Merge pull request #224 from chenyukang/pass-root-readonly

Fix #209, pass root-readonly
2024-05-05 23:26:32 +02:00 · 2021-08-25 10:01:51 +09:00 · 2021-08-25 10:01:51 +09:00 · 14856066b1
parent a14ce13bcd 1aa467f7da
commit 14856066b1
3 changed files with 19 additions and 2 deletions
--- a/README.md
+++ b/README.md
@ -47,7 +47,7 @@ youki is not at the practical stage yet. However, it is getting closer to practi
 |    Seccomp     |             Filtering system calls              |                     WIP on [#25](https://github.com/containers/youki/issues/25)                     |
 |     Hooks      | Add custom processing during container creation |                                                  ✅                                                  |
 |    Rootless    |   Running a container without root privileges   | It works, but cgroups isn't supported. WIP on [#77](https://github.com/containers/youki/issues/77)  |
-| OCI Compliance |        Compliance with OCI Runtime Spec         |                                   39 out of 55 test cases passing                                   |
+| OCI Compliance |        Compliance with OCI Runtime Spec         |                                   40 out of 55 test cases passing                                   |

 # Getting Started

@ -158,6 +158,8 @@ Go and node-tap are required to run integration test. See the [opencontainers/ru
 ```
 $ git submodule update --init --recursive
 $ ./integration_test.sh
+# run specific test_cases with pattern
+$ ./integration_test.sh linux_*
 ```

 ### Setting up Vagrant
--- a/integration_test.sh
+++ b/integration_test.sh
@ -2,6 +2,7 @@

 ROOT=$(pwd)
 RUNTIME=${ROOT}/youki
+PATTERN=${1:-.}

 cd integration_test/src/github.com/opencontainers/runtime-tools

@ -64,7 +65,7 @@ test_cases=(
  "process_rlimits/process_rlimits.t"
  "process_rlimits_fail/process_rlimits_fail.t"
  # "process_user/process_user.t"
-  # "root_readonly_true/root_readonly_true.t"
+  "root_readonly_true/root_readonly_true.t"
  # Record the tests that runc also fails to pass below, maybe we will fix this by origin integration test, issue: https://github.com/containers/youki/issues/56
  # "start/start.t"
  "state/state.t"
@ -93,6 +94,10 @@ for case in "${test_cases[@]}"; do
    continue
  fi

+  if [ $PATTERN != "." ] && [[ ! $case =~ $PATTERN ]]; then
+    continue    
+  fi 
+
  echo "Running $case"
  logfile="./log/$case.log"
  mkdir -p "$(dirname $logfile)"
--- a/src/process/init.rs
+++ b/src/process/init.rs
@ -311,6 +311,16 @@ pub fn container_init(
        }
    }

+    if let Some(true) = spec.root.as_ref().map(|r| r.readonly.unwrap_or(false)) {
+        nix_mount(
+            None::<&str>,
+            "/",
+            None::<&str>,
+            MsFlags::MS_RDONLY | MsFlags::MS_REMOUNT | MsFlags::MS_BIND,
+            None::<&str>,
+        )?
+    }
+
    if let Some(paths) = &linux.readonly_paths {
        // mount readonly path
        for path in paths {