Add containers.conf read-only flag support

If you are running temporary containers within podman play kube we should really be running these in read-only mode. For automotive they plan on running all of their containers in read-only temporal mode. Adding this option guarantees that the container image is not being modified during the running of the container. The containers can only write to tmpfs mounted directories. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2025-10-18 03:33:32 +08:00 · 2022-12-10 06:35:58 -05:00
parent 2a46b5e117
commit 338b283935
14 changed files with 117 additions and 40 deletions
--- a/pkg/specgen/generate/kube/kube.go
+++ b/pkg/specgen/generate/kube/kube.go
@ -472,6 +472,8 @@ func ToSpecGen(ctx context.Context, opts *CtrSpecGenOptions) (*specgen.SpecGener
 	if ro := opts.ReadOnly; ro != itypes.OptionalBoolUndefined {
 		s.ReadOnlyFilesystem = (ro == itypes.OptionalBoolTrue)
 	}
+	// This should default to true for kubernetes yaml
+	s.ReadWriteTmpfs = true

 	// Make sure the container runs in a systemd unit which is
 	// stored as a label at container creation.
--- a/pkg/specgen/generate/storage.go
+++ b/pkg/specgen/generate/storage.go
@ -159,14 +159,19 @@ func finalizeMounts(ctx context.Context, s *specgen.SpecGenerator, rt *libpod.Ru
 	// Check for conflicts between named volumes and mounts
 	for dest := range baseMounts {
 		if _, ok := baseVolumes[dest]; ok {
-			return nil, nil, nil, fmt.Errorf("conflict at mount destination %v: %w", dest, specgen.ErrDuplicateDest)
+			return nil, nil, nil, fmt.Errorf("baseMounts conflict at mount destination %v: %w", dest, specgen.ErrDuplicateDest)
 		}
 	}
 	for dest := range baseVolumes {
 		if _, ok := baseMounts[dest]; ok {
-			return nil, nil, nil, fmt.Errorf("conflict at mount destination %v: %w", dest, specgen.ErrDuplicateDest)
+			return nil, nil, nil, fmt.Errorf("baseVolumes conflict at mount destination %v: %w", dest, specgen.ErrDuplicateDest)
 		}
 	}
+
+	if s.ReadWriteTmpfs {
+		baseMounts = addReadWriteTmpfsMounts(baseMounts, s.Volumes)
+	}
+
 	// Final step: maps to arrays
 	finalMounts := make([]spec.Mount, 0, len(baseMounts))
 	for _, mount := range baseMounts {
@ -427,3 +432,29 @@ func InitFSMounts(mounts []spec.Mount) error {
 	}
 	return nil
 }
+
+func addReadWriteTmpfsMounts(mounts map[string]spec.Mount, volumes []*specgen.NamedVolume) map[string]spec.Mount {
+	readonlyTmpfs := []string{"/tmp", "/var/tmp", "/run"}
+	options := []string{"rw", "rprivate", "nosuid", "nodev", "tmpcopyup"}
+	for _, dest := range readonlyTmpfs {
+		if _, ok := mounts[dest]; ok {
+			continue
+		}
+		for _, m := range volumes {
+			if m.Dest == dest {
+				continue
+			}
+		}
+		mnt := spec.Mount{
+			Destination: dest,
+			Type:        define.TypeTmpfs,
+			Source:      define.TypeTmpfs,
+			Options:     options,
+		}
+		if dest != "/run" {
+			mnt.Options = append(mnt.Options, "noexec")
+		}
+		mounts[dest] = mnt
+	}
+	return mounts
+}
--- a/pkg/specgen/specgen.go
+++ b/pkg/specgen/specgen.go
@ -384,6 +384,10 @@ type ContainerSecurityConfig struct {
 	// ReadOnlyFilesystem indicates that everything will be mounted
 	// as read-only
 	ReadOnlyFilesystem bool `json:"read_only_filesystem,omitempty"`
+	// ReadWriteTmpfs indicates that when running with a ReadOnlyFilesystem
+	// mount temporary file systems
+	ReadWriteTmpfs bool `json:"read_write_tmpfs,omitempty"`
+
 	// Umask is the umask the init process of the container will be run with.
 	Umask string `json:"umask,omitempty"`
 	// ProcOpts are the options used for the proc mount.