feat: Add ReadonlyRootfs option (runfinch#233)

Signed-off-by: Arjun Raja Yogidas <[email protected]>

Author: coderbirju

api/handlers/container/create.go

@@ -193,6 +193,10 @@ func (h *handler) create(w http.ResponseWriter, r *http.Request) {
 	if req.HostConfig.Runtime != "" {
 		runtime = req.HostConfig.Runtime
 	}
+	securityOpt := []string{}
+	if req.HostConfig.SecurityOpt != nil {
+		securityOpt = req.HostConfig.SecurityOpt
+	}
 
 	globalOpt := ncTypes.GlobalCommandOptions(*h.Config)
 	createOpt := ncTypes.ContainerCreateOptions{
@@ -251,7 +255,7 @@ func (h *handler) create(w http.ResponseWriter, r *http.Request) {
 		// #endregion
 
 		// #region for security flags
-		SecurityOpt: []string{}, // nerdctl default.
+		SecurityOpt: securityOpt,
 		CapAdd:      capAdd,
 		CapDrop:     capDrop,
 		Privileged:  req.HostConfig.Privileged,
@@ -293,6 +297,11 @@ func (h *handler) create(w http.ResponseWriter, r *http.Request) {
 			Stderr:        nil,
 		},
 		// #endregion
+
+		// #region for rootfs flags
+		ReadOnly: req.HostConfig.ReadonlyRootfs, // Is the container root filesystem in read-only
+		// #endregion
+
 	}
 
 	portMappings, err := translatePortMappings(req.HostConfig.PortBindings)

api/handlers/container/create_test.go

@@ -905,6 +905,29 @@ var _ = Describe("Container Create API ", func() {
 			Expect(rr.Body).Should(MatchJSON(jsonResponse))
 		})
 
+		It("should set ReadonlyRootfs and SecurityOpt option", func() {
+			body := []byte(`{
+				"Image": "test-image",
+				"HostConfig": {
+					"ReadonlyRootfs": true,
+					"SecurityOpt": [ "seccomp=/path/to/custom_seccomp.json", "apparmor=unconfined"]
+				}
+			}`)
+			req, _ := http.NewRequest(http.MethodPost, "/containers/create", bytes.NewReader(body))
+
+			// expected create options
+			createOpt.ReadOnly = true
+			createOpt.SecurityOpt = []string{"seccomp=/path/to/custom_seccomp.json", "apparmor=unconfined"}
+
+			service.EXPECT().Create(gomock.Any(), "test-image", nil, equalTo(createOpt), equalTo(netOpt)).Return(
+				cid, nil)
+
+			// handler should return success message with 201 status code.
+			h.create(rr, req)
+			Expect(rr).Should(HaveHTTPStatus(http.StatusCreated))
+			Expect(rr.Body).Should(MatchJSON(jsonResponse))
+		})
+
 		Context("translate port mappings", func() {
 			It("should return empty if port mappings is nil", func() {
 				Expect(translatePortMappings(nil)).Should(BeEmpty())

api/types/container_types.go

@@ -86,15 +86,15 @@ type ContainerHostConfig struct {
 	OomKillDisable bool // specifies whether to disable OOM Killer
 	// TODO: OomScoreAdj        int    // specifies the tune container’s OOM preferences (-1000 to 1000, rootless: 100 to 1000)
 	// TODO: OomScoreAdjChanged bool   // OomScoreAdjChanged specifies whether the OOM preferences
-	PidMode    string // PID namespace to use for the container
-	Privileged bool   // Is the container in privileged mode
-	// TODO: ReadonlyRootfs bool              // Is the container root filesystem in read-only
-	// TODO: SecurityOpt []string          // List of string values to customize labels for MLS systems, such as SELinux. (["key=value"])
-	Tmpfs   map[string]string `json:",omitempty"` // List of tmpfs (mounts) used for the container
-	UTSMode string            // UTS namespace to use for the container
-	ShmSize int64             // Size of /dev/shm in bytes. The size must be greater than 0.
-	Sysctls map[string]string `json:",omitempty"` // List of Namespaced sysctls used for the container
-	Runtime string            `json:",omitempty"` // Runtime to use with this container
+	PidMode        string            // PID namespace to use for the container
+	Privileged     bool              // Is the container in privileged mode
+	ReadonlyRootfs bool              // Is the container root filesystem in read-only
+	SecurityOpt    []string          // List of string values to customize labels for MLS systems, such as SELinux. (["key=value"])
+	Tmpfs          map[string]string `json:",omitempty"` // List of tmpfs (mounts) used for the container
+	UTSMode        string            // UTS namespace to use for the container
+	ShmSize        int64             // Size of /dev/shm in bytes. The size must be greater than 0.
+	Sysctls        map[string]string `json:",omitempty"` // List of Namespaced sysctls used for the container
+	Runtime        string            `json:",omitempty"` // Runtime to use with this container
 	// TODO: PublishAllPorts bool              // Should docker publish all exposed port for the container
 	// TODO: StorageOpt      map[string]string `json:",omitempty"` // Storage driver options per container.
 	// TODO: UsernsMode      UsernsMode        // The user namespace to use for the container

e2e/tests/container_create.go

@@ -1355,6 +1355,33 @@ func ContainerCreate(opt *option.Option) {
 			Expect(ok).Should(BeTrue())
 			Expect(runtimeName).Should(Equal(options.HostConfig.Runtime))
 		})
+
+		It("should create a container with readonly root filesystem", func() {
+			// Define options
+			options.Cmd = []string{"sleep", "Infinity"}
+			options.HostConfig.ReadonlyRootfs = true
+
+			// Create container
+			statusCode, ctr := createContainer(uClient, url, testContainerName, options)
+			Expect(statusCode).Should(Equal(http.StatusCreated))
+			Expect(ctr.ID).ShouldNot(BeEmpty())
+
+			// Additional verification through native inspect
+			nativeResp := command.Stdout(opt, "inspect", "--mode=native", testContainerName)
+			var nativeInspect []map[string]interface{}
+			err := json.Unmarshal(nativeResp, &nativeInspect)
+			Expect(err).Should(BeNil())
+			Expect(nativeInspect).Should(HaveLen(1))
+
+			// Verify readonly root in the spec
+			spec, ok := nativeInspect[0]["Spec"].(map[string]interface{})
+			Expect(ok).Should(BeTrue())
+			root, ok := spec["root"].(map[string]interface{})
+			Expect(ok).Should(BeTrue())
+			readonly, ok := root["readonly"].(bool)
+			Expect(ok).Should(BeTrue())
+			Expect(readonly).Should(BeTrue())
+		})
 	})
 }