Support recursively read-only (RRO) bind mounts (kernel >= 5.12) #44978
Labels
area/security
kind/enhancement
status/1-design-review
Description
e.g., `docker run -v /mnt:/mnt:rro,rprivate` to make its submounts, such as `/mnt/usbstorage`, read-only.

The existing `ro` mounts should remain non-recursive, for compatibility's sake.

The "rro" mount type has been supported by runc >= 1.1, on kernel >= 5.12.

The "rro" mount type has to be used in conjunction with `rprivate` propagation, in order to avoid accidentally having writable submounts. So, we should also have `rprivate` propagation (#44977). (Not a hard dependency, as `-v /foo:/bar:rprivate` does not automatically fall back to `rslave` when the propagation is explicitly specified.)

Related: `nerdctl run -v /foo:/bar:rro,rprivate` (containerd/nerdctl#511)

Fixes:
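The behaviour the issue describes, as an added example that is not code from moby, runc or nerdctl: a plain `ro` bind leaves a submount writable, while one recursive `mount_setattr(2)` call (kernel >= 5.12) makes every mount in the subtree read-only and sets private propagation at the same time, which is what the `rro,rprivate` combination asks for. The helper names (`count_writable_under`, `try_write`, `report`) and the tmpfs tree under `/tmp` standing in for `/mnt` and `/mnt/usbstorage` are this example's own assumptions; `count_writable_under` is the check a practitioner can run against `/proc/self/mountinfo` inside a container to confirm that no mount under the target is still `rw`. The demo in `main()` assumes unprivileged user namespaces are enabled; the mountinfo check needs no privileges.

```c
/* Added example (not moby/runc code): ":ro" versus ":rro,rprivate" on a bind
 * mount that has a submount, plus a check over /proc/self/mountinfo text. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mount.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Fallback definitions for headers that predate kernel 5.12 / glibc 2.36. */
#ifndef __NR_mount_setattr
#define __NR_mount_setattr 442
#endif
#ifndef MOUNT_ATTR_RDONLY
#define MOUNT_ATTR_RDONLY 0x00000001
#endif
#ifndef AT_RECURSIVE
#define AT_RECURSIVE 0x8000
#endif
#ifndef MOUNT_ATTR_SIZE_VER0
#define MOUNT_ATTR_SIZE_VER0 32
struct mount_attr { uint64_t attr_set, attr_clr, propagation, userns_fd; };
#endif
#ifndef CLONE_NEWNS
#define CLONE_NEWNS 0x00020000
#endif
#ifndef CLONE_NEWUSER
#define CLONE_NEWUSER 0x10000000
#endif

/* Count mounts at or below `prefix` whose per-mount options (field 6 of
 * /proc/self/mountinfo) are not "ro". 0 means the subtree is recursively
 * read-only; a plain ":ro" bind of a tree with submounts returns > 0. */
int count_writable_under(const char *mountinfo, const char *prefix)
{
    int writable = 0;
    size_t plen = strlen(prefix);
    char *copy = strdup(mountinfo), *lsave = NULL;
    for (char *line = strtok_r(copy, "\n", &lsave); line; line = strtok_r(NULL, "\n", &lsave)) {
        char *f[6], *fsave = NULL;
        int n = 0;
        for (char *t = strtok_r(line, " ", &fsave); t && n < 6; t = strtok_r(NULL, " ", &fsave))
            f[n++] = t;
        if (n < 6)
            continue; /* malformed line */
        const char *mnt = f[4], *opts = f[5];
        if (strncmp(mnt, prefix, plen) != 0 || (mnt[plen] != '\0' && mnt[plen] != '/'))
            continue; /* not under prefix ("/mnt2" is not under "/mnt") */
        if (strncmp(opts, "ro", 2) != 0 || (opts[2] != ',' && opts[2] != '\0'))
            writable++; /* per-mount flag is rw: this mount is still writable */
    }
    free(copy);
    return writable;
}

/* Try to create a file under dir; returns 0 on success or errno (EROFS when read-only). */
static int try_write(const char *dir)
{
    char path[256];
    snprintf(path, sizeof path, "%s/probe", dir);
    int fd = open(path, O_WRONLY | O_CREAT, 0600);
    if (fd < 0)
        return errno;
    close(fd);
    unlink(path);
    return 0;
}

static void write_file(const char *path, const char *text)
{
    int fd = open(path, O_WRONLY);
    if (fd < 0 || write(fd, text, strlen(text)) < 0) { perror(path); exit(1); }
    close(fd);
}

/* Probe the top mount and the submount, then run the mountinfo check on the live tree. */
static void report(const char *label, const char *top, const char *sub)
{
    static char info[1 << 16];
    int fd = open("/proc/self/mountinfo", O_RDONLY);
    ssize_t n = fd < 0 ? -1 : read(fd, info, sizeof info - 1);
    if (fd >= 0) close(fd);
    info[n > 0 ? n : 0] = '\0';
    printf("%s: write top=%s, write sub=%s, writable mounts under top=%d\n", label,
           strerror(try_write(top)), strerror(try_write(sub)), count_writable_under(info, top));
}

int main(void)
{
    char map[64], src[256], sub[256], dst[256], dstsub[256];
    char base[] = "/tmp/rro-demo-XXXXXX";
    unsigned uid = getuid(), gid = getgid();
    /* Unprivileged user + mount namespace, made rprivate so nothing leaks to the host. */
    if (syscall(__NR_unshare, CLONE_NEWUSER | CLONE_NEWNS) < 0) { perror("unshare"); return 1; }
    snprintf(map, sizeof map, "0 %u 1", uid); write_file("/proc/self/uid_map", map);
    write_file("/proc/self/setgroups", "deny");
    snprintf(map, sizeof map, "0 %u 1", gid); write_file("/proc/self/gid_map", map);
    if (mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL) < 0) { perror("rprivate"); return 1; }
    /* Source tree with a submount, standing in for /mnt and /mnt/usbstorage (constructed). */
    if (!mkdtemp(base)) { perror("mkdtemp"); return 1; }
    snprintf(src, sizeof src, "%s/src", base);  snprintf(sub, sizeof sub, "%s/src/usbstorage", base);
    snprintf(dst, sizeof dst, "%s/dst", base);  snprintf(dstsub, sizeof dstsub, "%s/dst/usbstorage", base);
    if (mkdir(src, 0755) || mkdir(dst, 0755) || mount("tmpfs", src, "tmpfs", 0, NULL) ||
        mkdir(sub, 0755) || mount("tmpfs", sub, "tmpfs", 0, NULL)) { perror("setup"); return 1; }
    /* -v src:dst is an rbind; ":ro" then remounts only the top mount read-only. */
    if (mount(src, dst, NULL, MS_BIND | MS_REC, NULL) ||
        mount(NULL, dst, NULL, MS_BIND | MS_REMOUNT | MS_RDONLY, NULL)) { perror("ro bind"); return 1; }
    report("ro ", dst, dstsub);
    /* ":rro,rprivate": one recursive mount_setattr sets RDONLY and private propagation on every mount. */
    struct mount_attr attr = { .attr_set = MOUNT_ATTR_RDONLY, .propagation = MS_PRIVATE };
    if (syscall(__NR_mount_setattr, -1, dst, AT_RECURSIVE, &attr, (size_t)MOUNT_ATTR_SIZE_VER0) < 0) {
        perror("mount_setattr (needs kernel >= 5.12)"); return 1;
    }
    report("rro", dst, dstsub);
    return 0;
}
```

The first `report` line shows the compatibility problem the issue keeps for `ro`: the top mount refuses the write with EROFS while the submount accepts it and the mountinfo check still counts one writable mount. After the recursive `mount_setattr` both writes fail and the count drops to zero. Propagation is set to private in the same call because a later mount propagated into the tree from a shared or slave peer would arrive without the read-only flag, which is the "accidentally writable submount" the `rprivate` requirement guards against. The empty `src` and `dst` directories are left under `/tmp` when the demo exits.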