podman/read-only-tmpfs.md at 346f9cb4ed7cd6c6047680fc5f5223765539946d - podman - Gitea: Git with a cup of tea

opensource/podman

mirror of https://github.com/containers/podman.git synced 2025-06-03 12:17:13 +08:00

Files

Daniel J Walsh 22a8b68866 make /dev & /dev/shm read/only when --read-only --read-only-tmpfs=false

The intention of --read-only-tmpfs=fals when in --read-only mode was to
not allow any processes inside of the container to write content
anywhere, unless the caller also specified a volume or a tmpfs. Having
/dev and /dev/shm writable breaks this assumption.

Fixes: https://github.com/containers/podman/issues/12937

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>

2023-07-30 06:09:30 -04:00

8 lines

334 B

Markdown

Raw Blame History

 ####> This option file is used in:
 ####>   podman create, run
 ####> If file is edited, make sure the changes
 ####> are applicable to all of those.
 #### **--read-only-tmpfs**
 If container is running in **--read-only** mode, then mount a read-write tmpfs on _/dev_, _/dev/shm_, _/run_, _/tmp_, and _/var/tmp_. The default is **true**.