diff --git a/crates/openshell-driver-docker/src/lib.rs b/crates/openshell-driver-docker/src/lib.rs
index db197685d..a74609fb5 100644
--- a/crates/openshell-driver-docker/src/lib.rs
+++ b/crates/openshell-driver-docker/src/lib.rs
@@ -9,8 +9,8 @@ use bollard::Docker;
 use bollard::errors::Error as BollardError;
 use bollard::models::{
 ContainerCreateBody, ContainerSummary, ContainerSummaryStateEnum, DeviceRequest,
- EndpointSettings, HostConfig, Mount, MountTypeEnum, NetworkCreateRequest, NetworkingConfig,
- RestartPolicy, RestartPolicyNameEnum, SystemInfo,
+ EndpointSettings, HostConfig, NetworkCreateRequest, NetworkingConfig, RestartPolicy,
+ RestartPolicyNameEnum, SystemInfo,
 };
 use bollard::query_parameters::{
 CreateContainerOptionsBuilder, CreateImageOptions, DownloadFromContainerOptionsBuilder,
@@ -865,28 +865,22 @@ impl ComputeDriver for DockerComputeDriver {
 }
 }

-fn build_mounts(config: &DockerDriverRuntimeConfig) -> Vec {
- let mut mounts = vec![bind_mount(
- &config.supervisor_bin,
- SUPERVISOR_MOUNT_PATH,
- true,
+fn build_binds(config: &DockerDriverRuntimeConfig) -> Vec {
+ let mut binds = vec![format!(
+ "{}:{}:ro,z",
+ config.supervisor_bin.display(),
+ SUPERVISOR_MOUNT_PATH
 )];
 if let Some(tls) = &config.guest_tls {
- mounts.push(bind_mount(&tls.ca, TLS_CA_MOUNT_PATH, true));
- mounts.push(bind_mount(&tls.cert, TLS_CERT_MOUNT_PATH, true));
- mounts.push(bind_mount(&tls.key, TLS_KEY_MOUNT_PATH, true));
- }
- mounts
-}
-
-fn bind_mount(source: &Path, target: &str, read_only: bool) -> Mount {
- Mount {
- target: Some(target.to_string()),
- source: Some(source.display().to_string()),
- typ: Some(MountTypeEnum::BIND),
- read_only: Some(read_only),
- ..Default::default()
+ binds.push(format!("{}:{}:ro,z", tls.ca.display(), TLS_CA_MOUNT_PATH));
+ binds.push(format!(
+ "{}:{}:ro,z",
+ tls.cert.display(),
+ TLS_CERT_MOUNT_PATH
+ ));
+ binds.push(format!("{}:{}:ro,z", tls.key.display(), TLS_KEY_MOUNT_PATH));
 }
+ binds
 }

 fn build_environment(sandbox: &DriverSandbox, config: &DockerDriverRuntimeConfig) -> Vec {
@@ -999,7 +993,7 @@ fn build_container_create_body(
 nano_cpus: resource_limits.nano_cpus,
 memory: resource_limits.memory_bytes,
 device_requests: docker_gpu_device_requests(spec.gpu),
- mounts: Some(build_mounts(config)),
+ binds: Some(build_binds(config)),
 restart_policy: Some(RestartPolicy {
 name: Some(RestartPolicyNameEnum::UNLESS_STOPPED),
 maximum_retry_count: None,
diff --git a/crates/openshell-driver-docker/src/tests.rs b/crates/openshell-driver-docker/src/tests.rs
index 41c9a5901..c89019398 100644
--- a/crates/openshell-driver-docker/src/tests.rs
+++ b/crates/openshell-driver-docker/src/tests.rs
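Review bot: A missing or mistyped host path is no longer an error in `build_binds` (lib.rs): with legacy bind strings the Docker daemon creates an absent source as a directory, where the bind `Mount` being replaced failed the create call, so a wrong `guest_tls` key path would start the sandbox with an empty directory at `TLS_KEY_MOUNT_PATH`. The `format!("{}:{}:ro,z", …)` form also cannot represent a host path that contains `:`; the daemon will reject or misparse such a spec. Whether the runtime config already checks these paths is not visible here; if it does not, I would check that each one is an absolute path to an existing file without `:` before the container body is built. The `z` option relabels the host files, the TLS private key included, for shared container access on SELinux hosts, which deserves a comment above the function, e.g. `// Bind strings rather than Mounts so the z relabel option can be passed; z relabels the host file as shared between containers.`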
@@ -317,11 +317,11 @@ fn build_environment_keeps_path_driver_controlled() {
 }

 #[test]
-fn build_mounts_uses_docker_tls_directory() {
- let mounts = build_mounts(&runtime_config());
- let targets = mounts
+fn build_binds_uses_docker_tls_directory() {
+ let binds = build_binds(&runtime_config());
+ let targets = binds
 .iter()
- .filter_map(|mount| mount.target.clone())
+ .filter_map(|bind| bind.split(':').nth(1).map(String::from))
 .collect::>();
 assert!(targets.contains(&SUPERVISOR_MOUNT_PATH.to_string()));
 assert!(targets.contains(&TLS_CA_MOUNT_PATH.to_string()));
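Review bot: Nothing in `build_binds_uses_docker_tls_directory` pins the `ro` flag or the `z` option, which now exist only as a substring of a formatted string rather than as a typed `read_only` field; the test still checks mount targets alone. A regression that drops `ro` from the TLS key bind would pass, so I would add `assert!(binds.iter().all(|bind| bind.ends_with(":ro,z")));` right after the `build_binds` call. `bind.split(':').nth(1)` also assumes the fixture's host paths contain no colon, which is worth a one-line comment. The function body continues past the end of the hunk.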