Merge pull request #33087 from Microsoft/jjh/blockreadonly

Windows: Block read-only
Upstream-commit: 6e0e283387e78c912d7ae482d333d3b81e003bf8
Component: engine

components/engine/runconfig/config.go

@@ -79,6 +79,11 @@ func DecodeContainerConfig(src io.Reader) (*container.Config, *container.HostCon
 		return nil, nil, nil, err
 	}
 
+	// Validate ReadonlyRootfs
+	if err := validateReadonlyRootfs(hc); err != nil {
+		return nil, nil, nil, err
+	}
+
 	return w.Config, hc, w.NetworkingConfig, nil
 }
 

components/engine/runconfig/hostconfig_unix.go

@@ -103,3 +103,8 @@ func validateResources(hc *container.HostConfig, si *sysinfo.SysInfo) error {
 func validatePrivileged(hc *container.HostConfig) error {
 	return nil
 }
+
+// validateReadonlyRootfs performs platform specific validation of the ReadonlyRootfs setting
+func validateReadonlyRootfs(hc *container.HostConfig) error {
+	return nil
+}

components/engine/runconfig/hostconfig_windows.go

@@ -82,3 +82,15 @@ func validatePrivileged(hc *container.HostConfig) error {
 	}
 	return nil
 }
+
+// validateReadonlyRootfs performs platform specific validation of the ReadonlyRootfs setting
+func validateReadonlyRootfs(hc *container.HostConfig) error {
+	// We may not be passed a host config, such as in the case of docker commit
+	if hc == nil {
+		return nil
+	}
+	if hc.ReadonlyRootfs {
+		return fmt.Errorf("invalid --read-only: Windows does not support this feature")
+	}
+	return nil
+}