Add containers.conf read-only flag support #16545
Conversation
github-actions
bot
added
the
kind/api-change
|
@alexlarsson @ygalblum PTAL |
| @@ -1,11 +1,11 @@ | |||
| ####> This option file is used in: | |||
| ####> podman create, run | |||
| ####> podman create, kube play, run | |||
| ####> If you edit this file, make sure your changes | |||
| ####> are applicable to all of those. | |||
There was a problem hiding this comment.
Suggest "those commands."
There was a problem hiding this comment.
These are auto-generated.
openshift-ci
bot
added
the
approved
|
@rhatdan Can you squash these PR comment commits please into your actual one, they increase the commit count for no reason and if I browse the commit log they provide no clue about the change. |
There was a problem hiding this comment.
Should we just use
securityContext:
readOnlyRootFilesystem: true
https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/
in the yaml instead of adding this as flag?
|
I think we might want to use both. The goal is to allow automotive to force Pods to be read-only, potentially similar in quadlet. |
|
Actually my code breaks this use case. |
|
Since we already have an yaml options for this, I think we should use that, and then add support for changing its default value. Then quadlet can e.g. do |
|
Similarly, we could have |
|
As @Luap99 and @alexlarsson wrote, since there is a field for it in the K8S schema, |
|
To me that is a bit of a contradiction to have the ability to override just in quadlet but not from the command line. But I am not wed to having this option. Most of the framework of this PR is still required to allow quadlet to set that default. |
|
Maybe I wasn't clear. I didn't mean for these flags to be |
rhatdan
force-pushed
the
read-only
branch
2 times, most recently
from
40eb724 to
7d8f1e3
Compare
cmd/podman/kube/play.go
Outdated
| @@ -137,6 +138,7 @@ func playFlags(cmd *cobra.Command) { | |||
| flags.BoolVar(&playOptions.NoHosts, "no-hosts", false, "Do not create /etc/hosts within the pod's containers, instead use the version from the image") | |||
| flags.BoolVarP(&playOptions.Quiet, "quiet", "q", false, "Suppress output information when pulling images") | |||
| flags.BoolVar(&playOptions.TLSVerifyCLI, "tls-verify", true, "Require HTTPS and verify certificates when contacting registries") | |||
| flags.BoolVar(&playOptions.ReadOnlyCLI, "read-only", false, "Make all containers root filesystem read-only") | |||
There was a problem hiding this comment.
| flags.BoolVar(&playOptions.ReadOnlyCLI, "read-only", false, "Make all containers root filesystem read-only") | |
| flags.BoolVar(&playOptions.ReadOnlyCLI, "read-only", false, "Make all containers' root filesystems read-only") |
| @@ -1,7 +1,7 @@ | |||
| ####> This option file is used in: | |||
| ####> podman build, create, pod create, run | |||
| ####> If you edit this file, make sure your changes | |||
| ####> are applicable to all of those. | |||
| ####> are applicable to all of those files. | |||
There was a problem hiding this comment.
This change should be broken out into another commit. It's causing a lot of noise.
pkg/domain/infra/tunnel/kube.go
Outdated
| @@ -66,6 +66,9 @@ func (ic *ContainerEngine) PlayKube(ctx context.Context, body io.Reader, opts en | |||
| options.WithAnnotations(opts.Annotations) | |||
| } | |||
| options.WithNoHosts(opts.NoHosts).WithUserns(opts.Userns) | |||
| if ro := opts.ReadOnly; ro != types.OptionalBoolUndefined { | |||
| options.WithReadOnly(ro == types.OptionalBoolTrue) | |||
There was a problem hiding this comment.
I don't see plumbing for it on the server side.
rhatdan
force-pushed
the
read-only
branch
4 times, most recently
from
6c28ffc to
1a9bb58
Compare
|
Considering the fact that the Pod manifest already has a field (at the container level) to control the "read-only" attribute, do we still want to add this flag? |
|
The manifest is primary, but if the user overrides the flag, then the flag takes precedence. podman kube play foobar.yaml # Yaml wins |
rhatdan
force-pushed
the
read-only
branch
2 times, most recently
from
b819fc0 to
c9df82e
Compare
github-actions
bot
added
the
kind/api-change
rhatdan
force-pushed
the
read-only
branch
2 times, most recently
from
8082c44 to
ebedf12
Compare
|
@containers/podman-maintainers PTAL |
pkg/specgen/generate/storage.go
Outdated
| readonlyTmpfs := []string{"/tmp", "/var/tmp", "/run"} | ||
| options := []string{"rw", "rprivate", "nosuid", "nodev", "tmpcopyup"} | ||
| for _, dest := range readonlyTmpfs { | ||
| for _, m := range mounts { |
There was a problem hiding this comment.
From the last line of the outer loop, I can see that the dest field is also used as the key in the mounts map. If so, can you replace this loop with checking if dest exists in the map?
pkg/specgen/specgen.go
Outdated
| @@ -384,6 +384,10 @@ type ContainerSecurityConfig struct { | |||
| // ReadOnlyFilesystem indicates that everything will be mounted | |||
| // as read-only | |||
| ReadOnlyFilesystem bool `json:"read_only_filesystem,omitempty"` | |||
| // ReadWriteTmpfs indicates that when running with a ReadOnlyFilesystem | |||
| // mount temporary file systems | |||
| ReadWriteTmpfs bool `json:"read_wrie_tmpfs,omitempty"` | |||
There was a problem hiding this comment.
Typo in the json name, should be read_write_tmpfs
pkg/specgenutil/specgen.go
Outdated
| // defaults to true, check spec/storage | ||
| // s.readonly = c.ReadOnlyTmpFS | ||
| // Only add ReadWrite tmpfs mounts iff the container is ReadOnly and | ||
| // the user did not disable the --read-only-tmpfs flag. |
There was a problem hiding this comment.
This comment is based on the assumption that ReadWriteTmpFS's default is true. But, the default value is defined somewhere else (in cmd). If for some reason, the default is changed, no one will know to change this comment and it will left with wrong information. Maybe it's better to leave the user out of this commnet
There was a problem hiding this comment.
I want future maintainers to understand what this logic is doing, so I attempted to improve the comment.
rhatdan
force-pushed
the
read-only
branch
2 times, most recently
from
32d92c5 to
018f8cb
Compare
Happens to me all the time as well. |
pkg/specgenutil/specgen.go
Outdated
| // defaults to true, check spec/storage | ||
| // s.readonly = c.ReadOnlyTmpFS | ||
| // Only add ReadWrite tmpfs mounts iff the container is container is | ||
| // being run ReadOnly and ReadWrite tmpfs are disabled, |
There was a problem hiding this comment.
- You have
container istwice - Shouldn't this be
ReadWrite tmpfs is not disabled?
There was a problem hiding this comment.
Yup, hopefully no more typos...
If you are running temporary containers within podman play kube we should really be running these in read-only mode. For automotive they plan on running all of their containers in read-only temporal mode. Adding this option guarantees that the container image is not being modified during the running of the container. The containers can only write to tmpfs mounted directories. Signed-off-by: Daniel J Walsh <[email protected]>
|
LGTM |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: flouthoc, rhatdan, vrothberg The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
github-actions
bot
added
the
locked - please file new issue/PR
If you are running temporary containers within podman play kube
we should really be running these in read-only mode. For automotive
they plan on running all of their containers in read-only temporal
mode. Adding this option guarantees that the container image is not
being modified during the running of the container.
The containers can only write to tmpfs mounted directories.
Signed-off-by: Daniel J Walsh [email protected]