Start parsing rootfsPropagation and make it effective
spec introduced a new field rootfsPropagation. Right now that field is not parsed by runc and it does not take effect. Starting parsing it and for now allow only limited propagation flags. More can be opened as new use cases show up. We are apply propagation flags on / and not rootfs. So ideally we should introduce another field in spec say rootPropagation. For now I am parsing rootfsPropagation. Once we agree on design, we can discuss if we need another field in spec or not. Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
This commit is contained in:
Vivek Goyal
parent
5dd6caf6cf
commit
f6fadd2ffe
25
spec.go
25
spec.go
|
|
@ -280,6 +280,16 @@ var namespaceMapping = map[specs.NamespaceType]configs.NamespaceType{
|
||||||
specs.UTSNamespace: configs.NEWUTS,
|
specs.UTSNamespace: configs.NEWUTS,
|
||||||
}
|
}
|
||||||
|
|
||||||
|
var mountPropagationMapping = map[string]int{
|
||||||
|
"rprivate": syscall.MS_PRIVATE | syscall.MS_REC,
|
||||||
|
"private": syscall.MS_PRIVATE,
|
||||||
|
"rslave": syscall.MS_SLAVE | syscall.MS_REC,
|
||||||
|
"slave": syscall.MS_SLAVE,
|
||||||
|
"rshared": syscall.MS_SHARED | syscall.MS_REC,
|
||||||
|
"shared": syscall.MS_SHARED,
|
||||||
|
"": syscall.MS_PRIVATE | syscall.MS_REC,
|
||||||
|
}
|
||||||
|
|
||||||
// loadSpec loads the specification from the provided path.
|
// loadSpec loads the specification from the provided path.
|
||||||
// If the path is empty then the default path will be "config.json"
|
// If the path is empty then the default path will be "config.json"
|
||||||
func loadSpec(cPath, rPath string) (spec *specs.LinuxSpec, rspec *specs.LinuxRuntimeSpec, err error) {
|
func loadSpec(cPath, rPath string) (spec *specs.LinuxSpec, rspec *specs.LinuxRuntimeSpec, err error) {
|
||||||
|
|
@ -329,12 +339,17 @@ func createLibcontainerConfig(cgroupName string, spec *specs.LinuxSpec, rspec *s
|
||||||
rootfsPath = filepath.Join(cwd, rootfsPath)
|
rootfsPath = filepath.Join(cwd, rootfsPath)
|
||||||
}
|
}
|
||||||
config := &configs.Config{
|
config := &configs.Config{
|
||||||
Rootfs: rootfsPath,
|
Rootfs: rootfsPath,
|
||||||
Capabilities: spec.Linux.Capabilities,
|
Capabilities: spec.Linux.Capabilities,
|
||||||
Readonlyfs: spec.Root.Readonly,
|
Readonlyfs: spec.Root.Readonly,
|
||||||
Hostname: spec.Hostname,
|
Hostname: spec.Hostname,
|
||||||
RootPropagation: syscall.MS_PRIVATE | syscall.MS_REC,
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
exists := false
|
||||||
|
if config.RootPropagation, exists = mountPropagationMapping[rspec.Linux.RootfsPropagation]; !exists {
|
||||||
|
return nil, fmt.Errorf("rootfsPropagation=%v is not supported", rspec.Linux.RootfsPropagation)
|
||||||
|
}
|
||||||
|
|
||||||
for _, ns := range rspec.Linux.Namespaces {
|
for _, ns := range rspec.Linux.Namespaces {
|
||||||
t, exists := namespaceMapping[ns.Type]
|
t, exists := namespaceMapping[ns.Type]
|
||||||
if !exists {
|
if !exists {
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue