Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix handling of --read-only-tmpfs flag #20235

Merged
merged 1 commit into from
Oct 16, 2023
Merged

Fix handling of --read-only-tmpfs flag #20235

merged 1 commit into from
Oct 16, 2023

Conversation

rhatdan
Copy link
Member

@rhatdan rhatdan commented Oct 2, 2023

Fixes: #20225

Does this PR introduce a user-facing change?

podman run --read-only-tmpfs=true|false handled correctly when run with --read-only flag

@openshift-ci openshift-ci bot added release-note approved Indicates a PR has been approved by an approver from all required OWNERS files. labels Oct 2, 2023
edsantiago
edsantiago reviewed Oct 2, 2023
View reviewed changes
test/system/030-run.bats
@@ -1120,10 +1120,12 @@ EOF
CONTAINERS_CONF_OVERRIDE="$containersconf" run_podman run --rm --read-only=false $IMAGE touch /testrw
CONTAINERS_CONF_OVERRIDE="$containersconf" run_podman run --rm $IMAGE touch /tmp/testrw
for dir in /tmp /var/tmp /dev /dev/shm /run; do
CONTAINERS_CONF_OVERRIDE="$containersconf" run_podman 1 run --rm --read-only-tmpfs=false $IMAGE touch $dir/testro
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

These are such confusing options. I don't have the brainpower to review right now, so just two quick points:

  • for those who care, this is a breaking change
  • for completeness, should we check all permutations of --read-only with --read-only-tmpfs?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The breaking change would have been to change the --read-only-tmpfs to --read-write-tmpf, which it is called internally. The issue is that if the user actually sets the constant it does it backwards, While if the user never sets it the default is to have read-write-tmpfs.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Bottom line is the bug --read-only-tmpfs=false Was turning on read-only-tmpfs while --read-only-tmfs=true was turning off read-only-tmpfs.

flouthoc
flouthoc reviewed Oct 3, 2023
View reviewed changes
Copy link
Collaborator

@flouthoc flouthoc left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think man page must mention relation between these two flags.

giuseppe
giuseppe approved these changes Oct 3, 2023
View reviewed changes
Copy link
Member

@giuseppe giuseppe left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@openshift-ci
Copy link
Contributor

openshift-ci bot commented Oct 3, 2023

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: giuseppe, rhatdan

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

edsantiago
edsantiago reviewed Oct 3, 2023
View reviewed changes
Copy link
Member

@edsantiago edsantiago left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Even with fresh morning brain, this is still way too confusing for me, so I'm not blocking but can you please check my comments?

Also, what @flouthoc said. The man page, IMO, only makes things worse as it is.

cmd/podman/common/create.go Outdated
@@ -383,8 +383,7 @@ func DefineCreateFlags(cmd *cobra.Command, cf *entities.ContainerCreateOptions,
"read-only", podmanConfig.ContainersConfDefaultsRO.Containers.ReadOnly,
"Make containers root filesystem read-only",
)
createFlags.BoolVar(
&cf.ReadWriteTmpFS,
createFlags.Bool(
"read-only-tmpfs", cf.ReadWriteTmpFS,
"When running containers in read-only mode mount a read-write tmpfs on /run, /tmp and /var/tmp",
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I realize this is not part of your PR, but this description seems absolutely wrong and misleading. It seems to apply to the variable name, not the option name. (Also, missing comma between "mode" and "mount").

test/system/030-run.bats
CONTAINERS_CONF_OVERRIDE="$containersconf" run_podman run --rm --read-only=false $IMAGE touch $dir/testro
CONTAINERS_CONF_OVERRIDE="$containersconf" run_podman run --rm --read-only=false --read-only-tmpfs=true $IMAGE touch $dir/testro
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This seems wrong to me? If I ask for read-only-tmpfs, I want a read-only tmpfs.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I added the table to the docs. --read-only=true is required in order to add the --read-only-tmpfs=true.

@mheon
Copy link
Member

mheon commented Oct 3, 2023

Code LGTM, but I'll refrain from merging until Ed's comments are answered

@rhatdan rhatdan force-pushed the read-only branch 5 times, most recently from 72a128d to baaf5af Compare October 3, 2023 19:20
Luap99
Luap99 requested changes Oct 4, 2023
View reviewed changes
Copy link
Member

@Luap99 Luap99 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is straight up breaking as it inverts the meaning of that option, as confusing as the name might be the doc is clear the setting --read-only-tmpfs mounts rw.
We cannot just break every user of that option just because the name is confusing.

@rubiksdot
Copy link

My understanding of how this works from past behaviour of podman (pre-4.7) and the names of the flags is:

--read-only --tmpfs-read-only result for fs/tmpfs
true true ro/ro
true false ro/rw
false true rw/rw
false false rw/rw

The current 4.7 behaviour the results of the first two lines are swapped.

The description of the --tmpfs-read-only is confusing. Something like this may be clearer:

"Given --read-only being true should default tmpfs mounts (/tmp, /run, /dev, etc) also be read-only? (default: false)"

Currently all my ansible is broken under 4.7 as it relied on previous behaviour.

(from memory the default pre-4.7 was to make the default tmpfs mounts r/w)

@Luap99
Copy link
Member

Luap99 commented Oct 5, 2023

My understanding of how this works from past behaviour of podman (pre-4.7) and the names of the flags is:
--read-only --tmpfs-read-only result for fs/tmpfs
true true ro/ro
true false ro/rw
false true rw/rw
false false rw/rw

The current 4.7 behaviour the results of the first two lines are swapped.

The description of the --tmpfs-read-only is confusing. Something like this may be clearer:

"Given --read-only being true should default tmpfs mounts (/tmp, /run, /dev, etc) also be read-only? (default: false)"

Currently all my ansible is broken under 4.7 as it relied on previous behaviour.

(from memory the default pre-4.7 was to make the default tmpfs mounts r/w)

There is no --tmpfs-read-only it is called --read-only-tmpfs.

I see no difference between main, 4.7.0 or 4.6.2 or 4.3.1 (prior to 338b283) when checking /tmp mount points.

Your problem seems to be special to the /dev mount
Prior /dev was always mounted rw, regardless of --read-only-tmpfs true or false, now it uses the options which seems to changed intentionally by 22a8b68. So as far as I can tell that change is your problem.

As confusing as the current name might be we should not break the behaviour as this will just break every users of this option so this PR is incorrect IMO.

@rhatdan
Copy link
Member Author

rhatdan commented Oct 5, 2023

Ok the current code looks correct.

podman run --help | grep read-only-tmpfs
      --read-only-tmpfs                          When running containers in read-only mode mount a read-write tmpfs on /run, /tmp and /var/tmp (default true)
tmp $ podman run --read-only alpine touch /tmp/dan
tmp $ podman run --read-only --read-only-tmpfs=true alpine touch /tmp/dan
tmp $ podman run --read-only --read-only-tmpfs=false alpine touch /tmp/dan
touch: /tmp/dan: Read-only file system

The table should be:

--read-only --tmpfs-read-only result for fs/tmpfs
true true ro/rw
true false ro/ro
false true rw/IMAGE
false false rw/IMAGE

In True|True additional tmpfs are mounted on /tmp, /run, and /var/tmp
In True|False /dev and /dev/shm are marked Read/Only and no tmpfs are mounted on /tmp/run and /var/tmp, meaning they are read-only by default.

In all other cases, the /dev and /dev/shm are read/write and the /tmp, /run, and /var/tmp are not modified.

@rhatdan rhatdan force-pushed the read-only branch 4 times, most recently from 8e2b8f7 to b5f4d9b Compare October 11, 2023 20:13
@packit-as-a-service
Copy link

Ephemeral COPR build failed. @containers/packit-build please check.

@packit-as-a-service
Copy link

Cockpit tests failed for commit b5f4d9bb623d61df9ea713eb219c7190ab724761. @martinpitt, @jelly, @mvollmer please check.

@rhatdan
Copy link
Member Author

rhatdan commented Oct 12, 2023

@Luap99 @edsantiago @vrothberg I think this is fixed now PTAL.

Luap99
Luap99 reviewed Oct 12, 2023
View reviewed changes
cmd/podman/containers/create.go Outdated
Comment on lines 120 to 125
if cmd.Flags().Changed("read-only-tmpfs") {
cliVals.ReadWriteTmpFS, err = flags.GetBool("read-only-tmpfs")
if err != nil {
return err
}
}
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This change seems unnecessary, you can just keep the flag definition as BoolVar().

docs/source/markdown/options/read-only-tmpfs.md Outdated
Comment on lines 16 to 23
When --read-only=True and --read-only-tmpfs=True additional tmpfs are mounted on
the /tmp, /run, and /var/tmp directories.

When --read-only=True and --read-only-tmpfs=False /dev and /dev/shm are marked
Read/Only and no tmpfs are mounted on /tmp, /run and /var/tmp. The directories
are exposed from the underlying image, meaning they are read-only by default.

In all other cases where --read-only=false the /dev and /dev/shm are read/write and the /tmp, /run, and /var/tmp are not mounted over by default.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It seems to be common style to put command and flags into bold blocks in all man pages, i.e. **--read-only**
I also find it weird to use the upper case True/False, I think we generally stick to the lowercase versions everywhere.

And lastly the last sentence doesn't look right grammatically to me. I am not a native speaker of course but without extra context I don't think I am able to understand this.

@packit-as-a-service
Copy link

Cockpit tests failed for commit 0b09cf8862a2d8c0c4969ab2f77913d58e34fe10. @martinpitt, @jelly, @mvollmer please check.

@packit-as-a-service
Copy link

Cockpit tests failed for commit 0cdc2f867bf570e60e521566a69a03db6a345b92. @martinpitt, @jelly, @mvollmer please check.

@rhatdan
Copy link
Member Author

rhatdan commented Oct 13, 2023

@TomSweeneyRedHat @Luap99 PTAL

@Luap99
Copy link
Member

Luap99 commented Oct 16, 2023

Can you please squash the second commit.

@rhatdan rhatdan added the lgtm Indicates that a PR is ready to be merged. label Oct 16, 2023
@openshift-ci openshift-ci bot merged commit acc7a94 into containers:main Oct 16, 2023
98 checks passed
@TomSweeneyRedHat
Copy link
Member

Post merge, but LGTM

@github-actions github-actions bot added the locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments. label Jan 16, 2024
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Jan 16, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@Luap99 Luap99 Luap99 requested changes

@TomSweeneyRedHat TomSweeneyRedHat TomSweeneyRedHat left review comments

@flouthoc flouthoc flouthoc left review comments

@edsantiago edsantiago edsantiago left review comments

@giuseppe giuseppe giuseppe approved these changes

Assignees
No one assigned
Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. lgtm Indicates that a PR is ready to be merged. locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments. release-note
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

--read-only-tmpfs logic appears inversed
8 participants
@rhatdan @mheon @rubiksdot @Luap99 @TomSweeneyRedHat @giuseppe @edsantiago @flouthoc