Create tmpfs mount in a container from any directory #28273

Closed
CsatariGergely opened this issue Jun 30, 2016 · 7 comments
Labels
kind/support Categorizes issue or PR as a support question. sig/node Categorizes an issue or PR as relevant to SIG Node.

Comments

@CsatariGergely

Docker implemented the support to mount tmpfs volume on top of any directory in a container (see 1). Kubernetes should also support this functionality by exposing this possibility on its API.
This would be needed to allow --read-only containers, but the content of these directories could be still modified.

@Random-Liu
Member

@CsatariGergely Have you checked the Memory mode emptyDir, which mounts tmpfs into a specified directory in the container? http://kubernetes.io/docs/user-guide/volumes/#emptydir

@Random-Liu added the kind/support label Jun 30, 2016
@janosi
Contributor

janosi commented Jun 30, 2016

@Random-Liu The --tmpfs option on the Docker API is about moving the content of an existing directory of a container into tmpfs when the container is started. E.g. /run or /var (or any other directory, of course). So, it preserves the content of the directory, and at the same time it moves that into a tmpfs.
I think it is not possible with emptyDir.

@Random-Liu
Member

Random-Liu commented Jun 30, 2016

The --tmpfs flag mounts an empty tmpfs into the container.

https://docs.docker.com/engine/reference/commandline/run/#/mount-tmpfs-tmpfs

@janosi I can't tell there is any difference with emptyDir.

I also tried myself:

$ sudo docker run -it --tmpfs /var busybox ls /var
$ sudo docker run -it busybox ls /var
spool  www

@janosi
Contributor

janosi commented Jun 30, 2016

@Random-Liu Please refer to [1], "Other cool stuff".
I.e. if the directory exists in the container image, the content of that is tar'd and moved into the new (and true, initially empty) tmpfs.

[1] http://www.projectatomic.io/blog/2015/12/making-docker-images-write-only-in-production/

@j3ffml added the sig/node and team/ux labels Jun 30, 2016
@pwittrock removed the team/ux label Jul 18, 2016
@janosi
Contributor

janosi commented Sep 2, 2016

We have a chance to work on this issue now. I would like to align the design before applying it on the code.
The change on the versioned API would look like this (/pkg/api/v1/types.go). Your comments are welcome!

There would be the following new field in type Container

// Optional. Cannot be changed. Support of Docker function --tmpfs to enable in-memory modification of
// some data in a read-only container. The listed mount points will be backed by a tmpfs. If a mount
// point exists in the container image the content of that is preserved when the tmpfs is created.
// Keeping the content is achieved by using tar on the existing content. For this reason "tar" shall
// be available and executable in the container.
TmpFsList []TmpFs `json:"tmpFsList,omitempty"`

There would be a new type TmpFs to allow the description of the target TmpFs mount point:

// TmpFs describes a tmpfs mount point in a container.
type TmpFs struct {
        // Path within the container at which the tmpfs is mounted.
        MountPath string `json:"mountPath"`
        // Mounted read-only if true, read-write otherwise (false or unspecified).
        // Defaults to false.
        ReadOnly bool `json:"readOnly,omitempty"`
        // noexec flag for tmpfs. Defaults to false.
        NoExec bool `json:"noExec,omitempty"`
        // nosuid flag for tmpfs. Defaults to false.
        NoSuId bool `json:"noSuId,omitempty"`
        // Size of the tmpfs. Defaults to the amount of memory on the host.
        Size *resource.Quantity `json:"size,omitempty"`
        // Access mode. Default value is according to umask setting.
        Mode string `json:"mode,omitempty"`
}

@janosi
Contributor

janosi commented Sep 5, 2016

Please just ignore and close this issue.
It turned out that Docker removed the support of tar'ing the content of an existing dir in 1.10-rc2. Please see 1. Without that, it is really just an emptyDir.
Thank you!
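
The outcome of the thread written as a manifest, added here as an example and not posted by any participant: a read-only container with a Memory-medium emptyDir mounted over /var, plus an init container that copies the image's /var content into the tmpfs, because an emptyDir starts empty. The Pod, container and volume names, the /seed path and the busybox image are assumptions chosen for illustration.

```yaml
# Added example, not from the thread. Names, the /seed path and the image
# are assumptions chosen for illustration.
apiVersion: v1
kind: Pod
metadata:
  name: readonly-with-tmpfs
spec:
  volumes:
    - name: var-tmpfs
      emptyDir:
        medium: Memory        # tmpfs-backed; usage counts against container memory
        sizeLimit: 64Mi       # cap so the volume cannot grow without bound
  initContainers:
    # Copies what the image ships in /var into the initially empty tmpfs,
    # standing in for the tar step that Docker removed.
    - name: seed-var
      image: busybox
      command: ["sh", "-c", "cp -a /var/. /seed/"]
      securityContext:
        readOnlyRootFilesystem: true
      volumeMounts:
        - name: var-tmpfs
          mountPath: /seed
  containers:
    - name: app
      image: busybox
      # Lists the seeded content, then proves /var is writable.
      command: ["sh", "-c", "ls /var && touch /var/ok && sleep 3600"]
      securityContext:
        readOnlyRootFilesystem: true   # same effect as docker run --read-only
      volumeMounts:
        - name: var-tmpfs
          mountPath: /var              # writable tmpfs over the read-only root
```

Without the init container, /var in the app container is empty, matching the `--tmpfs /var` output shown earlier in the thread.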

@xiangpengzhao
Contributor

cc @thockin

@thockin closed this as completed May 30, 2017