Merge pull request #1062 from bergwolf/ro-volume
runtime: readonly volume should be bind mounted readonly on the host
@@ -435,7 +435,7 @@ func (c *Container) setContainerState(state types.StateString) error {
|
|||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
func (c *Container) shareFiles(m Mount, idx int, hostSharedDir, guestSharedDir string) (string, bool, error) {
|
func (c *Container) shareFiles(m Mount, idx int, hostSharedDir, hostMountDir, guestSharedDir string) (string, bool, error) {
|
||||||
randBytes, err := utils.GenerateRandomBytes(8)
|
randBytes, err := utils.GenerateRandomBytes(8)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return "", false, err
|
return "", false, err
|
||||||
@@ -469,12 +469,19 @@ func (c *Container) shareFiles(m Mount, idx int, hostSharedDir, guestSharedDir s
|
|||||||
}
|
}
|
||||||
} else {
|
} else {
|
||||||
// These mounts are created in the shared dir
|
// These mounts are created in the shared dir
|
||||||
mountDest := filepath.Join(hostSharedDir, filename)
|
mountDest := filepath.Join(hostMountDir, filename)
|
||||||
if err := bindMount(c.ctx, m.Source, mountDest, false, "private"); err != nil {
|
if err := bindMount(c.ctx, m.Source, mountDest, m.ReadOnly, "private"); err != nil {
|
||||||
return "", false, err
|
return "", false, err
|
||||||
}
|
}
|
||||||
// Save HostPath mount value into the mount list of the container.
|
// Save HostPath mount value into the mount list of the container.
|
||||||
c.mounts[idx].HostPath = mountDest
|
c.mounts[idx].HostPath = mountDest
|
||||||
|
// bindmount remount event is not propagated to mount subtrees, so we have to remount the shared dir mountpoint directly.
|
||||||
|
if m.ReadOnly {
|
||||||
|
mountDest = filepath.Join(hostSharedDir, filename)
|
||||||
|
if err := remountRo(c.ctx, mountDest); err != nil {
|
||||||
|
return "", false, err
|
||||||
|
}
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
return guestDest, false, nil
|
return guestDest, false, nil
|
||||||
@@ -485,7 +492,7 @@ func (c *Container) shareFiles(m Mount, idx int, hostSharedDir, guestSharedDir s
|
|||||||
// It also updates the container mount list with the HostPath info, and store
|
// It also updates the container mount list with the HostPath info, and store
|
||||||
// container mounts to the storage. This way, we will have the HostPath info
|
// container mounts to the storage. This way, we will have the HostPath info
|
||||||
// available when we will need to unmount those mounts.
|
// available when we will need to unmount those mounts.
|
||||||
func (c *Container) mountSharedDirMounts(hostSharedDir, guestSharedDir string) (sharedDirMounts map[string]Mount, ignoredMounts map[string]Mount, err error) {
|
func (c *Container) mountSharedDirMounts(hostSharedDir, hostMountDir, guestSharedDir string) (sharedDirMounts map[string]Mount, ignoredMounts map[string]Mount, err error) {
|
||||||
sharedDirMounts = make(map[string]Mount)
|
sharedDirMounts = make(map[string]Mount)
|
||||||
ignoredMounts = make(map[string]Mount)
|
ignoredMounts = make(map[string]Mount)
|
||||||
var devicesToDetach []string
|
var devicesToDetach []string
|
||||||
@@ -535,7 +542,7 @@ func (c *Container) mountSharedDirMounts(hostSharedDir, guestSharedDir string) (
|
|||||||
|
|
||||||
var ignore bool
|
var ignore bool
|
||||||
var guestDest string
|
var guestDest string
|
||||||
guestDest, ignore, err = c.shareFiles(m, idx, hostSharedDir, guestSharedDir)
|
guestDest, ignore, err = c.shareFiles(m, idx, hostSharedDir, hostMountDir, guestSharedDir)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, nil, err
|
return nil, nil, err
|
||||||
}
|
}
|
||||||
@@ -546,22 +553,12 @@ func (c *Container) mountSharedDirMounts(hostSharedDir, guestSharedDir string) (
|
|||||||
continue
|
continue
|
||||||
}
|
}
|
||||||
|
|
||||||
// Check if mount is readonly, let the agent handle the readonly mount
|
|
||||||
// within the VM.
|
|
||||||
readonly := false
|
|
||||||
for _, flag := range m.Options {
|
|
||||||
if flag == "ro" {
|
|
||||||
readonly = true
|
|
||||||
break
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
sharedDirMount := Mount{
|
sharedDirMount := Mount{
|
||||||
Source: guestDest,
|
Source: guestDest,
|
||||||
Destination: m.Destination,
|
Destination: m.Destination,
|
||||||
Type: m.Type,
|
Type: m.Type,
|
||||||
Options: m.Options,
|
Options: m.Options,
|
||||||
ReadOnly: readonly,
|
ReadOnly: m.ReadOnly,
|
||||||
}
|
}
|
||||||
|
|
||||||
sharedDirMounts[sharedDirMount.Destination] = sharedDirMount
|
sharedDirMounts[sharedDirMount.Destination] = sharedDirMount
|
||||||
|
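Review bot: Dropping the `ro` scan from mountSharedDirMounts (hunk `@@ -546,22 +553,12`) makes the host-side mount fail open: a Mount whose Options still contain "ro" but whose ReadOnly field was never populated is now bind-mounted writable, which affects any caller that builds a vc.Mount without going through newMount (the test in this PR constructs Mounts directly). Keeping the old check as a floor preserves the previous behaviour, e.g. before `guestDest, ignore, err = c.shareFiles(...)` add `m.ReadOnly = m.ReadOnly || isReadOnly(m.Options)` (m is the range copy, so this is local) and let both shareFiles and the sharedDirMount literal read `m.ReadOnly`. In shareFiles, a failing `remountRo` returns with the hostMountDir bind mount still in place; `c.mounts[idx].HostPath` is already recorded, so presumably the normal unmount path cleans it up, but a one-line comment stating that would save the next reader the trace. shareFiles' body and mountSharedDirMounts both extend beyond the hunk boundaries shown.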
@@ -1256,7 +1256,7 @@ func (k *kataAgent) createContainer(sandbox *Sandbox, c *Container) (p *Process,
|
|||||||
}
|
}
|
||||||
|
|
||||||
// Handle container mounts
|
// Handle container mounts
|
||||||
newMounts, ignoredMounts, err := c.mountSharedDirMounts(getMountPath(sandbox.id), kataGuestSharedDir())
|
newMounts, ignoredMounts, err := c.mountSharedDirMounts(getSharePath(sandbox.id), getMountPath(sandbox.id), kataGuestSharedDir())
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
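Review bot: mountSharedDirMounts now takes three adjacent string paths and the only thing distinguishing `getSharePath(sandbox.id)` from `getMountPath(sandbox.id)` at this call site is argument order; a transposition would compile, and the updated unit test passes three empty strings so it would not catch it. A short comment naming the roles at the call, `// args: hostSharedDir, hostMountDir, guestSharedDir`, or a small struct/named types for the two host paths would make the contract visible. createContainer continues outside the hunk.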
@@ -277,6 +277,11 @@ func remount(ctx context.Context, mountflags uintptr, src string) error {
|
|||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// remount a mount point as readonly
|
||||||
|
func remountRo(ctx context.Context, src string) error {
|
||||||
|
return remount(ctx, syscall.MS_BIND|syscall.MS_RDONLY, src)
|
||||||
|
}
|
||||||
|
|
||||||
// bindMountContainerRootfs bind mounts a container rootfs into a 9pfs shared
|
// bindMountContainerRootfs bind mounts a container rootfs into a 9pfs shared
|
||||||
// directory between the guest and the host.
|
// directory between the guest and the host.
|
||||||
func bindMountContainerRootfs(ctx context.Context, shareDir, cid, cRootFs string, readonly bool) error {
|
func bindMountContainerRootfs(ctx context.Context, shareDir, cid, cRootFs string, readonly bool) error {
|
||||||
|
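Review bot: remountRo passes only `MS_BIND|MS_RDONLY` and presumably relies on `remount` (whose body is outside the hunk) to add `MS_REMOUNT`; that dependency should be stated, and the comment does not follow Go doc form. A bind remount also replaces the mount point's user-settable flags with exactly the set supplied, so if the shared-dir entry ever carries `nosuid`/`nodev`/`noexec` they would be cleared by this call — worth either passing them through or noting that the shared dir is never mounted with them. Suggested comment: `// remountRo remounts the mount point at src read-only via a MS_REMOUNT|MS_BIND|MS_RDONLY remount (remount supplies MS_REMOUNT). Only this mount point is affected, not the underlying filesystem, and any other per-mount flags on it are reset.`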
@@ -160,11 +160,19 @@ func cmdEnvs(spec specs.Spec, envs []types.EnvVar) []types.EnvVar {
|
|||||||
}
|
}
|
||||||
|
|
||||||
func newMount(m specs.Mount) vc.Mount {
|
func newMount(m specs.Mount) vc.Mount {
|
||||||
|
readonly := false
|
||||||
|
for _, flag := range m.Options {
|
||||||
|
if flag == "ro" {
|
||||||
|
readonly = true
|
||||||
|
break
|
||||||
|
}
|
||||||
|
}
|
||||||
return vc.Mount{
|
return vc.Mount{
|
||||||
Source: m.Source,
|
Source: m.Source,
|
||||||
Destination: m.Destination,
|
Destination: m.Destination,
|
||||||
Type: m.Type,
|
Type: m.Type,
|
||||||
Options: m.Options,
|
Options: m.Options,
|
||||||
|
ReadOnly: readonly,
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
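Review bot: newMount gained read-only detection but no doc comment, and the loop is the same scan that mountSharedDirMounts used to carry, so the rule it implements ("only a literal `ro` option counts; a later `rw` does not override because the loop stops at the first `ro`") lives nowhere in prose. Suggest `// newMount converts an OCI spec mount into a vc.Mount; ReadOnly is set iff Options contains the literal "ro" (later "rw" does not clear it, which is the fail-closed choice).` Extracting the scan into `func isReadOnly(opts []string) bool` would also let other callers that build vc.Mount reuse the same rule instead of re-implementing it.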
@@ -1175,7 +1175,7 @@ func TestPreAddDevice(t *testing.T) {
|
|||||||
},
|
},
|
||||||
}
|
}
|
||||||
|
|
||||||
mounts, ignoreMounts, err := container.mountSharedDirMounts("", "")
|
mounts, ignoreMounts, err := container.mountSharedDirMounts("", "", "")
|
||||||
assert.Nil(t, err)
|
assert.Nil(t, err)
|
||||||
assert.Equal(t, len(mounts), 0,
|
assert.Equal(t, len(mounts), 0,
|
||||||
"mounts should contain nothing because it only contains a block device")
|
"mounts should contain nothing because it only contains a block device")
|
||||||
|
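Review bot: The test change only adapts TestPreAddDevice to the new arity; nothing exercises the behaviour the PR title promises, namely that a Mount with ReadOnly set reaches bindMount with readonly=true and that the shared-dir entry is remounted read-only, nor that ReadOnly=false stays writable. A table test over newMount with Options `[]string{"ro"}`, `[]string{"rw"}` and `nil` asserting the ReadOnly field is cheap and needs no privileges; a mountSharedDirMounts case with ReadOnly set would need root for the mount syscalls, so it likely belongs behind whatever skip-unless-root helper the package already uses. TestPreAddDevice continues outside the hunk.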
@@ -179,7 +179,7 @@ externals:
|
|||||||
description: |
|
description: |
|
||||||
OCI-based Kubernetes Container Runtime Interface implementation
|
OCI-based Kubernetes Container Runtime Interface implementation
|
||||||
url: "https://github.com/cri-o/cri-o"
|
url: "https://github.com/cri-o/cri-o"
|
||||||
version: "v1.18.4"
|
version: "v1.18.3"
|
||||||
meta:
|
meta:
|
||||||
openshift: "6273bea4c9ed788aeb3d051ebf2d030060c05b6c"
|
openshift: "6273bea4c9ed788aeb3d051ebf2d030060c05b6c"
|
||||||
crictl: 1.0.0-beta.2
|
crictl: 1.0.0-beta.2
|
||||||
|