runtime: add support for readonly sandbox bindmounts

If specified, sandbox_bind_mounts identifies host paths to be mounted (ro) into the sandboxes shared path. This is only valid if filesystem sharing is utilized. The provided path(s) will be bindmounted (ro) into the shared fs directory on the host, and thus mapped into the guest. If defaults are utilized, these mounts should be available in the guest at `/var/run/kata-containers/shared/containers/sandbox-mounts` These will not be exposed to the container workloads, and are only added for potential guest-services to consume (example: expose certs into the guest that are available on the host). Fixes: #1464 Signed-off-by: Eric Ernst <eric.g.ernst@gmail.com>
2025-12-17 22:34:25 +01:00 · 2021-02-09 22:00:53 -08:00
parent acc4bc57f4
commit 48ed8f3c4a
8 changed files with 158 additions and 0 deletions
--- a/src/runtime/pkg/katautils/config_test.go
+++ b/src/runtime/pkg/katautils/config_test.go
@@ -1610,3 +1610,52 @@ func TestCheckFactoryConfig(t *testing.T) {
 		}
 	}
 }
+
+func TestValidateBindMounts(t *testing.T) {
+	assert := assert.New(t)
+
+	tmpdir1, err := ioutil.TempDir(testDir, "tmp1-")
+	assert.NoError(err)
+	defer os.RemoveAll(tmpdir1)
+
+	tmpdir2, err := ioutil.TempDir(testDir, "tmp2-")
+	assert.NoError(err)
+	defer os.RemoveAll(tmpdir2)
+
+	duplicate1 := filepath.Join(tmpdir1, "cat.txt")
+	duplicate2 := filepath.Join(tmpdir2, "cat.txt")
+	unique := filepath.Join(tmpdir1, "foobar.txt")
+
+	err = ioutil.WriteFile(duplicate1, []byte("kibble-monster"), 0644)
+	assert.NoError(err)
+
+	err = ioutil.WriteFile(duplicate2, []byte("furbag"), 0644)
+	assert.NoError(err)
+
+	err = ioutil.WriteFile(unique, []byte("fuzzball"), 0644)
+	assert.NoError(err)
+
+	type testData struct {
+		name        string
+		mounts      []string
+		expectError bool
+	}
+
+	data := []testData{
+		{"two unique directories", []string{tmpdir1, tmpdir2}, false},
+		{"unique directory and two unique files", []string{tmpdir1, duplicate1, unique}, false},
+		{"two files with same base name", []string{duplicate1, duplicate2}, true},
+		{"non existent path", []string{"/this/does/not/exist"}, true},
+		{"non existent path with existing path", []string{unique, "/this/does/not/exist"}, true},
+		{"non existent path with duplicates", []string{duplicate1, duplicate2, "/this/does/not/exist"}, true},
+		{"no paths", []string{}, false},
+	}
+	for i, d := range data {
+		err := validateBindMounts(d.mounts)
+		if d.expectError {
+			assert.Error(err, "test %d (%+v)", i, d.name)
+		} else {
+			assert.NoError(err, "test %d (%+v)", i, d.name)
+		}
+	}
+}