arcalot · dustinblack · May 7, 2024 · May 7, 2024 · May 8, 2024 · webbnh
diff --git a/connector.go b/connector.go
@@ -48,7 +48,8 @@ func (c *Connector) Deploy(ctx context.Context, image string) (deployer.Plugin,
 		SetVolumes(hostConfig.Binds).
 		SetCgroupNs(string(hostConfig.CgroupnsMode)).
 		SetNetworkMode(string(hostConfig.NetworkMode)).
-		SetPrivileged(hostConfig.Privileged)
+		SetPrivileged(hostConfig.Privileged).
+		SetReadOnlyRoot(&hostConfig.ReadonlyRootfs)
 
 	stdin, stdout, err := c.podmanCliWrapper.Deploy(image, commandArgs, []string{"--atp"})
 

diff --git a/internal/argsbuilder/argsbuilder.go b/internal/argsbuilder/argsbuilder.go
@@ -1,6 +1,7 @@
 package argsbuilder
 
 import (
+	"strconv"
 	"strings"
 )
 
@@ -53,3 +54,10 @@ func (a *argsBuilder) SetPrivileged(privileged bool) ArgsBuilder {
 	}
 	return a
 }
+
+func (a *argsBuilder) SetReadOnlyRoot(readOnlyRootfs *bool) ArgsBuilder {
+	if readOnlyRootfs != nil {
+		*a.commandArgs = append(*a.commandArgs, "--read-only="+strconv.FormatBool(*readOnlyRootfs))
+	}
+	return a
+}
diff --git a/internal/argsbuilder/argsbuilder_interface.go b/internal/argsbuilder/argsbuilder_interface.go
@@ -7,6 +7,7 @@ type ArgsBuilder interface {
 	SetContainerName(name string) ArgsBuilder
 	SetNetworkMode(networkMode string) ArgsBuilder
 	SetPrivileged(privileged bool) ArgsBuilder
+	SetReadOnlyRoot(readOnlyRootfs *bool) ArgsBuilder
 }
 
 func NewBuilder(commandArgs *[]string) ArgsBuilder {

diff --git a/schema.go b/schema.go
@@ -340,6 +340,16 @@ var Schema = schema.NewTypedScopeSchema[*Config](
 				schema.PointerTo(util.JSONEncode(false)),
 				nil,
 			),
+			"ReadonlyRootfs": schema.NewPropertySchema(
+				schema.NewBoolSchema(),
+				schema.NewDisplayValue(schema.PointerTo("ReadonlyRootfs"), schema.PointerTo("Execute container process with or without a read only root file system"), nil),
+				false,
+				nil,
+				nil,
+				nil,
+				nil,
+				nil,
+			),
 		},
 	),
 	schema.NewStructMappedObjectSchema[*nat.PortBinding](