Merge pull request #2570 from EduardoVega/2246-fix-chmod-ro-tmpfs-mount

Fix mount error when chmod RO tmpfs
opencontainers · Oct 26, 2020 · 9d4c02c · 9d4c02c
2 parents 6a28ca3 + fb4c27c
commit 9d4c02c
Show file tree

Hide file tree

Showing 2 changed files with 21 additions and 0 deletions.
diff --git a/libcontainer/rootfs_linux.go b/libcontainer/rootfs_linux.go
@@ -383,6 +383,12 @@ func mountToRootfs(m *configs.Mount, rootfs, mountLabel string, enableCgroupns b
 				return err
 			}
 		}
+		// Initially mounted rw in mountPropagate, remount to ro if flag set.
+		if m.Flags&unix.MS_RDONLY != 0 {
+			if err := remount(m, rootfs); err != nil {
+				return err
+			}
+		}
 		return nil
 	case "bind":
 		if err := prepareBindMount(m, rootfs); err != nil {
@@ -981,6 +987,12 @@ func mountPropagate(m *configs.Mount, rootfs string, mountLabel string) error {
 		flags &= ^unix.MS_RDONLY
 	}
 
+	// Mount it rw to allow chmod operation. A remount will be performed
+	// later to make it ro if set.
+	if m.Device == "tmpfs" {
+		flags &= ^unix.MS_RDONLY
+	}
+
 	copyUp := m.Extensions&configs.EXT_COPYUP == configs.EXT_COPYUP
 	if !(copyUp || strings.HasPrefix(dest, rootfs)) {
 		dest = filepath.Join(rootfs, dest)

diff --git a/tests/integration/mounts.bats b/tests/integration/mounts.bats
@@ -20,3 +20,12 @@ function teardown() {
 	[ "$status" -eq 0 ]
 	[[ "${lines[0]}" == *'/tmp/bind/config.json'* ]]
 }
+
+@test "runc run [ro tmpfs mount]" {
+	update_config 	' .mounts += [{"source": "tmpfs", "destination": "/mnt", "type": "tmpfs", "options": ["ro", "nodev", "nosuid", "mode=755"]}] 
+			| .process.args |= ["grep", "^tmpfs /mnt", "/proc/mounts"]' 
+
+	runc run test_ro_tmpfs_mount
+	[ "$status" -eq 0 ]
+	[[ "${lines[0]}" == *'ro,'* ]]
+}