Merge pull request #20235 from rhatdan/read-only

Fix handling of --read-only-tmpfs flag

cmd/podman/common/create.go

@@ -386,7 +386,7 @@ func DefineCreateFlags(cmd *cobra.Command, cf *entities.ContainerCreateOptions,
 		createFlags.BoolVar(
 			&cf.ReadWriteTmpFS,
 			"read-only-tmpfs", cf.ReadWriteTmpFS,
-			"When running containers in read-only mode mount a read-write tmpfs on /run, /tmp and /var/tmp",
+			"When running --read-only containers mount read-write tmpfs on /dev, /dev/shm, /run, /tmp and /var/tmp",
 		)
 		requiresFlagName := "requires"
 		createFlags.StringSliceVar(

docs/source/markdown/options/read-only-tmpfs.md

@@ -4,4 +4,23 @@
 ####> are applicable to all of those.
 #### **--read-only-tmpfs**
 
-If container is running in **--read-only** mode, then mount a read-write tmpfs on _/dev_, _/dev/shm_, _/run_, _/tmp_, and _/var/tmp_. The default is **true**.
+When running --read-only containers, mount a read-write tmpfs on _/dev_, _/dev/shm_, _/run_, _/tmp_, and _/var/tmp_. The default is **true**.
+
+| --read-only | --read-only-tmpfs |  /   | /run, /tmp, /var/tmp|
+| ----------- | ----------------- | ---- | ----------------------------------- |
+| true        |  true             | r/o  | r/w                                 |
+| true        |  false            | r/o  | r/o                                 |
+| false       |  false            | r/w  | r/w                                 |
+| false       |  true             | r/w  | r/w                                 |
+
+When **--read-only=true** and **--read-only-tmpfs=true** additional tmpfs are mounted on
+the /tmp, /run, and /var/tmp directories.
+
+When **--read-only=true** and **--read-only-tmpfs=false** /dev and /dev/shm are marked
+Read/Only and no tmpfs are mounted on /tmp, /run and /var/tmp. The directories
+are exposed from the underlying image, meaning they are read-only by default.
+This makes the container totally read-only. No writable directories exist within
+the container. In this mode writable directories need to be added via external
+volumes or mounts.
+
+By default, when **--read-only=false**, the /dev and /dev/shm are read/write, and the /tmp, /run, and /var/tmp are read/write directories from the container image.

test/system/030-run.bats

@@ -1120,10 +1120,13 @@ EOF
     CONTAINERS_CONF_OVERRIDE="$containersconf" run_podman run --rm --read-only=false $IMAGE touch /testrw
     CONTAINERS_CONF_OVERRIDE="$containersconf" run_podman run --rm $IMAGE touch /tmp/testrw
     for dir in /tmp /var/tmp /dev /dev/shm /run; do
+        CONTAINERS_CONF_OVERRIDE="$containersconf" run_podman run --rm $IMAGE touch $dir/testro
+        CONTAINERS_CONF_OVERRIDE="$containersconf" run_podman run --rm --read-only=false $IMAGE touch $dir/testro
+        CONTAINERS_CONF_OVERRIDE="$containersconf" run_podman run --rm --read-only=false --read-only-tmpfs=true $IMAGE touch $dir/testro
+        CONTAINERS_CONF_OVERRIDE="$containersconf" run_podman run --rm --read-only-tmpfs=true $IMAGE touch $dir/testro
+
         CONTAINERS_CONF_OVERRIDE="$containersconf" run_podman 1 run --rm --read-only-tmpfs=false $IMAGE touch $dir/testro
         assert "$output" =~ "touch: $dir/testro: Read-only file system"
-        CONTAINERS_CONF_OVERRIDE="$containersconf" run_podman run --rm --read-only-tmpfs=true $IMAGE touch $dir/testro
-        CONTAINERS_CONF_OVERRIDE="$containersconf" run_podman run --rm --read-only=false $IMAGE touch $dir/testro
     done
 }