Add ReadOnly flag to run containers in readonly mode

This is needed for Automotive. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
rhatdan · Dec 3, 2022 · ea0457a · ea0457a
1 parent 24d7820
commit ea0457a
Show file tree

Hide file tree

Showing 5 changed files with 14 additions and 0 deletions.
diff --git a/docs/containers.conf.5.md b/docs/containers.conf.5.md
@@ -241,6 +241,10 @@ is imposed.
 
 Copy the content from the underlying image into the newly created volume when the container is created instead of when it is started. If `false`, the container engine will not copy the content until the container is started. Setting it to `true` may have negative performance implications.
 
+**read_only**=true|false
+
+Run all containers with root file system mounted read-only. Set to false by default.
+
 **seccomp_profile**="/usr/share/containers/seccomp.json"
 
 Path to the seccomp.json profile which is used as the default seccomp profile

diff --git a/pkg/config/config.go b/pkg/config/config.go
@@ -194,6 +194,9 @@ type ContainersConfig struct {
 	// performance implications.
 	PrepareVolumeOnCreate bool `toml:"prepare_volume_on_create,omitempty"`
 
+	// ReadOnly causes engine to run all containers with root file system mounted read-only
+	ReadOnly bool `toml:"read_only,omitempty"`
+
 	// SeccompProfile is the seccomp.json profile path which is used as the
 	// default for the runtime.
 	SeccompProfile string `toml:"seccomp_profile,omitempty"`

diff --git a/pkg/config/config_test.go b/pkg/config/config_test.go
@@ -29,6 +29,7 @@ var _ = Describe("Config", func() {
 			gomega.Expect(defaultConfig.Containers.ApparmorProfile).To(gomega.Equal(apparmor.Profile))
 			gomega.Expect(defaultConfig.Containers.BaseHostsFile).To(gomega.Equal(""))
 			gomega.Expect(defaultConfig.Containers.PidsLimit).To(gomega.BeEquivalentTo(2048))
+			gomega.Expect(defaultConfig.Containers.ReadOnly).To(gomega.BeFalse())
 			gomega.Expect(defaultConfig.Engine.ServiceTimeout).To(gomega.BeEquivalentTo(5))
 			gomega.Expect(defaultConfig.NetNS()).To(gomega.BeEquivalentTo("private"))
 			gomega.Expect(defaultConfig.IPCNS()).To(gomega.BeEquivalentTo("shareable"))
@@ -443,6 +444,7 @@ image_copy_tmp_dir="storage"`
 			gomega.Expect(config.Containers.LogDriver).To(gomega.Equal("journald"))
 			gomega.Expect(config.Containers.LogTag).To(gomega.Equal("{{.Name}}|{{.ID}}"))
 			gomega.Expect(config.Containers.LogSizeMax).To(gomega.Equal(int64(100000)))
+			gomega.Expect(config.Containers.ReadOnly).To(gomega.BeTrue())
 			gomega.Expect(config.Engine.ImageParallelCopies).To(gomega.Equal(uint(10)))
 			gomega.Expect(config.Engine.PlatformToOCIRuntime).To(gomega.Equal(PlatformToOCIRuntimeMap))
 			gomega.Expect(config.Engine.ImageDefaultFormat).To(gomega.Equal("v2s2"))

diff --git a/pkg/config/containers.conf b/pkg/config/containers.conf
@@ -216,6 +216,10 @@ default_sysctls = [
 #
 #prepare_volume_on_create = false
 
+# Run all containers with root file system mounted read-only
+#
+# read_only: false
+
 # Path to the seccomp.json profile which is used as the default seccomp profile
 # for the runtime.
 #

diff --git a/pkg/config/testdata/containers_override.conf b/pkg/config/testdata/containers_override.conf
@@ -4,6 +4,7 @@ apparmor_profile = "overridden-default"
 log_driver = "journald"
 log_tag="{{.Name}}|{{.ID}}"
 log_size_max = 100000
+read_only=true
 
 [engine]
 image_parallel_copies=10