From 5a2762a353f0153dfbc2098fce00b4c2941cd984 Mon Sep 17 00:00:00 2001
From: Akihiro Suda
Date: Sun, 4 Feb 2024 19:46:51 +0900
Subject: [PATCH] Do not make read-only mounts recursively read-only

Docker v25 (API v1.44) treats read-only mounts as recursively read-only by default, but this appeared to be too much breaking for Kubernetes. So cri-dockerd has to disable RRO by setting `BindOptions.ReadOnlyNonRecursive`.

Fix issue 309

Signed-off-by: Akihiro Suda
---
 core/helpers_test.go | 4 ++--
 libdocker/helpers.go | 5 +++++
 2 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/core/helpers_test.go b/core/helpers_test.go
index 42bbce70b..df26d0e1e 100644
--- a/core/helpers_test.go
+++ b/core/helpers_test.go
@@ -330,13 +330,13 @@ func TestGenerateMountBindings(t *testing.T) {
 	}
 	expectedResult := []dockermount.Mount{
 		{Type: dockermount.TypeBind, Source: "/mnt/1", Target: "/var/lib/mysql/1", BindOptions: &dockermount.BindOptions{CreateMountpoint: true}},
-		{Type: dockermount.TypeBind, Source: "/mnt/2", Target: "/var/lib/mysql/2", ReadOnly: true, BindOptions: &dockermount.BindOptions{CreateMountpoint: true}},
+		{Type: dockermount.TypeBind, Source: "/mnt/2", Target: "/var/lib/mysql/2", ReadOnly: true, BindOptions: &dockermount.BindOptions{CreateMountpoint: true, ReadOnlyNonRecursive: true}},
 		{Type: dockermount.TypeBind, Source: "/mnt/3", Target: "/var/lib/mysql/3", BindOptions: &dockermount.BindOptions{CreateMountpoint: true}}, // Relabeling is not handled here
 		{Type: dockermount.TypeBind, Source: "/mnt/4", Target: "/var/lib/mysql/4", BindOptions: &dockermount.BindOptions{CreateMountpoint: true}},
 		{Type: dockermount.TypeBind, Source: "/mnt/5", Target: "/var/lib/mysql/5", BindOptions: &dockermount.BindOptions{CreateMountpoint: true, Propagation: dockermount.PropagationRSlave}},
 		{Type: dockermount.TypeBind, Source: "/mnt/6", Target: "/var/lib/mysql/6", BindOptions: &dockermount.BindOptions{CreateMountpoint: true, Propagation: dockermount.PropagationRShared}},
 		{Type: dockermount.TypeBind, Source: "/mnt/7", Target: "/var/lib/mysql/7", BindOptions: &dockermount.BindOptions{CreateMountpoint: true}},
-		{Type: dockermount.TypeBind, Source: "/mnt/8", Target: "/var/lib/mysql/8", ReadOnly: true, BindOptions: &dockermount.BindOptions{CreateMountpoint: true, Propagation: dockermount.PropagationRShared}}, // Relabeling is not handled here
+		{Type: dockermount.TypeBind, Source: "/mnt/8", Target: "/var/lib/mysql/8", ReadOnly: true, BindOptions: &dockermount.BindOptions{CreateMountpoint: true, ReadOnlyNonRecursive: true, Propagation: dockermount.PropagationRShared}}, // Relabeling is not handled here
 	}
 	result := libdocker.GenerateMountBindings(mounts, "")
diff --git a/libdocker/helpers.go b/libdocker/helpers.go
index 37e339dee..f5b91ed06 100644
--- a/libdocker/helpers.go
+++ b/libdocker/helpers.go
@@ -226,6 +226,11 @@ func GenerateMountBindings(mounts []*v1.Mount, terminationMessagePath string) []
 		}
 		if m.Readonly {
 			bind.ReadOnly = true
+
+			// Docker v25 treats read-only mounts as recursively read-only by default,
+			// but this appeared to be too much breaking for Kubernetes
+			// https://github.com/Mirantis/cri-dockerd/issues/309
+			bind.BindOptions.ReadOnlyNonRecursive = true
 		}
 		switch m.Propagation {
 		case v1.MountPropagation_PROPAGATION_PRIVATE:
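Review bot: The added `bind.BindOptions.ReadOnlyNonRecursive = true` dereferences `bind.BindOptions` with no nil check inside the `if m.Readonly` branch; the expectations in core/helpers_test.go show every generated bind carrying `BindOptions{CreateMountpoint: true}`, so the pointer is presumably allocated earlier in GenerateMountBindings, but that allocation is outside this hunk and should be confirmed before relying on it. The flag is also set unconditionally while the description ties it to Docker v25 / API v1.44; if cri-dockerd can negotiate an older API version with the daemon, check whether the field is accepted or causes the create request to be rejected. The comment explains the motivation but not the effect, which matters because it narrows a guarantee that pod authors may read as recursive: the bind itself is read-only, but mounts nested beneath the source are not made read-only. I would replace the three comment lines with `// Keep only the top-level bind read-only; submounts beneath the source are not made read-only (pre-Docker-v25 semantics).` followed by the existing issue link, so the reduced guarantee is visible at the point it is chosen. GenerateMountBindings begins and ends outside this hunk.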