Merge pull request #3802 from filipochnik/docker-readonly-rootfs

Add ReadonlyRootfs option to the Docker driver
hashicorp · Jan 29, 2018 · d11fdc7 · d11fdc7
2 parents 172bea2 + 7507a1e
commit d11fdc7
Show file tree

Hide file tree

Showing 3 changed files with 30 additions and 0 deletions.
diff --git a/client/driver/docker.go b/client/driver/docker.go
@@ -216,6 +216,7 @@ type DockerDriverConfig struct {
 	Devices          []DockerDevice      `mapstructure:"devices"`            // To allow mounting USB or other serial control devices
 	CapAdd           []string            `mapstructure:"cap_add"`            // Flags to pass directly to cap-add
 	CapDrop          []string            `mapstructure:"cap_drop"`           // Flags to pass directly to cap-drop
+	ReadonlyRootfs   bool                `mapstructure:"readonly_rootfs"`    // Mount the container’s root filesystem as read only
 }
 
 func sliceMergeUlimit(ulimitsRaw map[string]string) ([]docker.ULimit, error) {
@@ -670,6 +671,9 @@ func (d *DockerDriver) Validate(config map[string]interface{}) error {
 			"cap_drop": {
 				Type: fields.TypeArray,
 			},
+			"readonly_rootfs": {
+				Type: fields.TypeBool,
+			},
 		},
 	}
 
@@ -1243,6 +1247,7 @@ func (d *DockerDriver) createContainerConfig(ctx *ExecContext, task *structs.Tas
 	hostConfig.SecurityOpt = driverConfig.SecurityOpt
 	hostConfig.Sysctls = driverConfig.Sysctl
 	hostConfig.Ulimits = driverConfig.Ulimit
+	hostConfig.ReadonlyRootfs = driverConfig.ReadonlyRootfs
 
 	hostConfig.NetworkMode = driverConfig.NetworkMode
 	if hostConfig.NetworkMode == "" {

diff --git a/client/driver/docker_test.go b/client/driver/docker_test.go
@@ -2247,3 +2247,25 @@ func TestDockerDriver_Kill(t *testing.T) {
 	err = handle.Kill()
 	assert.Nil(err)
 }
+
+func TestDockerDriver_ReadonlyRootfs(t *testing.T) {
+	if !tu.IsTravis() {
+		t.Parallel()
+	}
+	if !testutil.DockerIsConnected(t) {
+		t.Skip("Docker not connected")
+	}
+
+	task, _, _ := dockerTask(t)
+	task.Config["readonly_rootfs"] = true
+
+	client, handle, cleanup := dockerSetup(t, task)
+	defer cleanup()
+
+	waitForExist(t, client, handle)
+
+	container, err := client.InspectContainer(handle.ContainerID())
+	assert.Nil(t, err, "Error inspecting container: %v", err)
+
+	assert.True(t, container.HostConfig.ReadonlyRootfs, "ReadonlyRootfs option not set")
+}
diff --git a/website/source/docs/drivers/docker.html.md b/website/source/docs/drivers/docker.html.md
@@ -356,6 +356,9 @@ The `docker` driver supports the following configuration in the job spec.  Only
     }
     ```
 
+* `readonly_rootfs` - (Optional) `true` or `false` (default). Mount
+  the container's filesystem as read only.
+
 ### Container Name
 
 Nomad creates a container after pulling an image. Containers are named