From a729853bc712910574a7417f67764ec8c523928b Mon Sep 17 00:00:00 2001
From: Justin Cormack
Date: Fri, 6 Apr 2018 14:01:38 +0100
Subject: [PATCH] Always make sysfs read-write with privileged

It does not make any sense to vary this based on whether the rootfs is read only. We removed all the other mount dependencies on read-only eg see #35344.

Signed-off-by: Justin Cormack
---
 daemon/oci_linux.go | 10 ++++------
 integration-cli/docker_cli_run_test.go | 2 +-
 2 files changed, 5 insertions(+), 7 deletions(-)

diff --git a/daemon/oci_linux.go b/daemon/oci_linux.go
index a83f155fda..a3638ace21 100644
--- a/daemon/oci_linux.go
+++ b/daemon/oci_linux.go
@@ -685,12 +685,10 @@ func setMounts(daemon *Daemon, s *specs.Spec, c *container.Container, mounts []c
 }
 if c.HostConfig.Privileged {
- if !s.Root.Readonly {
- // clear readonly for /sys
- for i := range s.Mounts {
- if s.Mounts[i].Destination == "/sys" {
- clearReadOnly(&s.Mounts[i])
- }
+ // clear readonly for /sys
+ for i := range s.Mounts {
+ if s.Mounts[i].Destination == "/sys" {
+ clearReadOnly(&s.Mounts[i])
 }
 }
 s.Linux.ReadonlyPaths = nil

diff --git a/integration-cli/docker_cli_run_test.go b/integration-cli/docker_cli_run_test.go
index a4984862ee..3b6e3cbbdf 100644
--- a/integration-cli/docker_cli_run_test.go
+++ b/integration-cli/docker_cli_run_test.go
@@ -2688,7 +2688,7 @@ func (s *DockerSuite) TestRunContainerWithReadonlyRootfs(c *check.C) {
 if root := os.Getenv("DOCKER_REMAP_ROOT"); root != "" {
 testPriv = false
 }
- testReadOnlyFile(c, testPriv, "/file", "/etc/hosts", "/etc/resolv.conf", "/etc/hostname", "/sys/kernel")
+ testReadOnlyFile(c, testPriv, "/file", "/etc/hosts", "/etc/resolv.conf", "/etc/hostname")
 }
 func (s *DockerSuite) TestPermissionsPtsReadonlyRootfs(c *check.C) {
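Review bot: The comment `// clear readonly for /sys` in the `c.HostConfig.Privileged` branch of setMounts only restates the loop and does not record that the read-only rootfs setting is now deliberately ignored. A privileged container whose `s.Root.Readonly` is true previously kept sysfs read-only and now gets it writable, so the decision belongs at the point where it is made, e.g. `// privileged containers always get a read-write /sys, even when s.Root.Readonly is set`. Operators who combined a read-only rootfs with privileged mode may have relied on the old behaviour, so the user-facing description of the read-only option should probably mention it as well. setMounts starts and ends outside the hunk.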
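Review bot: Removing `"/sys/kernel"` from the `testReadOnlyFile` call leaves both sides of the behaviour change unasserted. Nothing visible here checks that a privileged container with a read-only rootfs can now write under /sys. If `testReadOnlyFile` also runs an unprivileged pass (its body is not in the hunk), that pass loses its check that /sys/kernel stays read-only. I would keep a read-only assertion for /sys/kernel in the unprivileged run and add a separate assertion that the write succeeds when `testPriv` is true. The start of TestRunContainerWithReadonlyRootfs is outside the hunk.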