mirror of
				https://github.com/containers/podman.git
				synced 2025-10-26 02:35:43 +08:00 
			
		
		
		
	We should not be mounting /run as noexec when run with --systemd
The system defaults /run to "exec" mode, and we default --read-only mounts on /run to "exec", so --systemd should follow suit. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
This commit is contained in:
		| @ -563,7 +563,7 @@ func (c *Container) generateSpec(ctx context.Context) (*spec.Spec, error) { | |||||||
| // systemd expects to have /run, /run/lock and /tmp on tmpfs | // systemd expects to have /run, /run/lock and /tmp on tmpfs | ||||||
| // It also expects to be able to write to /sys/fs/cgroup/systemd and /var/log/journal | // It also expects to be able to write to /sys/fs/cgroup/systemd and /var/log/journal | ||||||
| func (c *Container) setupSystemd(mounts []spec.Mount, g generate.Generator) error { | func (c *Container) setupSystemd(mounts []spec.Mount, g generate.Generator) error { | ||||||
| 	options := []string{"rw", "rprivate", "noexec", "nosuid", "nodev"} | 	options := []string{"rw", "rprivate", "nosuid", "nodev"} | ||||||
| 	for _, dest := range []string{"/run", "/run/lock"} { | 	for _, dest := range []string{"/run", "/run/lock"} { | ||||||
| 		if MountExists(mounts, dest) { | 		if MountExists(mounts, dest) { | ||||||
| 			continue | 			continue | ||||||
| @ -627,7 +627,7 @@ func (c *Container) setupSystemd(mounts []spec.Mount, g generate.Generator) erro | |||||||
| 			Destination: "/sys/fs/cgroup/systemd", | 			Destination: "/sys/fs/cgroup/systemd", | ||||||
| 			Type:        "bind", | 			Type:        "bind", | ||||||
| 			Source:      "/sys/fs/cgroup/systemd", | 			Source:      "/sys/fs/cgroup/systemd", | ||||||
| 			Options:     []string{"bind", "nodev", "noexec", "nosuid", "rprivate"}, | 			Options:     []string{"bind", "nodev", "nosuid", "rprivate"}, | ||||||
| 		} | 		} | ||||||
| 		g.AddMount(systemdMnt) | 		g.AddMount(systemdMnt) | ||||||
| 		g.AddLinuxMaskedPaths("/sys/fs/cgroup/systemd/release_agent") | 		g.AddLinuxMaskedPaths("/sys/fs/cgroup/systemd/release_agent") | ||||||
|  | |||||||
| @ -919,6 +919,14 @@ USER mail` | |||||||
| 		Expect(session.OutputToString()).To(Not(ContainSubstring("/dev/shm type tmpfs (ro,"))) | 		Expect(session.OutputToString()).To(Not(ContainSubstring("/dev/shm type tmpfs (ro,"))) | ||||||
| 	}) | 	}) | ||||||
|  |  | ||||||
|  | 	It("podman run readonly container should NOT mount /run noexec", func() { | ||||||
|  | 		session := podmanTest.Podman([]string{"run", "--read-only", ALPINE, "sh", "-c", "mount  | grep \"/run \""}) | ||||||
|  | 		session.WaitWithDefaultTimeout() | ||||||
|  | 		Expect(session.ExitCode()).To(Equal(0)) | ||||||
|  |  | ||||||
|  | 		Expect(session.OutputToString()).To(Not(ContainSubstring("noexec"))) | ||||||
|  | 	}) | ||||||
|  |  | ||||||
| 	It("podman run with bad healthcheck retries", func() { | 	It("podman run with bad healthcheck retries", func() { | ||||||
| 		session := podmanTest.Podman([]string{"run", "-dt", "--health-cmd", "[\"foo\"]", "--health-retries", "0", ALPINE, "top"}) | 		session := podmanTest.Podman([]string{"run", "-dt", "--health-cmd", "[\"foo\"]", "--health-retries", "0", ALPINE, "top"}) | ||||||
| 		session.Wait() | 		session.Wait() | ||||||
|  | |||||||
| @ -146,4 +146,12 @@ WantedBy=multi-user.target | |||||||
| 		Expect(len(conData)).To(Equal(1)) | 		Expect(len(conData)).To(Equal(1)) | ||||||
| 		Expect(conData[0].Config.SystemdMode).To(BeTrue()) | 		Expect(conData[0].Config.SystemdMode).To(BeTrue()) | ||||||
| 	}) | 	}) | ||||||
|  |  | ||||||
|  | 	It("podman run --systemd container should NOT mount /run noexec", func() { | ||||||
|  | 		session := podmanTest.Podman([]string{"run", "--systemd", "always", ALPINE, "sh", "-c", "mount  | grep \"/run \""}) | ||||||
|  | 		session.WaitWithDefaultTimeout() | ||||||
|  | 		Expect(session.ExitCode()).To(Equal(0)) | ||||||
|  |  | ||||||
|  | 		Expect(session.OutputToString()).To(Not(ContainSubstring("noexec"))) | ||||||
|  | 	}) | ||||||
| }) | }) | ||||||
|  | |||||||
		Reference in New Issue
	
	Block a user
	 Daniel J Walsh
					Daniel J Walsh