Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

--read-only-tmpfs logic appears inversed #20225

Closed
rubiksdot opened this issue Oct 1, 2023 · 1 comment · Fixed by #20235
Closed

--read-only-tmpfs logic appears inversed #20225

rubiksdot opened this issue Oct 1, 2023 · 1 comment · Fixed by #20235
Labels
kind/bug Categorizes issue or PR as related to a bug. locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments.

Comments

@rubiksdot
Copy link

rubiksdot commented Oct 1, 2023

Issue Description

I have --read-only=True and --read-only-tmpfs=False set (via ansible) but /dev came out read-only.

The description for the option seems... topsey-turvey, also:

      --read-only-tmpfs                          When running containers in read-only mode mount a read-write tmpfs on /run, /tmp and /var/tmp (default true)

The description seems to be opposite to what the name implies and the way this functioned until now.

Steps to reproduce the issue

Steps to reproduce the issue

  1. run on host: podman container run --read-only=True --read-only-tmpfs=True -ti my_container bash --login
  2. run in container: grep ' /dev ' /proc/mounts

Describe the results you received

The line for /dev was set 'ro'.

Describe the results you expected

The line for /dev should've been 'rw'.

podman info output

host:
  arch: amd64
  buildahVersion: 1.32.0
  cgroupControllers:
  - cpuset
  - cpu
  - io
  - memory
  - hugetlb
  - pids
  - rdma
  - misc
  cgroupManager: cgroupfs
  cgroupVersion: v2
  conmon:
    package: conmon_2.1.6+ds1-1_amd64
    path: /usr/bin/conmon
    version: 'conmon version 2.1.6, commit: unknown'
  cpuUtilization:
    idlePercent: 65.08
    systemPercent: 12.98
    userPercent: 21.94
  cpus: 1
  databaseBackend: boltdb
  distribution:
    codename: bookworm
    distribution: debian
    version: "12"
  eventLogger: file
  freeLocks: 2025
  hostname: my_host
  idMappings:
    gidmap: null
    uidmap: null
  kernel: 6.1.0-12-amd64
  linkmode: dynamic
  logDriver: journald
  memFree: 108855296
  memTotal: 1007288320
  networkBackend: cni
  networkBackendInfo:
    backend: cni
    dns: {}
    package: 'containernetworking-plugins, containernetworking: /usr/libexec/cni'
    path: /usr/libexec/cni
  ociRuntime:
    name: runc
    package: cri-o-runc_100:1.1.9-1_amd64
    path: /usr/lib/cri-o-runc/sbin/runc
    version: |-
      runc version unknown
      spec: 1.0.2-dev
      go: go1.21.1
      libseccomp: 2.5.4
  os: linux
  pasta:
    executable: ""
    package: ""
    version: ""
  remoteSocket:
    exists: true
    path: /run/podman/podman.sock
  security:
    apparmorEnabled: true
    capabilities: CAP_AUDIT_WRITE,CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_MKNOD,CAP_NET_BIND_SERVICE,CAP_NET_RAW,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: false
    seccompEnabled: true
    seccompProfilePath: /usr/share/containers/seccomp.json
    selinuxEnabled: false
  serviceIsRemote: false
  slirp4netns:
    executable: ""
    package: ""
    version: ""
  swapFree: 415232000
  swapTotal: 536866816
  uptime: 0h 57m 25.00s
plugins:
  authorization: null
  log:
  - k8s-file
  - none
  - passthrough
  network:
  - bridge
  - macvlan
  - ipvlan
  volume:
  - local
registries:
  search:
  - docker.io
store:
  configFile: /usr/share/containers/storage.conf
  containerStore:
    number: 23
    paused: 0
    running: 3
    stopped: 20
  graphDriverName: overlay
  graphOptions: {}
  graphRoot: /var/lib/containers/storage
  graphRootAllocated: 25812455424
  graphRootUsed: 8705409024
  graphStatus:
    Backing Filesystem: extfs
    Native Overlay Diff: "true"
    Supports d_type: "true"
    Supports shifting: "true"
    Supports volatile: "true"
    Using metacopy: "false"
  imageCopyTmpDir: /var/tmp
  imageStore:
    number: 152
  runRoot: /run/containers/storage
  transientStore: false
  volumePath: /var/lib/containers/storage/volumes
version:
  APIVersion: 4.7.0
  Built: 0
  BuiltTime: Thu Jan  1 10:00:00 1970
  GitCommit: ""
  GoVersion: go1.21.1
  Os: linux
  OsArch: linux/amd64
  Version: 4.7.0

Podman in a container

No

Privileged Or Rootless

None

Upstream Latest Release

Yes

Additional environment details

Additional environment details

Additional information

Some testing:

$ podman container run --read-only=True --read-only-tmpfs=False -ti my_container bash --login
0 [ 1/10 15:28:45] root@76a16a1c7dc7:/root>> grep /dev /proc/mounts 
tmpfs /dev tmpfs ro,nosuid,size=65536k,mode=755,inode64 0 0
podman container run --read-only=True --read-only-tmpfs=True -ti my_container bash --login
0 [ 1/10 15:29:01] root@0be187c72ea4:/root>> grep /dev /proc/mounts 
tmpfs /dev tmpfs rw,nosuid,size=65536k,mode=755,inode64 0 0
podman container run --read-only=False --read-only-tmpfs=True -ti my_container bash --login
0 [ 1/10 15:36:33] root@1aba9af5c9c8:/root>> grep ' /dev ' /proc/mounts
tmpfs /dev tmpfs rw,nosuid,size=65536k,mode=755,inode64 0 0
podman container run --read-only=False --read-only-tmpfs=False -ti my_container bash --login
0 [ 1/10 15:36:50] root@18a871e62549:/root>> grep ' /dev ' /proc/mounts
tmpfs /dev tmpfs rw,nosuid,size=65536k,mode=755,inode64 0 0
@rubiksdot rubiksdot added the kind/bug Categorizes issue or PR as related to a bug. label Oct 1, 2023
@rhatdan
Copy link
Member

rhatdan commented Oct 2, 2023

Yes this seems backwards.

rhatdan added a commit to rhatdan/podman that referenced this issue Oct 16, 2023
Fixes: containers#20225

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
@github-actions github-actions bot added the locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments. label Jan 15, 2024
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Jan 15, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
kind/bug Categorizes issue or PR as related to a bug. locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments.
Projects
None yet
Development

Successfully merging a pull request may close this issue.

2 participants