From cb7ccb491de633e0034ba681198e745a9584af29 Mon Sep 17 00:00:00 2001
From: Riyaz Faizullabhoy
Date: Mon, 13 Mar 2017 11:18:26 +0000
Subject: [PATCH] Add read-only option to containers, apply to all except nginx

Signed-off-by: Riyaz Faizullabhoy
---
 config.go | 4 ++++
 moby.yaml | 3 +++
 test.yaml | 1 +
 3 files changed, 8 insertions(+)

diff --git a/config.go b/config.go
index d086d2d58..91e6298ad 100644
--- a/config.go
+++ b/config.go
@@ -41,6 +41,7 @@ type MobyImage struct {
 NetworkMode string `yaml:"network_mode"`
 Pid string
 Ipc string
+ ReadOnly bool `yaml:"read_only"`
 }
 
 const riddler = "mobylinux/riddler:7d4545d8b8ac2700971a83f12a3446a76db28c14@sha256:11b7310df6482fc38aa52b419c2ef1065d7b9207c633d47554e13aa99f6c0b72"
@@ -88,6 +89,9 @@ func ConfigToRun(order int, path string, image *MobyImage) []string {
 for _, bind := range image.Binds {
 args = append(args, "-v", bind)
 }
+ if image.ReadOnly {
+ args = append(args, "--read-only")
+ }
 // image
 args = append(args, image.Image)
 // command
diff --git a/moby.yaml b/moby.yaml
index f2be58460..caf2c5e86 100644
--- a/moby.yaml
+++ b/moby.yaml
@@ -10,10 +10,12 @@ system:
 ipc: host
 capabilities:
 - CAP_SYS_ADMIN
+ read_only: true
 - name: binfmt
 image: "mobylinux/binfmt:bdb754f25a5d851b4f5f8d185a43dfcbb3c22d01"
 binds:
 - /proc/sys/fs/binfmt_misc:/binfmt_misc
+ read_only: true
 command: [/usr/bin/binfmt, -dir, /etc/binfmt.d/, -mount, /binfmt_misc]
 daemon:
 - name: rngd
@@ -21,6 +23,7 @@ daemon:
 capabilities:
 - CAP_SYS_ADMIN
 oom_score_adj: -800
+ read_only: true
 command: [/bin/tini, /usr/sbin/rngd, -f]
 - name: nginx
 image: "nginx:alpine"
diff --git a/test.yaml b/test.yaml
index 0f3875caa..437acfa01 100644
--- a/test.yaml
+++ b/test.yaml
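Review bot: `--read-only` restricts only the container's root filesystem, so the `-v` binds appended just above the new `if` (for example binfmt's `/proc/sys/fs/binfmt_misc:/binfmt_misc` in moby.yaml) stay writable unless the bind string itself ends in `:ro`, and a reader of `read_only: true` may assume more than it delivers. Suggest a comment on the new branch: `// --read-only covers the root fs only; binds keep the mode given in image.Binds`. Because `ReadOnly` is a plain bool, any container that omits `read_only` stays writable, so the hardening is opt-in; if the intended default is read-only, a `*bool` (nil meaning true) or an inverted flag would make the exception explicit in the yaml rather than the rule. Containers that write under `/run` or `/tmp` at runtime may now fail, and the usual companion to `--read-only` is `--tmpfs`, which this struct has no field for. ConfigToRun begins and ends outside this hunk.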
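Review bot: nginx is the one container left without `read_only: true` and nothing in the file records why, so the exception is easy to "fix" later or to read as an oversight. A comment on the `- name: nginx` entry would settle it, e.g. `# read_only deliberately omitted: nginx needs a writable root fs` — the reason is inferred from the commit title only, so confirm it before writing it down. The same key is added in the earlier moby.yaml hunk and in test.yaml, but the exception is visible only here.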
@@ -7,6 +7,7 @@ system:
 image: "mobylinux/binfmt:bdb754f25a5d851b4f5f8d185a43dfcbb3c22d01"
 binds:
 - /proc/sys/fs/binfmt_misc:/binfmt_misc
+ read_only: true
 command: [/usr/bin/binfmt, -dir, /etc/binfmt.d/, -mount, /binfmt_misc]
 - name: check
 image: "mobylinux/check:699ca8e3792dda19a6fd981f58b47c3be0e5d6ec"
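Review bot: only the binfmt entry in test.yaml receives `read_only: true`, while the `check` container that follows it in this hunk does not, which does not match the title's "apply to all except nginx". If test.yaml is meant to mirror moby.yaml, `check` (and any entries outside this hunk) likely needs the same `read_only: true` line; if it was skipped because the check image writes to its root filesystem, a short comment on the `- name: check` entry saying so would stop the next reader from adding it.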