Diffstat (limited to 'vendor/github.com/containerd/containerd/oci/spec_opts.go')
-rw-r--r--vendor/github.com/containerd/containerd/oci/spec_opts.go20
1 files changed, 20 insertions, 0 deletions
diff --git a/vendor/github.com/containerd/containerd/oci/spec_opts.go b/vendor/github.com/containerd/containerd/oci/spec_opts.go
index 9c9160c591..65811fc23d 100644
--- a/vendor/github.com/containerd/containerd/oci/spec_opts.go
+++ b/vendor/github.com/containerd/containerd/oci/spec_opts.go
@@ -663,6 +663,10 @@ func WithUser(userstr string) SpecOpts {
return err
}
+ // Use a read-only mount when trying to get user/group information
+ // from the container's rootfs. Since the option does read operation
+ // only, we append ReadOnly mount option to prevent the Linux kernel
+ // from syncing whole filesystem in umount syscall.
return mount.WithReadonlyTempMount(ctx, mounts, f)
default:
return fmt.Errorf("invalid USER value %s", userstr)
@@ -723,6 +727,10 @@ func WithUserID(uid uint32) SpecOpts {
return err
}
+ // Use a read-only mount when trying to get user/group information
+ // from the container's rootfs. Since the option does read operation
+ // only, we append ReadOnly mount option to prevent the Linux kernel
+ // from syncing whole filesystem in umount syscall.
return mount.WithReadonlyTempMount(ctx, mounts, setUser)
}
}
@@ -767,6 +775,10 @@ func WithUsername(username string) SpecOpts {
return err
}
+ // Use a read-only mount when trying to get user/group information
+ // from the container's rootfs. Since the option does read operation
+ // only, we append ReadOnly mount option to prevent the Linux kernel
+ // from syncing whole filesystem in umount syscall.
return mount.WithReadonlyTempMount(ctx, mounts, setUser)
} else if s.Windows != nil {
s.Process.User.Username = username
@@ -845,6 +857,10 @@ func WithAdditionalGIDs(userstr string) SpecOpts {
return err
}
+ // Use a read-only mount when trying to get user/group information
+ // from the container's rootfs. Since the option does read operation
+ // only, we append ReadOnly mount option to prevent the Linux kernel
+ // from syncing whole filesystem in umount syscall.
return mount.WithReadonlyTempMount(ctx, mounts, setAdditionalGids)
}
}
@@ -906,6 +922,10 @@ func WithAppendAdditionalGroups(groups ...string) SpecOpts {
return err
}
+ // Use a read-only mount when trying to get user/group information
+ // from the container's rootfs. Since the option does read operation
+ // only, we append ReadOnly mount option to prevent the Linux kernel
+ // from syncing whole filesystem in umount syscall.
return mount.WithReadonlyTempMount(ctx, mounts, setAdditionalGids)
}
}