Mount test

[liangchenye]

validate the runtime mount information by using docker/pkg/mount
and validate the rootfs readonly setting

[wking]

We should probably be using a logging framework for these so folks can adjust the verbosity.

[mrunalp]

We can use logrus which is already imported.

[cyphar]

Minor thing: If we're going to start pulling code from other repositories we should mention the license (I know it's the same as this project but it's a different project). We should also mention the commit ID of when we pulled it.

[liangchenye]

Thanks, LICENCE.md and commit ID are added.

[liangchenye]

Updated, PTAL @mrunalp @wking

[wking]

On Thu, Jun 02, 2016 at 02:13:36AM -0700, 梁辰晔 (Liang Chenye) wrote:

Updated, PTAL @mrunalp @wking

3f334dc → 49ecdec is forking and vendoring docker/pkg/mount? Can't
we get the Docker maintainers to agree on a more neutral place for
shared development? It seems inefficient to fork.

[liangchenye]

3f334dc → 49ecdec is forking and vendoring docker/pkg/mount? Can't
we get the Docker maintainers to agree on a more neutral place for
shared development? It seems inefficient to fork.

Yes, it is forking and vendoring docker/pkg/mount and does not take much time actually.
A neutral place is an elegant solution, the disadvantage is it still brings unnecessary code and I worried it will take a long time to convince Docker maintainers.

[mrunalp]

nit: infos -> mounts ?

[liangchenye]

The returned struct of mount.GetMounts() is named of 'Info", so I use infos previously.
Now it changes to mountInfos.

[mrunalp]

The check for mount options doesn't work for strictatime. It is passed as MS_STRICTATIME to the /dev mount syscall as it errors out when passed as an option. We should probably skip checking mount options or only check for ones that actually are visible in the mount output.

[wking]

On Mon, Jun 06, 2016 at 02:38:39PM -0700, Mrunal Patel wrote:

It is passed as MS_STRICTATIME to the /dev mount syscall as it
errors out when passed as an option…

Just to clarify, that distinction is ‘mountflags’ vs. ‘data’ in
mount(2). Does the “doesn't work in ‘data’” restriction apply to only
a subset of filesystem-independent mount options 1?

[mrunalp]

@wking Yes, it mountflags vs data. And yes I would think that the filesystem-independent options may or may not be visible in the output.

[liangchenye]

Remove 'option' checking for now for three reasons:

1. some flags like 'strictatime' are invisible but not all flags are not invisible.
   I did not see any rule about this in the mount page or document.
2. options like 'newinstance' is invisible too
   Also I did not see any explanation about it.
3. data like 'a=b' is could be detected, but the output format is a little different (mode=666 vs mode=0666). It will be complicated and may not cover all the differences.

[mrunalp]

LGTM. We need to remove cgroups mount from runc config which is non-standard. I'll create a follow-on PR for that.