From 809292da004228e4c286d65afc9d471281fa3ebb Mon Sep 17 00:00:00 2001 From: Karel Malec Date: Fri, 21 Jul 2017 13:05:15 +0200 Subject: [PATCH] Allow rkt driver to mount volumes read-only --- client/driver/rkt.go | 17 ++++++++++++++--- website/source/docs/drivers/rkt.html.md | 6 ++++-- 2 files changed, 18 insertions(+), 5 deletions(-) diff --git a/client/driver/rkt.go b/client/driver/rkt.go index a21ef809bdab..15791fdfe3ec 100644 --- a/client/driver/rkt.go +++ b/client/driver/rkt.go @@ -80,7 +80,7 @@ type RktDriverConfig struct { Net []string `mapstructure:"net"` // Networks for the containers PortMapRaw []map[string]string `mapstructure:"port_map"` // PortMap map[string]string `mapstructure:"-"` // A map of host port and the port name defined in the image manifest file - Volumes []string `mapstructure:"volumes"` // Host-Volumes to mount in, syntax: /path/to/host/directory:/destination/path/in/container + Volumes []string `mapstructure:"volumes"` // Host-Volumes to mount in, syntax: /path/to/host/directory:/destination/path/in/container[:readOnly] InsecureOptions []string `mapstructure:"insecure_options"` // list of args for --insecure-options NoOverlay bool `mapstructure:"no_overlay"` // disable overlayfs for rkt run 
@@ -319,11 +319,22 @@ func (d *RktDriver) Start(ctx *ExecContext, task *structs.Task) (*StartResponse,
 }
 for i, rawvol := range driverConfig.Volumes {
 parts := strings.Split(rawvol, ":")
- if len(parts) != 2 {
+ readOnly := "false"
+ // job spec:
+ // volumes = ["/host/path:/container/path[:readOnly]"]
+ // the third parameter is optional, mount is read-write by default
+ if len(parts) == 3 {
+ if parts[2] == "readOnly" {
+ d.logger.Printf("[DEBUG] Mounting %s:%s as readOnly", parts[0], parts[1])
+ readOnly = "true"
+ } else {
+ d.logger.Printf("[WARN] Unknown volume parameter '%s' ignored for mount %s", parts[2], parts[0])
+ }
+ } else if len(parts) != 2 {
 return nil, fmt.Errorf("invalid rkt volume: %q", rawvol)
 }
 volName := fmt.Sprintf("%s-%s-%d", d.DriverContext.allocID, sanitizedName, i)
- cmdArgs = append(cmdArgs, fmt.Sprintf("--volume=%s,kind=host,source=%s", volName, parts[0]))
+ cmdArgs = append(cmdArgs, fmt.Sprintf("--volume=%s,kind=host,source=%s,readOnly=%s", volName, parts[0], readOnly))
 cmdArgs = append(cmdArgs, fmt.Sprintf("--mount=volume=%s,target=%s", volName, parts[1]))
 }
 }
diff --git a/website/source/docs/drivers/rkt.html.md b/website/source/docs/drivers/rkt.html.md
index 3b25afb83da2..803eff6b4305 100644
--- a/website/source/docs/drivers/rkt.html.md
+++ b/website/source/docs/drivers/rkt.html.md
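Review bot: An unrecognised third field falls through to the `else` branch under `if parts[2] == "readOnly"`, which only logs a warning and leaves `readOnly` at `"false"`. The comparison is case-sensitive, so a job spec that writes the option in any other spelling gets the host path mounted read-write while its author believes the mount is restricted. An option whose purpose is to limit the container's access to the host should fail closed, so replace the warning with `return nil, fmt.Errorf("invalid rkt volume option %q in %q", parts[2], rawvol)`, which also matches how the existing `len(parts) != 2` case is rejected. Start's body begins and ends outside this hunk, so this is judged only from the volume loop shown here.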
@@ -103,12 +103,14 @@ The `rkt` driver supports the following configuration in the job spec: * `no_overlay` - (Optional) When enabled, will use `--no-overlay=true` flag for 'rkt run'. Useful when running jobs on older systems affected by https://github.com/rkt/rkt/issues/1922 -* `volumes` - (Optional) A list of `host_path:container_path` strings to bind +* `volumes` - (Optional) A list of `host_path:container_path[:readOnly]` strings to bind host paths to container paths. + Mount is done read-write by default; an optional third parameter `readOnly` can be provided + to make it read-only. ```hcl config { - volumes = ["/path/on/host:/path/in/container"] + volumes = ["/path/on/host:/path/in/container", "/readonly/path/on/host:/path/in/container:readOnly"] } ```