container_create: fix /etc/resolv.conf to be ro

... for a read-only container. So, here is a story. Commit 0dfec71 (PR #599, merged Jun 14 2017) fixed the `/etc/resolv.conf` and `/etc/hosts` bind mounts to be read-only in case the container has `readonly_rootfs = true`. A test case was added by commit 8b4e303 (PR #603, merged Jun 16 2017) to verify that `/etc/resolv.conf` is indeed read-only for a read-only container. Later, the test case was broken by commit 25dfde9 (PR #1159, merged Nov 20 2017) to expect success from writing to `/etc/resolv.conf` for read-only container. Later, `ro` for `/etc/resolv.conf` was broken by commit 4c096f2 (PR #1562, merged May 18 2018), which went unnoticed until now because of the broken test case. This commit reinstates the `ro` flag, and fixes the test case. This is important since this file is outside of a container, and not having it ro basically enables a container to write to a file system outside of the container. Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
cri-o · Oct 14, 2020 · 5502607 · 5502607
1 parent d04aa90
commit 5502607
Show file tree

Hide file tree

Showing 2 changed files with 2 additions and 2 deletions.
diff --git a/server/container_create_linux.go b/server/container_create_linux.go
@@ -647,7 +647,7 @@ func (s *Server) createSandboxContainer(ctx context.Context, ctr ctrIface.Contai
 			Destination: "/etc/resolv.conf",
 			Type:        "bind",
 			Source:      sb.ResolvPath(),
-			Options:     []string{"bind", "nodev", "nosuid", "noexec"},
+			Options:     append(options, []string{"bind", "nodev", "nosuid", "noexec"}...),
 		})
 	}
 

diff --git a/test/ctr.bats b/test/ctr.bats
@@ -731,7 +731,7 @@ function wait_until_exit() {
 		"$TESTDATA"/container_config.json > "$newconfig"
 	ctr_id=$(crictl create "$pod_id" "$newconfig" "$TESTDATA"/sandbox_config.json)
 	crictl start "$ctr_id"
-	wait_until_exit "$ctr_id"
+	EXPECTED_EXIT_STATUS=1 wait_until_exit "$ctr_id"
 }
 
 @test "ctr create with non-existent command" {