Merge pull request #20235 from rhatdan/read-only

Fix handling of --read-only-tmpfs flag
This commit is contained in:
openshift-ci[bot]
2023-10-16 21:22:53 +00:00
committed by GitHub
3 changed files with 26 additions and 4 deletions


@ -386,7 +386,7 @@ func DefineCreateFlags(cmd *cobra.Command, cf *entities.ContainerCreateOptions,
createFlags.BoolVar(
&cf.ReadWriteTmpFS,
"read-only-tmpfs", cf.ReadWriteTmpFS,
"When running containers in read-only mode mount a read-write tmpfs on /run, /tmp and /var/tmp",
"When running --read-only containers mount read-write tmpfs on /dev, /dev/shm, /run, /tmp and /var/tmp",
)
requiresFlagName := "requires"
createFlags.StringSliceVar(
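Review bot: The new help string on the `"read-only-tmpfs"` flag lists /dev and /dev/shm as tmpfs mount points, but nothing in this PR shows those two paths being mounted, and the man-page table added in the same PR only covers /run, /tmp and /var/tmp while its prose says /dev and /dev/shm are "marked Read/Only" rather than tmpfs-mounted; the two descriptions should agree on what the flag actually does for /dev and /dev/shm. The wording also reads awkwardly without a comma: `"When running --read-only containers, mount a read-write tmpfs on /dev, /dev/shm, /run, /tmp and /var/tmp",`. Note that the flag is bound to `cf.ReadWriteTmpFS` while being named `read-only-tmpfs`, which is easy to misread when checking the default; a one-line comment above the call such as `// read-only-tmpfs=true means the listed paths are writable tmpfs (field name is the inverse)` would help. DefineCreateFlags starts and ends outside this hunk.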


@ -4,4 +4,23 @@
####> are applicable to all of those.
#### **--read-only-tmpfs**
If container is running in **--read-only** mode, then mount a read-write tmpfs on _/dev_, _/dev/shm_, _/run_, _/tmp_, and _/var/tmp_. The default is **true**.
When running --read-only containers, mount a read-write tmpfs on _/dev_, _/dev/shm_, _/run_, _/tmp_, and _/var/tmp_. The default is **true**.
| --read-only | --read-only-tmpfs | / | /run, /tmp, /var/tmp|
| ----------- | ----------------- | ---- | ----------------------------------- |
| true | true | r/o | r/w |
| true | false | r/o | r/o |
| false | false | r/w | r/w |
| false | true | r/w | r/w |
When **--read-only=true** and **--read-only-tmpfs=true** additional tmpfs are mounted on
the /tmp, /run, and /var/tmp directories.
When **--read-only=true** and **--read-only-tmpfs=false** /dev and /dev/shm are marked
Read/Only and no tmpfs are mounted on /tmp, /run and /var/tmp. The directories
are exposed from the underlying image, meaning they are read-only by default.
This makes the container totally read-only. No writable directories exist within
the container. In this mode writable directories need to be added via external
volumes or mounts.
By default, when **--read-only=false**, the /dev and /dev/shm are read/write, and the /tmp, /run, and /var/tmp are read/write directories from the container image.


@ -1120,10 +1120,13 @@ EOF
CONTAINERS_CONF_OVERRIDE="$containersconf" run_podman run --rm --read-only=false $IMAGE touch /testrw
CONTAINERS_CONF_OVERRIDE="$containersconf" run_podman run --rm $IMAGE touch /tmp/testrw
for dir in /tmp /var/tmp /dev /dev/shm /run; do
CONTAINERS_CONF_OVERRIDE="$containersconf" run_podman run --rm $IMAGE touch $dir/testro
CONTAINERS_CONF_OVERRIDE="$containersconf" run_podman run --rm --read-only=false $IMAGE touch $dir/testro
CONTAINERS_CONF_OVERRIDE="$containersconf" run_podman run --rm --read-only=false --read-only-tmpfs=true $IMAGE touch $dir/testro
CONTAINERS_CONF_OVERRIDE="$containersconf" run_podman run --rm --read-only-tmpfs=true $IMAGE touch $dir/testro
CONTAINERS_CONF_OVERRIDE="$containersconf" run_podman 1 run --rm --read-only-tmpfs=false $IMAGE touch $dir/testro
assert "$output" =~ "touch: $dir/testro: Read-only file system"
CONTAINERS_CONF_OVERRIDE="$containersconf" run_podman run --rm --read-only-tmpfs=true $IMAGE touch $dir/testro
CONTAINERS_CONF_OVERRIDE="$containersconf" run_podman run --rm --read-only=false $IMAGE touch $dir/testro
done
}
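Review bot: The loop only checks the failing case through the containers.conf override plus `--read-only-tmpfs=false`, so it never verifies the explicit CLI combination `--read-only=true --read-only-tmpfs=false` nor the `--read-only=false --read-only-tmpfs=false` row of the new man-page table, which means a regression that forces /dev or /dev/shm read-only even when the container is not read-only would pass this test. Adding two runs inside the loop covers both rows: `CONTAINERS_CONF_OVERRIDE="$containersconf" run_podman run --rm --read-only=false --read-only-tmpfs=false $IMAGE touch $dir/testro` and `CONTAINERS_CONF_OVERRIDE="$containersconf" run_podman 1 run --rm --read-only=true --read-only-tmpfs=false $IMAGE touch $dir/testro` followed by the same `assert "$output" =~ "touch: $dir/testro: Read-only file system"`. The two trailing runs with `--read-only-tmpfs=true` and `--read-only=false` repeat the runs already made earlier in the same iteration and could be dropped to save two container starts per directory. This assumes `$containersconf` sets the container read-only by default, which is defined before the hunk; the enclosing test function starts outside the hunk.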