diff options
| author | Fabricio Voznika <fvoznika@google.com> | 2018-08-24 10:16:38 -0700 |
|---|---|---|
| committer | Shentubot <shentubot@google.com> | 2018-08-24 10:17:42 -0700 |
| commit | a81a4402a265aec6715172cd3502ee7eebbf64aa (patch) | |
| tree | ca68f0086761e850760931820f3dd34d9affd764 /runsc/sandbox | |
| parent | 64403265a04aa0c8be3ebb652a09f6e2d7a84ca7 (diff) | |
Add option to panic gofer if writes are attempted over RO mounts
This is used when '--overlay=true' to guarantee writes are not sent to gofer.
PiperOrigin-RevId: 210116288
Change-Id: I7616008c4c0e8d3668e07a205207f46e2144bf30
Diffstat (limited to 'runsc/sandbox')
| -rw-r--r-- | runsc/sandbox/sandbox.go | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/runsc/sandbox/sandbox.go b/runsc/sandbox/sandbox.go index e5d1f791d..7789608f8 100644 --- a/runsc/sandbox/sandbox.go +++ b/runsc/sandbox/sandbox.go @@ -345,6 +345,10 @@ func (s *Sandbox) createGoferProcess(spec *specs.Spec, conf *boot.Config, bundle setUIDGIDMappings(cmd, spec) nss := filterNS([]specs.LinuxNamespaceType{specs.UserNamespace}, spec) + if conf.Overlay { + args = append(args, "--panic-on-write=true") + } + // Start the gofer in the given namespace. log.Debugf("Starting gofer: %s %v", binPath, args) if err := startInNS(cmd, nss); err != nil { |