From c8604081e8f4ddf6e91db6dd252534936a9539a2 Mon Sep 17 00:00:00 2001
From: Daniel J Walsh
Date: Mon, 2 Oct 2023 16:50:32 -0400
Subject: [PATCH] Fix handling of --read-only-tmpfs flag

Fixes: https://github.com/containers/podman/issues/20225

Signed-off-by: Daniel J Walsh
---
 cmd/podman/common/create.go | 2 +-
 .../markdown/options/read-only-tmpfs.md | 21 ++++++++++++++++++-
 test/system/030-run.bats | 7 +++++--
 3 files changed, 26 insertions(+), 4 deletions(-)

diff --git a/cmd/podman/common/create.go b/cmd/podman/common/create.go
index 8082bc8f87..96c67010ca 100644
--- a/cmd/podman/common/create.go
+++ b/cmd/podman/common/create.go
@@ -386,7 +386,7 @@ func DefineCreateFlags(cmd *cobra.Command, cf *entities.ContainerCreateOptions,
 createFlags.BoolVar(
 &cf.ReadWriteTmpFS, "read-only-tmpfs", cf.ReadWriteTmpFS,
- "When running containers in read-only mode mount a read-write tmpfs on /run, /tmp and /var/tmp",
+ "When running --read-only containers mount read-write tmpfs on /dev, /dev/shm, /run, /tmp and /var/tmp",
 )
 requiresFlagName := "requires"
 createFlags.StringSliceVar(
diff --git a/docs/source/markdown/options/read-only-tmpfs.md b/docs/source/markdown/options/read-only-tmpfs.md
index 190cc7598f..246dff0d87 100644
--- a/docs/source/markdown/options/read-only-tmpfs.md
+++ b/docs/source/markdown/options/read-only-tmpfs.md
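Review bot: The new help string states that a read-write tmpfs is mounted on /dev and /dev/shm, but the option table this same commit adds to read-only-tmpfs.md lists only /run, /tmp and /var/tmp in its tmpfs column, and its prose says /dev and /dev/shm are "marked Read/Only" when the flag is false; the two descriptions of what the flag does to /dev should agree, since this flag is what users read to decide whether a --read-only container still has any writable path. If /dev and /dev/shm are tmpfs mounts whose writability this flag toggles, the markdown table should gain a `/dev, /dev/shm` column; if they are not, the help text should not list them. The flag is also bound to a field named `cf.ReadWriteTmpFS` while the option is called `read-only-tmpfs`, which the reworded help text still does not disambiguate; a comment above `createFlags.BoolVar(` such as `// Note the inverted name: true keeps the tmpfs mounts writable, false makes them read-only.` would spare the next reader the lookup (true meaning read-write follows from the help text and the default of true in the docs). DefineCreateFlags starts and ends outside the hunk.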
@@ -4,4 +4,23 @@
 ####> are applicable to all of those.
 #### **--read-only-tmpfs**
 
-If container is running in **--read-only** mode, then mount a read-write tmpfs on _/dev_, _/dev/shm_, _/run_, _/tmp_, and _/var/tmp_. The default is **true**.
+When running --read-only containers, mount a read-write tmpfs on _/dev_, _/dev/shm_, _/run_, _/tmp_, and _/var/tmp_. The default is **true**.
+
+| --read-only | --read-only-tmpfs | / | /run, /tmp, /var/tmp|
+| ----------- | ----------------- | ---- | ----------------------------------- |
+| true | true | r/o | r/w |
+| true | false | r/o | r/o |
+| false | false | r/w | r/w |
+| false | true | r/w | r/w |
+
+When **--read-only=true** and **--read-only-tmpfs=true** additional tmpfs are mounted on
+the /tmp, /run, and /var/tmp directories.
+
+When **--read-only=true** and **--read-only-tmpfs=false** /dev and /dev/shm are marked
+Read/Only and no tmpfs are mounted on /tmp, /run and /var/tmp. The directories
+are exposed from the underlying image, meaning they are read-only by default.
+This makes the container totally read-only. No writable directories exist within
+the container. In this mode writable directories need to be added via external
+volumes or mounts.
+
+By default, when **--read-only=false**, the /dev and /dev/shm are read/write, and the /tmp, /run, and /var/tmp are read/write directories from the container image.
diff --git a/test/system/030-run.bats b/test/system/030-run.bats
index 5c6751d35c..0f7952adb6 100644
--- a/test/system/030-run.bats
+++ b/test/system/030-run.bats
@@ -1120,10 +1120,13 @@ EOF
 CONTAINERS_CONF_OVERRIDE="$containersconf" run_podman run --rm --read-only=false $IMAGE touch /testrw
 CONTAINERS_CONF_OVERRIDE="$containersconf" run_podman run --rm $IMAGE touch /tmp/testrw
 for dir in /tmp /var/tmp /dev /dev/shm /run; do
+ CONTAINERS_CONF_OVERRIDE="$containersconf" run_podman run --rm $IMAGE touch $dir/testro
+ CONTAINERS_CONF_OVERRIDE="$containersconf" run_podman run --rm --read-only=false $IMAGE touch $dir/testro
+ CONTAINERS_CONF_OVERRIDE="$containersconf" run_podman run --rm --read-only=false --read-only-tmpfs=true $IMAGE touch $dir/testro
+ CONTAINERS_CONF_OVERRIDE="$containersconf" run_podman run --rm --read-only-tmpfs=true $IMAGE touch $dir/testro
+ CONTAINERS_CONF_OVERRIDE="$containersconf" run_podman 1 run --rm --read-only-tmpfs=false $IMAGE touch $dir/testro
 assert "$output" =~ "touch: $dir/testro: Read-only file system"
- CONTAINERS_CONF_OVERRIDE="$containersconf" run_podman run --rm --read-only-tmpfs=true $IMAGE touch $dir/testro
- CONTAINERS_CONF_OVERRIDE="$containersconf" run_podman run --rm --read-only=false $IMAGE touch $dir/testro
 done
 }
 
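Review bot: The loop covers three of the four rows of the option table this commit adds but not the `--read-only=false --read-only-tmpfs=false` row, which the docs say leaves every directory writable; adding `CONTAINERS_CONF_OVERRIDE="$containersconf" run_podman run --rm --read-only=false --read-only-tmpfs=false $IMAGE touch $dir/testro` beside the other success cases would catch a regression in which tmpfs=false alone makes the container read-only. The first added line presumably takes its read-only behaviour from the containers.conf written above the hunk (not visible here), so the five runs are hard to read without a comment stating the expected outcome of each, e.g. `# read-only comes from $containersconf; only --read-only-tmpfs=false must fail`. Only the last run is checked for `Read-only file system`; the earlier ones rely solely on run_podman's exit-status check, which is sufficient but worth saying in that comment. The enclosing @test function starts before the hunk.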