Add --read-only-tmpfs options

The --read-only-tmpfs option caused podman to mount tmpfs on /run, /tmp, /var/tmp
if the container is running int read-only mode.

The default is true, so you would need to execute a command like

--read-only --read-only-tmpfs=false to turn off this behaviour.

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>

cmd/podman/common.go

@@ -434,6 +434,10 @@ func getCreateFlags(c *cliconfig.PodmanCommand) {
 		"read-only", false,
 		"Make containers root filesystem read-only",
 	)
+	createFlags.Bool(
+		"read-only-tmpfs", true,
+		"When running containers in read-only mode mount a read-write tmpfs on /run, /tmp and /var/tmp",
+	)
 	createFlags.String(
 		"restart", "",
 		"Restart is not supported.  Please use a systemd unit file for restart",

cmd/podman/shared/container.go

@@ -658,7 +658,8 @@ func GetCtrInspectInfo(config *libpod.ContainerConfig, ctrInspectData *inspect.C
 			OomKillDisable:       memDisableOOMKiller,
 			PidsLimit:            pidsLimit,
 			Privileged:           config.Privileged,
-			ReadonlyRootfs:       spec.Root.Readonly,
+			ReadOnlyRootfs:       spec.Root.Readonly,
+			ReadOnlyTmpfs:        createArtifact.ReadOnlyTmpfs,
 			Runtime:              config.OCIRuntime,
 			NetworkMode:          string(createArtifact.NetMode),
 			IpcMode:              string(createArtifact.IpcMode),

cmd/podman/shared/create.go

@@ -650,6 +650,7 @@ func ParseCreateOpts(ctx context.Context, c *GenericCLIResults, runtime *libpod.
 		PortBindings:   portBindings,
 		Quiet:          c.Bool("quiet"),
 		ReadOnlyRootfs: c.Bool("read-only"),
+		ReadOnlyTmpfs:  c.Bool("read-only-tmpfs"),
 		Resources: cc.CreateResourceConfig{
 			BlkioWeight:       blkioWeight,
 			BlkioWeightDevice: c.StringSlice("blkio-weight-device"),

cmd/podman/shared/intermediate.go

@@ -434,6 +434,7 @@ func NewIntermediateLayer(c *cliconfig.PodmanCommand, remote bool) GenericCLIRes
 	m["publish-all"] = newCRBool(c, "publish-all")
 	m["quiet"] = newCRBool(c, "quiet")
 	m["read-only"] = newCRBool(c, "read-only")
+	m["read-only-tmpfs"] = newCRBool(c, "read-only-tmpfs")
 	m["restart"] = newCRString(c, "restart")
 	m["rm"] = newCRBool(c, "rm")
 	m["rootfs"] = newCRBool(c, "rootfs")

cmd/podman/shared/intermediate_varlink.go

@@ -141,6 +141,7 @@ func (g GenericCLIResults) MakeVarlink() iopodman.Create {
 		PublishAll:             BoolToPtr(g.Find("publish-all")),
 		Quiet:                  BoolToPtr(g.Find("quiet")),
 		Readonly:               BoolToPtr(g.Find("read-only")),
+		Readonlytmpfs:          BoolToPtr(g.Find("read-only-tmpfs")),
 		Restart:                StringToPtr(g.Find("restart")),
 		Rm:                     BoolToPtr(g.Find("rm")),
 		Rootfs:                 BoolToPtr(g.Find("rootfs")),
@@ -397,6 +398,7 @@ func VarlinkCreateToGeneric(opts iopodman.Create) GenericCLIResults {
 	m["publish-all"] = boolFromVarlink(opts.PublishAll, "publish-all", false)
 	m["quiet"] = boolFromVarlink(opts.Quiet, "quiet", false)
 	m["read-only"] = boolFromVarlink(opts.Readonly, "read-only", false)
+	m["read-only-tmpfs"] = boolFromVarlink(opts.Readonlytmpfs, "read-only-tmpfs", true)
 	m["restart"] = stringFromVarlink(opts.Restart, "restart", nil)
 	m["rm"] = boolFromVarlink(opts.Rm, "rm", false)
 	m["rootfs"] = boolFromVarlink(opts.Rootfs, "rootfs", false)

cmd/podman/varlink/io.podman.varlink

@@ -346,6 +346,7 @@ type Create (
     publishAll: ?bool,
     quiet: ?bool,
     readonly: ?bool,
+    readonlytmpfs: ?bool,
     restart: ?string,
     rm: ?bool,
     rootfs: ?bool,

completions/bash/podman

@@ -1765,6 +1765,7 @@ _podman_container_run() {
 	    --publish-all -P
 	    --quiet
 	    --read-only
+	    --read-only-tmpfs
 	    --tty -t
 	"
 

docs/podman-create.1.md

@@ -542,6 +542,9 @@ By default a container will have its root filesystem writable allowing processes
 to write files anywhere.  By specifying the `--read-only` flag the container will have
 its root filesystem mounted as read only prohibiting any writes.
 
+**--read-only-tmpfs**=*true*|*false*
+If container is running in --read-only mode, then mount a read-write tmpfs on /run, /tmp, and /var/tmp.  The default is *true*
+
 **--restart=""**
 
 Not implemented.

docs/podman-run.1.md

@@ -534,6 +534,9 @@ By default a container will have its root filesystem writable allowing processes
 to write files anywhere.  By specifying the `--read-only` flag the container will have
 its root filesystem mounted as read only prohibiting any writes.
 
+**--read-only-tmpfs**=*true*|*false*
+If container is running in --read-only mode, then mount a read-write tmpfs on /run, /tmp, and /var/tmp.  The default is *true*
+
 **--restart=""**
 
 Not implemented.
@@ -905,7 +908,11 @@ still need to write temporary data.  The best way to handle this is to mount
 tmpfs directories on /run and /tmp.
 
 ```
-$ podman run --read-only --tmpfs /run --tmpfs /tmp -i -t fedora /bin/bash
+$ podman run --read-only -i -t fedora /bin/bash
+```
+
+```
+$ podman run --read-only --read-only-tmpfs=false --tmpfs /run -i -t fedora /bin/bash
 ```
 
 ### Exposing log messages from the container to the host's log

libpod/container_internal_linux.go

@@ -420,7 +420,7 @@ func (c *Container) generateSpec(ctx context.Context) (*spec.Spec, error) {
 // It also expects to be able to write to /sys/fs/cgroup/systemd and /var/log/journal
 func (c *Container) setupSystemd(mounts []spec.Mount, g generate.Generator) error {
 	options := []string{"rw", "rprivate", "noexec", "nosuid", "nodev"}
-	for _, dest := range []string{"/run", "/run/lock"} {
+	for _, dest := range []string{"/run"} {
 		if MountExists(mounts, dest) {
 			continue
 		}

pkg/inspect/inspect.go

@@ -38,7 +38,8 @@ type HostConfig struct {
 	PidMode              string                      `json:"PidMode"`
 	Privileged           bool                        `json:"Privileged"`
 	PublishAllPorts      bool                        `json:"PublishAllPorts"` //TODO
-	ReadonlyRootfs       bool                        `json:"ReadonlyRootfs"`
+	ReadOnlyRootfs       bool                        `json:"ReadonlyRootfs"`
+	ReadOnlyTmpfs        bool                        `json:"ReadonlyTmpfs"`
 	SecurityOpt          []string                    `json:"SecurityOpt"`
 	UTSMode              string                      `json:"UTSMode"`
 	UsernsMode           string                      `json:"UsernsMode"`

pkg/spec/createconfig.go

@@ -113,6 +113,7 @@ type CreateConfig struct {
 	PublishAll         bool     //publish-all
 	Quiet              bool     //quiet
 	ReadOnlyRootfs     bool     //read-only
+	ReadOnlyTmpfs      bool     //read-only-tmpfs
 	Resources          CreateResourceConfig
 	Rm                 bool              //rm
 	StopSignal         syscall.Signal    // stop-signal

pkg/spec/spec.go

@@ -341,6 +341,31 @@ func CreateConfigToOCISpec(config *CreateConfig) (*spec.Spec, error) { //nolint
 		}
 	}
 
+	if config.ReadOnlyRootfs && config.ReadOnlyTmpfs {
+		options := []string{"rw", "rprivate", "nosuid", "nodev", "tmpcopyup"}
+		for _, i := range []string{"/tmp", "/var/tmp"} {
+			if libpod.MountExists(g.Config.Mounts, i) {
+				continue
+			}
+			// Default options if nothing passed
+			tmpfsMnt := spec.Mount{
+				Destination: i,
+				Type:        "tmpfs",
+				Source:      "tmpfs",
+				Options:     options,
+			}
+			g.AddMount(tmpfsMnt)
+		}
+		if !libpod.MountExists(g.Config.Mounts, "/run") {
+			tmpfsMnt := spec.Mount{
+				Destination: "/run",
+				Type:        "tmpfs",
+				Source:      "tmpfs",
+				Options:     append(options, "noexec", "size=65536k"),
+			}
+			g.AddMount(tmpfsMnt)
+		}
+	}
 	for name, val := range config.Env {
 		g.AddProcessEnv(name, val)
 	}