Add ReadOnly flag to run containers in readonly mode

This is needed for Automotive.

Signed-off-by: Daniel J Walsh <[email protected]>

Author: rhatdan

docs/containers.conf.5.md

@@ -241,6 +241,10 @@ is imposed.
 
 Copy the content from the underlying image into the newly created volume when the container is created instead of when it is started. If `false`, the container engine will not copy the content until the container is started. Setting it to `true` may have negative performance implications.
 
+**read_only**=true|false
+
+Run all containers with root file system mounted read-only. Set to false by default.
+
 **seccomp_profile**="/usr/share/containers/seccomp.json"
 
 Path to the seccomp.json profile which is used as the default seccomp profile

pkg/config/config.go

@@ -194,6 +194,9 @@ type ContainersConfig struct {
 	// performance implications.
 	PrepareVolumeOnCreate bool `toml:"prepare_volume_on_create,omitempty"`
 
+	// ReadOnly causes engine to run all containers with root file system mounted read-only
+	ReadOnly bool `toml:"read_only,omitempty"`
+
 	// SeccompProfile is the seccomp.json profile path which is used as the
 	// default for the runtime.
 	SeccompProfile string `toml:"seccomp_profile,omitempty"`

pkg/config/config_test.go

@@ -29,6 +29,7 @@ var _ = Describe("Config", func() {
 			gomega.Expect(defaultConfig.Containers.ApparmorProfile).To(gomega.Equal(apparmor.Profile))
 			gomega.Expect(defaultConfig.Containers.BaseHostsFile).To(gomega.Equal(""))
 			gomega.Expect(defaultConfig.Containers.PidsLimit).To(gomega.BeEquivalentTo(2048))
+			gomega.Expect(defaultConfig.Containers.ReadOnly).To(gomega.BeFalse())
 			gomega.Expect(defaultConfig.Engine.ServiceTimeout).To(gomega.BeEquivalentTo(5))
 			gomega.Expect(defaultConfig.NetNS()).To(gomega.BeEquivalentTo("private"))
 			gomega.Expect(defaultConfig.IPCNS()).To(gomega.BeEquivalentTo("shareable"))
@@ -443,6 +444,7 @@ image_copy_tmp_dir="storage"`
 			gomega.Expect(config.Containers.LogDriver).To(gomega.Equal("journald"))
 			gomega.Expect(config.Containers.LogTag).To(gomega.Equal("{{.Name}}|{{.ID}}"))
 			gomega.Expect(config.Containers.LogSizeMax).To(gomega.Equal(int64(100000)))
+			gomega.Expect(config.Containers.ReadOnly).To(gomega.BeTrue())
 			gomega.Expect(config.Engine.ImageParallelCopies).To(gomega.Equal(uint(10)))
 			gomega.Expect(config.Engine.PlatformToOCIRuntime).To(gomega.Equal(PlatformToOCIRuntimeMap))
 			gomega.Expect(config.Engine.ImageDefaultFormat).To(gomega.Equal("v2s2"))

pkg/config/containers.conf

@@ -216,6 +216,10 @@ default_sysctls = [
 #
 #prepare_volume_on_create = false
 
+# Run all containers with root file system mounted read-only
+#
+# read_only: false
+
 # Path to the seccomp.json profile which is used as the default seccomp profile
 # for the runtime.
 #

pkg/config/testdata/containers_override.conf

@@ -4,6 +4,7 @@ apparmor_profile = "overridden-default"
 log_driver = "journald"
 log_tag="{{.Name}}|{{.ID}}"
 log_size_max = 100000
+read_only=true
 
 [engine]
 image_parallel_copies=10