Merge pull request #6729 from thaJeztah/1.5_backport_improve_containe…

…r_mount [release/1.5 backport] Make the temp mount as ready only in container WithVolumes
containerd · Mar 24, 2022 · 83a2c03 · 83a2c03
2 parents f277cda + 05b04a1
commit 83a2c03
Showing 1 changed file with 6 additions and 0 deletions.
diff --git a/pkg/cri/opts/container.go b/pkg/cri/opts/container.go
@@ -66,6 +66,12 @@ func WithVolumes(volumeMounts map[string]string) containerd.NewContainerOpts {
 		if err != nil {
 			return err
 		}
+		// Since only read is needed, append ReadOnly mount option to prevent linux kernel
+		// from syncing whole filesystem in umount syscall.
+		if len(mounts) == 1 && mounts[0].Type == "overlay" {
+			mounts[0].Options = append(mounts[0].Options, "ro")
+		}
+
 		root, err := ioutil.TempDir("", "ctd-volume")
 		if err != nil {
 			return err