From 960155cdaad49ccea07e45152f124beeb7e7fdcc Mon Sep 17 00:00:00 2001 From: Fabricio Voznika Date: Tue, 23 Mar 2021 16:19:02 -0700 Subject: Add --file-access-mounts flag --file-access-mounts flag is similar to --file-access, but controls non-root mounts that were previously mounted in shared mode only. This gives more flexibility to control how mounts are shared within a container. PiperOrigin-RevId: 364669882 --- runsc/config/config.go | 21 +++++++++++++++------ runsc/config/flags.go | 3 ++- 2 files changed, 17 insertions(+), 7 deletions(-) (limited to 'runsc/config') diff --git a/runsc/config/config.go b/runsc/config/config.go index 34ef48825..1e5858837 100644 --- a/runsc/config/config.go +++ b/runsc/config/config.go @@ -58,9 +58,12 @@ type Config struct { // DebugLogFormat is the log format for debug. DebugLogFormat string `flag:"debug-log-format"` - // FileAccess indicates how the filesystem is accessed. + // FileAccess indicates how the root filesystem is accessed. FileAccess FileAccessType `flag:"file-access"` + // FileAccessMounts indicates how non-root volumes are accessed. + FileAccessMounts FileAccessType `flag:"file-access-mounts"` + // Overlay is whether to wrap the root filesystem in an overlay. Overlay bool `flag:"overlay"` @@ -197,13 +200,19 @@ func (c *Config) validate() error { type FileAccessType int const ( - // FileAccessExclusive is the same as FileAccessShared, but enables - // extra caching for improved performance. It should only be used if - // the sandbox has exclusive access to the filesystem. + // FileAccessExclusive gives the sandbox exclusive access over files and + // directories in the filesystem. No external modifications are permitted and + // can lead to undefined behavior. + // + // Exclusive filesystem access enables more aggressive caching and offers + // significantly better performance. This is the default mode for the root + // volume. FileAccessExclusive FileAccessType = iota - // FileAccessShared sends IO requests to a Gofer process that validates the - // requests and forwards them to the host. + // FileAccessShared is used for volumes that can have external changes. It + // requires revalidation on every filesystem access to detect external + // changes, and reduces the amount of caching that can be done. This is the + // default mode for non-root volumes. FileAccessShared ) diff --git a/runsc/config/flags.go b/runsc/config/flags.go index adbee506c..1d996c841 100644 --- a/runsc/config/flags.go +++ b/runsc/config/flags.go @@ -67,7 +67,8 @@ func RegisterFlags() { flag.Bool("oci-seccomp", false, "Enables loading OCI seccomp filters inside the sandbox.") // Flags that control sandbox runtime behavior: FS related. - flag.Var(fileAccessTypePtr(FileAccessExclusive), "file-access", "specifies which filesystem to use for the root mount: exclusive (default), shared. Volume mounts are always shared.") + flag.Var(fileAccessTypePtr(FileAccessExclusive), "file-access", "specifies which filesystem validation to use for the root mount: exclusive (default), shared.") + flag.Var(fileAccessTypePtr(FileAccessShared), "file-access-mounts", "specifies which filesystem validation to use for volumes other than the root mount: shared (default), exclusive.") flag.Bool("overlay", false, "wrap filesystem mounts with writable overlay. All modifications are stored in memory inside the sandbox.") flag.Bool("verity", false, "specifies whether a verity file system will be mounted.") flag.Bool("overlayfs-stale-read", true, "assume root mount is an overlay filesystem") -- cgit v1.2.3