From ea0457a4fe60ec6407e29071126399272442472c Mon Sep 17 00:00:00 2001
From: Daniel J Walsh
Date: Sat, 3 Dec 2022 08:37:45 -0500
Subject: [PATCH] Add ReadOnly flag to run containers in readonly mode
This is needed for Automotive.
Signed-off-by: Daniel J Walsh
---
 docs/containers.conf.5.md | 4 ++++
 pkg/config/config.go | 3 +++
 pkg/config/config_test.go | 2 ++
 pkg/config/containers.conf | 4 ++++
 pkg/config/testdata/containers_override.conf | 1 +
 5 files changed, 14 insertions(+)
diff --git a/docs/containers.conf.5.md b/docs/containers.conf.5.md
index 76feec648..5d1772b00 100644
--- a/docs/containers.conf.5.md
+++ b/docs/containers.conf.5.md
@@ -241,6 +241,10 @@ is imposed.
 Copy the content from the underlying image into the newly created volume when the container is created instead of when it is started. If `false`, the container engine will not copy the content until the container is started. Setting it to `true` may have negative performance implications.
+**read_only**=true|false
+
+Run all containers with root file system mounted read-only. Set to false by default.
+
 **seccomp_profile**="/usr/share/containers/seccomp.json"
 Path to the seccomp.json profile which is used as the default seccomp profile
diff --git a/pkg/config/config.go b/pkg/config/config.go
index 97ab61892..5e965402c 100644
--- a/pkg/config/config.go
+++ b/pkg/config/config.go
@@ -194,6 +194,9 @@ type ContainersConfig struct {
 // performance implications.
 PrepareVolumeOnCreate bool `toml:"prepare_volume_on_create,omitempty"`
+ // ReadOnly causes engine to run all containers with root file system mounted read-only
+ ReadOnly bool `toml:"read_only,omitempty"`
+
 // SeccompProfile is the seccomp.json profile path which is used as the
 // default for the runtime.
 SeccompProfile string `toml:"seccomp_profile,omitempty"`
diff --git a/pkg/config/config_test.go b/pkg/config/config_test.go
index 29ee501bf..fcdaa1583 100644
--- a/pkg/config/config_test.go
+++ b/pkg/config/config_test.go
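Review bot: The doc comment on the new `ReadOnly` field in `ContainersConfig` does not name the containers.conf key it maps to or its default, and unlike the neighbouring `PrepareVolumeOnCreate` and `SeccompProfile` comments it is not a full sentence ending in a period. Suggest `// ReadOnly causes the engine to run all containers with their root file system mounted read-only (containers.conf key read_only, default false).` Because this is a fleet-wide hardening default rather than a per-container option, readers will also want to know whether a per-container setting can override it; that behaviour is not visible in this commit, so confirm it with the engine side before adding it to the comment. The `ContainersConfig` struct begins and ends outside the hunk.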
@@ -29,6 +29,7 @@ var _ = Describe("Config", func() {
 gomega.Expect(defaultConfig.Containers.ApparmorProfile).To(gomega.Equal(apparmor.Profile))
 gomega.Expect(defaultConfig.Containers.BaseHostsFile).To(gomega.Equal(""))
 gomega.Expect(defaultConfig.Containers.PidsLimit).To(gomega.BeEquivalentTo(2048))
+ gomega.Expect(defaultConfig.Containers.ReadOnly).To(gomega.BeFalse())
 gomega.Expect(defaultConfig.Engine.ServiceTimeout).To(gomega.BeEquivalentTo(5))
 gomega.Expect(defaultConfig.NetNS()).To(gomega.BeEquivalentTo("private"))
 gomega.Expect(defaultConfig.IPCNS()).To(gomega.BeEquivalentTo("shareable"))
@@ -443,6 +444,7 @@ image_copy_tmp_dir="storage"`
 gomega.Expect(config.Containers.LogDriver).To(gomega.Equal("journald"))
 gomega.Expect(config.Containers.LogTag).To(gomega.Equal("{{.Name}}|{{.ID}}"))
 gomega.Expect(config.Containers.LogSizeMax).To(gomega.Equal(int64(100000)))
+ gomega.Expect(config.Containers.ReadOnly).To(gomega.BeTrue())
 gomega.Expect(config.Engine.ImageParallelCopies).To(gomega.Equal(uint(10)))
 gomega.Expect(config.Engine.PlatformToOCIRuntime).To(gomega.Equal(PlatformToOCIRuntimeMap))
 gomega.Expect(config.Engine.ImageDefaultFormat).To(gomega.Equal("v2s2"))
diff --git a/pkg/config/containers.conf b/pkg/config/containers.conf
index 7e3313738..0581bba90 100644
--- a/pkg/config/containers.conf
+++ b/pkg/config/containers.conf
@@ -216,6 +216,10 @@ default_sysctls = [
 #
 #prepare_volume_on_create = false
+# Run all containers with root file system mounted read-only
+#
+# read_only: false
+
 # Path to the seccomp.json profile which is used as the default seccomp profile
 # for the runtime.
 #
diff --git a/pkg/config/testdata/containers_override.conf b/pkg/config/testdata/containers_override.conf
index a15d147bb..ceccd5c69 100644
--- a/pkg/config/testdata/containers_override.conf
+++ b/pkg/config/testdata/containers_override.conf
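Review bot: The commented example `# read_only: false` added to containers.conf is not valid TOML and breaks the file's own convention: the surrounding entries (`#prepare_volume_on_create = false` in the same hunk) use `key = value` with no space after `#`, precisely so that uncommenting them yields a working line. An administrator who uncomments the new line gets `read_only: false`, which a TOML parser will not accept as a key/value pair, so the intended read-only hardening default would not be applied (or the load would fail, depending on how strictly the engine parses the file — worth confirming). Change the line to `#read_only = false`. The table this entry belongs to begins outside the hunk.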
@@ -4,6 +4,7 @@ apparmor_profile = "overridden-default"
 log_driver = "journald"
 log_tag="{{.Name}}|{{.ID}}"
 log_size_max = 100000
+read_only=true
 [engine]
 image_parallel_copies=10