Add --read-only for service create and service update#30162
Add --read-only for service create and service update#30162LK4D4 merged 2 commits intomoby:masterfrom
--read-only for service create and service update#30162Conversation
cpuguy83
added
status/1-design-review
status/needs-vendoring
and removed
status/0-triage
labels
thaJeztah
left a comment
thaJeztah
left a comment
There was a problem hiding this comment.
design looks good to me; left some general thoughts on the tests
There was a problem hiding this comment.
I don't think we need to test this here; this functionality is already tested in testReadOnlyFile()
There was a problem hiding this comment.
Thanks @thaJeztah. That test has been removed.
There was a problem hiding this comment.
I think it would be good to test that running an docker service update without specifying the --read-only flag, does not change ReadonlyRootfs from true to false
There was a problem hiding this comment.
Thanks. I added a unit test to cover this scenario.
There was a problem hiding this comment.
Looking at all these tests; I'm not sure how much of this is tested in SwarmKit, but possibly it could even be changed to a unit test (i.e., test that the client is setting / updating the ReadonlyRootfs in the TaskTemplate)
/cc @vdemeester perhaps you have some thoughts on that?
There was a problem hiding this comment.
Thanks. Some of the test has been changed to unit tests.
cli/command/service/opts.go
Outdated
There was a problem hiding this comment.
Oh, can you version this flag, so that it only shows if the daemon is docker 1.14 or above?
flags.SetAnnotation(flagReadonlyRootfs, "version", []string{"1.26"})(hm, thinking of which, I think there's some other flags that we need to update as well)
|
@yongtang there are some comments from @thaJeztah |
|
@LK4D4 Thanks for the reminder. moby/swarmkit#1872 was merged yesterday. I will work on updating this PR shortly. |
yongtang
force-pushed
the
29972-service-read-only
branch
from
8a162eb to
6393cc0
Compare
|
@thaJeztah Thanks for the review. The PR has been updated. And some of the tests have been changed to unit tests. Please take a look and let me know if there are any issues. |
yongtang
force-pushed
the
29972-service-read-only
branch
from
6393cc0 to
4e61743
Compare
|
@yongtang I'm not sure, but failures look real enough |
|
@LK4D4 Ah the failure is related to the changes in SwarmKit about explicitly disallow network pluginv1 creation in swarm mode (See discussion in moby/swarmkit#1899, moby/swarmkit#1894, and #30332) The failure is being addressed in PR #30548 now. Please take a look. |
|
@yongtang cool, thanks! |
|
@yongtang just merged it. |
yongtang
force-pushed
the
29972-service-read-only
branch
from
4e61743 to
2ede0eb
Compare
|
Thanks @LK4D4! This PR has been updated as well now. |
thaJeztah
left a comment
thaJeztah
left a comment
There was a problem hiding this comment.
changes LGTM perhaps you can also update the completion scripts for bash and zsh as part of this PR? I think bash change should go here; https://github.com/docker/docker/blob/master/contrib/completion/bash/docker#L2833 (but double check 😄)
This fix tries to address the issue raised in 29972 where it was not possible to specify `--read-only` for `docker service create` and `docker service update`, in order to have the container's root file system to be read only. This fix adds `--read-only` and update the `ReadonlyRootfs` in `HostConfig` through `service create` and `service update`. Related docs has been updated. Integration test has been added. This fix fixes 29972. Signed-off-by: Yong Tang <[email protected]>
This commit updates bash and zsh completion for flag `--read-only` in `service create/update`. Signed-off-by: Yong Tang <[email protected]>
yongtang
force-pushed
the
29972-service-read-only
branch
from
2ede0eb to
885e1f2
Compare
|
Thanks @thaJeztah. The PR has been updated with related bash and zsh completion added. |
|
LGTM |
|
@yongtang can you please open a PR to update |
Add `--read-only` for `service create` and `service update`
7 participants
- What I did
This fix tries to address the issue raised in #29972 where it was not possible to specify
--read-onlyfordocker service createanddocker service update, in order to have the container's root file system to be read only.- How I did it
This fix adds
--read-onlyand update theReadonlyRootfsinHostConfigthroughservice createandservice update.Related docs has been updated.
- How to verify it
Integration test has been added.
- Description for the changelog
Add
--read-onlyforservice createandservice update- A picture of a cute animal (not mandatory but encouraged)
This fix fixes #29972.
Related SwarmKit PR is moby/swarmkit#1872
Signed-off-by: Yong Tang [email protected]