From 622fe63eb37f957ee5c29684e24f1d2d636fd086 Mon Sep 17 00:00:00 2001 From: Daniel Baumann Date: Mon, 3 Apr 2017 11:57:55 +0200 Subject: Adding support for bind-ro nspawn option for read-only bind mounts. Signed-off-by: Daniel Baumann --- lib/container/start | 23 ++++++++++++++++++++++- 1 file changed, 22 insertions(+), 1 deletion(-) (limited to 'lib/container/start') diff --git a/lib/container/start b/lib/container/start index 0009fd0..014e859 100755 --- a/lib/container/start +++ b/lib/container/start @@ -221,6 +221,27 @@ then done fi + BIND_RO="$(awk -F= '/^bind-ro=/ { print $2 }' ${CONFIG}/${NAME}.conf)" + + if [ -n "${BIND_RO}" ] + then + BINDS_RO="$(echo ${BIND_RO} | sed -e 's|;| |g')" + + for BIND_RO in ${BINDS_RO} + do + DIRECTORY="$(echo ${BIND_RO} | awk -F: '{ print $1 }')" + + mkdir -p "${DIRECTORY}" + done + + BIND_RO="" + + for DIRECTORIES in ${BINDS_RO} + do + BIND_RO="${BIND_RO} --bind ${DIRECTORIES}" + done + fi + BOOT="$(awk -F= '/^boot=/ { print $2 }' ${CONFIG}/${NAME}.conf || echo yes)" case "${BOOT}" in @@ -437,7 +458,7 @@ case "${START}" in *) # Run - ${SETARCH} systemd-nspawn --keep-unit ${BIND} ${BOOT} ${CAPABILITY} ${DIRECTORY} ${DROP_CAPABILITY} ${MACHINE} ${NETWORK_VETH_EXTRA} ${LINK_JOURNAL} ${REGISTER} + ${SETARCH} systemd-nspawn --keep-unit ${BIND} ${BIND_RO} ${BOOT} ${CAPABILITY} ${DIRECTORY} ${DROP_CAPABILITY} ${MACHINE} ${NETWORK_VETH_EXTRA} ${LINK_JOURNAL} ${REGISTER} # Post hooks for FILE in "${HOOKS}/post-${COMMAND}".* "${HOOKS}/${NAME}.post-${COMMAND}" -- cgit v1.2.3
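Review bot: The read-only semantics the commit subject promises are not delivered: the second loop of the first hunk assembles `--bind ${DIRECTORIES}`, which is the read-write form, so every `bind-ro=` entry is mounted writable into the container; the line should read `BIND_RO="${BIND_RO} --bind-ro ${DIRECTORIES}"`. The first loop also reuses `DIRECTORY` as its per-entry scratch variable while the nspawn invocation in the second hunk passes `${DIRECTORY}`; if that variable is assigned before this block rather than after it (not visible here), the loop silently replaces the container directory with the last bind source, so a distinct name such as `BIND_RO_SOURCE` would be safer. Word-splitting on the unquoted `${BIND_RO}` and `${CONFIG}/${NAME}.conf` expansions mirrors the surrounding style, but it means a bind path containing spaces cannot be expressed and a stray glob character in the config is expanded against the host filesystem. The `if … then` block enclosing both hunks starts and ends outside them.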