Add --read-only for service create and service update
#30162
Conversation
| out, err = d.Cmd("inspect", "--type", "container", "--format", "{{.HostConfig.ReadonlyRootfs}}", containers[0]) | ||
| c.Assert(err, checker.IsNil, check.Commentf(out)) | ||
|
|
||
| expected := "touch: /file: Read-only file system" |
There was a problem hiding this comment.
I don't think we need to test this here; this functionality is already tested in testReadOnlyFile()
There was a problem hiding this comment.
Thanks @thaJeztah. That test has been removed.
| c.Assert(err, checker.NotNil, check.Commentf(out)) | ||
| c.Assert(out, checker.Contains, expected) | ||
|
|
||
| out, err = d.Cmd("service", "update", "--read- "top") |
There was a problem hiding this comment.
I think it would be good to test that running an docker service update without specifying the --read-only flag, does not change ReadonlyRootfs from true to false
There was a problem hiding this comment.
Thanks. I added a unit test to cover this scenario.
| out, err = d.Cmd("service", "update", "--read- "top") | ||
| c.Assert(err, checker.IsNil, check.Commentf(out)) | ||
|
|
||
| out, err = d.Cmd("service", "inspect", "--format", "{{ .Spec.TaskTemplate.ContainerSpec.ReadonlyRootfs }}", "top") |
There was a problem hiding this comment.
Looking at all these tests; I'm not sure how much of this is tested in SwarmKit, but possibly it could even be changed to a unit test (i.e., test that the client is setting / updating the ReadonlyRootfs in the TaskTemplate)
/cc @vdemeester perhaps you have some thoughts on that?
There was a problem hiding this comment.
Thanks. Some of the test has been changed to unit tests.
| @@ -479,6 +481,7 @@ func addServiceFlags(cmd *cobra.Command, opts *serviceOptions) { | |||
| flags.BoolVar(&opts.healthcheck.noHealthcheck, flagNoHealthcheck, false, "Disable any container-specified HEALTHCHECK") | |||
|
|
|||
| flags.BoolVarP(&opts.tty, flagTTY, "t", false, "Allocate a pseudo-TTY") | |||
| flags.BoolVar(&opts.readonlyRootfs, flagReadonlyRootfs, false, "Mount the container's root filesystem as read only") | |||
There was a problem hiding this comment.
Oh, can you version this flag, so that it only shows if the daemon is docker 1.14 or above?
flags.SetAnnotation(flagReadonlyRootfs, "version", []string{"1.26"})(hm, thinking of which, I think there's some other flags that we need to update as well)
|
@yongtang there are some comments from @thaJeztah |
|
@LK4D4 Thanks for the reminder. moby/swarmkit#1872 was merged yesterday. I will work on updating this PR shortly. |
8a162eb to
6393cc0
Compare
|
@thaJeztah Thanks for the review. The PR has been updated. And some of the tests have been changed to unit tests. Please take a look and let me know if there are any issues. |
6393cc0 to
4e61743
Compare
|
@yongtang I'm not sure, but failures look real enough |
|
@LK4D4 Ah the failure is related to the changes in SwarmKit about explicitly disallow network pluginv1 creation in swarm mode (See discussion in moby/swarmkit#1899, moby/swarmkit#1894, and #30332) The failure is being addressed in PR #30548 now. Please take a look. |
|
@yongtang cool, thanks! |
|
@yongtang just merged it. |
4e61743 to
2ede0eb
Compare
|
Thanks @LK4D4! This PR has been updated as well now. |
There was a problem hiding this comment.
changes LGTM perhaps you can also update the completion scripts for bash and zsh as part of this PR? I think bash change should go here; https://github.com/docker/docker/blob/master/contrib/completion/bash/docker#L2833 (but double check 😄)
This fix tries to address the issue raised in 29972 where it was not possible to specify `--read-only` for `docker service create` and `docker service update`, in order to have the container's root file system to be read only. This fix adds `--read-only` and update the `ReadonlyRootfs` in `HostConfig` through `service create` and `service update`. Related docs has been updated. Integration test has been added. This fix fixes 29972. Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
This commit updates bash and zsh completion for flag `--read-only` in `service create/update`. Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
2ede0eb to
885e1f2
Compare
|
Thanks @thaJeztah. The PR has been updated with related bash and zsh completion added. |
|
LGTM |
|
@yongtang can you please open a PR to update |
Add `--read-only` for `service create` and `service update`
- What I did
This fix tries to address the issue raised in #29972 where it was not possible to specify
--read-onlyfordocker service createanddocker service update, in order to have the container's root file system to be read only.- How I did it
This fix adds
--read-onlyand update theReadonlyRootfsinHostConfigthroughservice createandservice update.Related docs has been updated.
- How to verify it
Integration test has been added.
- Description for the changelog
Add
--read-onlyforservice createandservice update- A picture of a cute animal (not mandatory but encouraged)
This fix fixes #29972.
Related SwarmKit PR is moby/swarmkit#1872
Signed-off-by: Yong Tang yong.tang.github@outlook.com