chore: add ReadonlyRootfs and SecurityOpt option

Signed-off-by: Arjun Raja Yogidas <[email protected]>
runfinch · Dec 10, 2024 · e7f9e86 · e7f9e86
1 parent 2fa691c
commit e7f9e86
Show file tree

Hide file tree

Showing 3 changed files with 38 additions and 7 deletions.
diff --git a/api/handlers/container/create.go b/api/handlers/container/create.go
@@ -154,6 +154,11 @@ func (h *handler) create(w http.ResponseWriter, r *http.Request) {
 		groupAdd = req.HostConfig.GroupAdd
 	}
 
+	securityOpt := []string{}
+	if req.HostConfig.SecurityOpt != nil {
+		securityOpt = req.HostConfig.SecurityOpt
+	}
+
 	globalOpt := ncTypes.GlobalCommandOptions(*h.Config)
 	createOpt := ncTypes.ContainerCreateOptions{
 		Stdout:   nil,
@@ -205,7 +210,7 @@ func (h *handler) create(w http.ResponseWriter, r *http.Request) {
 		// #endregion
 
 		// #region for security flags
-		SecurityOpt: []string{}, // nerdctl default.
+		SecurityOpt: securityOpt, // nerdctl default.
 		CapAdd:      capAdd,
 		CapDrop:     capDrop,
 		Privileged:  req.HostConfig.Privileged,
@@ -246,6 +251,9 @@ func (h *handler) create(w http.ResponseWriter, r *http.Request) {
 			Stderr:        nil,
 		},
 		// #endregion
+
+		// #region for rootfs flags
+		ReadOnly: req.HostConfig.ReadonlyRootfs, // Is the container root filesystem in read-only
 	}
 
 	portMappings, err := translatePortMappings(req.HostConfig.PortBindings)

diff --git a/api/handlers/container/create_test.go b/api/handlers/container/create_test.go
@@ -652,6 +652,29 @@ var _ = Describe("Container Create API ", func() {
 			Expect(rr.Body).Should(MatchJSON(jsonResponse))
 		})
 
+		It("should set ReadonlyRootfs and SecurityOpt option", func() {
+			body := []byte(`{
+				"Image": "test-image",
+				"HostConfig": {
+					"ReadonlyRootfs": true,
+					"SecurityOpt": [ "seccomp=/path/to/custom_seccomp.json", "apparmor=unconfined"]
+				}
+			}`)
+			req, _ := http.NewRequest(http.MethodPost, "/containers/create", bytes.NewReader(body))
+
+			// expected create options
+			createOpt.ReadOnly = true
+			createOpt.SecurityOpt = []string{"seccomp=/path/to/custom_seccomp.json", "apparmor=unconfined"}
+
+			service.EXPECT().Create(gomock.Any(), "test-image", nil, equalTo(createOpt), equalTo(netOpt)).Return(
+				cid, nil)
+
+			// handler should return success message with 201 status code.
+			h.create(rr, req)
+			Expect(rr).Should(HaveHTTPStatus(http.StatusCreated))
+			Expect(rr.Body).Should(MatchJSON(jsonResponse))
+		})
+
 		It("should return 404 if the image was not found", func() {
 			body := []byte(`{"Image": "test-image"}`)
 			req, _ := http.NewRequest(http.MethodPost, "/containers/create", bytes.NewReader(body))

diff --git a/api/types/container_types.go b/api/types/container_types.go
@@ -81,13 +81,13 @@ type ContainerHostConfig struct {
 	IpcMode    string   // IPC namespace to use for the container
 	// TODO: Cgroup          CgroupSpec        // Cgroup to use for the container
 	// TODO: Links           []string          // List of links (in the name:alias form)
-	OomKillDisable bool   // specifies whether to disable OOM Killer
-	OomScoreAdj    int    // specifies the tune container’s OOM preferences (-1000 to 1000, rootless: 100 to 1000)
-	PidMode        string // PID namespace to use for the container
-	Privileged     bool   // Is the container in privileged mode
+	OomKillDisable bool     // specifies whether to disable OOM Killer
+	OomScoreAdj    int      // specifies the tune container’s OOM preferences (-1000 to 1000, rootless: 100 to 1000)
+	PidMode        string   // PID namespace to use for the container
+	Privileged     bool     // Is the container in privileged mode
+	ReadonlyRootfs bool     // Is the container root filesystem in read-only
+	SecurityOpt    []string // List of string values to customize labels for MLS systems, such as SELinux. (["key=value"])
 	// TODO: PublishAllPorts bool              // Should docker publish all exposed port for the container
-	// TODO: ReadonlyRootfs  bool              // Is the container root filesystem in read-only
-	// TODO: SecurityOpt     []string          // List of string values to customize labels for MLS systems, such as SELinux.
 	// TODO: StorageOpt      map[string]string `json:",omitempty"` // Storage driver options per container.
 	// TODO: Tmpfs           map[string]string `json:",omitempty"` // List of tmpfs (mounts) used for the container
 	// TODO: UTSMode         UTSMode           // UTS namespace to use for the container