From 426823ca37cf07ffef185e544998ed8962d01909 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Pablo=20Correa=20G=C3=B3mez?= Date: Sun, 12 Sep 2021 21:02:20 +0200 Subject: [PATCH] config: Add readonly_rootfs config option like docker plugin --- CHANGELOG.md | 1 + README.md | 12 +++++++++++- config.go | 2 ++ driver.go | 1 + 4 files changed, 15 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 31550972..acce7999 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,7 @@ FEATURES: * config: Map host devices into container. [[GH-41](https://github.com/hashicorp/nomad-driver-podman/pull/41)] +* config: Allow mounting rootfs as read-only. BUG FIXES: * log: Use error key context to log errors rather than Go err style. [[GH-126](https://github.com/hashicorp/nomad-driver-podman/pull/126)] diff --git a/README.md b/README.md index 056f05a2..91fee676 100644 --- a/README.md +++ b/README.md @@ -231,7 +231,7 @@ config { } ``` -* **devices** - (Optional) A list of `host-device[:container-device][:permissions]` definitions. +* **devices** - (Optional) A list of `host-device[:container-device][:permissions]` definitions. Each entry adds a host device to the container. Optional permissions can be used to specify device permissions, it is combination of r for read, w for write, and m for mknod(2). See podman documentation for more details. ``` @@ -372,6 +372,16 @@ config { } ``` +* **readonly_rootfs** - (Optional) true or false (default). Mount the rootfs as read-only. + +``` +config { + readonly_rootfs = true +} +``` + + + ## Network Configuration [nomad lifecycle hooks](https://www.nomadproject.io/docs/job-specification/lifecycle) combined with the drivers `network_mode` allows very flexible network namespace definitions. This feature does not build upon the native podman pod structure but simply reuses the networking namespace of one container for other tasks in the same group. diff --git a/config.go b/config.go index 08a3b9a2..7b4a7de4 100644 --- a/config.go 
+++ b/config.go
@@ -66,6 +66,7 @@ var (
 "tty": hclspec.NewAttr("tty", "bool", false),
 "volumes": hclspec.NewAttr("volumes", "list(string)", false),
 "force_pull": hclspec.NewAttr("force_pull", "bool", false),
+"readonly_rootfs": hclspec.NewAttr("readonly_rootfs", "bool", false),
 })
 )
 
@@ -120,4 +121,5 @@ type TaskConfig struct {
 Init bool `codec:"init"`
 Tty bool `codec:"tty"`
 ForcePull bool `codec:"force_pull"`
+ReadOnlyRootfs bool `codec:"readonly_rootfs"`
 }
diff --git a/driver.go b/driver.go
index cc4d116d..e7f733dd 100644
--- a/driver.go
+++ b/driver.go
@@ -429,6 +429,7 @@ func (d *Driver) StartTask(cfg *drivers.TaskConfig) (*drivers.TaskHandle, *drive
 createOpts.ContainerSecurityConfig.CapAdd = driverConfig.CapAdd
 createOpts.ContainerSecurityConfig.CapDrop = driverConfig.CapDrop
 createOpts.ContainerSecurityConfig.User = cfg.User
+createOpts.ContainerSecurityConfig.ReadOnlyFilesystem = driverConfig.ReadOnlyRootfs
 
 // Network config options
 if cfg.DNS != nil {
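Review bot: The new `ReadOnlyRootfs` field in the TaskConfig hunk is added without any test, and the diffstat (CHANGELOG.md, README.md, config.go, driver.go) shows no test file touched, so neither the HCL spec entry `readonly_rootfs` nor the decoding into `TaskConfig.ReadOnlyRootfs` is exercised. A small table-driven decode test that sets `readonly_rootfs = true` in the task config and asserts the field is `true` (and that the default decodes to `false`, matching the README's "true or false (default)") would pin the behavior the commit adds. A one-line field comment would also help readers: `// ReadOnlyRootfs mounts the container's root filesystem read-only.` The same spec/field pair appears in the @@ -66 hunk of this file, which needs no separate test once the decode test covers it.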
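Review bot: The assignment `createOpts.ContainerSecurityConfig.ReadOnlyFilesystem = driverConfig.ReadOnlyRootfs` sets only the read-only flag on the container spec; as far as I recall, `podman run --read-only` on the CLI additionally mounts writable tmpfs on /run, /tmp and /var/tmp (its `--read-only-tmpfs` default), while the API spec path does not, so a task that writes to those paths will fail unless the job also declares tmpfs mounts — worth confirming against the podman version the driver targets. That behavior matches what the docker plugin's `readonly_rootfs` does, so it may be intended, but the README entry should then say so, or the driver should add the tmpfs mounts when the option is set. A why-comment on the new line would make the choice explicit, e.g. `// Only the rootfs flag is set; writable tmpfs for /tmp, /run etc. must come from the job's mounts.` StartTask begins before this hunk and continues after it.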