Add ReadOnly flag to run containers in readonly mode

This is needed for Automotive. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2022-12-03 08:37:45 -05:00 · 2022-12-03 08:37:45 -05:00 · e2fb8c5133
parent 23636dda9a
commit e2fb8c5133
5 changed files with 14 additions and 0 deletions
--- a/common/docs/containers.conf.5.md
+++ b/common/docs/containers.conf.5.md
@ -241,6 +241,10 @@ is imposed.

 Copy the content from the underlying image into the newly created volume when the container is created instead of when it is started. If `false`, the container engine will not copy the content until the container is started. Setting it to `true` may have negative performance implications.

+**read_only**=true|false
+
+Run all containers with root file system mounted read-only. Set to false by default.
+
 **seccomp_profile**="/usr/share/containers/seccomp.json"

 Path to the seccomp.json profile which is used as the default seccomp profile
--- a/common/pkg/config/config.go
+++ b/common/pkg/config/config.go
@ -194,6 +194,9 @@ type ContainersConfig struct {
 	// performance implications.
 	PrepareVolumeOnCreate bool `toml:"prepare_volume_on_create,omitempty"`

+	// ReadOnly causes engine to run all containers with root file system mounted read-only
+	ReadOnly bool `toml:"read_only,omitempty"`
+
 	// SeccompProfile is the seccomp.json profile path which is used as the
 	// default for the runtime.
 	SeccompProfile string `toml:"seccomp_profile,omitempty"`
--- a/common/pkg/config/config_test.go
+++ b/common/pkg/config/config_test.go
@ -29,6 +29,7 @@ var _ = Describe("Config", func() {
 			gomega.Expect(defaultConfig.Containers.ApparmorProfile).To(gomega.Equal(apparmor.Profile))
 			gomega.Expect(defaultConfig.Containers.BaseHostsFile).To(gomega.Equal(""))
 			gomega.Expect(defaultConfig.Containers.PidsLimit).To(gomega.BeEquivalentTo(2048))
+			gomega.Expect(defaultConfig.Containers.ReadOnly).To(gomega.BeFalse())
 			gomega.Expect(defaultConfig.Engine.ServiceTimeout).To(gomega.BeEquivalentTo(5))
 			gomega.Expect(defaultConfig.NetNS()).To(gomega.BeEquivalentTo("private"))
 			gomega.Expect(defaultConfig.IPCNS()).To(gomega.BeEquivalentTo("shareable"))
@ -443,6 +444,7 @@ image_copy_tmp_dir="storage"`
 			gomega.Expect(config.Containers.LogDriver).To(gomega.Equal("journald"))
 			gomega.Expect(config.Containers.LogTag).To(gomega.Equal("{{.Name}}|{{.ID}}"))
 			gomega.Expect(config.Containers.LogSizeMax).To(gomega.Equal(int64(100000)))
+			gomega.Expect(config.Containers.ReadOnly).To(gomega.BeTrue())
 			gomega.Expect(config.Engine.ImageParallelCopies).To(gomega.Equal(uint(10)))
 			gomega.Expect(config.Engine.PlatformToOCIRuntime).To(gomega.Equal(PlatformToOCIRuntimeMap))
 			gomega.Expect(config.Engine.ImageDefaultFormat).To(gomega.Equal("v2s2"))
--- a/common/pkg/config/containers.conf
+++ b/common/pkg/config/containers.conf
@ -216,6 +216,10 @@ default_sysctls = [
 #
 #prepare_volume_on_create = false

+# Run all containers with root file system mounted read-only
+#
+# read_only = false
+
 # Path to the seccomp.json profile which is used as the default seccomp profile
 # for the runtime.
 #
--- a/common/pkg/config/testdata/containers_override.conf
+++ b/common/pkg/config/testdata/containers_override.conf
@ -4,6 +4,7 @@ apparmor_profile = "overridden-default"
 log_driver = "journald"
 log_tag="{{.Name}}|{{.ID}}"
 log_size_max = 100000
+read_only=true

 [engine]
 image_parallel_copies=10