Explicitly set rw for privileged container.

Random-Liu · Random-Liu · commit f2ec6f50b591 · 2018-05-07T17:53:57.000-07:00
Signed-off-by: Lantao Liu &lt;lantaol@google.com&gt;
diff --git a/pkg/server/container_create.go b/pkg/server/container_create.go
@@ -523,7 +523,7 @@ func clearReadOnly(m *runtimespec.Mount) {
 			opt = append(opt, o)
 		}
 	}
-	m.Options = opt
+	m.Options = append(opt, "rw")
 }
 
 // addDevices set device mapping without privilege.
diff --git a/pkg/server/container_create_test.go b/pkg/server/container_create_test.go
@@ -635,14 +635,14 @@ func TestPrivilegedBindMount(t *testing.T) {
 		}
 		spec := g.Spec()
 		if test.expectedSysFSRO {
-			checkMount(t, spec.Mounts, "sysfs", "/sys", "sysfs", []string{"ro"}, nil)
+			checkMount(t, spec.Mounts, "sysfs", "/sys", "sysfs", []string{"ro"}, []string{"rw"})
 		} else {
-			checkMount(t, spec.Mounts, "sysfs", "/sys", "sysfs", nil, []string{"ro"})
+			checkMount(t, spec.Mounts, "sysfs", "/sys", "sysfs", []string{"rw"}, []string{"ro"})
 		}
 		if test.expectedCgroupFSRO {
-			checkMount(t, spec.Mounts, "cgroup", "/sys/fs/cgroup", "cgroup", []string{"ro"}, nil)
+			checkMount(t, spec.Mounts, "cgroup", "/sys/fs/cgroup", "cgroup", []string{"ro"}, []string{"rw"})
 		} else {
-			checkMount(t, spec.Mounts, "cgroup", "/sys/fs/cgroup", "cgroup", nil, []string{"ro"})
+			checkMount(t, spec.Mounts, "cgroup", "/sys/fs/cgroup", "cgroup", []string{"rw"}, []string{"ro"})
 		}
 	}
 }

Original file line number	Diff line number	Diff line change
`@@ -523,7 +523,7 @@ func clearReadOnly(m *runtimespec.Mount) {`
`523`	`523`	`opt = append(opt, o)`
`524`	`524`	`}`
`525`	`525`	`}`
`526`		`- m.Options = opt`
	`526`	`+ m.Options = append(opt, "rw")`
`527`	`527`	`}`
`528`	`528`
`529`	`529`	`// addDevices set device mapping without privilege.`
Original file line number	Diff line number	Diff line change
`@@ -635,14 +635,14 @@ func TestPrivilegedBindMount(t *testing.T) {`
`635`	`635`	`}`
`636`	`636`	`spec := g.Spec()`
`637`	`637`	`if test.expectedSysFSRO {`
`638`		`- checkMount(t, spec.Mounts, "sysfs", "/sys", "sysfs", []string{"ro"}, nil)`
	`638`	`+ checkMount(t, spec.Mounts, "sysfs", "/sys", "sysfs", []string{"ro"}, []string{"rw"})`
`639`	`639`	`} else {`
`640`		`- checkMount(t, spec.Mounts, "sysfs", "/sys", "sysfs", nil, []string{"ro"})`
	`640`	`+ checkMount(t, spec.Mounts, "sysfs", "/sys", "sysfs", []string{"rw"}, []string{"ro"})`
`641`	`641`	`}`
`642`	`642`	`if test.expectedCgroupFSRO {`
`643`		`- checkMount(t, spec.Mounts, "cgroup", "/sys/fs/cgroup", "cgroup", []string{"ro"}, nil)`
	`643`	`+ checkMount(t, spec.Mounts, "cgroup", "/sys/fs/cgroup", "cgroup", []string{"ro"}, []string{"rw"})`
`644`	`644`	`} else {`
`645`		`- checkMount(t, spec.Mounts, "cgroup", "/sys/fs/cgroup", "cgroup", nil, []string{"ro"})`
	`645`	`+ checkMount(t, spec.Mounts, "cgroup", "/sys/fs/cgroup", "cgroup", []string{"rw"}, []string{"ro"})`
`646`	`646`	`}`
`647`	`647`	`}`
`648`	`648`	`}`