podman: use overlayfs for temporary files if rootless #2507

Closed
tobwen opened this issue Mar 3, 2019 · 12 comments
Labels
kind/feature Categorizes issue or PR as related to a new feature. locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments. rootless

Comments

@tobwen
Contributor

tobwen commented Mar 3, 2019

/kind feature
Description
When being rootless, all the PID and other stuff gets stored in /tmp/ (EDIT, removed: and is readable from any user on the system). Wouldn't it be possible to use fuse-overlayfs to write it on the current user's space only where available? Since tmpfs is used, it might be compatible?

@openshift-ci-robot openshift-ci-robot added the kind/feature Categorizes issue or PR as related to a new feature. label Mar 3, 2019
@rhatdan
Member

rhatdan commented Mar 4, 2019

The pid and other stuff should be written to /run not to /tmp.

@mheon
Member

mheon commented Mar 4, 2019

@rhatdan I think we fall back to /tmp if /run/user doesn't exist, then further to making a dir in the user's home directory if we can't use /tmp

@rhatdan
Member

rhatdan commented Mar 4, 2019

Well the directory we create in /tmp should have permissions 0700

@tobwen
Contributor Author

tobwen commented Mar 4, 2019

@rhatdan As a normal user, you can neither write to /run/user/ nor to /var/run/user/

That also confuses me when reading the man page:

Storage state directory where all state information is stored (default: "/var/run/containers/storage" for UID 0, "/var/run/user/$UID/run" for other users). Default state dir is configured in /etc/containers/storage.conf.

Actually, that won't work.

@mheon
Member

mheon commented Mar 4, 2019

@tobwen /run/user/$UID should be created by systemd as a per-user temporary directory on login, with the guarantee that it's destroyed on user logout, which is desirable for cleaning some of our temporary files. On systems without systemd, we can fall back to just making a directory in /tmp.

@tobwen
Contributor Author

tobwen commented Mar 4, 2019

@mheon Maybe Debian doesn't have this systemd feature enabled (like many others). My /run/user/$UID is empty (Debian Stable). Let me check what happened on Ubuntu.

Edit: Update for Ubuntu 16.0.4 LTS: has /run/user/0 only (I've got several users, like one for podman). Also, like on Debian, all of those are root & read only.

Addition: I think you can't use the user's home directory, since tmpfs is needed for some actions.

@mheon mheon added the rootless label Mar 4, 2019
@giuseppe
Member

giuseppe commented Mar 4, 2019

we use /tmp as a fallback when /run/user/$UID is not usable and the directory is created with mode 0700.

If the /tmp fallback is not usable for any reason (e.g. the directory is owned by another user), then we try with the home directory.

We prefer /run and /tmp as they are not persistent.

Are you sure that another user can really read what is stored under /tmp?
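The fallback order giuseppe describes (/run/user/$UID first, then a mode-0700 directory under /tmp, then the home directory), as an added Go example that is not podman's own code. The function names, the `run-$UID` name under /tmp and the `.local/share/containers/run` path under $HOME are assumptions made for this illustration. Beyond the order itself, it shows the checks worth doing before reusing a directory that already exists in a shared /tmp: that the path is not a symlink, that it is owned by the current uid, and that its mode grants nothing to group or others.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"syscall"
)

// Added illustration of the fallback order discussed in the thread; not
// podman's code. Directory names under /tmp and $HOME are assumptions.

// checkPrivateDir accepts dir only if it is a real directory (not a symlink),
// owned by uid, and not readable, writable or searchable by group/others.
func checkPrivateDir(dir string, uid int) error {
	fi, err := os.Lstat(dir) // Lstat: a symlink planted at this path stays visible
	if err != nil {
		return err
	}
	if fi.Mode()&os.ModeSymlink != 0 {
		return fmt.Errorf("%s: is a symlink", dir)
	}
	if !fi.IsDir() {
		return fmt.Errorf("%s: not a directory", dir)
	}
	st, ok := fi.Sys().(*syscall.Stat_t)
	if !ok {
		return fmt.Errorf("%s: cannot determine owner", dir)
	}
	if int(st.Uid) != uid {
		return fmt.Errorf("%s: owned by uid %d, not %d", dir, st.Uid, uid)
	}
	if fi.Mode().Perm()&0o077 != 0 {
		return fmt.Errorf("%s: mode %04o is wider than 0700", dir, fi.Mode().Perm())
	}
	return nil
}

// ensurePrivateDir creates dir (and parents) with mode 0700 if it is missing,
// then re-validates it, so a pre-existing directory left by another user or
// a symlink at that path is rejected instead of being silently reused.
func ensurePrivateDir(dir string, uid int) error {
	if err := os.MkdirAll(dir, 0o700); err != nil {
		return err
	}
	return checkPrivateDir(dir, uid)
}

// selectRuntimeDir tries the candidates in preference order and returns the
// first that passes validation. runUserDir is only used, never created:
// /run/user/$UID is systemd's to set up (0700, removed at logout).
func selectRuntimeDir(uid int, runUserDir, tmpDir, homeDir string) (string, error) {
	type candidate struct {
		path   string
		create bool
	}
	candidates := []candidate{
		{runUserDir, false},
		{filepath.Join(tmpDir, fmt.Sprintf("run-%d", uid)), true},                  // assumed name
		{filepath.Join(homeDir, ".local", "share", "containers", "run"), true}, // assumed name
	}
	var problems []error
	for _, c := range candidates {
		var err error
		if c.create {
			err = ensurePrivateDir(c.path, uid)
		} else {
			err = checkPrivateDir(c.path, uid)
		}
		if err == nil {
			return c.path, nil
		}
		problems = append(problems, err)
	}
	return "", fmt.Errorf("no usable runtime directory: %v", problems)
}

func main() {
	uid := os.Getuid()
	home, err := os.UserHomeDir()
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	dir, err := selectRuntimeDir(uid, fmt.Sprintf("/run/user/%d", uid), os.TempDir(), home)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Println("runtime dir:", dir)
}
```

The home directory is the last resort for the reason tobwen raises later in the thread: it is persistent and usually not tmpfs, so state left there survives logout, whereas /run/user/$UID is cleared by systemd and /tmp is commonly cleaned at boot.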

@tobwen
Contributor Author

tobwen commented Mar 4, 2019

@giuseppe I've just rechecked it, you're right. I cannot access it from another user. Sorry, maybe I had a sudo included in my previous tests.

So all we have to do is to update the manfile like this:
/run/user/$UID > /tmp > $home

Thanks for your explanation. Shall I close this feature request?

@giuseppe
Member

giuseppe commented Mar 4, 2019

yes let's close it :-)

Thanks for checking it out

@giuseppe giuseppe closed this as completed Mar 4, 2019
@rhatdan
Member

rhatdan commented Mar 4, 2019

Excellent @giuseppe. Glad to see we are secure by default.

@rhatdan
Member

rhatdan commented Mar 4, 2019

@tobwen Where are you getting podman for Debian? Is it available in the default installer?
Which version of podman are you getting?

@tobwen
Contributor Author

tobwen commented Mar 4, 2019

@rhatdan I'm building it for myself in Debian 9 from GIT. Complete rootless process, only building and installation of fuse3 needs root (I've backported it from Debian 10 without a problem). But you don't need OverlayFS to run podman.

@github-actions github-actions bot added the locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments. label Sep 24, 2023
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Sep 24, 2023