From a00821083339652f7ff780d276b05be43f60305c Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Fri, 13 May 2022 06:42:12 -0400 Subject: [PATCH] Support setting image_volume_mode in containers.conf Begins to fix https://github.com/containers/podman/issues/14230 Signed-off-by: Daniel J Walsh --- docs/containers.conf.5.md | 8 ++++++++ pkg/config/config.go | 21 +++++++++++++++++++++ pkg/config/config_test.go | 11 +++++++++++ pkg/config/containers.conf | 10 ++++++++++ pkg/config/default.go | 4 ++++ pkg/config/testdata/containers_default.conf | 2 ++ 6 files changed, 56 insertions(+) diff --git a/docs/containers.conf.5.md b/docs/containers.conf.5.md index 27f696b1a..0c3d74172 100644 --- a/docs/containers.conf.5.md +++ b/docs/containers.conf.5.md @@ -487,6 +487,14 @@ Default transport method for pulling and pushing images. Maximum number of image layers to be copied (pulled/pushed) simultaneously. Not setting this field will fall back to containers/image defaults. (6) +**image_volume_mode**="bind" + +Tells container engines how to handle the builtin image volumes. + +* bind: An anonymous named volume will be created and mounted into the container. +* tmpfs: The volume is mounted onto the container as a tmpfs, which allows the users to create content that disappears when the container is stopped. +* ignore: All volumes are just ignored and no action is taken. + **infra_command**="/pause" Infra (pause) container image command for pod infra containers. When running a diff --git a/pkg/config/config.go b/pkg/config/config.go index 25572968f..047e3f0a7 100644 --- a/pkg/config/config.go +++ b/pkg/config/config.go @@ -13,6 +13,7 @@ import ( "github.com/BurntSushi/toml" "github.com/containers/common/libnetwork/types" "github.com/containers/common/pkg/capabilities" + "github.com/containers/common/pkg/util" "github.com/containers/storage/pkg/unshare" units "github.com/docker/go-units" selinux "github.com/opencontainers/selinux/go-selinux" 
@@ -46,6 +47,8 @@ const ( BoltDBStateStore RuntimeStateStore = iota ) +var validImageVolumeModes = []string{"bind", "tmpfs", "ignore"} + // ProxyEnv is a list of Proxy Environment variables var ProxyEnv = []string{ "http_proxy", @@ -294,6 +297,10 @@ type EngineConfig struct { // Building/committing defaults to OCI. ImageDefaultFormat string `toml:"image_default_format,omitempty"` + // ImageVolumeMode Tells container engines how to handle the builtin + // image volumes. Values bind, tmpfs, ignore + ImageVolumeMode string `toml:"image_volume_mode,omitempty"` + // InfraCommand is the command run to start up a pod infra container. InfraCommand string `toml:"infra_command,omitempty"` @@ -821,6 +828,9 @@ func (c *EngineConfig) Validate() error { return err } + if err := ValidateImageVolumeMode(c.ImageVolumeMode); err != nil { + return err + } // Check if the pullPolicy from containers.conf is valid // if it is invalid returns the error pullPolicy := strings.ToLower(c.PullPolicy) @@ -1305,3 +1315,14 @@ func (e eventsLogMaxSize) MarshalText() ([]byte, error) { } return []byte(fmt.Sprintf("%d", e)), nil } + +func ValidateImageVolumeMode(mode string) error { + if mode == "" { + return nil + } + if util.StringInSlice(mode, validImageVolumeModes) { + return nil + } + + return fmt.Errorf("invalid image volume mode %q required value: %s", mode, strings.Join(validImageVolumeModes, ", ")) +} diff --git a/pkg/config/config_test.go b/pkg/config/config_test.go index 2eb49ea9a..df64584f3 100644 --- a/pkg/config/config_test.go +++ b/pkg/config/config_test.go 
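Review bot: The check added to `Validate` compares the mode case-sensitively, while the pull-policy check directly below it lowercases its input with `strings.ToLower(c.PullPolicy)`, so `image_volume_mode = "Bind"` is rejected where a mixed-case pull policy is accepted. Either state in containers.conf.5.md that the value must be lower case, or normalise it. If it is normalised, the stored field should be too, e.g. `c.ImageVolumeMode = strings.ToLower(c.ImageVolumeMode)` before the call, because consumers of `ImageVolumeMode` would otherwise still see the unnormalised string. `Validate` begins and ends outside this hunk.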
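Review bot: `ValidateImageVolumeMode` is exported without a doc comment, and nothing a caller would read says that it accepts the empty string. Because `""` passes validation, a consumer of `EngineConfig.ImageVolumeMode` can presumably receive an empty mode when a config file sets `image_volume_mode = ""`, and must then decide for itself which of bind, tmpfs or ignore applies. This is an inference, since the merge with the `bind` default is not visible in this hunk. Suggested comment: `// ValidateImageVolumeMode returns an error unless mode is empty or one of bind, tmpfs, ignore; an empty mode is accepted and must be defaulted by the caller.` The error text would also read more clearly as `"invalid image volume mode %q, valid values: %s"`.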
@@ -33,6 +33,7 @@ var _ = Describe("Config", func() { gomega.Expect(defaultConfig.NetNS()).To(gomega.BeEquivalentTo("private")) gomega.Expect(defaultConfig.IPCNS()).To(gomega.BeEquivalentTo("shareable")) gomega.Expect(defaultConfig.Engine.InfraImage).To(gomega.BeEquivalentTo("")) + gomega.Expect(defaultConfig.Engine.ImageVolumeMode).To(gomega.BeEquivalentTo("bind")) path, err := defaultConfig.ImageCopyTmpDir() gomega.Expect(err).To(gomega.BeNil()) gomega.Expect(path).To(gomega.BeEquivalentTo("/var/tmp")) @@ -378,6 +379,7 @@ image_copy_tmp_dir="storage"` gomega.Expect(config.Containers.PidsLimit).To(gomega.BeEquivalentTo(2048)) gomega.Expect(config.Containers.BaseHostsFile).To(gomega.BeEquivalentTo("/etc/hosts2")) gomega.Expect(config.Containers.HostContainersInternalIP).To(gomega.BeEquivalentTo("1.2.3.4")) + gomega.Expect(config.Engine.ImageVolumeMode).To(gomega.BeEquivalentTo("tmpfs")) }) It("contents of passed-in file should override others", func() { @@ -812,4 +814,13 @@ env=["foo=bar"]` gomega.Expect(string(b)).To(gomega. Equal("[containers]\n\n[engine]\n\n[machine]\n\n[network]\n\n[secrets]\n\n[configmaps]\n")) }) + + It("validate ImageVolumeMode", func() { + for _, mode := range append(validImageVolumeModes, "") { + err := ValidateImageVolumeMode(mode) + gomega.Expect(err).ToNot(gomega.HaveOccurred()) + } + err := ValidateImageVolumeMode("bogus") + gomega.Expect(err).To(gomega.HaveOccurred()) + }) }) diff --git a/pkg/config/containers.conf b/pkg/config/containers.conf index a4e755a66..72eb83447 100644 --- a/pkg/config/containers.conf +++ b/pkg/config/containers.conf 
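Review bot: The new `validate ImageVolumeMode` case calls the helper directly and rejects only `"bogus"`, so nothing in these hunks pins that an invalid `image_volume_mode` is refused through `EngineConfig.Validate()`. Tests outside the hunk may already cover that path. An expectation that `Validate()` fails for a config whose `ImageVolumeMode` is invalid would cover the path a user actually hits, and a mixed-case value such as `"Bind"` would fix the intended case behaviour. `append(validImageVolumeModes, "")` is safe today because the slice literal has no spare capacity, but copying the slice first avoids writing into the package-level backing array if that ever changes.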
@@ -434,6 +434,16 @@ default_sysctls = [ # #image_parallel_copies = 0 +# Tells container engines how to handle the builtin image volumes. +# * bind: An anonymous named volume will be created and mounted +# into the container. +# * tmpfs: The volume is mounted onto the container as a tmpfs, +# which allows the users to create content that disappears when +# the container is stopped. +# * ignore: All volumes are just ignored and no action is taken. +# +#image_volume_mode = "" + # Default command to run the infra container # #infra_command = "/pause" diff --git a/pkg/config/default.go b/pkg/config/default.go index d988d3b1c..ab35f6289 100644 --- a/pkg/config/default.go +++ b/pkg/config/default.go @@ -43,6 +43,9 @@ const ( // _defaultTransport is a prefix that we apply to an image name to check // docker hub first for the image. _defaultTransport = "docker://" + + // _defaultImageVolumeMode is a mode to handle buildint image volumes + _defaultImageVolumeMode = "bind" ) var ( @@ -294,6 +297,7 @@ func defaultConfigFromMemory() (*EngineConfig, error) { } c.HooksDir = DefaultHooksDirs c.ImageDefaultTransport = _defaultTransport + c.ImageVolumeMode = _defaultImageVolumeMode c.StateType = BoltDBStateStore c.ImageBuildFormat = "oci" diff --git a/pkg/config/testdata/containers_default.conf b/pkg/config/testdata/containers_default.conf index ca4948c2f..ec453dc58 100644 --- a/pkg/config/testdata/containers_default.conf +++ b/pkg/config/testdata/containers_default.conf @@ -124,6 +124,8 @@ conmon_env_vars = [ image_copy_tmp_dir="storage" +image_volume_mode = "tmpfs" + # Paths to look for the Conmon container manager binary conmon_path = [
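Review bot: The sample line `#image_volume_mode = ""` does not show the effective default. default.go in this patch sets `_defaultImageVolumeMode = "bind"`, and containers.conf.5.md documents `**image_volume_mode**="bind"`. The neighbouring entry `#infra_command = "/pause"` carries its default in the commented line, so this one should read `#image_volume_mode = "bind"`. As written, an administrator who simply uncomments the line sets an empty mode, which `ValidateImageVolumeMode` accepts, leaving the behaviour to whatever the engine does with an empty string.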
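Review bot: The comment on `_defaultImageVolumeMode` in the first default.go hunk has a typo (`buildint`) and calls the constant "a mode" rather than the default. Suggested wording: `// _defaultImageVolumeMode is the default mode for handling builtin image volumes.` The enclosing `const (` block starts outside the hunk.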