Skip to content
This repository was archived by the owner on Oct 13, 2023. It is now read-only.

[18.03] backport daemon/setMounts(): do not make /dev/shm ro#459

Merged
andrewhsu merged 2 commits intodocker-archive:18.03from
thaJeztah:18.03-backport-ipc-ro
Mar 14, 2018
Merged

[18.03] backport daemon/setMounts(): do not make /dev/shm ro#459
andrewhsu merged 2 commits intodocker-archive:18.03from
thaJeztah:18.03-backport-ipc-ro

Conversation

@thaJeztah
Copy link
Copy Markdown
Member

@thaJeztah thaJeztah commented Mar 12, 2018

Backport of moby/moby#36526 for 18.03 (fixes moby/moby#36503)

git checkout -b 18.03-backport-ipc-ro upstream/18.03
git cherry-pick -s -S -x -Xsubtree=components/engine cad74056c09f6276b0f4a996a1511553177cd3d7
git cherry-pick -s -S -x -Xsubtree=components/engine 33dd562e3acff71ee18a2543d14fcbecf9bf0e62

no conflicts

@kolyshkin @thaJeztah
daemon/setMounts(): do not make /dev/shm ro
e22655d 
It has been pointed out that if --read-only flag is given, /dev/shm
also becomes read-only in case of --ipc private.

This happens because in this case the mount comes from OCI spec
(since commit 7120976), and is a regression caused by that
commit.

The meaning of --read-only flag is to only have a "main" container
filesystem read-only, not the auxiliary stuff (that includes /dev/shm,
other mounts and volumes, --tmpfs, /proc, /dev and so on).

So, let's make sure /dev/shm that comes from OCI spec is not made
read-only.

Fixes: 7120976 ("Implement none, private, and shareable ipc modes")

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit cad7405)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
@kolyshkin @thaJeztah
daemon/oci_linux_test: add TestIpcPrivateVsReadonly
c64a65b 
The test case checks that in case of IpcMode: private and
ReadonlyRootfs: true (as in "docker run --ipc private --read-only")
the resulting /dev/shm mount is NOT made read-only.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit 33dd562)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
@thaJeztah thaJeztah added this to the 18.03.0 milestone Mar 12, 2018
@thaJeztah
Copy link
Copy Markdown
Member Author

thaJeztah commented Mar 12, 2018

ping @kolyshkin @justincormack PTAL

@kolyshkin
Copy link
Copy Markdown
Contributor

kolyshkin commented Mar 13, 2018

LGTM

seemethere
seemethere approved these changes Mar 13, 2018
View reviewed changes
Copy link
Copy Markdown
Contributor

@seemethere seemethere left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@andrewhsu andrewhsu merged commit 1dd3bdc into docker-archive:18.03 Mar 14, 2018
@thaJeztah thaJeztah deleted the 18.03-backport-ipc-ro branch March 14, 2018 20:10
silvin-lubecki pushed a commit to silvin-lubecki/docker-ce that referenced this pull request Jan 31, 2020
@andrewhsu
Merge pull request docker-archive#459 from thaJeztah/18.03-backport-i…
7493950 
…pc-ro

[18.03] backport daemon/setMounts(): do not make /dev/shm ro
docker-jenkins pushed a commit that referenced this pull request Apr 28, 2020
@tiborvass
Merge pull request #459 from StefanScherer/add-rhel-7-s390x
bd9d1c4 
[master] Add rhel for s390x
Upstream-commit: f969b64
Component: packaging
akrasnov-drv pushed a commit to drivenets/docker-ce that referenced this pull request Apr 23, 2023
@tiborvass
Merge pull request docker-archive#459 from StefanScherer/add-rhel-7-s…
f969b64 
…390x

[master] Add rhel for s390x
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

1 more reviewer

@seemethere seemethere seemethere approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

18.03.0

Development

Successfully merging this pull request may close these issues.

4 participants

@thaJeztah @kolyshkin @seemethere @andrewhsu