Merge pull request #2883 from kmalec/add-support-for-readonly-mount

rkt driver support for read-only volumes mounts
hashicorp · Jul 31, 2017 · 1585a5b · 1585a5b
2 parents 6641999 + 809292d
commit 1585a5b
Show file tree

Hide file tree

Showing 2 changed files with 18 additions and 5 deletions.
diff --git a/client/driver/rkt.go b/client/driver/rkt.go
@@ -80,7 +80,7 @@ type RktDriverConfig struct {
 	Net              []string            `mapstructure:"net"`                // Networks for the containers
 	PortMapRaw       []map[string]string `mapstructure:"port_map"`           //
 	PortMap          map[string]string   `mapstructure:"-"`                  // A map of host port and the port name defined in the image manifest file
-	Volumes          []string            `mapstructure:"volumes"`            // Host-Volumes to mount in, syntax: /path/to/host/directory:/destination/path/in/container
+	Volumes          []string            `mapstructure:"volumes"`            // Host-Volumes to mount in, syntax: /path/to/host/directory:/destination/path/in/container[:readOnly]
 	InsecureOptions  []string            `mapstructure:"insecure_options"`   // list of args for --insecure-options
 
 	NoOverlay bool `mapstructure:"no_overlay"` // disable overlayfs for rkt run
@@ -319,11 +319,22 @@ func (d *RktDriver) Start(ctx *ExecContext, task *structs.Task) (*StartResponse,
 		}
 		for i, rawvol := range driverConfig.Volumes {
 			parts := strings.Split(rawvol, ":")
-			if len(parts) != 2 {
+			readOnly := "false"
+			// job spec:
+			//   volumes = ["/host/path:/container/path[:readOnly]"]
+			// the third parameter is optional, mount is read-write by default
+			if len(parts) == 3 {
+				if parts[2] == "readOnly" {
+					d.logger.Printf("[DEBUG] Mounting %s:%s as readOnly", parts[0], parts[1])
+					readOnly = "true"
+				} else {
+					d.logger.Printf("[WARN] Unknown volume parameter '%s' ignored for mount %s", parts[2], parts[0])
+				}
+			} else if len(parts) != 2 {
 				return nil, fmt.Errorf("invalid rkt volume: %q", rawvol)
 			}
 			volName := fmt.Sprintf("%s-%s-%d", d.DriverContext.allocID, sanitizedName, i)
-			cmdArgs = append(cmdArgs, fmt.Sprintf("--volume=%s,kind=host,source=%s", volName, parts[0]))
+			cmdArgs = append(cmdArgs, fmt.Sprintf("--volume=%s,kind=host,source=%s,readOnly=%s", volName, parts[0], readOnly))
 			cmdArgs = append(cmdArgs, fmt.Sprintf("--mount=volume=%s,target=%s", volName, parts[1]))
 		}
 	}

diff --git a/website/source/docs/drivers/rkt.html.md b/website/source/docs/drivers/rkt.html.md
@@ -103,12 +103,14 @@ The `rkt` driver supports the following configuration in the job spec:
 * `no_overlay` - (Optional) When enabled, will use `--no-overlay=true` flag for 'rkt run'.
   Useful when running jobs on older systems affected by https://github.com/rkt/rkt/issues/1922
 
-* `volumes` - (Optional) A list of `host_path:container_path` strings to bind
+* `volumes` - (Optional) A list of `host_path:container_path[:readOnly]` strings to bind
   host paths to container paths.
+  Mount is done read-write by default; an optional third parameter `readOnly` can be provided
+  to make it read-only.
 
     ```hcl
     config {
-      volumes = ["/path/on/host:/path/in/container"]
+      volumes = ["/path/on/host:/path/in/container", "/readonly/path/on/host:/path/in/container:readOnly"]
     }
     ```