hashicorp / nomad-driver-virt

Mozilla Public License 2.0

Nomad alloc dir, task dir, and secrets dir are mounted read-only #69

Closed tgross closed 3 weeks ago

tgross commented 3 weeks ago

The Nomad alloc dir, task dir, and secrets dir are mounted via the following qemu arguments:

-fsdev local,security_model=mapped,id=fsdev-fs0,path=/run/nomad/dev/data/alloc/9e4ccafc-f877-15b5-8620-cd2562322c02/alloc,readonly \
-device virtio-9p-pci,id=fs0,fsdev=fsdev-fs0,mount_tag=allocDir,bus=pci.0,addr=0x2 \
-fsdev local,security_model=mapped,id=fsdev-fs1,path=/run/nomad/dev/data/alloc/9e4ccafc-f877-15b5-8620-cd2562322c02/vm/local,readonly \
-device virtio-9p-pci,id=fs1,fsdev=fsdev-fs1,mount_tag=localDir,bus=pci.0,addr=0x3 \
-fsdev local,security_model=mapped,id=fsdev-fs2,path=/run/nomad/dev/data/alloc/9e4ccafc-f877-15b5-8620-cd2562322c02/vm/secrets,readonly \
-device virtio-9p-pci,id=fs2,fsdev=fsdev-fs2,mount_tag=secretsDir,bus=pci.0,addr=0x4

This results in read-only file systems in the VM:

$ touch /secrets/foo.txt
touch: cannot touch '/secrets/foo.txt': Read-only file system

jrasell commented 3 weeks ago

Hi @tgross and thanks for raising this issue. While this is surprising, it is currently expected behaviour as we have concerns that allowing read/write could allow a VM to write arbitrarily large amounts of data to the directories, filling up the host and causing cascading problems.

I'll follow up with a note within the README to call this out, and will keep this issue open as we certainly want to remove this restriction in the future.
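As an added example (not code from nomad-driver-virt or from either commenter), the Go program below renders the `-fsdev`/`-device` pairs in the shape shown in the report and audits a qemu argument list for 9p shares whose fsdev lacks `readonly`, which is the check a reviewer would run to confirm the host-disk-filling concern raised in the reply is actually closed off. The `Share` type, `fsdevArgs` and `WritableShares` are hypothetical helpers for this example; `issueArgs` is the argument list quoted in the issue, split into flag/value pairs as qemu receives them.

```go
package main

import (
	"fmt"
	"strings"
)

// Share describes one host directory exported into the guest over virtio-9p.
// Hypothetical type for this example, not the driver's own.
type Share struct {
	HostPath string
	MountTag string
	ReadOnly bool
}

// fsdevArgs renders the -fsdev/-device pair for one share, mirroring the
// argument shape from the issue. i selects the fsdev/device ids and the PCI
// address (the issue's shares start at addr=0x2).
func fsdevArgs(i int, s Share) []string {
	fsdev := fmt.Sprintf("local,security_model=mapped,id=fsdev-fs%d,path=%s", i, s.HostPath)
	if s.ReadOnly {
		fsdev += ",readonly"
	}
	dev := fmt.Sprintf("virtio-9p-pci,id=fs%d,fsdev=fsdev-fs%d,mount_tag=%s,bus=pci.0,addr=0x%x",
		i, i, s.MountTag, i+2)
	return []string{"-fsdev", fsdev, "-device", dev}
}

// WritableShares scans a qemu argument list (flag, value, flag, value, ...)
// and returns the mount tags of 9p shares whose fsdev carries neither
// "readonly" nor "readonly=on", i.e. shares the guest could write back to
// the host through.
func WritableShares(args []string) []string {
	readOnly := map[string]bool{} // fsdev id -> exported read-only?
	for i := 0; i+1 < len(args); i++ {
		if args[i] != "-fsdev" {
			continue
		}
		id, ro := "", false
		for _, kv := range strings.Split(args[i+1], ",") {
			switch {
			case strings.HasPrefix(kv, "id="):
				id = strings.TrimPrefix(kv, "id=")
			case kv == "readonly" || kv == "readonly=on":
				ro = true
			}
		}
		readOnly[id] = ro
	}
	var writable []string
	for i := 0; i+1 < len(args); i++ {
		if args[i] != "-device" {
			continue
		}
		fsdev, tag := "", ""
		for _, kv := range strings.Split(args[i+1], ",") {
			switch {
			case strings.HasPrefix(kv, "fsdev="):
				fsdev = strings.TrimPrefix(kv, "fsdev=")
			case strings.HasPrefix(kv, "mount_tag="):
				tag = strings.TrimPrefix(kv, "mount_tag=")
			}
		}
		if ro, ok := readOnly[fsdev]; ok && !ro {
			writable = append(writable, tag)
		}
	}
	return writable
}

// issueArgs is the argument list quoted in the issue, split into pairs.
var issueArgs = []string{
	"-fsdev", "local,security_model=mapped,id=fsdev-fs0,path=/run/nomad/dev/data/alloc/9e4ccafc-f877-15b5-8620-cd2562322c02/alloc,readonly",
	"-device", "virtio-9p-pci,id=fs0,fsdev=fsdev-fs0,mount_tag=allocDir,bus=pci.0,addr=0x2",
	"-fsdev", "local,security_model=mapped,id=fsdev-fs1,path=/run/nomad/dev/data/alloc/9e4ccafc-f877-15b5-8620-cd2562322c02/vm/local,readonly",
	"-device", "virtio-9p-pci,id=fs1,fsdev=fsdev-fs1,mount_tag=localDir,bus=pci.0,addr=0x3",
	"-fsdev", "local,security_model=mapped,id=fsdev-fs2,path=/run/nomad/dev/data/alloc/9e4ccafc-f877-15b5-8620-cd2562322c02/vm/secrets,readonly",
	"-device", "virtio-9p-pci,id=fs2,fsdev=fsdev-fs2,mount_tag=secretsDir,bus=pci.0,addr=0x4",
}

func main() {
	fmt.Println("writable shares in the issue's args:", WritableShares(issueArgs))
	// A constructed scratch share exported read-write shows up in the audit.
	scratch := Share{HostPath: "/tmp/scratch", MountTag: "scratch"}
	args := append(append([]string{}, issueArgs...), fsdevArgs(3, scratch)...)
	fmt.Println("writable shares after adding a rw scratch dir:", WritableShares(args))
}
```

Running the audit over the issue's arguments returns no tags, which matches the read-only behaviour tgross observed; adding a share without `readonly` makes its mount tag appear, which is the condition a host-side disk-quota or size limit would have to cover before the restriction is lifted.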