From 76cca08f8af36ae00578b5ffec16f2df89fe5028 Mon Sep 17 00:00:00 2001 From: Ygal Blum Date: Wed, 25 Oct 2023 09:28:16 +0300 Subject: [PATCH] Quadlet - explicit support for read-only-tmpfs Add Quadlet key and disconnect relationship withr read-only Update and add tests Update man with new key Remove the reference to VolatileTmpfs in the man page to reduce its usage, since the same functionality can be achieved using the Tmpfs key while keeping its support to maintain backward compatibility Signed-off-by: Ygal Blum --- docs/source/markdown/podman-systemd.unit.5.md | 12 +++++------- pkg/systemd/quadlet/quadlet.go | 16 ++++++++-------- test/e2e/quadlet/readonly-notmpfs.container | 2 +- test/e2e/quadlet/readonly-tmpfs.container | 7 +++++++ test/e2e/quadlet/readonly.container | 6 ++++++ test/e2e/quadlet/volatiletmp-readonly.container | 6 ++++++ ...container => volatiletmp-readwrite.container} | 3 --- test/e2e/quadlet_test.go | 5 ++++- 8 files changed, 37 insertions(+), 20 deletions(-) create mode 100644 test/e2e/quadlet/readonly-tmpfs.container create mode 100644 test/e2e/quadlet/readonly.container create mode 100644 test/e2e/quadlet/volatiletmp-readonly.container rename test/e2e/quadlet/{readwrite.container => volatiletmp-readwrite.container} (56%) diff --git a/docs/source/markdown/podman-systemd.unit.5.md b/docs/source/markdown/podman-systemd.unit.5.md index 483c47a93b..1e7364a023 100644 --- a/docs/source/markdown/podman-systemd.unit.5.md +++ b/docs/source/markdown/podman-systemd.unit.5.md @@ -185,6 +185,7 @@ Valid options for `[Container]` are listed below: | PublishPort=50-59 | --publish 50-59 | | Pull=never | --pull=never | | ReadOnly=true | --read-only | +| ReadOnlyTmpfs=true | --read-only-tmpfs | | RunInit=true | --init | | SeccompProfile=/tmp/s.json | --security-opt seccomp=/tmp/s.json | | SecurityLabelDisable=true | --security-opt label=disable | 
@@ -199,7 +200,6 @@ Valid options for `[Container]` are listed below: | Ulimit=nofile:1000:10000 | --ulimit nofile:1000:10000 | | User=bin | --user bin | | UserNS=keep-id:uid=200,gid=210 | --userns keep-id:uid=200,gid=210 | -| VolatileTmp=true | --tmpfs /tmp | | Volume=/source:/dest | --volume /source:/dest | | WorkingDir=$HOME | --workdir $HOME | @@ -521,6 +521,10 @@ This is equivalent to the Podman `--pull` option If enabled, makes the image read-only. +### `ReadOnlyTmpfs=` (defaults to `yes`) + +If ReadOnly is set to `yes`, mount a read-write tmpfs on /dev, /dev/shm, /run, /tmp, and /var/tmp. + ### `RunInit=` (default to `no`) If enabled, the container has a minimal init process inside the @@ -598,12 +602,6 @@ which can be modified with `UserNS`, but if that is not specified, this UID is a Set the user namespace mode for the container. This is equivalent to the Podman `--userns` option and generally has the form `MODE[:OPTIONS,...]`. -### `VolatileTmp=` (defaults to `no`) - -If enabled, the container has a fresh tmpfs mounted on `/tmp`. - -**NOTE:** Podman automatically copies any content from the image onto the tmpfs - ### `Volume=` Mount a volume in the container. This is equivalent to the Podman `--volume` option, and diff --git a/pkg/systemd/quadlet/quadlet.go b/pkg/systemd/quadlet/quadlet.go index befae8b7a8..c2841abf5c 100644 --- a/pkg/systemd/quadlet/quadlet.go +++ b/pkg/systemd/quadlet/quadlet.go @@ -116,6 +116,7 @@ const ( KeyPublishPort = "PublishPort" KeyPull = "Pull" KeyReadOnly = "ReadOnly" + KeyReadOnlyTmpfs = "ReadOnlyTmpfs" KeyRemapGID = "RemapGid" KeyRemapUID = "RemapUid" KeyRemapUIDSize = "RemapUidSize" @@ -197,6 +198,7 @@ var ( KeyPublishPort: true, KeyPull: true, KeyReadOnly: true, + KeyReadOnlyTmpfs: true, KeyRemapGID: true, KeyRemapUID: true, KeyRemapUIDSize: true, 
@@ -606,15 +608,13 @@ func ConvertContainer(container *parser.UnitFile, names map[string]string, isUse
 podman.addBool("--read-only", readOnly)
 }
+ if readOnlyTmpfs, ok := container.LookupBoolean(ContainerGroup, KeyReadOnlyTmpfs); ok {
+ podman.addBool("--read-only-tmpfs", readOnlyTmpfs)
+ }
+
 volatileTmp := container.LookupBooleanWithDefault(ContainerGroup, KeyVolatileTmp, false)
- if volatileTmp {
- /* Read only mode already has a tmpfs by default */
- if !readOnly {
- podman.add("--tmpfs", "/tmp:rw,size=512M,mode=1777")
- }
- } else if readOnly {
- /* !volatileTmp, disable the default tmpfs from --read-only */
- podman.add("--read-only-tmpfs=false")
+ if volatileTmp && !readOnly {
+ podman.add("--tmpfs", "/tmp:rw,size=512M,mode=1777")
 }
 if err := handleUser(container, ContainerGroup, podman); err != nil {
diff --git a/test/e2e/quadlet/readonly-notmpfs.container b/test/e2e/quadlet/readonly-notmpfs.container
index 88087cec39..af65950e4f 100644
--- a/test/e2e/quadlet/readonly-notmpfs.container
+++ b/test/e2e/quadlet/readonly-notmpfs.container
@@ -4,4 +4,4 @@
 [Container]
 Image=localhost/imagename
 ReadOnly=yes
-VolatileTmp=no
+ReadOnlyTmpfs=no
diff --git a/test/e2e/quadlet/readonly-tmpfs.container b/test/e2e/quadlet/readonly-tmpfs.container
new file mode 100644
index 0000000000..317b0ff591
--- /dev/null
+++ b/test/e2e/quadlet/readonly-tmpfs.container
@@ -0,0 +1,7 @@
+## assert-podman-args "--read-only-tmpfs"
+## assert-podman-args "--read-only"
+
+[Container]
+Image=localhost/imagename
+ReadOnly=yes
+ReadOnlyTmpfs=yes
diff --git a/test/e2e/quadlet/readonly.container b/test/e2e/quadlet/readonly.container
new file mode 100644
index 0000000000..7eb6fe0516
--- /dev/null
+++ b/test/e2e/quadlet/readonly.container
@@ -0,0 +1,6 @@
+## !assert-podman-args "--read-only-tmpfs"
+## assert-podman-args "--read-only"
+
+[Container]
+Image=localhost/imagename
+ReadOnly=yes
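Review bot: Units that already set `ReadOnly=yes` without `VolatileTmp` used to get `--read-only-tmpfs=false` from the removed `else if readOnly` branch; after this hunk they fall back to Podman's default, so `/tmp`, `/run`, `/dev`, `/dev/shm` and `/var/tmp` become writable tmpfs unless the unit is edited to add `ReadOnlyTmpfs=no`, which silently loosens an existing hardening setting and is not called out in the commit message or the man page hunk. A second gap is the new `if volatileTmp && !readOnly` condition: with `ReadOnly=yes` and `ReadOnlyTmpfs=no`, a `VolatileTmp=yes` request is dropped without any tmpfs being mounted, because the branch still assumes that read-only always brings its own tmpfs. Hoisting the `ReadOnlyTmpfs` lookup out of its `if` and gating the `--tmpfs` mount on whether that default still applies honours both the explicit opt-out and the `VolatileTmp` request, and a comment such as `// --read-only-tmpfs defaults to true in Podman, so ReadOnly alone already yields a writable /tmp` records the assumption the old comment carried. ConvertContainer starts and ends outside the hunk.
```go
	readOnlyTmpfs, hasReadOnlyTmpfs := container.LookupBoolean(ContainerGroup, KeyReadOnlyTmpfs)
	if hasReadOnlyTmpfs {
		podman.addBool("--read-only-tmpfs", readOnlyTmpfs)
	}

	// --read-only-tmpfs defaults to true in Podman, so a read-only container
	// already has a writable /tmp unless ReadOnlyTmpfs=no was given explicitly.
	volatileTmp := container.LookupBooleanWithDefault(ContainerGroup, KeyVolatileTmp, false)
	if volatileTmp && !(readOnly && (!hasReadOnlyTmpfs || readOnlyTmpfs)) {
		podman.add("--tmpfs", "/tmp:rw,size=512M,mode=1777")
	}
	// … unchanged: handleUser call and the rest of ConvertContainer …
```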
diff --git a/test/e2e/quadlet/volatiletmp-readonly.container b/test/e2e/quadlet/volatiletmp-readonly.container
new file mode 100644
index 0000000000..ef490af598
--- /dev/null
+++ b/test/e2e/quadlet/volatiletmp-readonly.container
@@ -0,0 +1,6 @@
+## !assert-podman-args "--tmpfs" "/tmp:rw,size=512M,mode=1777"
+
+[Container]
+Image=localhost/imagename
+VolatileTmp=yes
+ReadOnly=yes
diff --git a/test/e2e/quadlet/readwrite.container b/test/e2e/quadlet/volatiletmp-readwrite.container
similarity index 56%
rename from test/e2e/quadlet/readwrite.container
rename to test/e2e/quadlet/volatiletmp-readwrite.container
index ef491eec6c..e375d5d050 100644
--- a/test/e2e/quadlet/readwrite.container
+++ b/test/e2e/quadlet/volatiletmp-readwrite.container
@@ -1,8 +1,5 @@
-## !assert-podman-args "--read-only"
-## assert-podman-args "--read-only=false"
 ## assert-podman-args "--tmpfs" "/tmp:rw,size=512M,mode=1777"
 [Container]
 Image=localhost/imagename
 VolatileTmp=yes
-ReadOnly=no
diff --git a/test/e2e/quadlet_test.go b/test/e2e/quadlet_test.go
index 3279ddd5d6..f2a00b971f 100644
--- a/test/e2e/quadlet_test.go
+++ b/test/e2e/quadlet_test.go
@@ -709,9 +709,12 @@ BOGUS=foo
 Entry("ports.container", "ports.container", 0, ""),
 Entry("ports_ipv6.container", "ports_ipv6.container", 0, ""),
 Entry("pull.container", "pull.container", 0, ""),
+ Entry("readonly.container", "readonly.container", 0, ""),
+ Entry("readonly-tmpfs.container", "readonly-tmpfs.container", 0, ""),
 Entry("readonly-notmpfs.container", "readonly-notmpfs.container", 0, ""),
 Entry("readwrite-notmpfs.container", "readwrite-notmpfs.container", 0, ""),
- Entry("readwrite.container", "readwrite.container", 0, ""),
+ Entry("volatiletmp-readwrite.container", "volatiletmp-readwrite.container", 0, ""),
+ Entry("volatiletmp-readonly.container", "volatiletmp-readonly.container", 0, ""),
 Entry("remap-auto.container", "remap-auto.container", 0, ""),
 Entry("remap-auto2.container", "remap-auto2.container", 0, ""),
 Entry("remap-keep-id.container", "remap-keep-id.container", 0, ""),