lxd/device/disk: Consider readonly for other volume types

Prior to this change, the following disk types could have `readonly: true` in their device config and still be mounted rw in VMs: - root disks - cloud-init config drive (unknown to me if a CD image would be writable) - `source: ceph:...` disks - Delegated ceph block volumes Signed-off-by: Wesley Hershberger <[email protected]>
canonical · Feb 27, 2025 · 5a43b28 · 5a43b28
1 parent 16abd2c
commit 5a43b28
Showing 1 changed file with 4 additions and 4 deletions.
diff --git a/lxd/device/disk.go b/lxd/device/disk.go
@@ -1052,6 +1052,10 @@ func (d *disk) startVM() (*deviceConfig.RunConfig, error) {
 		opts = append(opts, "cache="+d.config["io.cache"])
 	}
 
+	if shared.IsTrue(d.config["readonly"]) || d.config["source.snapshot"] != "" {
+		opts = append(opts, "ro")
+	}
+
 	// Add I/O limits if set.
 	var diskLimits *deviceConfig.DiskLimits
 	if d.config["limits.read"] != "" || d.config["limits.write"] != "" || d.config["limits.max"] != "" {
@@ -1228,10 +1232,6 @@ func (d *disk) startVM() (*deviceConfig.RunConfig, error) {
 				mount.Opts = append(mount.Opts, d.detectVMPoolMountOpts()...)
 			}
 
-			if shared.IsTrue(d.config["readonly"]) || d.config["source.snapshot"] != "" {
-				mount.Opts = append(mount.Opts, "ro")
-			}
-
 			// If the source being added is a directory or cephfs share, then we will use the lxd-agent
 			// directory sharing feature to mount the directory inside the VM, and as such we need to
 			// indicate to the VM the target path to mount to.