Merge pull request #20235 from rhatdan/read-only
Fix handling of --read-only-tmpfs flag
@ -386,7 +386,7 @@ func DefineCreateFlags(cmd *cobra.Command, cf *entities.ContainerCreateOptions,
|
||||
createFlags.BoolVar(
|
||||
&cf.ReadWriteTmpFS,
|
||||
"read-only-tmpfs", cf.ReadWriteTmpFS,
|
||||
"When running containers in read-only mode mount a read-write tmpfs on /run, /tmp and /var/tmp",
|
||||
"When running --read-only containers mount read-write tmpfs on /dev, /dev/shm, /run, /tmp and /var/tmp",
|
||||
)
|
||||
requiresFlagName := "requires"
|
||||
createFlags.StringSliceVar(
|
||||
|
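Review bot: The new help string for the `read-only-tmpfs` flag still does not tell an operator that the flag is on by default (the man page in this PR states the default is true) nor what turning it off does, so `--help` alone does not make clear that `--read-only` by itself still leaves writable tmpfs mounts on /dev, /dev/shm, /run, /tmp and /var/tmp. Consider `"When running --read-only containers mount read-write tmpfs on /dev, /dev/shm, /run, /tmp and /var/tmp; set to false for a fully read-only container (default true)"`. The flag `read-only-tmpfs` is bound to a field named `cf.ReadWriteTmpFS`, an inverted name that predates this change but deserves a one-line comment next to the binding. The enclosing DefineCreateFlags body starts and ends outside the hunk.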
@ -4,4 +4,23 @@
|
||||
####> are applicable to all of those.
|
||||
#### **--read-only-tmpfs**
|
||||
|
||||
If container is running in **--read-only** mode, then mount a read-write tmpfs on _/dev_, _/dev/shm_, _/run_, _/tmp_, and _/var/tmp_. The default is **true**.
|
||||
When running --read-only containers, mount a read-write tmpfs on _/dev_, _/dev/shm_, _/run_, _/tmp_, and _/var/tmp_. The default is **true**.
|
||||
|
||||
| --read-only | --read-only-tmpfs | / | /run, /tmp, /var/tmp|
|
||||
| ----------- | ----------------- | ---- | ----------------------------------- |
|
||||
| true | true | r/o | r/w |
|
||||
| true | false | r/o | r/o |
|
||||
| false | false | r/w | r/w |
|
||||
| false | true | r/w | r/w |
|
||||
|
||||
When **--read-only=true** and **--read-only-tmpfs=true** additional tmpfs are mounted on
|
||||
the /tmp, /run, and /var/tmp directories.
|
||||
|
||||
When **--read-only=true** and **--read-only-tmpfs=false** /dev and /dev/shm are marked
|
||||
Read/Only and no tmpfs are mounted on /tmp, /run and /var/tmp. The directories
|
||||
are exposed from the underlying image, meaning they are read-only by default.
|
||||
This makes the container totally read-only. No writable directories exist within
|
||||
the container. In this mode writable directories need to be added via external
|
||||
volumes or mounts.
|
||||
|
||||
By default, when **--read-only=false**, the /dev and /dev/shm are read/write, and the /tmp, /run, and /var/tmp are read/write directories from the container image.
|
||||
|
@ -1120,10 +1120,13 @@ EOF
|
||||
CONTAINERS_CONF_OVERRIDE="$containersconf" run_podman run --rm --read-only=false $IMAGE touch /testrw
|
||||
CONTAINERS_CONF_OVERRIDE="$containersconf" run_podman run --rm $IMAGE touch /tmp/testrw
|
||||
for dir in /tmp /var/tmp /dev /dev/shm /run; do
|
||||
CONTAINERS_CONF_OVERRIDE="$containersconf" run_podman run --rm $IMAGE touch $dir/testro
|
||||
CONTAINERS_CONF_OVERRIDE="$containersconf" run_podman run --rm --read-only=false $IMAGE touch $dir/testro
|
||||
CONTAINERS_CONF_OVERRIDE="$containersconf" run_podman run --rm --read-only=false --read-only-tmpfs=true $IMAGE touch $dir/testro
|
||||
CONTAINERS_CONF_OVERRIDE="$containersconf" run_podman run --rm --read-only-tmpfs=true $IMAGE touch $dir/testro
|
||||
|
||||
CONTAINERS_CONF_OVERRIDE="$containersconf" run_podman 1 run --rm --read-only-tmpfs=false $IMAGE touch $dir/testro
|
||||
assert "$output" =~ "touch: $dir/testro: Read-only file system"
|
||||
CONTAINERS_CONF_OVERRIDE="$containersconf" run_podman run --rm --read-only-tmpfs=true $IMAGE touch $dir/testro
|
||||
CONTAINERS_CONF_OVERRIDE="$containersconf" run_podman run --rm --read-only=false $IMAGE touch $dir/testro
|
||||
done
|
||||
}
|
||||
|
||||
|
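Review bot: The `--read-only=false --read-only-tmpfs=false` combination, which the man page table in this PR documents as r/w for both / and the tmpfs directories, is not exercised anywhere in the loop, while the two `run_podman` lines just before `done` appear to repeat the `--read-only-tmpfs=true` and `--read-only=false` invocations already run earlier in the same iteration. Replacing one of the repeats with `CONTAINERS_CONF_OVERRIDE="$containersconf" run_podman run --rm --read-only=false --read-only-tmpfs=false $IMAGE touch $dir/testro` would cover the missing row without lengthening the test. The negative case only matches the touch error text, which is adequate here because the neighbouring iterations show the same path is writable under the other settings. The enclosing test function begins outside the hunk, so the containers.conf that forces read-only mode is assumed from context.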