diff --git a/docs/source/markdown/podman-systemd.unit.5.md b/docs/source/markdown/podman-systemd.unit.5.md
index 22cfbd4617..d4667c0f36 100644
--- a/docs/source/markdown/podman-systemd.unit.5.md
+++ b/docs/source/markdown/podman-systemd.unit.5.md
@@ -136,7 +136,7 @@ By default, the container runs with no capabilities (due to DropCapabilities='al
 caps are needed, then add them with this key. For example using `AddCapability=CAP_DAC_OVERRIDE`. This can be listed multiple times.
-#### `ReadOnly=` (defaults to `no`)
+#### `ReadOnly=` (defaults to `yes`)
 If enabled, makes image read-only, with /var/tmp, /tmp and /run a tmpfs (unless disabled by `VolatileTmp=no`).
diff --git a/pkg/systemd/quadlet/quadlet.go b/pkg/systemd/quadlet/quadlet.go
index b1869cca23..e962c719ca 100644
--- a/pkg/systemd/quadlet/quadlet.go
+++ b/pkg/systemd/quadlet/quadlet.go
@@ -412,7 +412,7 @@ func ConvertContainer(container *parser.UnitFile, isUser bool) (*parser.UnitFile
 podman.addf("--cap-add=%s", strings.ToLower(caps))
 }
- readOnly := container.LookupBoolean(ContainerGroup, KeyReadOnly, false)
+ readOnly := container.LookupBoolean(ContainerGroup, KeyReadOnly, true)
 if readOnly {
 podman.add("--read-only")
 }
diff --git a/test/e2e/quadlet/basepodman.container b/test/e2e/quadlet/basepodman.container
index aa97351438..8204a293b9 100644
--- a/test/e2e/quadlet/basepodman.container
+++ b/test/e2e/quadlet/basepodman.container
@@ -1,10 +1,10 @@
-## assert-podman-final-args run --name=systemd-%N --cidfile=%t/%N.cid --replace --rm -d --log-driver journald --pull=never --runtime /usr/bin/crun --cgroups=split --sdnotify=conmon imagename
+## assert-podman-final-args run --name=systemd-%N --cidfile=%t/%N.cid --replace --rm -d --log-driver passthrough --pull=never --runtime /usr/bin/crun --cgroups=split --sdnotify=conmon imagename
 [Container]
 Image=imagename
 # Disable all default features to get as empty podman run command as we can
-RemapUsers=no
+ReadOnly=no
 NoNewPrivileges=no
 DropCapability=
 RunInit=no
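Review bot: The flipped third argument on the `readOnly` lookup changes the generated command for every existing unit that omits `ReadOnly=`, and nothing at the call site records that this hardening is intentional or how a unit opts out. A why-comment above the lookup would help the next reader, for example `// Default to a read-only root filesystem; units that need a writable root set ReadOnly=no (see podman-systemd.unit.5.md).` Since this is a user-visible compatibility change, it is worth checking that the release notes call it out, which cannot be confirmed from this diff. ConvertContainer begins and ends outside the hunk, so the code that emits the related `--read-only-tmpfs=false` flag asserted by the new fixtures is not visible here.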
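Review bot: Two edits in the basepodman.container fixture are unrelated to the read-only default: the expected `--log-driver` value changes from `journald` to `passthrough` on the assert line, and `RemapUsers=no` is replaced by `ReadOnly=no` rather than kept alongside it. If these only bring a stale fixture back in line with earlier changes, a sentence in the commit description saying so would make the intent clear. If `RemapUsers=` is still a recognized key, dropping it narrows what this "disable all default features" test covers, and `ReadOnly=no` should be an additional line instead of a replacement.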
diff --git a/test/e2e/quadlet/basic.container b/test/e2e/quadlet/basic.container
index ab770b10c7..f86084cd4c 100644
--- a/test/e2e/quadlet/basic.container
+++ b/test/e2e/quadlet/basic.container
@@ -12,7 +12,8 @@
 ## assert-podman-args "--sdnotify=conmon"
 ## assert-podman-args "--security-opt=no-new-privileges"
 ## assert-podman-args "--cap-drop=all"
-## assert-podman-args "--tmpfs" "/tmp:rw,size=512M,mode=1777"
+## assert-podman-args "--read-only"
+## !assert-podman-args "--read-only-tmpfs=false"
 ## assert-key-is "Unit" "RequiresMountsFor" "%t/containers"
 ## assert-key-is "Service" "KillMode" "mixed"
 ## assert-key-is "Service" "Delegate" "yes"
diff --git a/test/e2e/quadlet/readonly-notmpfs.container b/test/e2e/quadlet/readonly-notmpfs.container
new file mode 100644
index 0000000000..cddc7b7142
--- /dev/null
+++ b/test/e2e/quadlet/readonly-notmpfs.container
@@ -0,0 +1,6 @@
+## assert-podman-args "--read-only-tmpfs=false"
+## assert-podman-args "--read-only"
+
+[Container]
+Image=localhost/imagename
+VolatileTmp=no
diff --git a/test/e2e/quadlet/readwrite-notmpfs.container b/test/e2e/quadlet/readwrite-notmpfs.container
new file mode 100644
index 0000000000..c7349a8ce0
--- /dev/null
+++ b/test/e2e/quadlet/readwrite-notmpfs.container
@@ -0,0 +1,7 @@
+## !assert-podman-args "--read-only"
+## !assert-podman-args "--tmpfs" "/tmp:rw,size=512M,mode=1777"
+
+[Container]
+Image=localhost/imagename
+VolatileTmp=no
+ReadOnly=no
diff --git a/test/e2e/quadlet/readwrite.container b/test/e2e/quadlet/readwrite.container
new file mode 100644
index 0000000000..61905c0e6d
--- /dev/null
+++ b/test/e2e/quadlet/readwrite.container
@@ -0,0 +1,6 @@
+## !assert-podman-args "--read-only"
+## assert-podman-args "--tmpfs" "/tmp:rw,size=512M,mode=1777"
+
+[Container]
+Image=localhost/imagename
+ReadOnly=no
diff --git a/test/e2e/quadlet_test.go b/test/e2e/quadlet_test.go
index 76b98efdbb..7b86308d0f 100644
--- a/test/e2e/quadlet_test.go
+++ b/test/e2e/quadlet_test.go
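Review bot: The new readwrite-notmpfs.container fixture pins the absence of `--read-only` and of the `/tmp` tmpfs, but not the absence of `--read-only-tmpfs=false`, even though that flag is only meaningful together with `--read-only`; adding `## !assert-podman-args "--read-only-tmpfs=false"` would catch a generator that emits it whenever `VolatileTmp=no` is set regardless of `ReadOnly=`. The same negative assertion would be useful in readwrite.container. Whether the generator already avoids this cannot be seen from the hunks, since the emitting code is outside this diff.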
@@ -284,6 +284,9 @@ var _ = Describe("quadlet system generator", func() {
 Entry("podmanargs.container", "podmanargs.container"),
 Entry("ports.container", "ports.container"),
 Entry("ports_ipv6.container", "ports_ipv6.container"),
+ Entry("readonly-notmpfs.container", "readonly-notmpfs.container"),
+ Entry("readwrite.container", "readwrite.container"),
+ Entry("readwrite-notmpfs.container", "readwrite-notmpfs.container"),
 Entry("socketactivated.container", "socketactivated.container"),
 Entry("timezone.container", "timezone.container"),
 Entry("user.container", "user.container"),
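Review bot: The three added `Entry` lines do not follow the ordering the surrounding table appears to use, which looks byte-sorted by filename (`ports.container` before `ports_ipv6.container`); under that ordering `readwrite-notmpfs.container` belongs before `readwrite.container`, so the last two added lines should be swapped. This is style only and does not affect which fixtures run. The enclosing Describe block begins and ends outside the hunk.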