Make /etc/hosts, /etc/resolv.conf, /etc/hostname read only if --read-only is enable

Signed-off-by: Antonio Murdaca <me@runcom.ninja>

daemon/volumes.go

@@ -241,13 +241,13 @@ func validMountMode(mode string) bool {
 func (container *Container) specialMounts() []execdriver.Mount {
 	var mounts []execdriver.Mount
 	if container.ResolvConfPath != "" {
-		mounts = append(mounts, execdriver.Mount{Source: container.ResolvConfPath, Destination: "/etc/resolv.conf", Writable: true, Private: true})
+		mounts = append(mounts, execdriver.Mount{Source: container.ResolvConfPath, Destination: "/etc/resolv.conf", Writable: !container.hostConfig.ReadonlyRootfs, Private: true})
 	}
 	if container.HostnamePath != "" {
-		mounts = append(mounts, execdriver.Mount{Source: container.HostnamePath, Destination: "/etc/hostname", Writable: true, Private: true})
+		mounts = append(mounts, execdriver.Mount{Source: container.HostnamePath, Destination: "/etc/hostname", Writable: !container.hostConfig.ReadonlyRootfs, Private: true})
 	}
 	if container.HostsPath != "" {
-		mounts = append(mounts, execdriver.Mount{Source: container.HostsPath, Destination: "/etc/hosts", Writable: true, Private: true})
+		mounts = append(mounts, execdriver.Mount{Source: container.HostsPath, Destination: "/etc/hosts", Writable: !container.hostConfig.ReadonlyRootfs, Private: true})
 	}
 	return mounts
 }

integration-cli/docker_cli_run_test.go

@@ -2951,7 +2951,15 @@ func (s *DockerSuite) TestRunContainerWithWritableRootfs(c *check.C) {
 func (s *DockerSuite) TestRunContainerWithReadonlyRootfs(c *check.C) {
 	testRequires(c, NativeExecDriver)
 
-	out, err := exec.Command(dockerBinary, "run", "--read-only", "--rm", "busybox", "touch", "/file").CombinedOutput()
+	for _, f := range []string{"/file", "/etc/hosts", "/etc/resolv.conf", "/etc/hostname"} {
+		testReadOnlyFile(f, c)
+	}
+}
+
+func testReadOnlyFile(filename string, c *check.C) {
+	testRequires(c, NativeExecDriver)
+
+	out, err := exec.Command(dockerBinary, "run", "--read-only", "--rm", "busybox", "touch", filename).CombinedOutput()
 	if err == nil {
 		c.Fatal("expected container to error on run with read only error")
 	}
@@ -2961,6 +2969,42 @@ func (s *DockerSuite) TestRunContainerWithReadonlyRootfs(c *check.C) {
 	}
 }
 
+func (s *DockerSuite) TestRunContainerWithReadonlyEtcHostsAndLinkedContainer(c *check.C) {
+	testRequires(c, NativeExecDriver)
+
+	_, err := runCommand(exec.Command(dockerBinary, "run", "-d", "--name", "test-etc-hosts-ro-linked", "busybox", "top"))
+	c.Assert(err, check.IsNil)
+
+	out, _, err := runCommandWithOutput(exec.Command(dockerBinary, "run", "--read-only", "--link", "test-etc-hosts-ro-linked:testlinked", "busybox", "cat", "/etc/hosts"))
+	c.Assert(err, check.IsNil)
+
+	if !strings.Contains(string(out), "testlinked") {
+		c.Fatal("Expected /etc/hosts to be updated even if --read-only enabled")
+	}
+}
+
+func (s *DockerSuite) TestRunContainerWithReadonlyRootfsWithDnsFlag(c *check.C) {
+	testRequires(c, NativeExecDriver)
+
+	out, _, err := runCommandWithOutput(exec.Command(dockerBinary, "run", "--read-only", "--dns", "1.1.1.1", "busybox", "/bin/cat", "/etc/resolv.conf"))
+	c.Assert(err, check.IsNil)
+
+	if !strings.Contains(string(out), "1.1.1.1") {
+		c.Fatal("Expected /etc/resolv.conf to be updated even if --read-only enabled and --dns flag used")
+	}
+}
+
+func (s *DockerSuite) TestRunContainerWithReadonlyRootfsWithAddHostFlag(c *check.C) {
+	testRequires(c, NativeExecDriver)
+
+	out, _, err := runCommandWithOutput(exec.Command(dockerBinary, "run", "--read-only", "--add-host", "testreadonly:127.0.0.1", "busybox", "/bin/cat", "/etc/hosts"))
+	c.Assert(err, check.IsNil)
+
+	if !strings.Contains(string(out), "testreadonly") {
+		c.Fatal("Expected /etc/hosts to be updated even if --read-only enabled and --add-host flag used")
+	}
+}
+
 func (s *DockerSuite) TestRunVolumesFromRestartAfterRemoved(c *check.C) {
 	out, _, err := runCommandWithOutput(exec.Command(dockerBinary, "run", "-d", "--name", "voltest", "-v", "/foo", "busybox"))
 	if err != nil {