opensource/podman
1
0
Fork 0
mirror of https://github.com/containers/podman.git synced 2025-12-02 19:28:58 +08:00
Code Issues Packages Projects Releases Wiki Activity

Add containers.conf read-only flag support

Browse Source 
If you are running temporary containers within podman play kube
we should really be running these in read-only mode. For automotive
they plan on running all of their containers in read-only temporal
mode. Adding this option guarantees that the container image is not
being modified during the running of the container.

The containers can only write to tmpfs mounted directories.

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
This commit is contained in:
Daniel J Walsh
2022-12-10 06:35:58 -05:00
parent 2a46b5e117
commit 338b283935
14 changed files with 117 additions and 40 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
test/system/030-run.bats
View File

@@ -951,4 +951,17 @@ $IMAGE--c_ok" \
run_podman stop -t 0 $cid
}
@test "podman run read-only from containers.conf" {
containersconf=$PODMAN_TMPDIR/containers.conf
cat >$containersconf <<EOF
[containers]
read_only=true
EOF
CONTAINERS_CONF="$containersconf" run_podman 1 run --rm $IMAGE touch /testro
CONTAINERS_CONF="$containersconf" run_podman run --rm --read-only=false $IMAGE touch /testrw
CONTAINERS_CONF="$containersconf" run_podman run --rm $IMAGE touch /tmp/testrw
CONTAINERS_CONF="$containersconf" run_podman 1 run --rm --read-only-tmpfs=false $IMAGE touch /tmp/testro
}
# vim: filetype=sh

35
test/system/700-play.bats
View File

@@ -238,6 +238,41 @@ EOF
run_podman 1 container exists pod1-test3
}
@test "podman kube play read-only from containers.conf" {
containersconf=$PODMAN_TMPDIR/containers.conf
cat >$containersconf <<EOF
[containers]
read_only=true
EOF
YAML=$PODMAN_TMPDIR/test.yml
CONTAINERS_CONF="$containersconf" run_podman create --pod new:pod1 --read-only=false --name test1 $IMAGE touch /testrw
CONTAINERS_CONF="$containersconf" run_podman create --pod pod1 --name test2 $IMAGE touch /testro
CONTAINERS_CONF="$containersconf" run_podman create --pod pod1 --name test3 $IMAGE touch /tmp/testtmp
CONTAINERS_CONF="$containersconf" run_podman container inspect --format '{{.HostConfig.ReadonlyRootfs}}' test1 test2 test3
is "$output" "false.*true.*true" "Rootfs should be read/only"
# Now generate and run kube.yaml on a machine without the defaults set
CONTAINERS_CONF="$containersconf" run_podman kube generate pod1 -f $YAML
cat $YAML
run_podman kube play --replace $YAML
run_podman container inspect --format '{{.HostConfig.ReadonlyRootfs}}' pod1-test1 pod1-test2 pod1-test3
is "$output" "false.*true.*true" "Rootfs should be read/only"
run_podman inspect --format "{{.State.ExitCode}}" pod1-test1
is "$output" "0" "Container / should be read/write"
run_podman inspect --format "{{.State.ExitCode}}" pod1-test2
is "$output" "1" "Container / should be read/only"
run_podman inspect --format "{{.State.ExitCode}}" pod1-test3
is "$output" "0" "/tmp in a read-only container should be read/write"
run_podman kube down - < $YAML
run_podman 1 container exists pod1-test1
run_podman 1 container exists pod1-test2
run_podman 1 container exists pod1-test3
}
@test "podman play with user from image" {
TESTDIR=$PODMAN_TMPDIR/testdir
mkdir -p $TESTDIR