diff --git a/cmd/oci-runtime-tool/generate.go b/cmd/oci-runtime-tool/generate.go
index 3509a88f9..2bb86b394 100644
--- a/cmd/oci-runtime-tool/generate.go
+++ b/cmd/oci-runtime-tool/generate.go
@@ -59,10 +59,10 @@ var generateFlags = []cli.Flag{
 cli.StringSliceFlag{Name: "poststop", Usage: "set command to run in poststop hooks"},
 cli.StringSliceFlag{Name: "prestart", Usage: "set command to run in prestart hooks"},
 cli.BoolFlag{Name: "privileged", Usage: "enable privileged container settings"},
- cli.BoolFlag{Name: "read-only", Usage: "make the container's rootfs read-only"},
 cli.StringSliceFlag{Name: "readonly-paths", Usage: "specifies paths readonly inside container"},
- cli.StringFlag{Name: "root-propagation", Usage: "mount propagation for root"},
- cli.StringFlag{Name: "rootfs", Value: "rootfs", Usage: "path to the rootfs"},
+ cli.StringFlag{Name: "rootfs-path", Value: "rootfs", Usage: "path to the root filesystem"},
+ cli.StringFlag{Name: "rootfs-propagation", Usage: "mount propagation for rootfs"},
+ cli.BoolFlag{Name: "rootfs-readonly", Usage: "make the container's rootfs readonly"},
 cli.StringFlag{Name: "seccomp-allow", Usage: "specifies syscalls to respond with allow"},
 cli.StringFlag{Name: "seccomp-arch", Usage: "specifies additional architectures permitted to be used for system calls"},
 cli.StringFlag{Name: "seccomp-default", Usage: "specifies default action to be used for system calls and removes existing rules with specified action"},
@@ -155,10 +155,10 @@ func setupSpec(g *generate.Generator, context *cli.Context) error {
 }
 }
- g.SetRootPath(context.String("rootfs"))
+ g.SetRootPath(context.String("rootfs-path"))
- if context.IsSet("read-only") {
- g.SetRootReadonly(context.Bool("read-only"))
+ if context.IsSet("rootfs-readonly") {
+ g.SetRootReadonly(context.Bool("rootfs-readonly"))
 }
 if context.IsSet("uid") {
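Review bot: The `read-only`, `root-propagation` and `rootfs` entries are removed from `generateFlags` with no alias or deprecation path, so existing invocations break on upgrade. `--read-only` is a hardening switch: a wrapper that keeps passing it now relies on the flag parser rejecting the unknown name and on the caller checking that failure, otherwise a bundle expected to have a read-only rootfs may not get one. At minimum make the rename discoverable in the help text, e.g. `cli.BoolFlag{Name: "rootfs-readonly", Usage: "make the container's rootfs readonly (formerly --read-only)"},`, and likewise for the other two flags.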
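Review bot: `g.SetRootPath(context.String("rootfs-path"))` runs unconditionally, unlike the `rootfs-readonly` block right below it, which is guarded by `context.IsSet`. Because the flag is declared with `Value: "rootfs"`, that default is written into the spec on every run; if the generator can reach this point already populated (for example from a template, which is not visible in this hunk), its root path would be silently replaced. Consider `if context.IsSet("rootfs-path") { g.SetRootPath(context.String("rootfs-path")) }`, provided the generator already supplies its own default root path. setupSpec starts and ends outside the hunk.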
@@ -335,8 +335,8 @@ func setupSpec(g *generate.Generator, context *cli.Context) error {
 }
 }
- if context.IsSet("root-propagation") {
- rp := context.String("root-propagation")
+ if context.IsSet("rootfs-propagation") {
+ rp := context.String("rootfs-propagation")
 if err := g.SetLinuxRootPropagation(rp); err != nil {
 return err
 }
diff --git a/completions/bash/oci-runtime-tool b/completions/bash/oci-runtime-tool
index 2f1faf8ed..1d095a6eb 100644
--- a/completions/bash/oci-runtime-tool
+++ b/completions/bash/oci-runtime-tool
@@ -299,8 +299,8 @@ _oci-runtime-tool_generate() {
 --poststop
 --prestart
 --readonly-paths
- --root-propagation
- --rootfs
+ --rootfs-path
+ --rootfs-propagation
 --seccomp-allow
 --seccomp-arch
 --seccomp-default
@@ -326,7 +326,7 @@ _oci-runtime-tool_generate() {
 local boolean_options="
 --no-new-privileges
 --privileged
- --read-only
+ --rootfs-readonly
 --tty
 "
diff --git a/man/oci-runtime-tool-generate.1.md b/man/oci-runtime-tool-generate.1.md
index d7ba38866..dd87b8cb4 100644
--- a/man/oci-runtime-tool-generate.1.md
+++ b/man/oci-runtime-tool-generate.1.md
@@ -214,17 +214,17 @@ read the configuration from `config.json`.
 Specifies paths readonly inside container. e.g. --readonly-paths=/proc/sys
 This option can be specified multiple times.
-**--read-only**=true|false
- Mount the container's root filesystem as read only.
-
- By default a container will have its root filesystem writable allowing processes to write files anywhere. By specifying the `--read-only` flag the container will have its root filesystem mounted as read only prohibiting any writes.
+**--rootfs-path**=ROOTFSPATH
+ Path to the root filesystem
-**--root-propagation**=PROPOGATIONMODE
+**--rootfs-propagation**=PROPOGATIONMODE
 Mount propagation for root filesystem.
 Values are "shared, rshared, private, rprivate, slave, rslave"
-**--rootfs**=ROOTFSPATH
- Path to the rootfs
+**--rootfs-readonly**=true|false
+ Mount the container's root filesystem as read only.
+
+ By default a container will have its root filesystem writable allowing processes to write files anywhere. By specifying the `--rootfs-readonly` flag the container will have its root filesystem mounted as read only prohibiting any writes.
 **--seccomp-allow**=SYSCALL
 Specifies syscalls to be added to the ALLOW list.