From 960155cdaad49ccea07e45152f124beeb7e7fdcc Mon Sep 17 00:00:00 2001
From: Fabricio Voznika
Date: Tue, 23 Mar 2021 16:19:02 -0700
Subject: Add --file-access-mounts flag

--file-access-mounts flag is similar to --file-access, but controls non-root mounts that were previously mounted in shared mode only. This gives more flexibility to control how mounts are shared within a container.

PiperOrigin-RevId: 364669882
---
 runsc/config/flags.go | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

(limited to 'runsc/config/flags.go')

diff --git a/runsc/config/flags.go b/runsc/config/flags.go
index adbee506c..1d996c841 100644
--- a/runsc/config/flags.go
+++ b/runsc/config/flags.go
@@ -67,7 +67,8 @@ func RegisterFlags() {
 flag.Bool("oci-seccomp", false, "Enables loading OCI seccomp filters inside the sandbox.")

 // Flags that control sandbox runtime behavior: FS related.
- flag.Var(fileAccessTypePtr(FileAccessExclusive), "file-access", "specifies which filesystem to use for the root mount: exclusive (default), shared. Volume mounts are always shared.")
+ flag.Var(fileAccessTypePtr(FileAccessExclusive), "file-access", "specifies which filesystem validation to use for the root mount: exclusive (default), shared.")
+ flag.Var(fileAccessTypePtr(FileAccessShared), "file-access-mounts", "specifies which filesystem validation to use for volumes other than the root mount: shared (default), exclusive.")
 flag.Bool("overlay", false, "wrap filesystem mounts with writable overlay. All modifications are stored in memory inside the sandbox.")
 flag.Bool("verity", false, "specifies whether a verity file system will be mounted.")
 flag.Bool("overlayfs-stale-read", true, "assume root mount is an overlay filesystem")
--
cgit v1.2.3
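Review bot: The help string of the new `file-access-mounts` flag on the added `flag.Var` line lists `shared` and `exclusive` without saying what `exclusive` assumes. As I understand that mode, the sandbox treats itself as the only writer, so an operator who sets it on a volume that the host or another container also modifies may leave the sandbox trusting stale file state. I would state the assumption in the usage text, e.g. end it with `shared (default), exclusive. Only use exclusive when nothing outside the sandbox modifies the volume.`, and word the `file-access` line the same way. This patch view is limited to runsc/config/flags.go, so whether the new value is validated against other options (for example `overlay`) cannot be checked here; RegisterFlags itself starts and ends outside the hunk.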