-rw-r--r--cmd/kpod/spec.go34
-rw-r--r--cmd/kpod/spec_test.go2
-rw-r--r--test/kpod_run.bats13
3 files changed, 30 insertions, 19 deletions
diff --git a/cmd/kpod/spec.go b/cmd/kpod/spec.go
index b2a439a9b..5d6fe8879 100644
--- a/cmd/kpod/spec.go
+++ b/cmd/kpod/spec.go
@@ -300,6 +300,16 @@ func createConfigToOCISpec(config *createConfig) (*spec.Spec, error) {
return nil, errors.Wrapf(err, "error getting volume mounts")
}
configSpec.Mounts = append(configSpec.Mounts, mounts...)
+ for _, mount := range configSpec.Mounts {
+ for _, opt := range mount.Options {
+ switch opt {
+ case "private", "rprivate", "slave", "rslave", "shared", "rshared":
+ if err := g.SetLinuxRootPropagation(opt); err != nil {
+ return nil, errors.Wrapf(err, "error setting root propagation for %q", mount.Destination)
+ }
+ }
+ }
+ }
// HANDLE CAPABILITIES
if err := setupCapabilities(config, configSpec); err != nil {
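Review bot: The new loop calls `g.SetLinuxRootPropagation(opt)` for every matching option on every mount, so the container's single root propagation value ends up being whatever the last mount in `configSpec.Mounts` carried. Because GetVolumeMounts now appends `rprivate` to any volume without an explicit mode (the `rootProp == ""` hunk further down), a `shared` volume followed by a plain volume appears to leave the root at `rprivate`, and the result depends on volume order. Root propagation also applies to the whole rootfs rather than to the one volume, so `shared`/`rshared` here widens which mount events cross between container and host; that deserves a comment at this spot. One order-independent policy is to compute the mode once and prefer shared over slave over private, as sketched below; createConfigToOCISpec starts and ends outside the hunk.

```go
configSpec.Mounts = append(configSpec.Mounts, mounts...)
// Root propagation is one setting for the whole container rootfs, so pick
// the widest mode any mount asked for instead of letting the last one win.
rootPropagation := ""
for _, mount := range configSpec.Mounts {
	for _, opt := range mount.Options {
		switch opt {
		case "shared", "rshared":
			rootPropagation = opt
		case "slave", "rslave":
			if rootPropagation != "shared" && rootPropagation != "rshared" {
				rootPropagation = opt
			}
		case "private", "rprivate":
			if rootPropagation == "" {
				rootPropagation = opt
			}
		}
	}
}
if rootPropagation != "" {
	if err := g.SetLinuxRootPropagation(rootPropagation); err != nil {
		return nil, errors.Wrapf(err, "error setting root propagation %q", rootPropagation)
	}
}
// … unchanged: HANDLE CAPABILITIES …
```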
@@ -442,24 +452,25 @@ func (c *createConfig) GetVolumeMounts() ([]spec.Mount, error) {
options = strings.Split(spliti[2], ",")
}
options = append(options, "rbind")
- // var foundrw, foundro,
- var foundz, foundZ bool
+ var foundrw, foundro, foundz, foundZ bool
+ var rootProp string
for _, opt := range options {
switch opt {
- // case "rw":
- // foundrw = true
- // case "ro":
- // foundro = true
+ case "rw":
+ foundrw = true
+ case "ro":
+ foundro = true
case "z":
foundz = true
case "Z":
foundZ = true
+ case "private", "rprivate", "slave", "rslave", "shared", "rshared":
+ rootProp = opt
}
}
- // if !foundro && !foundrw {
- // // rw option is default
- // options = append(options, "rw")
- // }
+ if !foundrw && !foundro {
+ options = append(options, "rw")
+ }
if foundz {
if err := label.Relabel(spliti[0], c.mountLabel, true); err != nil {
return nil, errors.Wrapf(err, "relabel failed %q", spliti[0])
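Review bot: Conflicting options are accepted silently in the option switch: `ro,rw` sets both `foundrw` and `foundro` and leaves both strings in `options`, and `shared,rslave` keeps both strings while `rootProp` records only the last one. Which of the two the runtime honours is then not decided here, which matters for a volume the caller meant to be read-only. I would reject the combination before the relabel step, e.g. `if foundrw && foundro { return nil, errors.Errorf("invalid options %q, can only specify 'rw' or 'ro'", spliti[2]) }`, and return a similar error when a second propagation option arrives while `rootProp` is already set. GetVolumeMounts starts and ends outside this hunk.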
@@ -470,6 +481,9 @@ func (c *createConfig) GetVolumeMounts() ([]spec.Mount, error) {
return nil, errors.Wrapf(err, "relabel failed %q", spliti[0])
}
}
+ if rootProp == "" {
+ options = append(options, "rprivate")
+ }
m = append(m, spec.Mount{
Destination: spliti[1],
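Review bot: The `rprivate` default added here is a security-relevant choice with no comment recording why it was picked. A line such as `// default to rprivate: mount events under the volume do not propagate between host and container unless the user asks for it` above the `if rootProp == ""` check would state the intent for the next maintainer. The loop body in GetVolumeMounts continues outside the hunk.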
diff --git a/cmd/kpod/spec_test.go b/cmd/kpod/spec_test.go
index 1eedb0e2a..799d6b235 100644
--- a/cmd/kpod/spec_test.go
+++ b/cmd/kpod/spec_test.go
@@ -13,7 +13,7 @@ func TestCreateConfig_GetVolumeMounts(t *testing.T) {
Destination: "/foobar",
Type: "bind",
Source: "foobar",
- Options: []string{"ro", "rbind"},
+ Options: []string{"ro", "rbind", "rprivate"},
}
config := createConfig{
volumes: []string{"foobar:/foobar:ro"},
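Review bot: The updated expectation still exercises only the `ro` volume, so the two new branches in GetVolumeMounts (the implicit `rw`, and an explicit propagation mode suppressing the `rprivate` default) have no unit coverage. From the visible code, `foobar:/foobar:shared` should yield `Options: []string{"shared", "rbind", "rw"}` and a volume with no options should end in `"rw", "rprivate"`; both are worth adding as cases. The test function continues outside the hunk.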
diff --git a/test/kpod_run.bats b/test/kpod_run.bats
index 09a66b874..ccbeaac6c 100644
--- a/test/kpod_run.bats
+++ b/test/kpod_run.bats
@@ -125,16 +125,13 @@ IMAGE="docker.io/library/fedora:latest"
}
@test "kpod run with volume flag" {
- run bash -c "${KPOD_BINARY} ${KPOD_OPTIONS} run -v ${MOUNT_PATH}:/run/test ${FEDORA_MINIMAL} cat /proc/self/mountinfo | grep '${MOUNT_PATH} /run/test rw,relatime'"
+ run bash -c "${KPOD_BINARY} ${KPOD_OPTIONS} run -v ${MOUNT_PATH}:/run/test ${BB} cat /proc/self/mountinfo | grep '${MOUNT_PATH} /run/test rw,relatime'"
echo $output
[ "$status" -eq 0 ]
- run bash -c "${KPOD_BINARY} ${KPOD_OPTIONS} run -v ${MOUNT_PATH}:/run/test:ro ${FEDORA_MINIMAL} cat /proc/self/mountinfo | grep '${MOUNT_PATH} /run/test ro,relatime'"
+ run bash -c "${KPOD_BINARY} ${KPOD_OPTIONS} run -v ${MOUNT_PATH}:/run/test:ro ${BB} cat /proc/self/mountinfo | grep '${MOUNT_PATH} /run/test ro,relatime'"
+ echo $output
+ [ "$status" -eq 0 ]
+ run bash -c "${KPOD_BINARY} ${KPOD_OPTIONS} run -v ${MOUNT_PATH}:/run/test:shared ${BB} cat /proc/self/mountinfo | grep '${MOUNT_PATH} /run/test rw,relatime shared:'"
echo $output
[ "$status" -eq 0 ]
- #run bash -c "${KPOD_BINARY} ${KPOD_OPTIONS} run -v ${MOUNT_PATH}:/run/test:shared ${FEDORA_MINIMAL} cat /proc/self/mountinfo | grep '${MOUNT_PATH} /run/test rw,relatime shared:'"
- #echo $output
- #[ "$status" -eq 0 ]
- #run bash -c "${KPOD_BINARY} ${KPOD_OPTIONS} run -v ${MOUNT_PATH}:/run/test:rslave ${FEDORA_MINIMAL} cat /proc/self/mountinfo | grep '${MOUNT_PATH} /run/test rw,relatime master:'"
- #echo $output
- #[ "$status" -eq 0 ]
}
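Review bot: The default-volume check greps for `rw,relatime` as a prefix, so it passes whether or not the mount carries a `shared:` or `master:` tag and cannot catch a volume that was made shared by accident. Since mountinfo separates the optional propagation fields from the filesystem type with ` - `, tightening the first pattern to `grep '${MOUNT_PATH} /run/test rw,relatime - '` would assert that the default really is private. The new side also tests only `:shared`, while spec.go now accepts the slave and private modes too; an `:rslave` case expecting `master:` would cover that, assuming the test host's source mount is shared.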