Merge pull request #20479 from ygalblum/quadlet-read-only

Quadlet - explicit support for read-only-tmpfs

docs/source/markdown/podman-systemd.unit.5.md

@@ -185,6 +185,7 @@ Valid options for `[Container]` are listed below:
 | PublishPort=50-59                    | --publish 50-59                                      |
 | Pull=never                           | --pull=never                                         |
 | ReadOnly=true                        | --read-only                                          |
+| ReadOnlyTmpfs=true                   | --read-only-tmpfs                                    |
 | RunInit=true                         | --init                                               |
 | SeccompProfile=/tmp/s.json           | --security-opt seccomp=/tmp/s.json                   |
 | SecurityLabelDisable=true            | --security-opt label=disable                         |
@@ -199,7 +200,6 @@ Valid options for `[Container]` are listed below:
 | Ulimit=nofile:1000:10000             | --ulimit nofile:1000:10000                           |
 | User=bin                             | --user bin                                           |
 | UserNS=keep-id:uid=200,gid=210       | --userns keep-id:uid=200,gid=210                     |
-| VolatileTmp=true                     | --tmpfs /tmp                                         |
 | Volume=/source:/dest                 | --volume /source:/dest                               |
 | WorkingDir=$HOME                     | --workdir $HOME                                      |
 
@@ -521,6 +521,10 @@ This is equivalent to the Podman `--pull` option
 
 If enabled, makes the image read-only.
 
+### `ReadOnlyTmpfs=` (defaults to `yes`)
+
+If ReadOnly is set to `yes`, mount a read-write tmpfs on /dev, /dev/shm, /run, /tmp, and /var/tmp.
+
 ### `RunInit=` (default to `no`)
 
 If enabled, the container has a minimal init process inside the
@@ -598,12 +602,6 @@ which can be modified with `UserNS`, but if that is not specified, this UID is a
 Set the user namespace mode for the container. This is equivalent to the Podman `--userns` option and
 generally has the form `MODE[:OPTIONS,...]`.
 
-### `VolatileTmp=` (defaults to `no`)
-
-If enabled, the container has a fresh tmpfs mounted on `/tmp`.
-
-**NOTE:** Podman automatically copies any content from the image onto the tmpfs
-
 ### `Volume=`
 
 Mount a volume in the container. This is equivalent to the Podman `--volume` option, and

pkg/systemd/quadlet/quadlet.go

@@ -116,6 +116,7 @@ const (
 	KeyPublishPort           = "PublishPort"
 	KeyPull                  = "Pull"
 	KeyReadOnly              = "ReadOnly"
+	KeyReadOnlyTmpfs         = "ReadOnlyTmpfs"
 	KeyRemapGID              = "RemapGid"
 	KeyRemapUID              = "RemapUid"
 	KeyRemapUIDSize          = "RemapUidSize"
@@ -197,6 +198,7 @@ var (
 		KeyPublishPort:           true,
 		KeyPull:                  true,
 		KeyReadOnly:              true,
+		KeyReadOnlyTmpfs:         true,
 		KeyRemapGID:              true,
 		KeyRemapUID:              true,
 		KeyRemapUIDSize:          true,
@@ -606,15 +608,13 @@ func ConvertContainer(container *parser.UnitFile, names map[string]string, isUse
 		podman.addBool("--read-only", readOnly)
 	}
 
+	if readOnlyTmpfs, ok := container.LookupBoolean(ContainerGroup, KeyReadOnlyTmpfs); ok {
+		podman.addBool("--read-only-tmpfs", readOnlyTmpfs)
+	}
+
 	volatileTmp := container.LookupBooleanWithDefault(ContainerGroup, KeyVolatileTmp, false)
-	if volatileTmp {
+	if volatileTmp && !readOnly {
-		/* Read only mode already has a tmpfs by default */
+		podman.add("--tmpfs", "/tmp:rw,size=512M,mode=1777")
-		if !readOnly {
-			podman.add("--tmpfs", "/tmp:rw,size=512M,mode=1777")
-		}
-	} else if readOnly {
-		/* !volatileTmp, disable the default tmpfs from --read-only */
-		podman.add("--read-only-tmpfs=false")
 	}
 
 	if err := handleUser(container, ContainerGroup, podman); err != nil {

test/e2e/quadlet/readonly-notmpfs.container

@@ -4,4 +4,4 @@
 [Container]
 Image=localhost/imagename
 ReadOnly=yes
-VolatileTmp=no
+ReadOnlyTmpfs=no

test/e2e/quadlet/readonly-tmpfs.container

@@ -0,0 +1,7 @@
+## assert-podman-args "--read-only-tmpfs"
+## assert-podman-args "--read-only"
+
+[Container]
+Image=localhost/imagename
+ReadOnly=yes
+ReadOnlyTmpfs=yes

test/e2e/quadlet/readonly.container

@@ -0,0 +1,6 @@
+## !assert-podman-args "--read-only-tmpfs"
+## assert-podman-args "--read-only"
+
+[Container]
+Image=localhost/imagename
+ReadOnly=yes

test/e2e/quadlet/volatiletmp-readonly.container

@@ -0,0 +1,6 @@
+## !assert-podman-args "--tmpfs" "/tmp:rw,size=512M,mode=1777"
+
+[Container]
+Image=localhost/imagename
+VolatileTmp=yes
+ReadOnly=yes

test/e2e/quadlet/volatiletmp-readwrite.container

@@ -1,8 +1,5 @@
-## !assert-podman-args "--read-only"
-## assert-podman-args "--read-only=false"
 ## assert-podman-args "--tmpfs" "/tmp:rw,size=512M,mode=1777"
 
 [Container]
 Image=localhost/imagename
 VolatileTmp=yes
-ReadOnly=no

test/e2e/quadlet_test.go

@@ -709,9 +709,12 @@ BOGUS=foo
 		Entry("ports.container", "ports.container", 0, ""),
 		Entry("ports_ipv6.container", "ports_ipv6.container", 0, ""),
 		Entry("pull.container", "pull.container", 0, ""),
+		Entry("readonly.container", "readonly.container", 0, ""),
+		Entry("readonly-tmpfs.container", "readonly-tmpfs.container", 0, ""),
 		Entry("readonly-notmpfs.container", "readonly-notmpfs.container", 0, ""),
 		Entry("readwrite-notmpfs.container", "readwrite-notmpfs.container", 0, ""),
-		Entry("readwrite.container", "readwrite.container", 0, ""),
+		Entry("volatiletmp-readwrite.container", "volatiletmp-readwrite.container", 0, ""),
+		Entry("volatiletmp-readonly.container", "volatiletmp-readonly.container", 0, ""),
 		Entry("remap-auto.container", "remap-auto.container", 0, ""),
 		Entry("remap-auto2.container", "remap-auto2.container", 0, ""),
 		Entry("remap-keep-id.container", "remap-keep-id.container", 0, ""),