Do not make read-only mounts recursively read-only

Docker v25 (API v1.44) treats read-only mounts as recursively read-only by default, but this appeared to be too much breaking for Kubernetes. So cri-dockerd has to disable RRO by setting `BindOptions.ReadOnlyNonRecursive`. Fix issue 309 Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
Mirantis · Feb 7, 2024 · 5a2762a · 5a2762a
1 parent 619729a
commit 5a2762a
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 2 deletions.
diff --git a/core/helpers_test.go b/core/helpers_test.go
@@ -330,13 +330,13 @@ func TestGenerateMountBindings(t *testing.T) {
 	}
 	expectedResult := []dockermount.Mount{
 		{Type: dockermount.TypeBind, Source: "/mnt/1", Target: "/var/lib/mysql/1", BindOptions: &dockermount.BindOptions{CreateMountpoint: true}},
-		{Type: dockermount.TypeBind, Source: "/mnt/2", Target: "/var/lib/mysql/2", ReadOnly: true, BindOptions: &dockermount.BindOptions{CreateMountpoint: true}},
+		{Type: dockermount.TypeBind, Source: "/mnt/2", Target: "/var/lib/mysql/2", ReadOnly: true, BindOptions: &dockermount.BindOptions{CreateMountpoint: true, ReadOnlyNonRecursive: true}},
 		{Type: dockermount.TypeBind, Source: "/mnt/3", Target: "/var/lib/mysql/3", BindOptions: &dockermount.BindOptions{CreateMountpoint: true}}, // Relabeling is not handled here
 		{Type: dockermount.TypeBind, Source: "/mnt/4", Target: "/var/lib/mysql/4", BindOptions: &dockermount.BindOptions{CreateMountpoint: true}},
 		{Type: dockermount.TypeBind, Source: "/mnt/5", Target: "/var/lib/mysql/5", BindOptions: &dockermount.BindOptions{CreateMountpoint: true, Propagation: dockermount.PropagationRSlave}},
 		{Type: dockermount.TypeBind, Source: "/mnt/6", Target: "/var/lib/mysql/6", BindOptions: &dockermount.BindOptions{CreateMountpoint: true, Propagation: dockermount.PropagationRShared}},
 		{Type: dockermount.TypeBind, Source: "/mnt/7", Target: "/var/lib/mysql/7", BindOptions: &dockermount.BindOptions{CreateMountpoint: true}},
-		{Type: dockermount.TypeBind, Source: "/mnt/8", Target: "/var/lib/mysql/8", ReadOnly: true, BindOptions: &dockermount.BindOptions{CreateMountpoint: true, Propagation: dockermount.PropagationRShared}}, // Relabeling is not handled here
+		{Type: dockermount.TypeBind, Source: "/mnt/8", Target: "/var/lib/mysql/8", ReadOnly: true, BindOptions: &dockermount.BindOptions{CreateMountpoint: true, ReadOnlyNonRecursive: true, Propagation: dockermount.PropagationRShared}}, // Relabeling is not handled here
 	}
 	result := libdocker.GenerateMountBindings(mounts, "")
 

diff --git a/libdocker/helpers.go b/libdocker/helpers.go
@@ -226,6 +226,11 @@ func GenerateMountBindings(mounts []*v1.Mount, terminationMessagePath string) []
 		}
 		if m.Readonly {
 			bind.ReadOnly = true
+
+			// Docker v25 treats read-only mounts as recursively read-only by default,
+			// but this appeared to be too much breaking for Kubernetes
+			// https://github.com/Mirantis/cri-dockerd/issues/309
+			bind.BindOptions.ReadOnlyNonRecursive = true
 		}
 		switch m.Propagation {
 		case v1.MountPropagation_PROPAGATION_PRIVATE: