Commit Graph

24 Commits

Author SHA1 Message Date
Kir Kolyshkin d53aa83fd2 vendor: bump mountinfo to v0.3.1
Unfortunately it contains some breaking changes (in names),
so fix the code accordingly.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2020-10-01 17:59:49 -07:00
Steven Armstrong 818a08d79c prevent chown on read-only mountpoint
- filter the 'ro' mount flag
- mount read-write to allow setting permissions
- then remount read-only if 'ro' flag was given

fixes #602

Signed-off-by: Steven Armstrong <steven.armstrong@id.ethz.ch>
Co-Authored-By: Sascha Grunert <sgrunert@suse.com>
2020-04-30 11:44:18 +02:00
Sascha Grunert d88ef6dc08
Enable goimports linter and fix lints
Signed-off-by: Sascha Grunert <sgrunert@suse.com>
2020-01-28 15:59:15 +01:00
Nalin Dahyabhai 026db3c2bd drivers: make Init() take a graphdriver.Config
Instead of passing the driver-specific directory and assorted fields
from a Config struct to lower-level drivers when we initialize them,
pass them the directory and the Config struct.

Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
2019-06-20 11:38:33 -04:00
Daniel J Walsh ef42340c2e
Revert "Add MountTempFromSource and RemoveTemp interfaces"
This reverts commit e9695564db.

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2019-05-02 11:54:55 -04:00
Daniel J Walsh e9695564db
Add MountTempFromSource and RemoveTemp interfaces
These interfaces can be used to set up a graphdriver mountpoint
of the source directory for use within a container.
The RemoveTemp interface umounts the mountpoint and then removes
all of the modified data in the graphdriver for this source directory.

The primary use case of these interfaces is for container engines that
want to mount a directory from the host system into the container. The
source directory then can be modified without actually changing the
directory on the host.

Containers will use these interfaces for sharing packaging cache directories
like /var/cache/dnf, to help speed up container builds.

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2019-04-29 14:46:40 -04:00
Nalin Dahyabhai c073b43547 Add a CreateFromTemplate() method to drivers, and use it for mapped layers
Add a CreateFromTemplate() method to graph drivers, and use it instead
of a driver-oblivious diff/put method when we want to create a copy of
an image's top layer that has the same parent and which differs from the
original only in its ID maps.

This lets drivers that can quickly make an independent layer based on
another layer do something smarter than we were doing with the
driver-oblivious method.  For some drivers, a native method is
dramatically faster.

Note that the driver needs to be able to do this while still exposing
just one notional layer (i.e., one link in the chain of layers for a
given container) to the higher levels of the APIs, so if the new layer
is actually a child of the template layer, that needs to remain a detail
that's private to the driver.

Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
2019-01-17 14:28:40 -05:00
Daniel J Walsh 92c7d3b0bb
Remove mounts private from zfs, it is causing issues on reboot with zfs
This was originally put in to prevent potential leaks of mount points to
different mount namespaces.  Let's remove it and fix the issue with
zfs, and see if we experience leaked mounts.  oci-umount should also
clean up any leaks, if installed.

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2019-01-16 06:28:00 -05:00
Daniel J Walsh 53126cfd67
Update zfs driver to be closer to moby driver
There is a bug report reporting issues on zfs driver on reboot.
Wanted to make sure we have close to the same code as the Moby Project.

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2019-01-14 17:29:41 -05:00
Daniel J Walsh ab6be50561
Allow the passing in and retrieval of mount options
We want to allow tools like podman/buildah to override default storage
container mount options on a container by container basis.

For example if the default mount options for containers/storage include
nodev or nosuid, we want to allow podman to turn these off if the user
specifies --privileged.

We also might want to turn off certain user namespace flags that will cause
buildah and podman build to work slower when creating container images.

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2018-11-19 19:14:21 -05:00
Šimon Lukašík 3cabc9ac3c Fix file permission on /dev/zfs creation
Fixing typo in constant from 01130 (600) to 0600.

Signed-off-by: Šimon Lukašík <slukasik@redhat.com>
2018-11-05 18:04:52 +01:00
Daniel J Walsh b6ccc0acfa
Add MountOpts to stop adding fields to Get Interface
This patch adds a MountOpts field to the drivers so we can simplify
the interface to Get and allow additional options to be passed in the future.

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2018-10-05 09:23:46 -04:00
Giuseppe Scrivano 1897396330
drivers: inform Mount of the mappings used by the container
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2018-07-26 06:12:42 +02:00
Daniel J Walsh 8b1a0f8d68
Add default mount options to pass to drivers
I believe we should be running container images mounted with nodev by default.
This would eliminate the risk of a device sneaking into the container without
being on the approved list.  This would give us the same or potentially additional
security over the device cgroup.

It would be nice if this could be passed in on an image by image basis.  So users
could also specify if they want nosuid images.

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2018-07-18 10:20:27 -04:00
Nalin Dahyabhai 97326e1d2f Support for per-container uid/gid mapping: lower
Expose reading and writing ID mapping in the archive and chrootarchive
packages, and in the driver interface.  Generally this means that
when computing or applying diffs, we need to have ID mappings passed in
that are specific to the layers we're using.

Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
2018-04-03 10:34:32 -04:00
Nalin Dahyabhai b71d4c4197 Support for per-container uid/gid mapping: upper
Add support to the Store objects for per-container UID/GID mapping.
* UID and GID maps can be specified when creating layers and containers.
* If mapping options are specified when creating a container, those
  options are used for creating the layer which we create for the
  container and recorded with the container for convenience.
* A layer defaults to using the ID mapping configured for its parent, or
  to the default which was used to initialize the Store object if it has
  no parent.

Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
2018-04-03 10:34:32 -04:00
Daniel J Walsh 4c6ff0eef1 Backport moby zfs changes to containers/storage
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2017-09-26 20:45:15 +00:00
Mrunal Patel 59da502256 Update deps to github.com/sirupsen/logrus v1.0.0
Also updates github.com/Microsoft/hcsshim
and github.com/docker/go-connections so they work
with the newer version of logrus.

Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2017-08-01 07:25:56 -07:00
Nalin Dahyabhai 5375906c2e Wrap some driver-level errors
Wrap graphdriver.{ErrNotSupported,ErrPrerequisites,ErrIncompatibleFS}
errors in contexts using github.com/pkg/errors, and dig them out for
comparison using errors.Cause().

Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
2017-07-10 14:48:46 -04:00
Dan Walsh 1624d9622b Fix container storage to support additional image stores
We want to support additional read/only image stores available on
file systems.  Usually these image stores would be on network shares.
Currently the only driver that will support additional images is the
overlay file system.

Signed-off-by: Dan Walsh <dwalsh@redhat.com>
2017-05-20 12:18:51 -04:00
Dan Walsh 473f49f004 Remove Get prefix on method calls.
Go validate suggests that you should not use functions that begin with Get,
unless you have to.

Signed-off-by: Dan Walsh <dwalsh@redhat.com>
2017-05-10 11:04:46 -04:00
Daniel J Walsh 79a5d04c2f Switch to using opencontainers/selinux
We have moved runc/libcontainers selinux support out of libcontainer
into opencontainers/selinux.  Switching containers/storage to use
new interfaces.

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2017-03-22 14:12:48 -04:00
Nalin Dahyabhai 128f8c975c Don't mask unmount errors in overlay,overlay2,zfs
The overlay, overlay2, and zfs drivers masked unmount errors in their
Put() methods.  Bring them in line with the others and actually return
the error code.

Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
2016-08-22 13:41:20 -04:00
Nalin Dahyabhai 60ff079996 Rename: cow/cowman -> storage/oci-storage
Rename the library module and CLI wrapper.
Rename daemon/graphdriver to drivers.
Catch up vendoring to match modules we've pruned.

Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
2016-07-18 17:35:50 -04:00