github/linuxkit
1
0
Fork 0
mirror of https://github.com/linuxkit/linuxkit.git synced 2025-07-21 18:11:35 +00:00
Code Issues Projects Releases Wiki Activity

Merge pull request #1290 from riyazdf/ro-system-containers

Browse Source 
Add read-only option to containers, apply to all except nginx
This commit is contained in:
Riyaz Faizullabhoy 2017-03-13 16:23:44 +00:00 committed by GitHub
commit d6e9a1c2b7
3 changed files with 8 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
config.go
View File

@ -41,6 +41,7 @@ type MobyImage struct {
NetworkMode string `yaml:"network_mode"` NetworkMode string `yaml:"network_mode"`
Pid string Pid string
Ipc string Ipc string
ReadOnly bool `yaml:"read_only"`
} }
const riddler = "mobylinux/riddler:7d4545d8b8ac2700971a83f12a3446a76db28c14@sha256:11b7310df6482fc38aa52b419c2ef1065d7b9207c633d47554e13aa99f6c0b72" const riddler = "mobylinux/riddler:7d4545d8b8ac2700971a83f12a3446a76db28c14@sha256:11b7310df6482fc38aa52b419c2ef1065d7b9207c633d47554e13aa99f6c0b72"
@ -88,6 +89,9 @@ func ConfigToRun(order int, path string, image *MobyImage) []string {
for _, bind := range image.Binds { for _, bind := range image.Binds {
args = append(args, "-v", bind) args = append(args, "-v", bind)
} }
if image.ReadOnly {
args = append(args, "--read-only")
}
// image // image
args = append(args, image.Image) args = append(args, image.Image)
// command // command

3
moby.yaml
View File

@ -10,10 +10,12 @@ system:
ipc: host ipc: host
capabilities: capabilities:
- CAP_SYS_ADMIN - CAP_SYS_ADMIN
read_only: true
- name: binfmt - name: binfmt
image: "mobylinux/binfmt:bdb754f25a5d851b4f5f8d185a43dfcbb3c22d01" image: "mobylinux/binfmt:bdb754f25a5d851b4f5f8d185a43dfcbb3c22d01"
binds: binds:
- /proc/sys/fs/binfmt_misc:/binfmt_misc - /proc/sys/fs/binfmt_misc:/binfmt_misc
read_only: true
command: [/usr/bin/binfmt, -dir, /etc/binfmt.d/, -mount, /binfmt_misc] command: [/usr/bin/binfmt, -dir, /etc/binfmt.d/, -mount, /binfmt_misc]
daemon: daemon:
- name: rngd - name: rngd
@ -21,6 +23,7 @@ daemon:
capabilities: capabilities:
- CAP_SYS_ADMIN - CAP_SYS_ADMIN
oom_score_adj: -800 oom_score_adj: -800
read_only: true
command: [/bin/tini, /usr/sbin/rngd, -f] command: [/bin/tini, /usr/sbin/rngd, -f]
- name: nginx - name: nginx
image: "nginx:alpine" image: "nginx:alpine"

1
test.yaml
View File

@ -7,6 +7,7 @@ system:
image: "mobylinux/binfmt:bdb754f25a5d851b4f5f8d185a43dfcbb3c22d01" image: "mobylinux/binfmt:bdb754f25a5d851b4f5f8d185a43dfcbb3c22d01"
binds: binds:
- /proc/sys/fs/binfmt_misc:/binfmt_misc - /proc/sys/fs/binfmt_misc:/binfmt_misc
read_only: true
command: [/usr/bin/binfmt, -dir, /etc/binfmt.d/, -mount, /binfmt_misc] command: [/usr/bin/binfmt, -dir, /etc/binfmt.d/, -mount, /binfmt_misc]
- name: check - name: check
image: "mobylinux/check:699ca8e3792dda19a6fd981f58b47c3be0e5d6ec" image: "mobylinux/check:699ca8e3792dda19a6fd981f58b47c3be0e5d6ec"