Merge pull request #17993 from xduugu/quadlet-tmpfs

quadlet: implement `Tmpfs` option
2025-06-26 21:07:02 +08:00 · 2023-04-04 06:35:18 -04:00
parent b36bc21e21 443f8d89c9
commit ab06fb234e
3 changed files with 44 additions and 0 deletions
--- a/docs/source/markdown/podman-systemd.unit.5.md
+++ b/docs/source/markdown/podman-systemd.unit.5.md
@ -121,6 +121,7 @@ Valid options for `[Container]` are listed below:
 | SecurityLabelLevel=s0:c1,c2      | --security-opt label=level:s0:c1,c2    |
 | SecurityLabelType=spc_t          | --security-opt label=type:spc_t        |
 | Timezone=local                   | --tz local                             |
+| Tmpfs=/work                      | --tmpfs /work                          |
 | User=bin                         | --user bin                             |
 | VolatileTmp=true                 | --tmpfs /tmp                           |
 | Volume=/source:/dest             | --volume /source:/dest                 |
@ -450,6 +451,13 @@ Set the label process type for the container processes.
 Use a Podman secret in the container either as a file or an environment variable.
 This is equivalent to the Podman `--secret` option and generally has the form `secret[,opt=opt ...]`

+### `Tmpfs=`
+
+Mount a tmpfs in the container. This is equivalent to the Podman `--tmpfs` option, and
+generally has the form `CONTAINER-DIR[:OPTIONS]`.
+
+This key can be listed multiple times.
+
 ### `Timezone=` (if unset uses system-configured default)

 The timezone to run the container in.
--- a/pkg/systemd/quadlet/quadlet.go
+++ b/pkg/systemd/quadlet/quadlet.go
@ -94,6 +94,7 @@ const (
 	KeySecurityLabelType     = "SecurityLabelType"
 	KeySecret                = "Secret"
 	KeyTimezone              = "Timezone"
+	KeyTmpfs                 = "Tmpfs"
 	KeyType                  = "Type"
 	KeyUser                  = "User"
 	KeyVolatileTmp           = "VolatileTmp"
@ -152,6 +153,7 @@ var (
 		KeySecurityLabelLevel:    true,
 		KeySecurityLabelType:     true,
 		KeySecret:                true,
+		KeyTmpfs:                 true,
 		KeyTimezone:              true,
 		KeyUser:                  true,
 		KeyVolatileTmp:           true,
@ -474,6 +476,15 @@ func ConvertContainer(container *parser.UnitFile, isUser bool) (*parser.UnitFile
 		return nil, err
 	}

+	tmpfsValues := container.LookupAll(ContainerGroup, KeyTmpfs)
+	for _, tmpfs := range tmpfsValues {
+		if strings.Count(tmpfs, ":") > 1 {
+			return nil, fmt.Errorf("invalid tmpfs format '%s'", tmpfs)
+		}
+
+		podman.add("--tmpfs", tmpfs)
+	}
+
 	volumes := container.LookupAll(ContainerGroup, KeyVolume)
 	for _, volume := range volumes {
 		parts := strings.SplitN(volume, ":", 3)
--- a/test/system/252-quadlet.bats
+++ b/test/system/252-quadlet.bats
@ -582,4 +582,29 @@ EOF
    rm -rf $tmp_path
 }

+@test "quadlet - tmpfs" {
+    local quadlet_file=$PODMAN_TMPDIR/basic_$(random_string).container
+    cat > $quadlet_file <<EOF
+[Container]
+Image=$IMAGE
+Exec=top
+Tmpfs=/tmpfs1
+Tmpfs=/tmpfs2:ro
+EOF
+
+    run_quadlet "$quadlet_file"
+    service_setup $QUADLET_SERVICE_NAME
+
+    run_podman container inspect  --format '{{index .HostConfig.Tmpfs "/tmpfs1"}}' $QUADLET_CONTAINER_NAME
+    is "$output" "rw,rprivate,nosuid,nodev,tmpcopyup" "regular tmpfs mount"
+
+    run_podman container inspect  --format '{{index .HostConfig.Tmpfs "/tmpfs2"}}' $QUADLET_CONTAINER_NAME
+    is "$output" "ro,rprivate,nosuid,nodev,tmpcopyup" "read-only tmpfs mount"
+
+    run_podman container inspect  --format '{{index .HostConfig.Tmpfs "/tmpfs3"}}' $QUADLET_CONTAINER_NAME
+    is "$output" "" "nonexistent tmpfs mount"
+
+    service_cleanup $QUADLET_SERVICE_NAME failed
+}
+
 # vim: filetype=sh