Conversation
@@ -720,10 +724,10 @@ func writeEnvFile(p *stage1commontypes.Pod, env types.Environment, appName types | |||
|
|||
// PodToSystemd creates the appropriate systemd service unit files for | |||
// all the constituent apps of the Pod | |||
func PodToSystemd(p *stage1commontypes.Pod, interactive bool, flavor string, privateUsers string) error { | |||
func PodToSystemd(p *stage1commontypes.Pod, interactive bool, flavor string, privateUsers string, rootFsIsReadOnly bool) error { |
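Review bot: rootFsIsReadOnly is threaded into PodToSystemd as one pod-wide bool, but the setting it controls is declared per app in the pod manifest (the later hunk reads it from ra.ReadOnlyRootFS), so a single pod-level flag cannot express one read-only app next to a writable one; drop the parameter and derive the value per app from the RuntimeApp, and if it stays, extend the doc comment above the signature to say what it does.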
Needs functional tests
@@ -386,7 +386,7 @@ func findBinPath(p *stage1commontypes.Pod, appName types.ACName, app types.App, | |||
} | |||
|
|||
// appToSystemd transforms the provided RuntimeApp+ImageManifest into systemd units | |||
func appToSystemd(p *stage1commontypes.Pod, ra *schema.RuntimeApp, interactive bool, flavor string, privateUsers string) error { | |||
func appToSystemd(p *stage1commontypes.Pod, ra *schema.RuntimeApp, interactive bool, flavor string, privateUsers string, rootFsIsReadOnly bool) error { |
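Review bot: appToSystemd now takes five trailing scalar parameters (interactive bool, flavor string, privateUsers string, rootFsIsReadOnly bool) that are indistinguishable at the call site, and the new one duplicates a field already reachable through the ra *schema.RuntimeApp argument; read ra.ReadOnlyRootFS inside the function instead of adding the parameter, and move the remaining flags to a functional-options struct so further additions do not keep widening the signature.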
We should really think about refactoring this function; it is getting bigger and bigger, maybe in "functional options" style.
Please open a PR for functional options and assign it to me 👍
done #2616
@s-urbaniak Thank you :)
This needs to be per-app, not per-pod, e.g. https://github.com/coreos/rkt/blob/623fc3140681aeff1f353717a4943e2538769c51/rkt/run.go#L96
Depends on appc/spec#603 @jonboulle PTAL
@@ -465,6 +465,10 @@ func appToSystemd(p *stage1commontypes.Pod, ra *schema.RuntimeApp, interactive b | |||
unit.NewUnitOption("Service", "CapabilityBoundingSet", strings.Join(capabilitiesStr, " ")), | |||
} | |||
|
|||
if ra.ReadOnlyRootFS { | |||
opts = append(opts, unit.NewUnitOption("Service", "ReadOnlyDirectory", "/")) |
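Review bot: `ReadOnlyDirectory` is not a systemd directive; the [Service] option is ReadOnlyDirectories=, and systemd logs an unknown-lvalue warning and ignores a key it does not recognise, so as written the app starts with a fully writable rootfs and no error surfaces. Read-write volumes mounted inside the rootfs also need their target paths listed in ReadWriteDirectories=, otherwise the blanket ReadOnlyDirectories=/ makes them read-only as well; a functional test that writes to a RW volume under a read-only rootfs would catch both problems.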
Isn't it `ReadOnlyDirectories`?
Indeed, spelling mistake.
I also wonder if we need to add ReadWriteDirectories= for the RW volumes when we have a read-only rootfs.
More tests to add in tests/rkt_volume_test.go?
ack
Shouldn't we expose a CLI option too?
yeah we should
On Thu, May 12, 2016 at 2:59 PM, Iago López Galeiras <
Basically we need appReadOnlyRootFS
On Thu, May 12, 2016 at 3:01 PM, Tamer TAS notifications@github.com wrote:
Actually, read only flag is NOT blocking for this, because rktnetes always generates pod manifests anyway.
So we can do that in a follow-up. Sorry about all the github spam, tra la la la
Does it work fine with volumes? E.g. a read-write "host" volume + this new rootfs-read-only option. Does the volume stay read-write as expected?
We probably need to add the target mountpoints to ReadWriteDirectories (if RW)...
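The combination discussed above (a read-only rootfs via `ReadOnlyDirectories=/` with the read-write volume mount points carved back out via `ReadWriteDirectories=`), as an added example that is not rkt's own code: it models only the appc fields it needs (assumed stand-ins for `schema.RuntimeApp` and its mount points) and a `UnitOption` struct shaped like go-systemd's, and emits the exact directive names systemd accepts.

```go
package main

import (
	"fmt"
	"strings"
)

// Stand-ins for the appc schema fields the PR reads (assumption: the real types
// live in github.com/appc/spec; only the fields used here are modelled).
type MountPoint struct {
	Path     string
	ReadOnly bool
}

type RuntimeApp struct {
	ReadOnlyRootFS bool
	MountPoints    []MountPoint
}
// UnitOption mirrors the (section, name, value) shape of go-systemd's unit.UnitOption.
type UnitOption struct{ Section, Name, Value string }

// rootFSOptions derives the [Service] options that make the app rootfs read-only
// while keeping read-write volume mount points writable. systemd only warns on an
// unknown directive, so a misspelled "ReadOnlyDirectory" would leave the rootfs writable.
func rootFSOptions(ra RuntimeApp) []UnitOption {
	if !ra.ReadOnlyRootFS {
		return nil
	}
	opts := []UnitOption{{"Service", "ReadOnlyDirectories", "/"}}
	var rw []string
	for _, mp := range ra.MountPoints {
		if !mp.ReadOnly {
			rw = append(rw, mp.Path)
		}
	}
	if len(rw) > 0 {
		opts = append(opts, UnitOption{"Service", "ReadWriteDirectories", strings.Join(rw, " ")})
	}
	return opts
}

func main() {
	// Constructed sample: a read-write data volume plus a read-only config volume.
	app := RuntimeApp{ReadOnlyRootFS: true, MountPoints: []MountPoint{
		{Path: "/var/lib/data"}, {Path: "/etc/app", ReadOnly: true},
	}}
	for _, o := range rootFSOptions(app) {
		fmt.Printf("[%s] %s=%s\n", o.Section, o.Name, o.Value)
	}
}
```

Only the read-write mount points are listed in `ReadWriteDirectories=`; read-only volumes stay covered by the blanket `ReadOnlyDirectories=/`.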
@@ -367,6 +598,32 @@ func TestPodManifest(t *testing.T) { | |||
"", | |||
}, | |||
{ | |||
// Simple read after write with volume mounted in a read-only rootfs, no apps in pod manifest. |
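Review bot: the case comment says "volume mounted in a read-only rootfs", but with no mount point the volume is never mounted and the write goes straight into the rootfs; the case only passes because readOnlyRootFS is not set for it. Either set readOnlyRootFS together with a mountPoint so the case exercises the new option, or reword the comment to describe what it actually checks (a plain write into a writable rootfs).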
I don't understand this one. There is no mount point, so the volume is not mounted and the test writes directly in the read-only rootfs. Why does it pass?
`ReadOnlyRootFS` is not set 😄
Nevermind my previous comment, you're correct
Can we have a summary somewhere of the tests added?
| `--stage1-hash` | none | Image hash (ex. `--stage1-hash=sha512-dedce9f5ea50`) | A hash of a stage1 image. The image must exist in the store. | | ||
| `--stage1-name` | none | Image name (ex. `--stage1-name=coreos.com/rkt/stage1-coreos`) | A name of a stage1 image. Will perform a discovery if the image is not in the store. | | ||
| `--stage1-path` | none | Absolute or relative path | A path to a stage1 image. | | ||
| `--stage1-url` | none | URL with protocol | A URL to a stage1 image. HTTP/HTTPS/File/Docker URLs are supported. | |
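Review bot: reordering the `--stage1-*` rows here without applying the same order to the same table in Documentation/subcommands/prepare.md leaves the two documents sorted differently; either sort both in this PR or move the doc reordering into a separate follow-up so the runtime change stays reviewable on its own.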
If you sort this, you should also sort the same in Documentation/subcommands/prepare.md
This could be done in a follow-up PR if you prefer.
I sorted this because this PR was originally implementing runtime flags; I'll submit another PR for sorting the docs.
Using the Pod manifest `readOnlyRootFS` option mounts the rootfs of the app as read-only using systemd-exec unit option `ReadOnlyDirectories`. Uses `ReadWriteDirectories` systemd-exec unit option for mounting read-write volumes. Fixes rkt#2487
Tests shouldn't fail completely when a case fails
Using the Pod manifest `readOnlyRootFS` option mounts the rootfs of the app as read-only using systemd-exec unit option `ReadOnlyDirectories`. Fixes #2487