projectatomic / docker

Docker - the open-source application container engine
http://www.docker.com
Apache License 2.0

/dev should not be readonly with --readonly flag #283

Closed rhatdan closed 6 years ago

rhatdan commented 6 years ago

/dev is mounted on a tmpfs inside of a container. Processes inside of containers sometimes need to create device nodes, or to set up a socket that listens on /dev/log. Allowing these containers to run with the --readonly flag makes sense. Making a tmpfs readonly does not add any security to the container, since there are plenty of places where the container can write tmpfs content.

I have no idea why /dev was excluded.

Signed-off-by: Daniel J Walsh dwalsh@redhat.com

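As an added example (not part of this PR or of the Docker code base), a POSIX shell function that reads /proc/self/mountinfo-format lines and lists which tmpfs mounts are read-only and which remain writable. Run against a real container (`cat /proc/self/mountinfo | tmpfs_mounts rw`) it shows the point made above: marking /dev read-only still leaves other writable tmpfs mounts such as /dev/shm and /tmp. The mountinfo sample below is constructed, modelled on a container started with --read-only where /dev was mounted ro.

```shell
# List tmpfs mounts from /proc/self/mountinfo-format input on stdin.
# Usage: tmpfs_mounts rw  -> mount points of tmpfs mounts that are writable
#        tmpfs_mounts ro  -> mount points of tmpfs mounts that are read-only
# mountinfo fields: id parent maj:min root mountpoint opts [optional...] - fstype source superopts
tmpfs_mounts() {
  awk -v want="$1" '
  {
    # the filesystem type follows the "-" separator, after any optional fields
    fstype = ""
    for (i = 7; i <= NF; i++) if ($i == "-") { fstype = $(i + 1); break }
    if (fstype != "tmpfs") next
    # per-mount options (field 6) carry the "ro" that a read-only (re)mount sets
    n = split($6, opts, ",")
    state = "rw"
    for (j = 1; j <= n; j++) if (opts[j] == "ro") state = "ro"
    if (state == want) print $5
  }'
}

# Constructed sample (not captured from a real host): rootfs and /dev are ro,
# while /dev/shm and /tmp are still writable tmpfs.
SAMPLE_MOUNTINFO='101 100 0:50 / / ro,relatime - overlay overlay rw,lowerdir=/lower,upperdir=/upper
102 101 0:52 / /dev ro,nosuid - tmpfs tmpfs rw,size=65536k,mode=755
103 102 0:53 / /dev/shm rw,nosuid,nodev,noexec,relatime - tmpfs shm rw,size=65536k
104 101 0:54 / /tmp rw,nosuid,nodev,noexec,relatime - tmpfs tmpfs rw
105 101 0:55 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw'

printf 'read-only tmpfs:\n'
printf '%s\n' "$SAMPLE_MOUNTINFO" | tmpfs_mounts ro
printf 'writable tmpfs:\n'
printf '%s\n' "$SAMPLE_MOUNTINFO" | tmpfs_mounts rw
```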

rhatdan commented 6 years ago

@runcom PTAL This was just merged upstream.

rhatdan commented 6 years ago

https://github.com/moby/moby/pull/35344