Merge pull request #801 from liubin/f/713-add-mount-option

add --mount option for nerdctl run

Author: AkihiroSuda

README.md

@@ -384,7 +384,33 @@ Volume flags:
     Requires kernel >= 5.12, and crun >= 1.4 or runc >= 1.1 (PR [#3272](https://github.com/opencontainers/runc/pull/3272)). With older runc, `rro` just works as `ro`.
   - :whale:     option `shared`, `slave`, `private`: Non-recursive "shared" / "slave" / "private" propagation
   - :whale:     option `rshared`, `rslave`, `rprivate`: Recursive "shared" / "slave" / "private" propagation
-- :whale: `--tmpfs`: Mount a tmpfs directory
+- :whale: `--tmpfs`: Mount a tmpfs directory, e.g. `--tmpfs /tmp:size=64m,exec`.
+- :whale: `--mount`: Attach a filesystem mount to the container.
+  Consists of multiple key-value pairs, separated by commas and each
+  consisting of a `<key>=<value>` tuple.
+  e.g., `-- mount type=bind,source=/src,target=/app,bind-propagation=shared`.
+  - :whale: The `type` of the mount, which can be `bind`, `volume`, `tmpfs`.
+    The defaul type will be set to `volume` if not specified.
+    i.e., `--mount src=vol-1,dst=/app,readonly` equals `--mount type=volum,src=vol-1,dst=/app,readonly`
+  - :whale: The `source` of the mount. For bind mounts, this is the path to the file
+    or directory. May be specified as `source` or `src`.
+  - :whale: The `destination` takes as its value the path where the file or directory
+    is mounted in the container. May be specified as `destination`, `dst`,
+    or `target`.
+  - :whale: The `readonly` or `ro`, `rw`, `rro` option changes filesystem permissinos.
+    See description for `--volume` for more deails.
+  - :whale: The `bind-propagation` option is only for `bind` mount which is used to set the
+    bind propagation. May be one of `rprivate`, `private`, `rshared`, `shared`,
+    `rslave`, `slave`.
+    See description for `--volume` for more deails.
+  - :whale: The `tmpfs-size` and `tmpfs-mode` options are only for `tmpfs` bind mount,
+    e.g., `--mount type=tmpfs,target=/app,tmpfs-size=10m,tmpfs-mode=1770`.
+    - `tmpfs-size`: Size of the tmpfs mount in bytes. Unlimited by default.
+    - `tmpfs-mode`: File mode of the tmpfs in **octal**.
+      Defaults to `1777` or world-writable.
+
+Unimplemented `docker run --mount` flags: `bind-nonrecursive`, `volume-nocopy`,
+`volume-label`, `volume-driver`, `volume-opt`, `consistency`.
 
 Rootfs flags:
 - :whale: `--read-only`: Mount the container's root filesystem as read only

cmd/nerdctl/run.go

@@ -189,6 +189,7 @@ func setCreateFlags(cmd *cobra.Command) {
 	cmd.Flags().StringArrayP("volume", "v", nil, "Bind mount a volume")
 	// tmpfs needs to be StringArray, not StringSlice, to prevent "/foo:size=64m,exec" from being split to {"/foo:size=64m", "exec"}
 	cmd.Flags().StringArray("tmpfs", nil, "Mount a tmpfs directory")
+	cmd.Flags().StringArray("mount", nil, "Attach a filesystem mount to the container")
 	// #endregion
 
 	// rootfs flags

cmd/nerdctl/run_mount.go

@@ -75,8 +75,7 @@ func withMounts(mounts []specs.Mount) oci.SpecOpts {
 	}
 }
 
-// parseMountFlags parses --volume and --tmpfs.
-// parseMountFlags will also parse --mount in a future release.
+// parseMountFlags parses --volume, --mount and --tmpfs.
 func parseMountFlags(cmd *cobra.Command, volStore volumestore.VolumeStore) ([]*mountutil.Processed, error) {
 	var parsed []*mountutil.Processed
 	if flagVSlice, err := cmd.Flags().GetStringArray("volume"); err != nil {
@@ -103,6 +102,19 @@ func parseMountFlags(cmd *cobra.Command, volStore volumestore.VolumeStore) ([]*m
 			parsed = append(parsed, x)
 		}
 	}
+
+	if mountsSlice, err := cmd.Flags().GetStringArray("mount"); err != nil {
+		return nil, err
+	} else {
+		for _, v := range strutil.DedupeStrSlice(mountsSlice) {
+			x, err := mountutil.ProcessFlagMount(v, volStore)
+			if err != nil {
+				return nil, err
+			}
+			parsed = append(parsed, x)
+		}
+	}
+
 	return parsed, nil
 }
 
@@ -205,7 +217,7 @@ func generateMountOpts(cmd *cobra.Command, ctx context.Context, client *containe
 				return nil, nil, err
 			}
 
-			//Copying content in AnonymousVolume and namedVolume
+			// Copying content in AnonymousVolume and namedVolume
 			if x.Type == "volume" {
 				if err := copyExistingContents(target, x.Mount.Source); err != nil {
 					return nil, nil, err

cmd/nerdctl/run_mount_linux_test.go

@@ -22,6 +22,7 @@ import (
 	"strings"
 	"testing"
 
+	"github.com/containerd/containerd/mount"
 	"github.com/containerd/nerdctl/pkg/testutil"
 	"gotest.tools/v3/assert"
 )
@@ -248,3 +249,230 @@ func TestRunTmpfs(t *testing.T) {
 	// for https://github.com/containerd/nerdctl/issues/594
 	base.Cmd("run", "--rm", "--tmpfs", "/dev/shm:rw,exec,size=1g", testutil.AlpineImage, "grep", "/dev/shm", "/proc/mounts").AssertOutWithFunc(f([]string{"rw", "nosuid", "nodev", "size=1048576k"}, []string{"noexec"}))
 }
+
+func TestRunBindMountTmpfs(t *testing.T) {
+	t.Parallel()
+	base := testutil.NewBase(t)
+	f := func(allow []string) func(stdout string) error {
+		return func(stdout string) error {
+			lines := strings.Split(strings.TrimSpace(stdout), "\n")
+			if len(lines) != 1 {
+				return fmt.Errorf("expected 1 lines, got %q", stdout)
+			}
+			for _, s := range allow {
+				if !strings.Contains(stdout, s) {
+					return fmt.Errorf("expected stdout to contain %q, got %q", s, stdout)
+				}
+			}
+			return nil
+		}
+	}
+	base.Cmd("run", "--rm", "--mount", "type=tmpfs,target=/tmp", testutil.AlpineImage, "grep", "/tmp", "/proc/mounts").AssertOutWithFunc(f([]string{"rw", "nosuid", "nodev", "noexec"}))
+	base.Cmd("run", "--rm", "--mount", "type=tmpfs,target=/tmp,tmpfs-size=64m", testutil.AlpineImage, "grep", "/tmp", "/proc/mounts").AssertOutWithFunc(f([]string{"rw", "nosuid", "nodev", "size=65536k"}))
+}
+
+func TestRunBindMountBind(t *testing.T) {
+	t.Parallel()
+	base := testutil.NewBase(t)
+	tID := testutil.Identifier(t)
+	rwDir, err := os.MkdirTemp(t.TempDir(), "rw")
+	if err != nil {
+		t.Fatal(err)
+	}
+	roDir, err := os.MkdirTemp(t.TempDir(), "ro")
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	containerName := tID
+	defer base.Cmd("rm", "-f", containerName).Run()
+	base.Cmd("run",
+		"-d",
+		"--name", containerName,
+		"--mount", fmt.Sprintf("type=bind,src=%s,target=/mnt1", rwDir),
+		"--mount", fmt.Sprintf("type=bind,src=%s,target=/mnt2,ro", roDir),
+		testutil.AlpineImage,
+		"top",
+	).AssertOK()
+	base.Cmd("exec", containerName, "sh", "-exc", "echo -n str1 > /mnt1/file1").AssertOK()
+	base.Cmd("exec", containerName, "sh", "-exc", "echo -n str2 > /mnt2/file2").AssertFail()
+
+	base.Cmd("run",
+		"--rm",
+		"--mount", fmt.Sprintf("type=bind,src=%s,target=/mnt1", rwDir),
+		testutil.AlpineImage,
+		"cat", "/mnt1/file1",
+	).AssertOutExactly("str1")
+
+	// check `bind-propagation`
+	f := func(allow string) func(stdout string) error {
+		return func(stdout string) error {
+			lines := strings.Split(strings.TrimSpace(stdout), "\n")
+			if len(lines) != 1 {
+				return fmt.Errorf("expected 1 lines, got %q", stdout)
+			}
+			fields := strings.Split(lines[0], " ")
+			if len(fields) < 4 {
+				return fmt.Errorf("invalid /proc/mounts format %q", stdout)
+			}
+
+			options := strings.Split(fields[3], ",")
+
+			found := false
+			for _, s := range options {
+				if allow == s {
+					found = true
+					break
+				}
+			}
+			if !found {
+				return fmt.Errorf("expected stdout to contain %q, got %+v", allow, options)
+			}
+			return nil
+		}
+	}
+	base.Cmd("exec", containerName, "grep", "/mnt1", "/proc/mounts").AssertOutWithFunc(f("rw"))
+	base.Cmd("exec", containerName, "grep", "/mnt2", "/proc/mounts").AssertOutWithFunc(f("ro"))
+}
+
+func TestRunBindMountPropagation(t *testing.T) {
+	tID := testutil.Identifier(t)
+
+	if !isRootfsShareableMount() {
+		t.Skipf("rootfs doesn't support shared mount, skip test %s", tID)
+	}
+
+	t.Parallel()
+	base := testutil.NewBase(t)
+
+	testCases := []struct {
+		propagation string
+		assertFunc  func(containerName, containerNameReplica string)
+	}{
+		{
+			propagation: "rshared",
+			assertFunc: func(containerName, containerNameReplica string) {
+				// replica can get sub-mounts from original
+				base.Cmd("exec", containerNameReplica, "cat", "/mnt1/replica/foo.txt").AssertOutExactly("toreplica")
+
+				// and sub-mounts from replica will be propagated to the original too
+				base.Cmd("exec", containerName, "cat", "/mnt1/bar/bar.txt").AssertOutExactly("fromreplica")
+			},
+		},
+		{
+			propagation: "rslave",
+			assertFunc: func(containerName, containerNameReplica string) {
+				// replica can get sub-mounts from original
+				base.Cmd("exec", containerNameReplica, "cat", "/mnt1/replica/foo.txt").AssertOutExactly("toreplica")
+
+				// but sub-mounts from replica will not be propagated to the original
+				base.Cmd("exec", containerName, "cat", "/mnt1/bar/bar.txt").AssertFail()
+			},
+		},
+		{
+			propagation: "rprivate",
+			assertFunc: func(containerName, containerNameReplica string) {
+				// replica can't get sub-mounts from original
+				base.Cmd("exec", containerNameReplica, "cat", "/mnt1/replica/foo.txt").AssertFail()
+				// and sub-mounts from replica will not be propagated to the original too
+				base.Cmd("exec", containerName, "cat", "/mnt1/bar/bar.txt").AssertFail()
+			},
+		},
+		{
+			propagation: "",
+			assertFunc: func(containerName, containerNameReplica string) {
+				// replica can't get sub-mounts from original
+				base.Cmd("exec", containerNameReplica, "cat", "/mnt1/replica/foo.txt").AssertFail()
+				// and sub-mounts from replica will not be propagated to the original too
+				base.Cmd("exec", containerName, "cat", "/mnt1/bar/bar.txt").AssertFail()
+			},
+		},
+	}
+
+	for _, tc := range testCases {
+		propagationName := tc.propagation
+		if propagationName == "" {
+			propagationName = "default"
+		}
+
+		t.Logf("Running test propagation case %s", propagationName)
+
+		rwDir, err := os.MkdirTemp(t.TempDir(), "rw")
+		if err != nil {
+			t.Fatal(err)
+		}
+
+		containerName := tID + "-" + propagationName
+		containerNameReplica := containerName + "-replica"
+
+		mountOption := fmt.Sprintf("type=bind,src=%s,target=/mnt1,bind-propagation=%s", rwDir, tc.propagation)
+		if tc.propagation == "" {
+			mountOption = fmt.Sprintf("type=bind,src=%s,target=/mnt1", rwDir)
+		}
+
+		containers := []struct {
+			name        string
+			mountOption string
+		}{
+			{
+				name:        containerName,
+				mountOption: fmt.Sprintf("type=bind,src=%s,target=/mnt1,bind-propagation=rshared", rwDir),
+			},
+			{
+				name:        containerNameReplica,
+				mountOption: mountOption,
+			},
+		}
+		for _, c := range containers {
+			base.Cmd("run", "-d",
+				"--privileged",
+				"--name", c.name,
+				"--mount", c.mountOption,
+				testutil.AlpineImage,
+				"top").AssertOK()
+			defer base.Cmd("rm", "-f", c.name).Run()
+		}
+
+		// mount in the first container
+		base.Cmd("exec", containerName, "sh", "-exc", "mkdir /app && mkdir /mnt1/replica && mount --bind /app /mnt1/replica && echo -n toreplica > /app/foo.txt").AssertOK()
+		base.Cmd("exec", containerName, "cat", "/mnt1/replica/foo.txt").AssertOutExactly("toreplica")
+
+		// mount in the second container
+		base.Cmd("exec", containerNameReplica, "sh", "-exc", "mkdir /bar && mkdir /mnt1/bar").AssertOK()
+		base.Cmd("exec", containerNameReplica, "sh", "-exc", "mount --bind /bar /mnt1/bar").AssertOK()
+
+		base.Cmd("exec", containerNameReplica, "sh", "-exc", "echo -n fromreplica > /bar/bar.txt").AssertOK()
+		base.Cmd("exec", containerNameReplica, "cat", "/mnt1/bar/bar.txt").AssertOutExactly("fromreplica")
+
+		// call case specific assert function
+		tc.assertFunc(containerName, containerNameReplica)
+
+		// umount mount point in the first privileged container
+		base.Cmd("exec", containerNameReplica, "sh", "-exc", "umount /mnt1/bar").AssertOK()
+		base.Cmd("exec", containerName, "sh", "-exc", "umount /mnt1/replica").AssertOK()
+	}
+}
+
+// isRootfsShareableMount will check if /tmp or / support shareable mount
+func isRootfsShareableMount() bool {
+	existFunc := func(mi mount.Info) bool {
+		for _, opt := range strings.Split(mi.Optional, " ") {
+			if strings.HasPrefix(opt, "shared:") {
+				return true
+			}
+		}
+		return false
+	}
+
+	mi, err := mount.Lookup("/tmp")
+	if err == nil {
+		return existFunc(mi)
+	}
+
+	mi, err = mount.Lookup("/")
+	if err == nil {
+		return existFunc(mi)
+	}
+
+	return false
+}

pkg/mountutil/mountutil_freebsd.go

@@ -22,6 +22,7 @@ import (
 
 	"github.com/containerd/containerd/errdefs"
 	"github.com/containerd/containerd/oci"
+	"github.com/containerd/nerdctl/pkg/mountutil/volumestore"
 	"github.com/sirupsen/logrus"
 )
 
@@ -61,3 +62,7 @@ func parseVolumeOptions(vType, src, optsRaw string) ([]string, []oci.SpecOpts, e
 func ProcessFlagTmpfs(s string) (*Processed, error) {
 	return nil, errdefs.ErrNotImplemented
 }
+
+func ProcessFlagMount(s string, volStore volumestore.VolumeStore) (*Processed, error) {
+	return nil, errdefs.ErrNotImplemented
+}