author | OpenShift Merge Robot <openshift-merge-robot@users.noreply.github.com> | 2019-04-29 02:38:14 -0700 |
committer | GitHub <noreply@github.com> | 2019-04-29 02:38:14 -0700 |
commit | e0312334cca5d8f5adf9844100f15317a86068d4 (patch) | |
tree | 2ae5e969ada5731b8379f94e21a447d0170486d2 /pkg | |
parent | fe3acddcbe02cfa258170707791bd096dc909022 (diff) | |
parent | 3a4be4b66ca22d87446c37218b300b8f31a84b92 (diff) | |
download | podman-e0312334cca5d8f5adf9844100f15317a86068d4.tar.gz podman-e0312334cca5d8f5adf9844100f15317a86068d4.tar.bz2 podman-e0312334cca5d8f5adf9844100f15317a86068d4.zip |
Merge pull request #3025 from rhatdan/read-only
Add --read-only-tmpfs options
Diffstat (limited to 'pkg')
-rw-r--r-- | pkg/inspect/inspect.go | 3 | ||||
-rw-r--r-- | pkg/spec/createconfig.go | 1 | ||||
-rw-r--r-- | pkg/spec/spec.go | 25 |
3 files changed, 28 insertions, 1 deletions
diff --git a/pkg/inspect/inspect.go b/pkg/inspect/inspect.go
index 270e431ad..6978370ef 100644
--- a/pkg/inspect/inspect.go
+++ b/pkg/inspect/inspect.go
@@ -38,7 +38,8 @@ type HostConfig struct {
 PidMode string `json:"PidMode"`
 Privileged bool `json:"Privileged"`
 PublishAllPorts bool `json:"PublishAllPorts"` //TODO
- ReadonlyRootfs bool `json:"ReadonlyRootfs"`
+ ReadOnlyRootfs bool `json:"ReadonlyRootfs"`
+ ReadOnlyTmpfs bool `json:"ReadonlyTmpfs"`
 SecurityOpt []string `json:"SecurityOpt"`
 UTSMode string `json:"UTSMode"`
 UsernsMode string `json:"UsernsMode"`
diff --git a/pkg/spec/createconfig.go b/pkg/spec/createconfig.go
index e71d9d3db..064dedd45 100644
--- a/pkg/spec/createconfig.go
+++ b/pkg/spec/createconfig.go
@@ -113,6 +113,7 @@ type CreateConfig struct {
 PublishAll bool //publish-all
 Quiet bool //quiet
 ReadOnlyRootfs bool //read-only
+ ReadOnlyTmpfs bool //read-only-tmpfs
 Resources CreateResourceConfig
 Rm bool //rm
 StopSignal syscall.Signal // stop-signal
diff --git a/pkg/spec/spec.go b/pkg/spec/spec.go
index 0371b6d4d..4cbed0ea4 100644
--- a/pkg/spec/spec.go
+++ b/pkg/spec/spec.go
@@ -341,6 +341,31 @@ func CreateConfigToOCISpec(config *CreateConfig) (*spec.Spec, error) { //nolint
 }
 }
+ if config.ReadOnlyRootfs && config.ReadOnlyTmpfs {
+ options := []string{"rw", "rprivate", "nosuid", "nodev", "tmpcopyup"}
+ for _, i := range []string{"/tmp", "/var/tmp"} {
+ if libpod.MountExists(g.Config.Mounts, i) {
+ continue
+ }
+ // Default options if nothing passed
+ tmpfsMnt := spec.Mount{
+ Destination: i,
+ Type: "tmpfs",
+ Source: "tmpfs",
+ Options: options,
+ }
+ g.AddMount(tmpfsMnt)
+ }
+ if !libpod.MountExists(g.Config.Mounts, "/run") {
+ tmpfsMnt := spec.Mount{
+ Destination: "/run",
+ Type: "tmpfs",
+ Source: "tmpfs",
+ Options: append(options, "noexec", "size=65536k"),
+ }
+ g.AddMount(tmpfsMnt)
+ }
+ }
 for name, val := range config.Env {
 g.AddProcessEnv(name, val)
 } |
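Review bot: The tmpfs mounts added for /tmp and /var/tmp in the spec.go hunk carry neither `noexec` nor a `size=` cap, unlike the /run mount a few lines below, so a container started with a read-only rootfs still gets an unbounded, executable writable area; if that asymmetry is deliberate it should be stated in the comment, and a size cap is at least worth considering since a memory-backed tmpfs with no limit is presumably bounded only by whatever memory limit the container has. The comment `// Default options if nothing passed` is also misplaced: `options` is applied unconditionally, and a user-supplied mount is handled by the `MountExists` skip just above it, so `// Skip paths the user already mounted; otherwise add a default tmpfs there` describes the loop more accurately. Note as well that the same `options` slice backs the `Options` field of both the /tmp and /var/tmp mounts, and the `append` for /run avoids aliasing it only because the literal has no spare capacity; building a fresh literal per mount would make that independence explicit rather than incidental. CreateConfigToOCISpec begins and ends outside this hunk.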