--read-write-tmpfs=false should set /dev/* tmpfs to readonly #12954
Conversation
openshift-ci
bot
added
do-not-merge/work-in-progress
|
@giuseppe When I do this I attempt to make /dev, /dev/tty, /dev/shm, /dev/mqueue as read-only but crun blows up with ./bin/podman run -ti --read-only --read-only-tmpfs=false alpine sh |
|
I've fixed an issue in crun so it works when I've tried with runc and it fails as well, so I think it should be optional to set |
|
this seems to help with your PR: containers/crun#859 |
|
@kolyshkin WDYT? |
|
I think if we leave any tmpfs writable, we don't solve the problem. |
|
Fixes: #12937 |
|
As @giuseppe mentioned earlier, runc can't work with ro /dev, but this fix is easy opencontainers/runc#3345 (and very similar to containers/crun#857). One other thing, @rhatdan, I also find it very confusing how |
|
@kolyshkin I am not crazy about adding another function, Since I believe the original goal of --read-only-tmpfs (A badly named option, which we should probably change) was to make the entire container read-only. (At least the way I think about it). |
|
Changed the option to read-write-tmpfs. |
rhatdan
changed the title
rhatdan
added
the
kind/feature
|
This PR is waiting for an updated released version of runc, which will allow it to work with /dev set to read/only mode. |
Depending on how soon you need it. We can certainly release runc 1.1.1, either now (= soon) with this change alone, or a bit later, waiting for a few more fixes to pile up. |
Backport PR: opencontainers/runc#3355 |
|
Well since this is a post 4.0 feature, it is not needed immediately, but soon. |
rhatdan
force-pushed
the
tmpfs
branch
2 times, most recently
from
ecc6563
to
9329fca
Compare
rhatdan
changed the title
openshift-ci
bot
removed
the
do-not-merge/work-in-progress
rhatdan
force-pushed
the
tmpfs
branch
3 times, most recently
from
23268a9
to
8f10141
Compare
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: rhatdan The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
rhatdan
force-pushed
the
tmpfs
branch
3 times, most recently
from
68c331b
to
28e0ef1
Compare
openshift-merge-robot
added
the
needs-rebase
openshift-merge-robot
removed
the
needs-rebase
github-actions
bot
added
the
kind/api-change
rhatdan
force-pushed
the
tmpfs
branch
3 times, most recently
from
eac20a3
to
1f312b6
Compare
|
This is my fault, #16240. Can you run |
| ####> are applicable to all of those. | ||
| #### **--read-write-tmpfs** | ||
|
|
||
| If container is running in --read-only mode, then mount a read-write tmpfs on /run, /tmp, and /var/tmp. When false, Podman the entire container has no tmpfs that are read/write unless specified on the command line. Podman mounts /dev, /dev/mqueue, /dev/pts, /dev/shm as read only. The default is *true* |
There was a problem hiding this comment.
When false, Podman the entire container
Does not parse. I think Podman is the part that needs to go, but I'm not sure what the intention was.
Did you deliberately un-underscore the directory names? Our guidelines say:
Strings of characters or numbers can be highlighted with
backticks. Paths of any kind must be highlighted.
(which suggests that backticks are preferred, underscores are ok, but leaving them unadorned is not).
| run_podman run --rm --read-only $IMAGE touch ${rwdir}/foo | ||
| run_podman run --rm --read-only --read-write-tmpfs=true $IMAGE touch ${rwdir}/foo | ||
| run_podman 1 run --rm --read-only --read-write-tmpfs=false $IMAGE touch ${rwdir}/foo | ||
| is "$output" "touch: ${rwdir}/foo: Read-only file system" "Should fail with ${rwdir}/foo read only file system" |
There was a problem hiding this comment.
Inconsistent indentation: some of these are tabs, some are eight spaces.
| # FIXME once ubuntu gets a newer crun | ||
| if is_ubuntu; then | ||
| if [ $(podman_runtime) == "crun" ]; then | ||
| skip "The version of crun shipped by ubuntu is too old. Needs crun-1.4.2 or greater" |
There was a problem hiding this comment.
I have a find-obsolete-skips script that I run periodically. Could you add "FIXME:" to this and the above skip/Skips ? That will bring these to my attention when I run the script next time.
| skip "The version of crun shipped by ubuntu is too old. Needs crun-1.4.2 or greater" | ||
| fi | ||
| fi | ||
| HOST=$(random_string 25) |
There was a problem hiding this comment.
leftover from copy/paste (hence misleading, because it's never used). Please remove.
cmd/podman/containers/create.go
Outdated
| @@ -114,6 +114,11 @@ func commonFlags(cmd *cobra.Command) error { | |||
| if cmd.Flags().Changed("image-volume") { | |||
| cliVals.ImageVolume = cmd.Flag("image-volume").Value.String() | |||
| } | |||
|
|
|||
| if cmd.Flags().Changed("read-write-tmpfs") && !cliVals.ReadOnly { | |||
| return errors.New("--read-write-tmpfs is only used if --read-only=true") | |||
There was a problem hiding this comment.
I think this would be clearer as "...is only valid if", or "...is only meaningful when..."
| @@ -477,7 +477,7 @@ tmpfs directories on _/run_ and _/tmp_. | |||
| ``` | |||
| $ podman run --read-only -i -t fedora /bin/bash | |||
|
|
|||
| $ podman run --read-only --read-only-tmpfs=false --tmpfs /run -i -t fedora /bin/bash | |||
| $ podman run --read-only --read-write-tmpfs=false --tmpfs /run -i -t fedora /bin/bash | |||
There was a problem hiding this comment.
(commenting on code that github does not show by default, so please click the uparrow-on-bar to see lines 473-475). Those lines read:
The best way to handle this is to mount tmpfs directories on /run and /tmp.
This looks like a holdover from a previous age: the implication is that /run and /tmp are also read-only. I haven't taken the time to go through history, but is it possible that the read-only-tmpfs option (the one that is being renamed here) was added after this was written, and that this used to be true but no longer is? Can you re-review lines 473-475 and see if they should be rewritten, maybe something like
Read-only containers still mount
/run,/tmp,/var/tmp,/dev, and/dev/shmas read-write tmpfs. Use--read-write-tmpfs=falseto protect eventmpfsdirectories, and--tmpfs=PATHto explicitly limit the read-write tmpfs filesystems.
(Idea only. That reads horribly. My documentation-writing brain is not fully engaged yet).
rhatdan
force-pushed
the
tmpfs
branch
4 times, most recently
from
1551a20
to
970f3b8
Compare
| read-write tmpfs on _/run_, _/tmp_, and _/var/tmp_. When false, Podman sets | ||
| the entire container such that no tmpfs can be written to unless specified on | ||
| the command line. Podman mounts _/dev_, _/dev/mqueue_, _/dev/pts_, _/dev/shm_ | ||
| as read only. The default is *true* |
There was a problem hiding this comment.
I find this hard to parse, and am really confused by the discrepancies between the first list of "these are tmpfs" and the second. I'm just going to hope that @TomSweeneyRedHat will offer his always-helpful input. Otherwise my (much less refined) thinking goes something like:
Only valid in combination with **--read-only**. Default: **true**.
Normally a container run with **read-only** will mount the following `tmpfs` filesystems read/write:
[ complete enumeration of those filesystems, possibly with a reference to where in the code that list is found ]
With **--read-write-tmpfs=false**, even those filesystems are mounted read-only.
openshift-merge-robot
added
the
needs-rebase
openshift-merge-robot
removed
the
needs-rebase
openshift-merge-robot
added
the
needs-rebase
Change the --read-only-tmpfs option to --read-write-tmpfs since this makes sense and the old name was doing the exact opposite. Fixes: containers#12937 Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
openshift-merge-robot
removed
the
needs-rebase
|
Replaced by #16545 |
github-actions
bot
added
the
locked - please file new issue/PR
Change the --read-only-tmpfs option to --read-write-tmpfs since
this makes sense and the old name was doing the exact opposite.
Fixes: #12937
Signed-off-by: Daniel J Walsh dwalsh@redhat.com