From d7181a73e42f61182ba393e89f053de2efb0778c Mon Sep 17 00:00:00 2001
From: Qiang Huang
Date: Wed, 15 Jul 2015 09:31:39 +0800
Subject: [PATCH] Add cgroup mount in the recommended config

And allow cgroup mount take flags from user configs. As we show ro in the recommendation, so hard-coded read-only flag should be removed.

Signed-off-by: Qiang Huang
---
 README.md | 6 ++++++
 libcontainer/rootfs_linux.go | 2 +-
 spec.go | 6 ++++++
 3 files changed, 13 insertions(+), 1 deletion(-)

diff --git a/README.md b/README.md
index 0ccf2845..6ff9e450 100644
--- a/README.md
+++ b/README.md
@@ -111,6 +111,12 @@ user named `daemon` defined within that file-system.
 "source": "sysfs",
 "destination": "/sys",
 "options": "nosuid,noexec,nodev"
+ },
+ {
+ "type": "cgroup",
+ "source": "cgroup",
+ "destination": "/sys/fs/cgroup",
+ "options": "nosuid,noexec,nodev,relatime,ro"
 }
 ],
 "linux": {
diff --git a/libcontainer/rootfs_linux.go b/libcontainer/rootfs_linux.go
index 33b9122f..6a42ba77 100644
--- a/libcontainer/rootfs_linux.go
+++ b/libcontainer/rootfs_linux.go
@@ -184,7 +184,7 @@ func mountToRootfs(m *configs.Mount, rootfs, mountLabel string) error {
 Device: "bind",
 Source: filepath.Join(mm.Mountpoint, dir),
 Destination: filepath.Join(m.Destination, strings.Join(mm.Subsystems, ",")),
- Flags: syscall.MS_BIND | syscall.MS_REC | syscall.MS_RDONLY,
+ Flags: syscall.MS_BIND | syscall.MS_REC | m.Flags,
 })
 }
 tmpfs := &configs.Mount{
diff --git a/spec.go b/spec.go
index 2bdf8ac7..180db2a0 100644
--- a/spec.go
+++ b/spec.go
@@ -83,6 +83,12 @@ var specCommand = cli.Command{
 Destination: "/sys",
 Options: "nosuid,noexec,nodev",
 },
+ {
+ Type: "cgroup",
+ Source: "cgroup",
+ Destination: "/sys/fs/cgroup",
+ Options: "nosuid,noexec,nodev,relatime,ro",
+ },
 },
 },
 Linux: specs.Linux{
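Review bot: In the libcontainer/rootfs_linux.go hunk, replacing `syscall.MS_RDONLY` with `m.Flags` on the `Flags:` line makes the per-subsystem cgroup bind mounts read-write unless the config says `ro`, so an existing config that declares a cgroup mount without `ro` silently loses the read-only protection it had before. A writable cgroup hierarchy lets processes inside the container change resource-control settings, so read-only is the safer default; if the opt-in behaviour is intended, state it on that line, e.g. `// Read-only is no longer forced here; it applies only when the mount options include "ro".` It is also worth confirming that the flags take effect at all: on Linux a bind mount generally does not apply `MS_RDONLY` (or nosuid/nodev/noexec) until a follow-up remount. Whether `mountToRootfs` performs that remount for these binds, and what flags the `tmpfs` created just below receives, cannot be seen here because the function starts and ends outside the hunk.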