summaryrefslogtreecommitdiffhomepage
diff options
context:
space:
mode:
authorFabricio Voznika <fvoznika@google.com>2020-06-01 11:43:05 -0700
committergVisor bot <gvisor-bot@google.com>2020-06-01 11:44:32 -0700
commit16100d18cbe27f01e1f0c147f91a694518ddc160 (patch)
treef2937d15d2a5cc2d99221ba137ee601f9a53b83b
parent474d9b260930dc220660df3eab8dc55405c34215 (diff)
Make gofer mount readonly when overlay is enabled
No writes are expected to the underlying filesystem when using --overlay. PiperOrigin-RevId: 314171457
-rw-r--r--runsc/cmd/gofer.go4
1 files changed, 2 insertions, 2 deletions
diff --git a/runsc/cmd/gofer.go b/runsc/cmd/gofer.go
index 28f0d54b9..10448a759 100644
--- a/runsc/cmd/gofer.go
+++ b/runsc/cmd/gofer.go
@@ -168,7 +168,7 @@ func (g *Gofer) Execute(_ context.Context, f *flag.FlagSet, args ...interface{})
// Start with root mount, then add any other additional mount as needed.
ats := make([]p9.Attacher, 0, len(spec.Mounts)+1)
ap, err := fsgofer.NewAttachPoint("/", fsgofer.Config{
- ROMount: spec.Root.Readonly,
+ ROMount: spec.Root.Readonly || conf.Overlay,
PanicOnWrite: g.panicOnWrite,
})
if err != nil {
@@ -181,7 +181,7 @@ func (g *Gofer) Execute(_ context.Context, f *flag.FlagSet, args ...interface{})
for _, m := range spec.Mounts {
if specutils.Is9PMount(m) {
cfg := fsgofer.Config{
- ROMount: isReadonlyMount(m.Options),
+ ROMount: isReadonlyMount(m.Options) || conf.Overlay,
PanicOnWrite: g.panicOnWrite,
HostUDS: conf.FSGoferHostUDS,
}