stage1: implement read-only rootfs #2612
Conversation
| @@ -720,10 +724,10 @@ func writeEnvFile(p *stage1commontypes.Pod, env types.Environment, appName types | |||
|
|
|||
| // PodToSystemd creates the appropriate systemd service unit files for | |||
| // all the constituent apps of the Pod | |||
| func PodToSystemd(p *stage1commontypes.Pod, interactive bool, flavor string, privateUsers string) error { | |||
| func PodToSystemd(p *stage1commontypes.Pod, interactive bool, flavor string, privateUsers string, rootFsIsReadOnly bool) error { | |||
There was a problem hiding this comment.
Needs functional tests
tmrts
force-pushed
the
implement/read-only-rootfs
branch
from
31d150e
to
8b8fb81
Compare
| @@ -386,7 +386,7 @@ func findBinPath(p *stage1commontypes.Pod, appName types.ACName, app types.App, | |||
| } | |||
|
|
|||
| // appToSystemd transforms the provided RuntimeApp+ImageManifest into systemd units | |||
| func appToSystemd(p *stage1commontypes.Pod, ra *schema.RuntimeApp, interactive bool, flavor string, privateUsers string) error { | |||
| func appToSystemd(p *stage1commontypes.Pod, ra *schema.RuntimeApp, interactive bool, flavor string, privateUsers string, rootFsIsReadOnly bool) error { | |||
There was a problem hiding this comment.
we should really think about refactoring this function, it becomes bigger and bigger, maybe in "functional options" style.
There was a problem hiding this comment.
Please open a PR for functional options and assign it to me 👍
There was a problem hiding this comment.
@s-urbaniak Thank you :)
|
This needs to be per-app, not per-pod, e.g. https://github.com/coreos/rkt/blob/623fc3140681aeff1f353717a4943e2538769c51/rkt/run.go#L96 |
jonboulle
added
needs/some-changes
priority/P0
and removed
needs/review
priority/P1
labels
tmrts
force-pushed
the
implement/read-only-rootfs
branch
from
8b8fb81
to
0f304fc
Compare
tmrts
changed the title
|
Depends on appc/spec#603 @jonboulle PTAL |
tmrts
added
needs/review
depends-on/appc
do not merge
and removed
needs/some-changes
labels
tmrts
force-pushed
the
implement/read-only-rootfs
branch
from
0f304fc
to
2918d04
Compare
| @@ -465,6 +465,10 @@ func appToSystemd(p *stage1commontypes.Pod, ra *schema.RuntimeApp, interactive b | |||
| unit.NewUnitOption("Service", "CapabilityBoundingSet", strings.Join(capabilitiesStr, " ")), | |||
| } | |||
|
|
|||
| if ra.ReadOnlyRootFS { | |||
| opts = append(opts, unit.NewUnitOption("Service", "ReadOnlyDirectory", "/")) | |||
There was a problem hiding this comment.
Indeed, spelling mistake.
I also wonder if we need to add ReadWriteDirectories= for the RW volumes when we have a read-only rootfs.
More tests to add in tests/rkt_volume_test.go?
|
Shouldn't we expose a CLI option too? |
|
yeah we should On Thu, May 12, 2016 at 2:59 PM, Iago López Galeiras <
|
|
Basically we need appReadOnlyRootFS On Thu, May 12, 2016 at 3:01 PM, Tamer TAS notifications@github.com wrote:
|
|
Actually, read only flag is NOT blocking for this, because rktnetes always generates pod manifests anyway. |
|
So we can do that in a follow-up. Sorry about all the github spam, tra la la la |
|
Does it work fine with volumes? E.g. a read-write "host" volume + this new rootfs-read-only option. Does the volume stay read-write as expected? |
We probably need to add the target mountpoints to ReadWriteDirectories (if RW)... |
tmrts
force-pushed
the
implement/read-only-rootfs
branch
2 times, most recently
from
087d17d
to
3fca517
Compare
tmrts
force-pushed
the
implement/read-only-rootfs
branch
2 times, most recently
from
2301627
to
499da86
Compare
tmrts
force-pushed
the
implement/read-only-rootfs
branch
from
499da86
to
9fb0614
Compare
| @@ -367,6 +598,32 @@ func TestPodManifest(t *testing.T) { | |||
| "", | |||
| }, | |||
| { | |||
| // Simple read after write with volume mounted in a read-only rootfs, no apps in pod manifest. | |||
There was a problem hiding this comment.
I don't understand this one. There is no mount point, so the volume is not mounted and the test writes directly in the read-only rootfs. Why does it pass?
There was a problem hiding this comment.
ReadOnlyRootFS is not set 😄
There was a problem hiding this comment.
Nevermind my previous comment, you're correct
|
Can we have a summary somewhere of the tests added?
|
| | `--stage1-hash` | none | Image hash (ex. `--stage1-hash=sha512-dedce9f5ea50`) | A hash of a stage1 image. The image must exist in the store. | | ||
| | `--stage1-name` | none | Image name (ex. `--stage1-name=coreos.com/rkt/stage1-coreos`) | A name of a stage1 image. Will perform a discovery if the image is not in the store. | | ||
| | `--stage1-path` | none | Absolute or relative path | A path to a stage1 image. | | ||
| | `--stage1-url` | none | URL with protocol | A URL to a stage1 image. HTTP/HTTPS/File/Docker URLs are supported. | |
There was a problem hiding this comment.
If you sort this, you should also sort the same in Documentation/subcommands/prepare.md
There was a problem hiding this comment.
This could be done in a follow-up PR if you prefer.
There was a problem hiding this comment.
I sorted this because this PR was originally implementing runtime flags, I'll submit another PR for sorting docs
Using the Pod manifest `readOnlyRootFS` option mounts the rootfs of the app as read-only using systemd-exec unit option `ReadOnlyDirectories`. Uses `ReadWriteDirectories` systemd-exec unit option for mounting read-write volumes. Fixes rkt#2487
Tests shouldn't fail completely when a case fails
tmrts
force-pushed
the
implement/read-only-rootfs
branch
from
9fb0614
to
2526677
Compare
Using the Pod manifest
readOnlyRootFSoption mounts the rootfs of the appas read-only using systemd-exec unit option
ReadOnlyDirectories.Fixes #2487