosuid", "noexec", "newinstance", "ptmxmode=0666", "mode=0620"}, } g.AddMount(devPts) } @@ -95,7 +95,7 @@ func CreateConfigToOCISpec(config *CreateConfig) (*spec.Spec, error) { //nolint Destination: "/sys/fs/cgroup", Type: "cgroup", Source: "cgroup", - Options: []string{"nosuid", "noexec", "nodev", "relatime", cgroupPerm}, + Options: []string{"private", "nosuid", "noexec", "nodev", "relatime", cgroupPerm}, } g.AddMount(cgroupMnt) } @@ -223,7 +223,7 @@ func CreateConfigToOCISpec(config *CreateConfig) (*spec.Spec, error) { //nolint for _, i := range config.Tmpfs { // Default options if nothing passed - options := []string{"rw", "noexec", "nosuid", "nodev", "size=65536k"} + options := []string{"rw", "private", "noexec", "nosuid", "nodev", "size=65536k"} spliti := strings.SplitN(i, ":", 2) if len(spliti) > 1 { if _, _, err := mount.ParseTmpfsOptions(spliti[1]); err != nil { @@ -303,17 +303,9 @@ func CreateConfigToOCISpec(config *CreateConfig) (*spec.Spec, error) { //nolint return nil, errors.Wrapf(err, "error getting volume mounts") } configSpec.Mounts = append(configSpec.Mounts, mounts...) - for _, mount := range configSpec.Mounts { - for _, opt := range mount.Options { - switch opt { - case "private", "rprivate", "slave", "rslave", "shared", "rshared": - if err := g.SetLinuxRootPropagation(opt); err != nil { - return nil, errors.Wrapf(err, "error setting root propagation for %q", mount.Destination) - } - } - } + if err := g.SetLinuxRootPropagation("shared"); err != nil { + return nil, errors.Wrapf(err, "failed to set propagation to rslave") } - if canAddResources { // BLOCK IO blkio, err := config.CreateBlockIO() |