Quadlet - explicit support for read-only-tmpfs

Add Quadlet key and disconnect relationship with read-only
Update and add tests
Update man with new key

Remove the reference to VolatileTmpfs in the man page to reduce its
usage, since the same functionality can be achieved using the Tmpfs key
while keeping its support to maintain backward compatibility

Signed-off-by: Ygal Blum <ygal.blum@gmail.com>
Ygal Blum
2023-10-25 09:28:16 +03:00
parent 242d223196
commit 76cca08f8a
8 changed files with 37 additions and 20 deletions


@ -185,6 +185,7 @@ Valid options for `[Container]` are listed below:
| PublishPort=50-59 | --publish 50-59 |
| Pull=never | --pull=never |
| ReadOnly=true | --read-only |
| ReadOnlyTmpfs=true | --read-only-tmpfs |
| RunInit=true | --init |
| SeccompProfile=/tmp/s.json | --security-opt seccomp=/tmp/s.json |
| SecurityLabelDisable=true | --security-opt label=disable |
@ -199,7 +200,6 @@ Valid options for `[Container]` are listed below:
| Ulimit=nofile:1000:10000 | --ulimit nofile:1000:10000 |
| User=bin | --user bin |
| UserNS=keep-id:uid=200,gid=210 | --userns keep-id:uid=200,gid=210 |
| VolatileTmp=true | --tmpfs /tmp |
| Volume=/source:/dest | --volume /source:/dest |
| WorkingDir=$HOME | --workdir $HOME |
@ -521,6 +521,10 @@ This is equivalent to the Podman `--pull` option
If enabled, makes the image read-only.
### `ReadOnlyTmpfs=` (defaults to `yes`)
If ReadOnly is set to `yes`, mount a read-write tmpfs on /dev, /dev/shm, /run, /tmp, and /var/tmp.
### `RunInit=` (default to `no`)
If enabled, the container has a minimal init process inside the
@ -598,12 +602,6 @@ which can be modified with `UserNS`, but if that is not specified, this UID is a
Set the user namespace mode for the container. This is equivalent to the Podman `--userns` option and
generally has the form `MODE[:OPTIONS,...]`.
### `VolatileTmp=` (defaults to `no`)
If enabled, the container has a fresh tmpfs mounted on `/tmp`.
**NOTE:** Podman automatically copies any content from the image onto the tmpfs
### `Volume=`
Mount a volume in the container. This is equivalent to the Podman `--volume` option, and


@ -116,6 +116,7 @@ const (
KeyPublishPort = "PublishPort"
KeyPull = "Pull"
KeyReadOnly = "ReadOnly"
KeyReadOnlyTmpfs = "ReadOnlyTmpfs"
KeyRemapGID = "RemapGid"
KeyRemapUID = "RemapUid"
KeyRemapUIDSize = "RemapUidSize"
@ -197,6 +198,7 @@ var (
KeyPublishPort: true,
KeyPull: true,
KeyReadOnly: true,
KeyReadOnlyTmpfs: true,
KeyRemapGID: true,
KeyRemapUID: true,
KeyRemapUIDSize: true,
@ -606,15 +608,13 @@ func ConvertContainer(container *parser.UnitFile, names map[string]string, isUse
podman.addBool("--read-only", readOnly)
}
if readOnlyTmpfs, ok := container.LookupBoolean(ContainerGroup, KeyReadOnlyTmpfs); ok {
podman.addBool("--read-only-tmpfs", readOnlyTmpfs)
}
volatileTmp := container.LookupBooleanWithDefault(ContainerGroup, KeyVolatileTmp, false)
if volatileTmp {
/* Read only mode already has a tmpfs by default */
if !readOnly {
podman.add("--tmpfs", "/tmp:rw,size=512M,mode=1777")
}
} else if readOnly {
/* !volatileTmp, disable the default tmpfs from --read-only */
podman.add("--read-only-tmpfs=false")
if volatileTmp && !readOnly {
podman.add("--tmpfs", "/tmp:rw,size=512M,mode=1777")
}
if err := handleUser(container, ContainerGroup, podman); err != nil {
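Review bot: A unit with ReadOnly=yes that sets neither ReadOnlyTmpfs nor VolatileTmp changes behaviour here: the removed `} else if readOnly {` branch emitted `--read-only-tmpfs=false`, while the new lookup passes nothing unless the key is present and so leaves the choice to Podman's default, which the man page hunk describes as a writable tmpfs on /dev, /dev/shm, /run, /tmp and /var/tmp. That loosens the read-only guarantee for existing units, and neither the hunk nor the description says what such units now get; a comment at the new lookup would help, e.g. `// Absent ReadOnlyTmpfs= defers to Podman's default; ReadOnly=yes used to imply --read-only-tmpfs=false`. The readonly-notmpfs.container fixture pins the new "emit nothing" behaviour, so the change looks intentional, but it deserves a release note. ConvertContainer starts and ends outside the hunk.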


@ -4,4 +4,4 @@
[Container]
Image=localhost/imagename
ReadOnly=yes
VolatileTmp=no
ReadOnlyTmpfs=no


@ -0,0 +1,7 @@
## assert-podman-args "--read-only-tmpfs"
## assert-podman-args "--read-only"
[Container]
Image=localhost/imagename
ReadOnly=yes
ReadOnlyTmpfs=yes


@ -0,0 +1,6 @@
## !assert-podman-args "--read-only-tmpfs"
## assert-podman-args "--read-only"
[Container]
Image=localhost/imagename
ReadOnly=yes


@ -0,0 +1,6 @@
## !assert-podman-args "--tmpfs" "/tmp:rw,size=512M,mode=1777"
[Container]
Image=localhost/imagename
VolatileTmp=yes
ReadOnly=yes


@ -1,8 +1,5 @@
## !assert-podman-args "--read-only"
## assert-podman-args "--read-only=false"
## assert-podman-args "--tmpfs" "/tmp:rw,size=512M,mode=1777"
[Container]
Image=localhost/imagename
VolatileTmp=yes
ReadOnly=no


@ -709,9 +709,12 @@ BOGUS=foo
Entry("ports.container", "ports.container", 0, ""),
Entry("ports_ipv6.container", "ports_ipv6.container", 0, ""),
Entry("pull.container", "pull.container", 0, ""),
Entry("readonly.container", "readonly.container", 0, ""),
Entry("readonly-tmpfs.container", "readonly-tmpfs.container", 0, ""),
Entry("readonly-notmpfs.container", "readonly-notmpfs.container", 0, ""),
Entry("readwrite-notmpfs.container", "readwrite-notmpfs.container", 0, ""),
Entry("readwrite.container", "readwrite.container", 0, ""),
Entry("volatiletmp-readwrite.container", "volatiletmp-readwrite.container", 0, ""),
Entry("volatiletmp-readonly.container", "volatiletmp-readonly.container", 0, ""),
Entry("remap-auto.container", "remap-auto.container", 0, ""),
Entry("remap-auto2.container", "remap-auto2.container", 0, ""),
Entry("remap-keep-id.container", "remap-keep-id.container", 0, ""),