diff --git a/client/driver/docker.go b/client/driver/docker.go
index fb05c646d73..5f2dedc29d4 100644
--- a/client/driver/docker.go
+++ b/client/driver/docker.go
@@ -216,6 +216,7 @@ type DockerDriverConfig struct {
 Devices []DockerDevice `mapstructure:"devices"` // To allow mounting USB or other serial control devices
 CapAdd []string `mapstructure:"cap_add"` // Flags to pass directly to cap-add
 CapDrop []string `mapstructure:"cap_drop"` // Flags to pass directly to cap-drop
+ ReadonlyRootfs bool `mapstructure:"readonly_rootfs"` // Mount the container’s root filesystem as read only
 }
 
 func sliceMergeUlimit(ulimitsRaw map[string]string) ([]docker.ULimit, error) {
@@ -670,6 +671,9 @@ func (d *DockerDriver) Validate(config map[string]interface{}) error {
 "cap_drop": {
 Type: fields.TypeArray,
 },
+ "readonly_rootfs": {
+ Type: fields.TypeBool,
+ },
 },
 }
 
@@ -1243,6 +1247,7 @@ func (d *DockerDriver) createContainerConfig(ctx *ExecContext, task *structs.Tas
 hostConfig.SecurityOpt = driverConfig.SecurityOpt
 hostConfig.Sysctls = driverConfig.Sysctl
 hostConfig.Ulimits = driverConfig.Ulimit
+ hostConfig.ReadonlyRootfs = driverConfig.ReadonlyRootfs
 hostConfig.NetworkMode = driverConfig.NetworkMode
 
 if hostConfig.NetworkMode == "" {
diff --git a/client/driver/docker_test.go b/client/driver/docker_test.go
index a0fd49209b7..6dc5d97c5c1 100644
--- a/client/driver/docker_test.go
+++ b/client/driver/docker_test.go
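Review bot: The comment on the new `ReadonlyRootfs` field uses a typographic apostrophe (U+2019 in "container’s") where the neighbouring field comments are plain ASCII, and it does not say what "read only" covers, which is the detail a job author needs when deciding whether a task can still write anywhere. Docker applies this host-config flag to the image's root filesystem only; bind mounts and volumes attached to the container remain writable, so that is worth stating on the field: `ReadonlyRootfs bool \`mapstructure:"readonly_rootfs"\` // Mount the container's root filesystem read-only; bind mounts and volumes stay writable`. The website hunk has the same gap ("Mount the container's filesystem as read only") and would benefit from the same wording. The `DockerDriverConfig` struct begins before this hunk.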
@@ -2247,3 +2247,25 @@ func TestDockerDriver_Kill(t *testing.T) {
 err = handle.Kill()
 assert.Nil(err)
 }
+
+func TestDockerDriver_ReadonlyRootfs(t *testing.T) {
+ if !tu.IsTravis() {
+ t.Parallel()
+ }
+ if !testutil.DockerIsConnected(t) {
+ t.Skip("Docker not connected")
+ }
+
+ task, _, _ := dockerTask(t)
+ task.Config["readonly_rootfs"] = true
+
+ client, handle, cleanup := dockerSetup(t, task)
+ defer cleanup()
+
+ waitForExist(t, client, handle)
+
+ container, err := client.InspectContainer(handle.ContainerID())
+ assert.Nil(t, err, "Error inspecting container: %v", err)
+
+ assert.True(t, container.HostConfig.ReadonlyRootfs, "ReadonlyRootfs option not set")
+}
diff --git a/website/source/docs/drivers/docker.html.md b/website/source/docs/drivers/docker.html.md
index 32d438cb156..c75238dfd29 100644
--- a/website/source/docs/drivers/docker.html.md
+++ b/website/source/docs/drivers/docker.html.md
@@ -356,6 +356,9 @@ The `docker` driver supports the following configuration in the job spec. Only
 }
 ```
 
+* `readonly_rootfs` - (Optional) `true` or `false` (default). Mount
+ the container's filesystem as read only.
+
 ### Container Name
 
 Nomad creates a container after pulling an image. Containers are named
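Review bot: `container` is dereferenced in the final `assert.True` even when `InspectContainer` returns an error, because `assert.Nil` only records the failure and lets the test continue, so a failed inspect (which presumably returns a nil `*Container`) shows up as a nil-pointer panic rather than the "Error inspecting container" message. Make the inspect error fatal before touching `container.HostConfig`: `if err != nil { t.Fatalf("Error inspecting container: %v", err) }`, or `require.NoError` if the file already imports testify's require package. As a smaller style point, the preceding `TestDockerDriver_Kill` appears to use an `assert.New(t)` instance (`assert.Nil(err)`) while the new test calls the package-level functions with `t`; picking one form for the file keeps the tests uniform.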