Closed xduugu closed 10 months ago
@giuseppe I guess the crun change was intentional? If so we should update the docs.
@Luap99 I think it was intentional. At least in the NEWS file, he points out
- linux: append tmpfs mode if missing for mounts. This is the same behavior of runc.
I am undecided what to do here. On one hand, it sounds right to respect the underlying directory permissions, but on the other hand, I don't see any use-case when you mount a tmpfs into a container and don't want it to be writable at least by the container user. However, I don't have an readhat account, so I cannot check what the issue was that was fixed by this commit.
I just think it's a bit unfortunate that the behavior depends on the used container runtime engine. And what about docker compatibility? Iirc, I never had to adjust the permissions of a mounted tmpfs to be writable by the container user.
By the way, I fixed my issue by using the U
mount option (chown
unfortunately does not work for --tmpfs
). Maybe I should always use U,mode=0700
as mount options for a tmpfs mount to be independent of the actual directory permissions in the image, because U
is not enough if the underlying directory is not writable in the image:
podman run --userns=keep-id --tmpfs /var/empty:U docker.io/library/alpine:latest touch /var/empty/test
I also don't get the rationale behind the runc feature. Still, an issue was reported where a tmpfs directory created with crun has mode 0777 while runc honors the underlying directory so in the end I've decided to follow what runc does so that it doesn't look less safe with crun.
The documentation seems wrong anyway, since that is not the case with runc.
So the correct docs would be Defaults to the permissions of the directory in the underlying image, if it does not exists it uses 1777 as mode
?
that is what runc/crun do, but do we need to capture it in the Podman documentation? It might be different with a different runtime, so if we want to specify it, we need to say this is what happens with runc/crun, but other runtimes can use a different default
I just checked the docker documentation:
|
tmpfs-mode
| File mode of the tmpfs in octal. For instance,700
or0770
. Defaults to1777
or world-writable. |
Does podman need to be compatible to docker in this respect?
I think the correct behaviour is to match the underlying directory. And then allow the users to override it.
Docker seems to perform the same way.
sh-5.2# docker run alpine ls -ld /mnt
drwxr-xr-x 2 root root 4096 Sep 28 11:18 /mnt
sh-5.2# docker run --tmpfs /mnt alpine ls -ld /mnt
drwxr-xr-x 2 root root 40 Nov 25 17:02 /mnt
@rhatdan You already closed the issue. Doesn't the documentation need an update? Maybe removing the part Defaults to 1777 in Linux.
is enough to indicate that podman does not guarantee a specific directory mode.
Interested in opening a PR?
opened a PR: https://github.com/containers/podman/pull/20807
Thanks! @giuseppe
Issue Description
After my fedora coreos device updated itself yesterday from
38.20231027.3.2
to39.20231101.3.0
, one of my containers failed to start. It is a rootless container with a read-only filesystem which runs as a non-root user. The process requires a work directory, which is why I mount a tmpfs at this location. However, after the upgrade, the work directory was not writable anymore for the user in the container.I compared the package list between the two releases and the only podman-relevant package was the upgrade of
crun
:crun-1.10-1.fc38.aarch64 ⟶ 1.11-1.fc39.aarch64
Apparently, crun >= 1.11 uses the permissions of the underlying directory as mode for the tmpfs mount if no mode is specified (https://github.com/containers/crun/commit/3b874c2045a31ee049941947ddbc7114a09fd2c1).
The documentation states:
I guess this was the case for me before the crun update, but now the statement about the default does not apply anymore.
Possible solutions:
mode=1777
to a tmpfs mount, if no other mode is specified.Steps to reproduce the issue
Steps to reproduce the issue
podman run --userns=keep-id --tmpfs /home docker.io/library/alpine:latest touch /home/test
Describe the results you received
The tmpfs mount is not writable for the non-root user.
Describe the results you expected
The tmpfs mount should be writable for the non-root user.
podman info output
Podman in a container
No
Privileged Or Rootless
Rootless
Upstream Latest Release
No
Additional environment details
Additional environment details
Additional information
Additional information like issue happens only occasionally or issue happens with a particular architecture or on a particular setting