Allow overriding mount options for /dev and /dev/pts
This is useful to optionally set /dev ro,noexec. Treat /dev and /dev/pts the same as /proc and /sys. Make sure the Type is right though. Many config.json snippets on the Internet suggest /dev is tmpfs, not devtmpfs.
This commit is contained in:
parent
3fd4b83fa3
commit
2b72da8bf9
|
@ -103,33 +103,28 @@ func addOverlay(ctx context.Context, conf *Config, lower *fs.Inode, name string,
|
||||||
// mandatory mounts that are required by the OCI specification.
|
// mandatory mounts that are required by the OCI specification.
|
||||||
func compileMounts(spec *specs.Spec) []specs.Mount {
|
func compileMounts(spec *specs.Spec) []specs.Mount {
|
||||||
// Keep track of whether proc and sys were mounted.
|
// Keep track of whether proc and sys were mounted.
|
||||||
var procMounted, sysMounted bool
|
var procMounted, sysMounted, devMounted, devptsMounted bool
|
||||||
var mounts []specs.Mount
|
var mounts []specs.Mount
|
||||||
|
|
||||||
// Always mount /dev.
|
|
||||||
mounts = append(mounts, specs.Mount{
|
|
||||||
Type: devtmpfs.Name,
|
|
||||||
Destination: "/dev",
|
|
||||||
})
|
|
||||||
|
|
||||||
mounts = append(mounts, specs.Mount{
|
|
||||||
Type: devpts.Name,
|
|
||||||
Destination: "/dev/pts",
|
|
||||||
})
|
|
||||||
|
|
||||||
// Mount all submounts from the spec.
|
// Mount all submounts from the spec.
|
||||||
for _, m := range spec.Mounts {
|
for _, m := range spec.Mounts {
|
||||||
if !specutils.IsSupportedDevMount(m) {
|
if !specutils.IsSupportedDevMount(m) {
|
||||||
log.Warningf("ignoring dev mount at %q", m.Destination)
|
log.Warningf("ignoring dev mount at %q", m.Destination)
|
||||||
continue
|
continue
|
||||||
}
|
}
|
||||||
mounts = append(mounts, m)
|
|
||||||
switch filepath.Clean(m.Destination) {
|
switch filepath.Clean(m.Destination) {
|
||||||
case "/proc":
|
case "/proc":
|
||||||
procMounted = true
|
procMounted = true
|
||||||
case "/sys":
|
case "/sys":
|
||||||
sysMounted = true
|
sysMounted = true
|
||||||
|
case "/dev":
|
||||||
|
m.Type = devtmpfs.Name
|
||||||
|
devMounted = true
|
||||||
|
case "/dev/pts":
|
||||||
|
m.Type = devpts.Name
|
||||||
|
devptsMounted = true
|
||||||
}
|
}
|
||||||
|
mounts = append(mounts, m)
|
||||||
}
|
}
|
||||||
|
|
||||||
// Mount proc and sys even if the user did not ask for it, as the spec
|
// Mount proc and sys even if the user did not ask for it, as the spec
|
||||||
|
@ -147,6 +142,18 @@ func compileMounts(spec *specs.Spec) []specs.Mount {
|
||||||
Destination: "/sys",
|
Destination: "/sys",
|
||||||
})
|
})
|
||||||
}
|
}
|
||||||
|
if !devMounted {
|
||||||
|
mandatoryMounts = append(mandatoryMounts, specs.Mount{
|
||||||
|
Type: devtmpfs.Name,
|
||||||
|
Destination: "/dev",
|
||||||
|
})
|
||||||
|
}
|
||||||
|
if !devptsMounted {
|
||||||
|
mandatoryMounts = append(mandatoryMounts, specs.Mount{
|
||||||
|
Type: devpts.Name,
|
||||||
|
Destination: "/dev/pts",
|
||||||
|
})
|
||||||
|
}
|
||||||
|
|
||||||
// The mandatory mounts should be ordered right after the root, in case
|
// The mandatory mounts should be ordered right after the root, in case
|
||||||
// there are submounts of these mandatory mounts already in the spec.
|
// there are submounts of these mandatory mounts already in the spec.
|
||||||
|
|
|
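Review bot: The `/dev` and `/dev/pts` cases in the switch overwrite `m.Type` silently, so a spec that declares `/dev` as `tmpfs` (the common snippet the description mentions) is rewritten to devtmpfs while its `Options` and `Source` are still passed through unchanged; nothing tells the operator that the requested filesystem was replaced or that tmpfs-specific options may be ignored. A warning when the type differs would make the override visible, e.g. `if m.Type != devtmpfs.Name { log.Warningf("overriding type %q for %q mount with %q", m.Type, m.Destination, devtmpfs.Name) }` before `m.Type = devtmpfs.Name`, and the same for the `/dev/pts` case. The same point applies to the second hunk's fallback mounts only indirectly: because the user-supplied entry now keeps its spec position instead of being placed right after root, a `/dev` submount listed earlier in `spec.Mounts` may be mounted before `/dev` itself, which the comment "The mandatory mounts should be ordered right after the root" no longer covers for the user-supplied case — worth a sentence in that comment. compileMounts continues outside both hunks.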
@ -334,15 +334,9 @@ func IsSupportedDevMount(m specs.Mount) bool {
|
||||||
var existingDevices = []string{
|
var existingDevices = []string{
|
||||||
"/dev/fd", "/dev/stdin", "/dev/stdout", "/dev/stderr",
|
"/dev/fd", "/dev/stdin", "/dev/stdout", "/dev/stderr",
|
||||||
"/dev/null", "/dev/zero", "/dev/full", "/dev/random",
|
"/dev/null", "/dev/zero", "/dev/full", "/dev/random",
|
||||||
"/dev/urandom", "/dev/shm", "/dev/pts", "/dev/ptmx",
|
"/dev/urandom", "/dev/shm", "/dev/ptmx",
|
||||||
}
|
}
|
||||||
dst := filepath.Clean(m.Destination)
|
dst := filepath.Clean(m.Destination)
|
||||||
if dst == "/dev" {
|
|
||||||
// OCI spec uses many different mounts for the things inside of '/dev'. We
|
|
||||||
// have a single mount at '/dev' that is always mounted, regardless of
|
|
||||||
// whether it was asked for, as the spec says we SHOULD.
|
|
||||||
return false
|
|
||||||
}
|
|
||||||
for _, dev := range existingDevices {
|
for _, dev := range existingDevices {
|
||||||
if dst == dev || strings.HasPrefix(dst, dev+"/") {
|
if dst == dev || strings.HasPrefix(dst, dev+"/") {
|
||||||
return false
|
return false
|
||||||
|
|
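Review bot: Removing `"/dev/pts"` from `existingDevices` changes more than allowing the exact `/dev/pts` mount: the prefix check `strings.HasPrefix(dst, dev+"/")` no longer rejects submounts such as `/dev/pts/<something>`, which previously returned false and now fall through to the caller, where compileMounts only special-cases the exact `/dev/pts` path and would append them with whatever type the spec gives. If only the exact path is meant to be accepted, keep rejecting its children with a guard after `dst := filepath.Clean(m.Destination)`, e.g. `if strings.HasPrefix(dst, "/dev/pts/") { return false }`. The deleted comment also carried the only explanation of why `/dev` was special; the function's doc comment (outside the hunk) presumably still describes the old behaviour and should now say that `/dev` and `/dev/pts` are accepted and have their type forced by the caller. IsSupportedDevMount starts before this hunk.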