Add a warning if tmpdir/rundir are not on tmpfs#22141
Add a warning if tmpdir/rundir are not on tmpfs#22141mheon wants to merge 1 commit intocontainers:v5.0from
Conversation
d4ec473 to
811ecc3
Compare
I thought Podman still supported installations with a traditional |
Luap99
left a comment
There was a problem hiding this comment.
small comments, all I can say is we should have done this much sooner given the amount of problems we had with this
libpod/runtime_linux.go
Outdated
libpod/runtime_linux.go
Outdated
There was a problem hiding this comment.
I think there also the less common ramfs so I think we should check that here to.
We do, but that doesn't change the fact that we depend on tmpfs or some other util to remove these paths on boot. |
|
Cockpit tests failed for commit d4ec4737e083c84efecc531ce5bed4c088bbc03e. @martinpitt, @jelly, @mvollmer please check. |
|
Cockpit tests failed for commit 811ecc38dc3dca830b4ff3d86c53418c9f103a25. @martinpitt, @jelly, @mvollmer please check. |
811ecc3 to
eac2675
Compare
|
@edsantiago The system tests don't use put the test directory on tmpfs, right? If so we can test this on tmpfs |
|
LGTM, do any docs need updates or should have clarification? |
@mheon I've been struggling to understand this. The best answer I can give is, (for the most part) system tests just invoke |
|
could we instead write a file to the tmpdir/rundir and with the value of |
libpod/runtime_linux.go
Outdated
There was a problem hiding this comment.
I think we need to avoid the warning also when running in a container (the container env is set)
|
@giuseppe That'd work for generic reboot protection, but it wouldn't help clear files afterwards - this PR was motivated by the IPAM DB not being removed on reboot leading to us running out of IP addresses to allocate. We could theoretically build that entirely into Podman as well, have a list of files which must be removed if reboot is detected, but that seems overly complex when we can just make sure a tmpfs is in use? |
|
@edsantiago Yeah that should be fine, thanks. Needed to make sure that we're using standard paths and not throwing everything on a tmpfs for performance or similar. |
I was thinking about raising an error and terminating the Podman process if the content of EDIT: would that be enough to protect from the IPAM DB not being cleaned up? |
|
Hm. I like the idea, but I'd also like to backport this patch, and I don't know if introducing a new error in existing releases is a good idea. Maybe I should target this at 5.0 only, and we make it an error in main? |
sure, that works for me |
eac2675 to
dddefdd
Compare
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: mheon The full list of commands accepted by this bot can be found here. The pull request process is described here DetailsNeeds approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
Retargeted at 5.0 branch. Will add a test this morning. |
0cff2b9 to
504208f
Compare
|
Update: None of our VMs actually use tmpfs /tmp so this breaks absolutely everything. |
504208f to
a0e1466
Compare
|
Passed the ignore-warning environment variable through to all Cirrus tasks. Good news is that it makes the test easier; just unset that environment variable and run Podman. |
|
containers/automation_images#340 will make |
|
The PR against main will probably be completely different, and not need the environment variable at all. |
test/system/005-info.bats
Outdated
There was a problem hiding this comment.
Might I also suggest
tmpfs_tmp=$(mktemp -d /dev/shm)
run_podman --tmpdir=$tmpfs_tmp/tmp --runroot=$tmpfs_tmp/runroot --root=$tmpfs_tmp/root info
assert "$output" !~ "are not on a tmpfs"There was a problem hiding this comment.
Any reason to not just mktemp and then mount a tmpfs over that directory?
There was a problem hiding this comment.
Laziness? And, will that work rootless? I've never seen a system without /dev/shm (at least not in the last 20 years)
a0e1466 to
44ba4de
Compare
|
Ephemeral COPR build failed. @containers/packit-build please check. |
44ba4de to
3467c29
Compare
|
@edsantiago Does the test logic seem OK to you? It's acting like the environment variable is still defined. |
|
Maybe because I don't see tmpdir, though. Maybe that's in XDG? I still think it's better to test with explicit |
e0d54f3 to
c9d9e12
Compare
|
Why is this targeted against the 5.0 branch? I don't think it is a good idea to backport such a big warning in a patch release. |
|
We decided on an alternate implementation for Main - we'll be outright refusing to run if we detect an unhandled reboot in 5.1. This was lower-impact so I thought it would still be useful in 5.0.1. I'm OK with leaving it out until we discuss further when you get back, though. |
Podman requires several directories to be on tmpfs so we can properly detect (and clean up after) reboots: the tmpdir (for Libpod files) and runroot (for c/storage files). We have not done any validation that they are actual on tmpfs filesystems in the past, which leads to no end of people wondering why Podman is broken on their system (where, perhaps, /tmp is not a tmpfs, which the FHS allows because sanity cannot exist in this world, and there is no systemd session so /run/user/$UID does not exist). This adds an actual warning on launching Podman with such an unsupported configuration. There's an environment variable if the user is certain they want to run Podman like this (perhaps having used systemd-tmpfiles to automatically clean the relevant dir on reboot), but otherwise we warn every time a command is run with runroot/tmpdir on a non-tmpfs filesystem. Signed-off-by: Matt Heon <mheon@redhat.com>
Podman *really* needs /tmp to be tmpfs, to detect and handle reboots. Although there are (at this time) no reboots involved in CI testing, it's still important for CI hosts to reflect something close to a real-world environment. And, there is work underway to check /tmp: containers/podman#22141 This PR removes special-case Fedora code that was disabling a tmpfs /tmp mount. History dates back to PR containers#30 back in 2020. Some of the image-build code in this repo performs reboots and relies on persistent tmp files, so you'll note a flurry of /tmp -> /var/tmp changes. And, as a drive-by, document the Windows Chocolatey install command. Link to Best Practices, and explain why we disregard some of those. Signed-off-by: Ed Santiago <santiago@redhat.com>
|
Note I feel rather strongly about not adding such big warnings in a patch release, we lived long enough with the status quo so waiting few more weeks shouldn't be that big of a deal. And if we plan to fix this in a different way on main anyway then I think we should just do that and not introduce two different fixes in two different versions which will likely cause some differences in behavior and thus confusion. |
|
I'll go ahead and close, then. We can fix properly in 5.1. |
Podman *really* needs /tmp to be tmpfs, to detect and handle reboots. Although there are (at this time) no reboots involved in CI testing, it's still important for CI hosts to reflect something close to a real-world environment. And, there is work underway to check /tmp: containers/podman#22141 This PR removes special-case Fedora code that was disabling a tmpfs /tmp mount. History dates back to PR containers#30 back in 2020. Some of the image-build code in this repo performs reboots and relies on persistent tmp files, so you'll note a flurry of /tmp -> /var/tmp changes. And, as a drive-by, document the Windows Chocolatey install command. Link to Best Practices, and explain why we disregard some of those. Signed-off-by: Ed Santiago <santiago@redhat.com>
Podman *really* needs /tmp to be tmpfs, to detect and handle reboots. Although there are (at this time) no reboots involved in CI testing, it's still important for CI hosts to reflect something close to a real-world environment. And, there is work underway to check /tmp: containers/podman#22141 This PR removes special-case Fedora code that was disabling a tmpfs /tmp mount. History dates back to PR containers#30 back in 2020. Some of the image-build code in this repo performs reboots and relies on persistent tmp files, so you'll note a flurry of /tmp -> /var/tmp changes. Signed-off-by: Ed Santiago <santiago@redhat.com>
Podman *really* needs /tmp to be tmpfs, to detect and handle reboots. Although there are (at this time) no reboots involved in CI testing, it's still important for CI hosts to reflect something close to a real-world environment. And, there is work underway to check /tmp: containers/podman#22141 This PR removes special-case Fedora code that was disabling a tmpfs /tmp mount. History dates back to PR containers#30 back in 2020. Some of the image-build code in this repo performs reboots and relies on persistent tmp files, so you'll note a flurry of /tmp -> /var/tmp changes. Signed-off-by: Ed Santiago <santiago@redhat.com>
Podman requires several directories to be on tmpfs so we can properly detect (and clean up after) reboots: the tmpdir (for Libpod files) and runroot (for c/storage files). We have not done any validation that they are actual on tmpfs filesystems in the past, which leads to no end of people wondering why Podman is broken on their system (where, perhaps, /tmp is not a tmpfs, which the FHS allows because sanity cannot exist in this world, and there is no systemd session so /run/user/$UID does not exist).
This adds an actual warning on launching Podman with such an unsupported configuration. There's an environment variable if the user is certain they want to run Podman like this (perhaps having used systemd-tmpfiles to automatically clean the relevant dir on reboot), but otherwise we warn every time a command is run with runroot/tmpdir on a non-tmpfs filesystem.
Does this PR introduce a user-facing change?