From 69353377be193839d968ab450b82b7f03bbee7e9 Mon Sep 17 00:00:00 2001
From: Shishir Mahajan
Date: Thu, 25 Jun 2020 17:46:03 -0700
Subject: [PATCH] Ability to launch nomad job in read-only mode.
---
 containerd/containerd.go | 4 ++++
 containerd/driver.go | 26 ++++++++++++++------------
 2 files changed, 18 insertions(+), 12 deletions(-)
diff --git a/containerd/containerd.go b/containerd/containerd.go
index 051bb4e..5fa3c42 100644
--- a/containerd/containerd.go
+++ b/containerd/containerd.go
@@ -42,6 +42,10 @@ func (d *Driver) createContainer(image containerd.Image, containerName, containe
  opts = append(opts, oci.WithPrivileged)
  }
 
+ if config.ReadOnlyRootfs {
+ opts = append(opts, oci.WithRootFSReadonly())
+ }
+
  if len(config.CapAdd) > 0 {
  opts = append(opts, oci.WithAddedCapabilities(config.CapAdd))
  }
diff --git a/containerd/driver.go b/containerd/driver.go
index 101334e..67a532f 100644
--- a/containerd/driver.go
+++ b/containerd/driver.go
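Review bot: The new read-only option is appended unconditionally after `oci.WithPrivileged`, so a task that sets both `privileged = true` and `readonly_rootfs = true` gets a root filesystem marked read-only in the spec while still running with the capabilities that allow it to be remounted writable; the option is therefore a hardening aid, not an isolation boundary, when privileged is also set, and the docs should say so. A comment above the block such as `// Mark the root filesystem read-only in the OCI spec; writable scratch space must come from other mounts, and a privileged task can still remount it.` would make that intent clear to operators. It would also help to state in the driver's task-configuration docs, which this patch does not touch, that processes expecting to write under the rootfs (for example /tmp) will fail unless the job supplies a writable mount. createContainer's body begins and ends outside the hunk.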
@@ -69,12 +69,13 @@ var (
  // this is used to validate the configuration specified for the plugin
  // when a job is submitted.
  taskConfigSpec = hclspec.NewObject(map[string]*hclspec.Spec{
- "image": hclspec.NewAttr("image", "string", true),
- "command": hclspec.NewAttr("command", "string", false),
- "args": hclspec.NewAttr("args", "list(string)", false),
- "cap_add": hclspec.NewAttr("cap_add", "list(string)", false),
- "cap_drop": hclspec.NewAttr("cap_drop", "list(string)", false),
- "privileged": hclspec.NewAttr("privileged", "bool", false),
+ "image": hclspec.NewAttr("image", "string", true),
+ "command": hclspec.NewAttr("command", "string", false),
+ "args": hclspec.NewAttr("args", "list(string)", false),
+ "cap_add": hclspec.NewAttr("cap_add", "list(string)", false),
+ "cap_drop": hclspec.NewAttr("cap_drop", "list(string)", false),
+ "privileged": hclspec.NewAttr("privileged", "bool", false),
+ "readonly_rootfs": hclspec.NewAttr("readonly_rootfs", "bool", false),
  })
 
  // capabilities indicates what optional features this driver supports
@@ -97,12 +98,13 @@ type Config struct {
  // TaskConfig contains configuration information for a task that runs with
  // this plugin
  type TaskConfig struct {
- Image string `codec:"image"`
- Command string `codec:"command"`
- Args []string `codec:"args"`
- CapAdd []string `codec:"cap_add"`
- CapDrop []string `codec:"cap_drop"`
- Privileged bool `codec:"privileged"`
+ Image string `codec:"image"`
+ Command string `codec:"command"`
+ Args []string `codec:"args"`
+ CapAdd []string `codec:"cap_add"`
+ CapDrop []string `codec:"cap_drop"`
+ Privileged bool `codec:"privileged"`
+ ReadOnlyRootfs bool `codec:"readonly_rootfs"`
  }
 
  // TaskState is the runtime state which is encoded in the handle returned to
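Review bot: The new `ReadOnlyRootfs` field in TaskConfig carries no doc comment, and nothing in either hunk records that the option defaults to false (a writable rootfs, so existing jobs keep their current behavior); add `// ReadOnlyRootfs mounts the container root filesystem read-only; defaults to false.` above the field, and the same sentence belongs in the driver's README task-config table, which the diffstat shows is not updated. Keeping the `codec` tag and the hclspec attribute name identical (`readonly_rootfs`) is correct, since a mismatch would make the option silently unreadable. Most of the `-`/`+` pairs in both hunks are gofmt realignment rather than changes, which is fine but worth a line in the commit message so reviewers do not look for behavior changes there. The `var (` block enclosing taskConfigSpec starts outside the first hunk.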