aboutsummaryrefslogtreecommitdiff
path: root/pkg/spec/storage.go
diff options
context:
space:
mode:
authorMatthew Heon <matthew.heon@pm.me>2019-04-29 16:01:05 -0400
committerMatthew Heon <matthew.heon@pm.me>2019-05-01 10:19:05 -0400
commit606cee93bfabe2b8177dad53168e51cd1aeeb9ee (patch)
tree7e2d2d5f5bc93cd91c3c915834920c5e6a806fae /pkg/spec/storage.go
parentc86647d2037f5bb042f8703845098e35c620df48 (diff)
downloadpodman-606cee93bfabe2b8177dad53168e51cd1aeeb9ee.tar.gz
podman-606cee93bfabe2b8177dad53168e51cd1aeeb9ee.tar.bz2
podman-606cee93bfabe2b8177dad53168e51cd1aeeb9ee.zip
Move handling of ReadOnlyTmpfs into new mounts code
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
Diffstat (limited to 'pkg/spec/storage.go')
-rw-r--r--pkg/spec/storage.go43
1 files changed, 36 insertions, 7 deletions
diff --git a/pkg/spec/storage.go b/pkg/spec/storage.go
index 3993c2940..55148b606 100644
--- a/pkg/spec/storage.go
+++ b/pkg/spec/storage.go
@@ -35,8 +35,7 @@ var (
// Handles --volumes-from, --volumes, --tmpfs, --init, and --init-path flags.
// TODO: Named volume options - should we default to rprivate? It bakes into a
// bind mount under the hood...
-// TODO: Tmpfs options - we should probably check user-given ones, provide sane
-// defaults even if the user provides a few...
+// TODO: handle options parsing/processing via containers/storage/pkg/mount
func (config *CreateConfig) parseVolumes(runtime *libpod.Runtime) ([]spec.Mount, []*libpod.ContainerNamedVolume, error) {
// Add image volumes.
baseMounts, baseVolumes, err := config.getImageVolumes()
@@ -136,6 +135,34 @@ func (config *CreateConfig) parseVolumes(runtime *libpod.Runtime) ([]spec.Mount,
unifiedMounts[initMount.Destination] = initMount
}
+ // If requested, add tmpfs filesystems for read-only containers.
+ // Need to keep track of which we created, so we don't modify options
+ // for them later...
+ readonlyTmpfs := map[string]bool{
+ "/tmp": false,
+ "/var/tmp": false,
+ "/run": false,
+ }
+ if config.ReadOnlyRootfs && config.ReadOnlyTmpfs {
+ options := []string{"rw", "rprivate", "nosuid", "nodev", "tmpcopyup", "size=65536k"}
+ for dest := range readonlyTmpfs {
+ if _, ok := unifiedMounts[dest]; ok {
+ continue
+ }
+ localOpts := options
+ if dest == "/run" {
+ localOpts = append(localOpts, "noexec")
+ }
+ unifiedMounts[dest] = spec.Mount{
+ Destination: dest,
+ Type: "tmpfs",
+ Source: "tmpfs",
+ Options: localOpts,
+ }
+ readonlyTmpfs[dest] = true
+ }
+ }
+
// Supercede volumes-from/image volumes with unified volumes from above.
// This is an unconditional replacement.
for dest, mount := range unifiedMounts {
@@ -146,13 +173,13 @@ func (config *CreateConfig) parseVolumes(runtime *libpod.Runtime) ([]spec.Mount,
}
// Check for conflicts between named volumes and mounts
- for dest := range unifiedMounts {
- if _, ok := unifiedVolumes[dest]; ok {
+ for dest := range baseMounts {
+ if _, ok := baseVolumes[dest]; ok {
return nil, nil, errors.Wrapf(errDuplicateDest, "conflict at mount destination %v", dest)
}
}
- for dest := range unifiedVolumes {
- if _, ok := unifiedMounts[dest]; ok {
+ for dest := range baseVolumes {
+ if _, ok := baseMounts[dest]; ok {
return nil, nil, errors.Wrapf(errDuplicateDest, "conflict at mount destination %v", dest)
}
}
@@ -161,7 +188,9 @@ func (config *CreateConfig) parseVolumes(runtime *libpod.Runtime) ([]spec.Mount,
finalMounts := make([]spec.Mount, 0, len(baseMounts))
for _, mount := range baseMounts {
// All user-added tmpfs mounts need their options processed.
- if mount.Type == TypeTmpfs {
+ // Exception: mounts added by the ReadOnlyTmpfs option, which
+ // contain several exceptions to normal options rules.
+ if mount.Type == TypeTmpfs && !readonlyTmpfs[mount.Destination] {
opts, err := util.ProcessTmpfsOptions(mount.Options)
if err != nil {
return nil, nil, err