diff options
Diffstat (limited to 'cmd/kpod')
-rw-r--r-- | cmd/kpod/spec.go | 34 | ||||
-rw-r--r-- | cmd/kpod/spec_test.go | 2 |
2 files changed, 25 insertions, 11 deletions
diff --git a/cmd/kpod/spec.go b/cmd/kpod/spec.go index b2a439a9b..5d6fe8879 100644 --- a/cmd/kpod/spec.go +++ b/cmd/kpod/spec.go @@ -300,6 +300,16 @@ func createConfigToOCISpec(config *createConfig) (*spec.Spec, error) { return nil, errors.Wrapf(err, "error getting volume mounts") } configSpec.Mounts = append(configSpec.Mounts, mounts...) + for _, mount := range configSpec.Mounts { + for _, opt := range mount.Options { + switch opt { + case "private", "rprivate", "slave", "rslave", "shared", "rshared": + if err := g.SetLinuxRootPropagation(opt); err != nil { + return nil, errors.Wrapf(err, "error setting root propagation for %q", mount.Destination) + } + } + } + } // HANDLE CAPABILITIES if err := setupCapabilities(config, configSpec); err != nil { @@ -442,24 +452,25 @@ func (c *createConfig) GetVolumeMounts() ([]spec.Mount, error) { options = strings.Split(spliti[2], ",") } options = append(options, "rbind") - // var foundrw, foundro, - var foundz, foundZ bool + var foundrw, foundro, foundz, foundZ bool + var rootProp string for _, opt := range options { switch opt { - // case "rw": - // foundrw = true - // case "ro": - // foundro = true + case "rw": + foundrw = true + case "ro": + foundro = true case "z": foundz = true case "Z": foundZ = true + case "private", "rprivate", "slave", "rslave", "shared", "rshared": + rootProp = opt } } - // if !foundro && !foundrw { - // // rw option is default - // options = append(options, "rw") - // } + if !foundrw && !foundro { + options = append(options, "rw") + } if foundz { if err := label.Relabel(spliti[0], c.mountLabel, true); err != nil { return nil, errors.Wrapf(err, "relabel failed %q", spliti[0]) @@ -470,6 +481,9 @@ func (c *createConfig) GetVolumeMounts() ([]spec.Mount, error) { return nil, errors.Wrapf(err, "relabel failed %q", spliti[0]) } } + if rootProp == "" { + options = append(options, "rprivate") + } m = append(m, spec.Mount{ Destination: spliti[1], diff --git a/cmd/kpod/spec_test.go b/cmd/kpod/spec_test.go index 1eedb0e2a..799d6b235 100644 --- a/cmd/kpod/spec_test.go +++ b/cmd/kpod/spec_test.go @@ -13,7 +13,7 @@ func TestCreateConfig_GetVolumeMounts(t *testing.T) { Destination: "/foobar", Type: "bind", Source: "foobar", - Options: []string{"ro", "rbind"}, + Options: []string{"ro", "rbind", "rprivate"}, } config := createConfig{ volumes: []string{"foobar:/foobar:ro"}, |