quadlet: Change ReadOnly to default to enabled

This makees much more sense for typical service loads, and can
easily be reverted by `ReadOnly=no`.

Also updates and adds various tests for this.

Signed-off-by: Alexander Larsson <alexl@redhat.com>

docs/source/markdown/podman-systemd.unit.5.md

@@ -136,7 +136,7 @@ By default, the container runs with no capabilities (due to DropCapabilities='al
 caps are needed, then add them with this key. For example using `AddCapability=CAP_DAC_OVERRIDE`.
 This can be listed multiple times.
 
-#### `ReadOnly=` (defaults to `no`)
+#### `ReadOnly=` (defaults to `yes`)
 
 If enabled, makes image read-only, with /var/tmp, /tmp and /run a tmpfs (unless disabled by `VolatileTmp=no`).
 

pkg/systemd/quadlet/quadlet.go

@@ -412,7 +412,7 @@ func ConvertContainer(container *parser.UnitFile, isUser bool) (*parser.UnitFile
 		podman.addf("--cap-add=%s", strings.ToLower(caps))
 	}
 
-	readOnly := container.LookupBoolean(ContainerGroup, KeyReadOnly, false)
+	readOnly := container.LookupBoolean(ContainerGroup, KeyReadOnly, true)
 	if readOnly {
 		podman.add("--read-only")
 	}

test/e2e/quadlet/basepodman.container

@@ -1,10 +1,10 @@
-## assert-podman-final-args run --name=systemd-%N --cidfile=%t/%N.cid --replace --rm -d --log-driver journald --pull=never --runtime /usr/bin/crun --cgroups=split --sdnotify=conmon imagename
+## assert-podman-final-args run --name=systemd-%N --cidfile=%t/%N.cid --replace --rm -d --log-driver passthrough --pull=never --runtime /usr/bin/crun --cgroups=split --sdnotify=conmon imagename
 
 [Container]
 Image=imagename
 
 # Disable all default features to get as empty podman run command as we can
-RemapUsers=no
+ReadOnly=no
 NoNewPrivileges=no
 DropCapability=
 RunInit=no

test/e2e/quadlet/basic.container

@@ -12,7 +12,8 @@
 ## assert-podman-args "--sdnotify=conmon"
 ## assert-podman-args "--security-opt=no-new-privileges"
 ## assert-podman-args "--cap-drop=all"
-## assert-podman-args "--tmpfs" "/tmp:rw,size=512M,mode=1777"
+## assert-podman-args "--read-only"
+## !assert-podman-args "--read-only-tmpfs=false"
 ## assert-key-is "Unit" "RequiresMountsFor" "%t/containers"
 ## assert-key-is "Service" "KillMode" "mixed"
 ## assert-key-is "Service" "Delegate" "yes"

test/e2e/quadlet/readonly-notmpfs.container

@@ -0,0 +1,6 @@
+## assert-podman-args "--read-only-tmpfs=false"
+## assert-podman-args "--read-only"
+
+[Container]
+Image=localhost/imagename
+VolatileTmp=no

test/e2e/quadlet/readwrite-notmpfs.container

@@ -0,0 +1,7 @@
+## !assert-podman-args "--read-only"
+## !assert-podman-args "--tmpfs" "/tmp:rw,size=512M,mode=1777"
+
+[Container]
+Image=localhost/imagename
+VolatileTmp=no
+ReadOnly=no

test/e2e/quadlet/readwrite.container

@@ -0,0 +1,6 @@
+## !assert-podman-args "--read-only"
+## assert-podman-args "--tmpfs" "/tmp:rw,size=512M,mode=1777"
+
+[Container]
+Image=localhost/imagename
+ReadOnly=no

test/e2e/quadlet_test.go

@@ -284,6 +284,9 @@ var _ = Describe("quadlet system generator", func() {
 		Entry("podmanargs.container", "podmanargs.container"),
 		Entry("ports.container", "ports.container"),
 		Entry("ports_ipv6.container", "ports_ipv6.container"),
+		Entry("readonly-notmpfs.container", "readonly-notmpfs.container"),
+		Entry("readwrite.container", "readwrite.container"),
+		Entry("readwrite-notmpfs.container", "readwrite-notmpfs.container"),
 		Entry("socketactivated.container", "socketactivated.container"),
 		Entry("timezone.container", "timezone.container"),
 		Entry("user.container", "user.container"),