Add containers.conf read-only flag support

[rhatdan]

If you are running temporary containers within podman play kube
we should really be running these in read-only mode. For automotive
they plan on running all of their containers in read-only temporal
mode. Adding this option guarantees that the container image is not
being modified during the running of the container.

The containers can only write to tmpfs mounted directories.

Signed-off-by: Daniel J Walsh dwalsh@redhat.com

[rhatdan]

@alexlarsson @ygalblum PTAL
@containers/podman-maintainers PTAL

[TomSweeneyRedHat]

Suggest "those commands."

[rhatdan]

These are auto-generated.

[Luap99]

@rhatdan Can you squash these PR comment commits please into your actual one, they increase the commit count for no reason and if I browse the commit log they provide no clue about the change.

[Luap99]

Should we just use

securityContext:
      readOnlyRootFilesystem: true

https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/
in the yaml instead of adding this as flag?

[rhatdan]

I think we might want to use both. The goal is to allow automotive to force Pods to be read-only, potentially similar in quadlet.
It looks like that option does not currently work in containers either.

[rhatdan]

Actually my code breaks this use case.

[alexlarsson]

Since we already have an yaml options for this, I think we should use that, and then add support for changing its default value. Then quadlet can e.g. do --default-container=securityContext.readOnlyRootFilesystem=true or something like that. This seems more flexible than adding a bunch of options with unclear semantics in cases where e.g. some containers in the pod specify the field and some don't.

[alexlarsson]

Similarly, we could have --default-annotation=

[ygalblum]

As @Luap99 and @alexlarsson wrote, since there is a field for it in the K8S schema, podman kube play should use it and not add another flag for it. Having said that, as @alexlarsson wrote, we would like to be able to set a different default value for when the value is not set.
As for the suggestion regarding --default-container since container is a structure, maybe the argument should be a JSON. This way the user does not have to repeat the parameter if she wished to set more than one default value. Moreover, if it's a JSON, we should consider allowing it to be passed as a path to a file (maybe with the a prefix of @ like in Ansible)

[rhatdan]

To me that is a bit of a contradiction to have the ability to override just in quadlet but not from the command line. But I am not wed to having this option. Most of the framework of this PR is still required to allow quadlet to set that default.

[ygalblum]

Maybe I wasn't clear. I didn't mean for these flags to be quadlet specific, nor do I see how it can be done. I think these should be podman kube play flags that callers can use. One such caller is quadlet but any user can pass them.

[vrothberg]

Suggested change

	flags.BoolVar(&playOptions.ReadOnlyCLI, "read-only", false, "Make all containers root filesystem read-only")
	flags.BoolVar(&playOptions.ReadOnlyCLI, "read-only", false, "Make all containers' root filesystems read-only")

[vrothberg]

This change should be broken out into another commit. It's causing a lot of noise.

[vrothberg]

I don't see plumbing for it on the server side.

[ygalblum]

Considering the fact that the Pod manifest already has a field (at the container level) to control the "read-only" attribute, do we still want to add this flag?
If we add the flag, do we disregard the value in the manifest? If we also look at the manifest, what takes precedence?

[rhatdan]

The manifest is primary, but if the user overrides the flag, then the flag takes precedence.

podman kube play foobar.yaml # Yaml wins
podman kube play --readonly foobar.yaml # Read Only
podman kube play --readonly=false foobar.yaml # Read Write

[vrothberg]

Minor nits. Some code comments may help resolve my confusion.

[rhatdan]

@containers/podman-maintainers PTAL
@vrothberg PTAL

[vrothberg]

One question but LGTM

[rhatdan]

@giuseppe @alexlarsson @ygalblum @flouthoc PTAL

[ygalblum]

From the last line of the outer loop, I can see that the dest field is also used as the key in the mounts map. If so, can you replace this loop with checking if dest exists in the map?

[rhatdan]

Nice catch.

[ygalblum]

Typo in the json name, should be read_write_tmpfs

[rhatdan]

Yikes.

[ygalblum]

This comment is based on the assumption that ReadWriteTmpFS's default is true. But, the default value is defined somewhere else (in cmd). If for some reason, the default is changed, no one will know to change this comment and it will left with wrong information. Maybe it's better to leave the user out of this commnet

[rhatdan]

I want future maintainers to understand what this logic is doing, so I attempted to improve the comment.

[vrothberg]

pkg/specgenutil/specgen.go:595:58: contianer is a misspelling of container (misspell)

Happens to me all the time as well.

[ygalblum]

• You have container is twice
• Shouldn't this be ReadWrite tmpfs is not disabled?

[rhatdan]

Yup, hopefully no more typos...

[vrothberg]

LGTM
@giuseppe PTAL

[rhatdan]

@flouthoc PTAL
@ygalblum PTAL

[ygalblum]

LGTM

[flouthoc]

LGTM

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: flouthoc, rhatdan, vrothberg

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [flouthoc,rhatdan,vrothberg]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment