From 5502607e17451f05c7b72b3b218643bb8eb42ae7 Mon Sep 17 00:00:00 2001
From: Kir Kolyshkin
Date: Wed, 14 Oct 2020 10:30:33 -0700
Subject: [PATCH] container_create: fix /etc/resolv.conf to be ro
... for a read-only container. So, here is a story. Commit 0dfec710f2a55c1183 (PR #599, merged Jun 14 2017) fixed the `/etc/resolv.conf` and `/etc/hosts` bind mounts to be read-only in case the container has `readonly_rootfs = true`. A test case was added by commit 8b4e3036ea80304 (PR #603, merged Jun 16 2017) to verify that `/etc/resolv.conf` is indeed read-only for a read-only container. Later, the test case was broken by commit 25dfde90443c2d (PR #1159, merged Nov 20 2017) to expect success from writing to `/etc/resolv.conf` for read-only container. Later, `ro` for `/etc/resolv.conf` was broken by commit 4c096f2812 (PR #1562, merged May 18 2018), which went unnoticed until now because of the broken test case. This commit reinstates the `ro` flag, and fixes the test case. This is important since this file is outside of a container, and not having it ro basically enables a container to write to a file system outside of the container.
Signed-off-by: Kir Kolyshkin
---
 server/container_create_linux.go | 2 +-
 test/ctr.bats | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/server/container_create_linux.go b/server/container_create_linux.go
index 50502d59efb..4ed36d524fc 100644
--- a/server/container_create_linux.go
+++ b/server/container_create_linux.go
@@ -647,7 +647,7 @@ func (s *Server) createSandboxContainer(ctx context.Context, ctr ctrIface.Contai
 Destination: "/etc/resolv.conf",
 Type: "bind",
 Source: sb.ResolvPath(),
- Options: []string{"bind", "nodev", "nosuid", "noexec"},
+ Options: append(options, []string{"bind", "nodev", "nosuid", "noexec"}...),
 })
 }
diff --git a/test/ctr.bats b/test/ctr.bats
index adeaafd66a5..0df68307731 100644
--- a/test/ctr.bats
+++ b/test/ctr.bats
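Review bot: The new Options line appends into whatever backing array `options` already has, so if the same `options` slice is also used to build the /etc/hosts mount (the commit message says both bind mounts get the read-only treatment) and it has spare capacity, the two mounts' option slices can alias and a later append can overwrite the earlier one's entries. Copying first removes that hazard and drops the unnecessary `[]string{...}...` spread, since append takes the strings directly: `Options: append(append([]string(nil), options...), "bind", "nodev", "nosuid", "noexec"),`. Where `options` is declared and whether it actually carries `ro` for a read-only rootfs is outside this hunk, so that should be confirmed against the earlier part of createSandboxContainer, which starts and ends outside the hunk. A one-line comment on the mount, `// options presumably carries "ro" for a read-only rootfs: the file lives outside the container and must not be writable from inside it`, would explain why this differs from a plain bind and make the regression harder to reintroduce.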
@@ -731,7 +731,7 @@ function wait_until_exit() {
 "$TESTDATA"/container_config.json > "$newconfig"
 ctr_id=$(crictl create "$pod_id" "$newconfig" "$TESTDATA"/sandbox_config.json)
 crictl start "$ctr_id"
- wait_until_exit "$ctr_id"
+ EXPECTED_EXIT_STATUS=1 wait_until_exit "$ctr_id"
 }
 @test "ctr create with non-existent command" {
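Review bot: `EXPECTED_EXIT_STATUS=1 wait_until_exit "$ctr_id"` only pins that the container's command exits non-zero, so the test would still pass if the write failed for an unrelated reason (missing binary, wrong path) rather than because /etc/resolv.conf is mounted read-only, which is exactly the kind of silent drift that let the earlier regression go unnoticed. Tying the assertion to the cause, for example `crictl logs "$ctr_id" 2>&1 | grep -q 'Read-only file system'` after the wait (assuming the command prints the write error), or checking the mount's options from inside the container, would make the test fail only for the right reason. What the container command in "$newconfig" does and how wait_until_exit consumes EXPECTED_EXIT_STATUS are outside this hunk.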