Skip to content

Add ReadonlyRootfs in ContainerSpec for --read-only#1872

Merged
aaronlehmann merged 1 commit intomoby:masterfrom
yongtang:29972-service-read-only
Jan 27, 2017
Merged

Add ReadonlyRootfs in ContainerSpec for --read-only#1872
aaronlehmann merged 1 commit intomoby:masterfrom
yongtang:29972-service-read-only

Conversation

@yongtang
Copy link
Member

@yongtang yongtang commented Jan 14, 2017

This fix tries to address the issue raised in moby/moby#29972 where it was not possible to specify --read-only for docker service create and docker service update, in order to have the container's root file system to be read only.

This fix adds ReadonlyRootfs so that it is possible to specify --read-only for service update and service create

Related docker PR is moby/moby#30162

Signed-off-by: Yong Tang [email protected]

This was referenced Jan 14, 2017
Merged
Closed
@codecov-io
Copy link

codecov-io commented Jan 14, 2017
edited
Loading

Current coverage is 53.74% (diff: 100%)

Merging #1872 into master will decrease coverage by <.01%

@@             master      #1872   diff @@
==========================================
  Files           106        106          
  Lines         18367      18367          
  Methods           0          0          
  Messages          0          0          
  Branches          0          0          
==========================================
- Hits           9873       9872     -1   
+ Misses         7282       7281     -1   
- Partials       1212       1214     +2

Sunburst

Powered by Codecov. Last update f5a96ef...c2ae199

@aaronlehmann
Copy link
Collaborator

aaronlehmann commented Jan 17, 2017

ping @stevvooe

stevvooe
stevvooe reviewed Jan 17, 2017
View reviewed changes
api/specs.proto Outdated
// OpenStdin declares that the standard input (stdin) should be open.
bool open_stdin = 18;

// ReadonlyRootfs declares that the container root filesystem is read-only.
Copy link
Contributor

@stevvooe stevvooe Jan 17, 2017

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

How does this interact with mounts that are not readonly?

@stevvooe
Copy link
Contributor

stevvooe commented Jan 17, 2017

I don't see any issue with this, other than I would just call it ReadOnly. It would be good to clarify what this actually means, as I can't find any documentation explaining it. Does it make all mounts read only or just the rootfs mount? For example, if you have a writable volume, does it make that read only? What about tmpfs?

@yongtang yongtang force-pushed the 29972-service-read-only branch from 1565920 to d0e23d5 Compare January 27, 2017 00:08
@yongtang
Copy link
Member Author

yongtang commented Jan 27, 2017

@stevvooe @aaronlehmann sorry for the late update. The PR has been updated with name changed to ReadOnly and added descriptions. Please take a look.

@stevvooe
Copy link
Contributor

stevvooe commented Jan 27, 2017

LGTM

aaronlehmann
aaronlehmann reviewed Jan 27, 2017
View reviewed changes
api/specs.proto Outdated
bool open_stdin = 18;

// ReadOnly declares that the container root filesystem is read-only.
// This only impacts the root filesystem, not additionally mounts (including
Copy link
Collaborator

@aaronlehmann aaronlehmann Jan 27, 2017

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: "not additional mounts"

Copy link
Member Author

@yongtang yongtang Jan 27, 2017

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks @aaronlehmann. Done.

aaronlehmann
aaronlehmann reviewed Jan 27, 2017
View reviewed changes
api/specs.proto Outdated
// ReadOnly declares that the container root filesystem is read-only.
// This only impacts the root filesystem, not additionally mounts (including
// tmpfs). For additional mounts that are not part of the initial rootfs,
// they will be decided by the modes passed alone.
Copy link
Collaborator

@aaronlehmann aaronlehmann Jan 27, 2017

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should this say "the modes passed in the mount definition"?

Copy link
Member Author

@yongtang yongtang Jan 27, 2017

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks. Done.

@yongtang
Add ReadOnly in ContainerSpec for --read-only
c2ae199 
This fix tries to address the issue raised in docker/29972 where
it was not possible to specify `--read-only` for `docker service create`
and `docker service update`, in order to have the container's root file
system to be read only.

This fix adds `ReadOnly` so that it is possible to specify
`--read-only` for `service update` and `service create`.

Signed-off-by: Yong Tang <[email protected]>
@yongtang yongtang force-pushed the 29972-service-read-only branch from d0e23d5 to c2ae199 Compare January 27, 2017 02:02
@yongtang
Copy link
Member Author

yongtang commented Jan 27, 2017

@aaronlehmann The PR has been updated. Please take a look.

@aaronlehmann
Copy link
Collaborator

aaronlehmann commented Jan 27, 2017

LGTM

@aaronlehmann aaronlehmann merged commit fe79e67 into moby:master Jan 27, 2017
@yongtang yongtang deleted the 29972-service-read-only branch January 27, 2017 07:39
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@aaronlehmann aaronlehmann aaronlehmann left review comments

+1 more reviewer

@stevvooe stevvooe stevvooe left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@yongtang @codecov-io @aaronlehmann @stevvooe