From 960155cdaad49ccea07e45152f124beeb7e7fdcc Mon Sep 17 00:00:00 2001 From: Fabricio Voznika Date: Tue, 23 Mar 2021 16:19:02 -0700 Subject: Add --file-access-mounts flag --file-access-mounts flag is similar to --file-access, but controls non-root mounts that were previously mounted in shared mode only. This gives more flexibility to control how mounts are shared within a container. PiperOrigin-RevId: 364669882 --- runsc/boot/fs.go | 7 +++---- runsc/boot/fs_test.go | 3 ++- runsc/boot/vfs.go | 2 +- 3 files changed, 6 insertions(+), 6 deletions(-) (limited to 'runsc/boot') diff --git a/runsc/boot/fs.go b/runsc/boot/fs.go index d1dacee03..32adde643 100644 --- a/runsc/boot/fs.go +++ b/runsc/boot/fs.go @@ -792,7 +792,7 @@ func (c *containerMounter) getMountNameAndOptions(conf *config.Config, m specs.M case bind: fd := c.fds.remove() fsName = gofervfs2.Name - opts = p9MountData(fd, c.getMountAccessType(m), conf.VFS2) + opts = p9MountData(fd, c.getMountAccessType(conf, m), conf.VFS2) // If configured, add overlay to all writable mounts. useOverlay = conf.Overlay && !mountFlags(m.Options).ReadOnly @@ -802,12 +802,11 @@ func (c *containerMounter) getMountNameAndOptions(conf *config.Config, m specs.M return fsName, opts, useOverlay, nil } -func (c *containerMounter) getMountAccessType(mount specs.Mount) config.FileAccessType { +func (c *containerMounter) getMountAccessType(conf *config.Config, mount specs.Mount) config.FileAccessType { if hint := c.hints.findMount(mount); hint != nil { return hint.fileAccessType() } - // Non-root bind mounts are always shared if no hints were provided. - return config.FileAccessShared + return conf.FileAccessMounts } // mountSubmount mounts volumes inside the container's root. Because mounts may diff --git a/runsc/boot/fs_test.go b/runsc/boot/fs_test.go index e986231e5..b4f12d034 100644 --- a/runsc/boot/fs_test.go +++ b/runsc/boot/fs_test.go @@ -243,7 +243,8 @@ func TestGetMountAccessType(t *testing.T) { t.Fatalf("newPodMountHints failed: %v", err) } mounter := containerMounter{hints: podHints} - if got := mounter.getMountAccessType(specs.Mount{Source: source}); got != tst.want { + conf := &config.Config{FileAccessMounts: config.FileAccessShared} + if got := mounter.getMountAccessType(conf, specs.Mount{Source: source}); got != tst.want { t.Errorf("getMountAccessType(), want: %v, got: %v", tst.want, got) } }) diff --git a/runsc/boot/vfs.go b/runsc/boot/vfs.go index 3fd28e516..9b3dacf46 100644 --- a/runsc/boot/vfs.go +++ b/runsc/boot/vfs.go @@ -494,7 +494,7 @@ func (c *containerMounter) getMountNameAndOptionsVFS2(conf *config.Config, m *mo // but unlikely to be correct in this context. return "", nil, false, fmt.Errorf("9P mount requires a connection FD") } - data = p9MountData(m.fd, c.getMountAccessType(m.Mount), true /* vfs2 */) + data = p9MountData(m.fd, c.getMountAccessType(conf, m.Mount), true /* vfs2 */) iopts = gofer.InternalFilesystemOptions{ UniqueID: m.Destination, } -- cgit v1.2.3