Merge pull request #314 from bergwolf/rootfs_ro

support readonly rootfs

Author: laijs

src/api.h

@@ -2,7 +2,7 @@
 #define _HYPERSTART_API_H_
 
 // when APIVERSION < 1000000, the version MUST be exactly matched on both sides
-#define APIVERSION 4243
+#define APIVERSION 4244
 
 // control command id
 enum {

src/container.c

@@ -287,10 +287,13 @@ static int container_setup_mount(struct hyper_container *container)
 	char src[512];
 
 	// current dir is container rootfs, the operations on "./PATH" are the operations on container's "/PATH"
-	hyper_mkdir("./proc", 0755);
-	hyper_mkdir("./sys", 0755);
-	hyper_mkdir("./dev", 0755);
-	hyper_mkdir("./lib/modules", 0755);
+	if (!container->readonly) {
+		hyper_mkdir("./proc", 0755);
+		hyper_mkdir("./sys", 0755);
+		hyper_mkdir("./dev", 0755);
+		hyper_mkdir("./lib/modules", 0755);
+
+	}
 
 	if (mount("proc", "./proc", "proc", MS_NOSUID| MS_NODEV| MS_NOEXEC, NULL) < 0 ||
 	    mount("sysfs", "./sys", "sysfs", MS_NOSUID| MS_NODEV| MS_NOEXEC, NULL) < 0 ||
@@ -377,7 +380,7 @@ static int container_recreate_symlink(char *oldpath, char *newpath)
 static int container_setup_init_layer(struct hyper_container *container,
 				      int setup_dns)
 {
-	if (!container->initialize)
+	if (!container->initialize || container->readonly)
 		return 0;
 
 	hyper_mkdir("./etc/", 0755);
@@ -471,7 +474,7 @@ static int container_setup_hostname()
 
 static int container_setup_workdir(struct hyper_container *container)
 {
-	if (container->initialize) {
+	if (container->initialize && !container->readonly) {
 		// create workdir
 		return hyper_mkdir(container->exec.workdir, 0755);
 	}
@@ -572,6 +575,7 @@ static int hyper_setup_container_rootfs(void *data)
 	if (container->fstype) {
 		char dev[128];
 		char *options = NULL;
+		unsigned long flags = 0;
 
 		/* wait for rootfs ready message */
 		if (hyper_eventfd_recv(arg->container_root_dev_efd) < 0) {
@@ -587,10 +591,13 @@ static int hyper_setup_container_rootfs(void *data)
 		sprintf(dev, "/dev/%s", container->image);
 		fprintf(stdout, "device %s\n", dev);
 
+		if (container->readonly)
+			flags = MS_RDONLY;
+
 		if (!strncmp(container->fstype, "xfs", strlen("xfs")))
 			options = "nouuid";
 
-		if (mount(dev, root, container->fstype, 0, options) < 0) {
+		if (mount(dev, root, container->fstype, flags, options) < 0) {
 			perror("mount device failed");
 			goto fail;
 		}
@@ -604,6 +611,10 @@ static int hyper_setup_container_rootfs(void *data)
 			perror("mount src dir failed");
 			goto fail;
 		}
+		if (container->readonly && mount(NULL, root, NULL, MS_BIND | MS_REMOUNT | MS_RDONLY, NULL) < 0) {
+			perror("mount src dir readonly failed");
+			goto fail;
+		}
 	}
 
 	fprintf(stdout, "root directory for container is %s/%s, init task %s\n",

src/container.h

@@ -51,6 +51,7 @@ struct hyper_container {
 	int			sys_num;
 	int			ports_num;
 	int			initialize;
+	int			readonly;
 };
 
 struct hyper_pod;

src/parse.c

@@ -716,6 +716,12 @@ static int hyper_parse_container(struct hyper_pod *pod, struct hyper_container *
 				dbg_pr(stdout, "need to initialize container\n");
 			}
 			i++;
+		} else if (json_token_streq(json, t, "readOnly") && t->size == 1) {
+			if (!json_token_streq(json, &toks[++i], "false")) {
+				c->readonly = 1;
+				dbg_pr(stdout, "container rootfs is readonly\n");
+			}
+			i++;
 		} else if (json_token_streq(json, t, "ports") && t->size == 1) {
 			next = container_parse_ports(c, json, &toks[++i]);
 			if (next < 0)