--read-write-tmpfs=false should set /dev/* tmpfs to readonly

[rhatdan]

Change the --read-only-tmpfs option to --read-write-tmpfs since
this makes sense and the old name was doing the exact opposite.

Fixes: #12937

Signed-off-by: Daniel J Walsh dwalsh@redhat.com

[rhatdan]

@giuseppe When I do this I attempt to make /dev, /dev/tty, /dev/shm, /dev/mqueue as read-only but crun blows up with

./bin/podman run -ti --read-only --read-only-tmpfs=false alpine sh
Error: OCI runtime error: crun: opening file /dev/console for writing: Read-only file system

[giuseppe]

/dev is still used by the OCI runtime after setting the mounts.

I've fixed an issue in crun so it works when --tty is not used, but for a read-only /dev also in the tty case, we'd need to set the ro flag later. I'll take a look at it.

I've tried with runc and it fails as well, so I think it should be optional to set /dev read-only. Could we extend --read-only-tmpfs to accept a string and have something like --read-only-tmpfs=all?

[giuseppe]

this seems to help with your PR: containers/crun#859

[rhatdan]

@kolyshkin WDYT?

[rhatdan]

I think if we leave any tmpfs writable, we don't solve the problem.

[rhatdan]

Fixes: #12937

[kolyshkin]

As @giuseppe mentioned earlier, runc can't work with ro /dev, but this fix is easy opencontainers/runc#3345 (and very similar to containers/crun#857).

One other thing, @rhatdan, I also find it very confusing how --read-only-tmpfs=false results in read-only /dev mounts. Maybe a separate option (--read-only-dev) or something else entirely?

[rhatdan]

@kolyshkin I am not crazy about adding another function, Since I believe the original goal of --read-only-tmpfs (A badly named option, which we should probably change) was to make the entire container read-only. (At least the way I think about it).

[rhatdan]

Changed the option to read-write-tmpfs.

[rhatdan]

This PR is waiting for an updated released version of runc, which will allow it to work with /dev set to read/only mode.
@kolyshkin @AkihiroSuda Any idea when that will be?

[kolyshkin]

This PR is waiting for an updated released version of runc, which will allow it to work with /dev set to read/only mode.
@kolyshkin @AkihiroSuda Any idea when that will be?

Depending on how soon you need it.

We can certainly release runc 1.1.1, either now (= soon) with this change alone, or a bit later, waiting for a few more fixes to pile up.

[kolyshkin]

This PR is waiting for an updated released version of runc,

Backport PR: opencontainers/runc#3355

[rhatdan]

Well since this is a post 4.0 feature, it is not needed immediately, but soon.

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: rhatdan

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [rhatdan]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[vrothberg]

Friendly ping. @rhatdan, are you on it?

[rhatdan]

I look at it once in a while and restart it hoping for a miracle. But I have no idea why this does not work on Ubuntu.

[cevich]

Hrmmm, you're using recent VM images too 😕 I see this, which is probably telling:

runc: runc create failed: unable to start container process: unable to setup user: fchown fd 0: read-only file system: OCI runtime error

Have you tried running any of those tests or failing commands manually under hack/get_ci_vm.sh? Might help get to the bottom of why/how the filesystems are going/set read-only.

[rhatdan]

Nope, Have thought about it, but never have time. Others can take if over and drive to conclusion...

[kolyshkin]

runc: runc create failed: unable to start container process: unable to setup user: fchown fd 0: read-only file system: OCI runtime error

This was fixed in opencontainers/runc#3345 which was backported to runc 1.1 in opencontainers/runc#3355, and the fix made its way to runc 1.1.1.

What runc version is used in the test?

[rhatdan]

@cevich would know for sure, but I think it is using the current released versions of runc in Ubuntu.

[cevich]

One of the failing Ubuntu 22.04 tasks reports:

Ubuntu 22.04 LTS \n \l
Kernel:  5.15.0-1013-gcp
Cgroups:  tmpfs
dpkg-query: warning: parsing file '/var/lib/dpkg/status' near line 1430 package 'containers-common':
 missing 'Maintainer' field
dpkg-query: no packages found matching golang
dpkg-query: no packages found matching cri-o-runc
conmon-2:2.1.2-0ubuntu22.04+obs5.1-amd64
containernetworking-plugins-0.9.1+ds1-1-amd64
containers-common-4:1-0ubuntu22.04+obs13.1-amd64
criu-3.17.1-1-amd64
crun-1.5-0ubuntu22.04+obs34.1-amd64
libseccomp2-2.5.3-2ubuntu2-amd64
podman-3:4.2.0~rc1-0ubuntu22.04+obs28.1-amd64
runc-1.1.0-0ubuntu1-amd64
skopeo-2:1.8.0-0ubuntu22.04+obs16.1-amd64
slirp4netns-1.2.0-0ubuntu22.04+obs4.1-amd64

Checking if there's an update available...There are 28 package updates available, none of them are runc. We have an option to bring in a custom-built version, but generally the distro-provided packages would be preferred. Is there a way we can tell if runc-1.1.0-0ubuntu1-amd64 is the package with the needed backport?

cc: @lsm5 FYI for now.

[edsantiago]

This is my fault, #16240. Can you run make docs, then git add the changed file and git commit --amend?

[edsantiago]

Lots of little nits, sorry for not catching them earlier.

[edsantiago]

When false, Podman the entire container

Does not parse. I think Podman is the part that needs to go, but I'm not sure what the intention was.

Did you deliberately un-underscore the directory names? Our guidelines say:

Strings of characters or numbers can be highlighted with backticks. Paths of any kind must be highlighted.

(which suggests that backticks are preferred, underscores are ok, but leaving them unadorned is not).

[edsantiago]

Inconsistent indentation: some of these are tabs, some are eight spaces.

[edsantiago]

I have a find-obsolete-skips script that I run periodically. Could you add "FIXME:" to this and the above skip/Skips ? That will bring these to my attention when I run the script next time.

[edsantiago]

leftover from copy/paste (hence misleading, because it's never used). Please remove.

[edsantiago]

I think this would be clearer as "...is only valid if", or "...is only meaningful when..."

[edsantiago]

(commenting on code that github does not show by default, so please click the uparrow-on-bar to see lines 473-475). Those lines read:

The best way to handle this is to mount tmpfs directories on /run and /tmp.

This looks like a holdover from a previous age: the implication is that /run and /tmp are also read-only. I haven't taken the time to go through history, but is it possible that the read-only-tmpfs option (the one that is being renamed here) was added after this was written, and that this used to be true but no longer is? Can you re-review lines 473-475 and see if they should be rewritten, maybe something like

Read-only containers still mount /run, /tmp, /var/tmp, /dev, and /dev/shm as read-write tmpfs. Use --read-write-tmpfs=false to protect even tmpfs directories, and --tmpfs=PATH to explicitly limit the read-write tmpfs filesystems.

(Idea only. That reads horribly. My documentation-writing brain is not fully engaged yet).

[edsantiago]

I find this hard to parse, and am really confused by the discrepancies between the first list of "these are tmpfs" and the second. I'm just going to hope that @TomSweeneyRedHat will offer his always-helpful input. Otherwise my (much less refined) thinking goes something like:

Only valid in combination with **--read-only**.  Default: **true**.

Normally a container run with **read-only** will mount the following `tmpfs` filesystems read/write:
   [ complete enumeration of those filesystems, possibly with a reference to where in the code that list is found ]
With **--read-write-tmpfs=false**, even those filesystems are mounted read-only.

[rhatdan]

Replaced by #16545