summaryrefslogtreecommitdiffhomepage
path: root/runsc/boot
diff options
context:
space:
mode:
authorFabricio Voznika <fvoznika@google.com>2021-03-23 16:19:02 -0700
committergVisor bot <gvisor-bot@google.com>2021-03-23 16:21:12 -0700
commit960155cdaad49ccea07e45152f124beeb7e7fdcc (patch)
tree7bd7019c629c072e68480872de858e692fa23e32 /runsc/boot
parent92374e51976c8a47e4705943f73cecbc6a27073b (diff)
Add --file-access-mounts flag
--file-access-mounts flag is similar to --file-access, but controls non-root mounts that were previously mounted in shared mode only. This gives more flexibility to control how mounts are shared within a container. PiperOrigin-RevId: 364669882
Diffstat (limited to 'runsc/boot')
-rw-r--r--runsc/boot/fs.go7
-rw-r--r--runsc/boot/fs_test.go3
-rw-r--r--runsc/boot/vfs.go2
3 files changed, 6 insertions, 6 deletions
diff --git a/runsc/boot/fs.go b/runsc/boot/fs.go
index d1dacee03..32adde643 100644
--- a/runsc/boot/fs.go
+++ b/runsc/boot/fs.go
@@ -792,7 +792,7 @@ func (c *containerMounter) getMountNameAndOptions(conf *config.Config, m specs.M
case bind:
fd := c.fds.remove()
fsName = gofervfs2.Name
- opts = p9MountData(fd, c.getMountAccessType(m), conf.VFS2)
+ opts = p9MountData(fd, c.getMountAccessType(conf, m), conf.VFS2)
// If configured, add overlay to all writable mounts.
useOverlay = conf.Overlay && !mountFlags(m.Options).ReadOnly
@@ -802,12 +802,11 @@ func (c *containerMounter) getMountNameAndOptions(conf *config.Config, m specs.M
return fsName, opts, useOverlay, nil
}
-func (c *containerMounter) getMountAccessType(mount specs.Mount) config.FileAccessType {
+func (c *containerMounter) getMountAccessType(conf *config.Config, mount specs.Mount) config.FileAccessType {
if hint := c.hints.findMount(mount); hint != nil {
return hint.fileAccessType()
}
- // Non-root bind mounts are always shared if no hints were provided.
- return config.FileAccessShared
+ return conf.FileAccessMounts
}
// mountSubmount mounts volumes inside the container's root. Because mounts may
diff --git a/runsc/boot/fs_test.go b/runsc/boot/fs_test.go
index e986231e5..b4f12d034 100644
--- a/runsc/boot/fs_test.go
+++ b/runsc/boot/fs_test.go
@@ -243,7 +243,8 @@ func TestGetMountAccessType(t *testing.T) {
t.Fatalf("newPodMountHints failed: %v", err)
}
mounter := containerMounter{hints: podHints}
- if got := mounter.getMountAccessType(specs.Mount{Source: source}); got != tst.want {
+ conf := &config.Config{FileAccessMounts: config.FileAccessShared}
+ if got := mounter.getMountAccessType(conf, specs.Mount{Source: source}); got != tst.want {
t.Errorf("getMountAccessType(), want: %v, got: %v", tst.want, got)
}
})
diff --git a/runsc/boot/vfs.go b/runsc/boot/vfs.go
index 3fd28e516..9b3dacf46 100644
--- a/runsc/boot/vfs.go
+++ b/runsc/boot/vfs.go
@@ -494,7 +494,7 @@ func (c *containerMounter) getMountNameAndOptionsVFS2(conf *config.Config, m *mo
// but unlikely to be correct in this context.
return "", nil, false, fmt.Errorf("9P mount requires a connection FD")
}
- data = p9MountData(m.fd, c.getMountAccessType(m.Mount), true /* vfs2 */)
+ data = p9MountData(m.fd, c.getMountAccessType(conf, m.Mount), true /* vfs2 */)
iopts = gofer.InternalFilesystemOptions{
UniqueID: m.Destination,
}