Allow mounting cgroups as read-only when user namespace is configured

We use a bind mount to achieve this, as other file system remounts are
disallowed in a user namespace.

Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
Mrunal Patel 2016-04-19 09:56:23 -07:00
parent 8b0f6a7e14
commit a6104c3bbe
1 changed files with 3 additions and 1 deletions


@ -266,8 +266,10 @@ func mountToRootfs(m *configs.Mount, rootfs, mountLabel string) error {
if m.Flags&syscall.MS_RDONLY != 0 {
// remount cgroup root as readonly
mcgrouproot := &configs.Mount{
Source: m.Destination,
Device: "bind",
Destination: m.Destination,
Flags: defaultMountFlags | syscall.MS_RDONLY,
Flags: defaultMountFlags | syscall.MS_RDONLY | syscall.MS_BIND,
}
if err := remount(mcgrouproot, rootfs); err != nil {
return err
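Review bot: The comment `// remount cgroup root as readonly` in the `MS_RDONLY` branch no longer explains the code, because the added `MS_BIND` makes this a per-mount read-only bind remount rather than a filesystem-level one, and as far as the hunk shows it applies to every read-only cgroup mount, not only when a user namespace is configured. I would change it to `// bind-remount the cgroup root read-only; a plain remount is refused inside a user namespace, and MS_BIND limits the read-only flag to this mount point`. A bind remount does not affect mounts beneath the target, so it is worth confirming that the per-subsystem cgroup mounts are made read-only elsewhere, ideally with a test that attempts a write under a subsystem directory. That code is not visible here, and mountToRootfs starts and ends outside the hunk.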