Add exec option to tmpfs

[adshmh]

This PR adds the ability to handle exec option on tmpfs mounts.

• fixes Swarm mode, mount tmpfs, how to remove noexec? #32131
• fixes [feat] Add --mount tmpfs with exec support for vscode devcontainer #45385

Notes:

This is the first draft. As discussed here: #32131 (comment), I have included the changes on docker/swarmkit types that will need vendoring. I will submit PR(s) on docker/swarmkit and docker/cli once if this PR is approved.

- What I did
Feature: allow specifying exec option for tmpfs mounts

- How I did it
Added the required code and tests to pkg/mount, volume, api/types, and daemon.

- How to verify it
I have added an integration test for verification.

- Description for the changelog

- A picture of a cute animal (not mandatory but encouraged)

[adshmh]

I think the integration test in integration/container/mounts_linux_test.go would read better using assertions, but followed the existing style on the file.

I can add a commit to use assertions for all the tests in integration/container/mounts_linux_test.go if that is a better option.

[justincormack]

needs a rebase

[cpuguy83]

Is changing tmpfs to use noexec by default breaking?

[kolyshkin]

I concur @thaJeztah idea to have a more generic way to pass options to tmpfs rather than implementing a specific option for exec. The options specified should be validated against a whitelist.

We have to figure which options to allow but let's at least include exec and noexec, but maybe others that are valid for tmpfs (see man 8 mount and the comment in

moby/api/types/mount/mount.go

Line 112 in 8bb5a28

// TODO(stevvooe): There are several more tmpfs flags, specified in the

).

We can add nr_inodes and mpol to the whitelist.

Options such as uid and gid might not work well in a cluster environment so they should probably not be added at this time.

Options nr_blocks and size should not be added, as they are already handled.

@adshmh would you wish to work on that?

[adshmh]

@kolyshkin Sure, I can update the PR.

Is the following correct regarding the requirements?

• Allow a more generic way of passing options to tmpfs (perhaps a string)
• A white list for the allowed options
• Currently allow: exec, noexec, nr_inodes and mpol

[thaJeztah]

Allow a more generic way of passing options to tmpfs (perhaps a string)

From a CLI /UX perspective, this could use the same as docker volume create --opt foo=bar --opt bar=baz

A white list for the allowed options

Yes; we discussed this, and generally it's easier to add more options later than removing an option (as that would be a breaking change), so for that reason, we prefer a whitelist.

nr_inodes and mpol

I'm not against adding them, just wondering how common they are (i.e. should we add those now, or add them once we see a need); @kolyshkin ?

[codecov]

Codecov Report

❗ No coverage uploaded for pull request base (master@5c152ea). Click here to learn what that means.
The diff coverage is 86.66%.

@@            Coverage Diff            @@
##             master   #36720   +/-   ##
=========================================
  Coverage          ?   36.61%           
=========================================
  Files             ?      608           
  Lines             ?    45055           
  Branches          ?        0           
=========================================
  Hits              ?    16496           
  Misses            ?    26279           
  Partials          ?     2280

[thaJeztah]

Wondering if we should store/pass these options as a plain string, or if we should split and use a map or array

[kolyshkin]

Maybe we can just name this Options, this is in-line with the language used around mounts?

[thaJeztah]

Discussing in the maintainers meeting with @kolyshkin @cpuguy83, and having these options as a string should be ok for now; no reason to make it more complicated. Moving this to code review

[thaJeztah]

This also needs a PR in swarmkit to make the required changes there

[adshmh]

Thank you for the review. I will submit PRs on swarmkit and docker/cli.

[olljanat]

@adshmh this one needs to be rebased

[adshmh]

@olljanat thanks for the reminder. I will rebase the PR.

[olljanat]

reserved for my derek commands)

[thaJeztah]

Can you add this to the Swagger.yml as well, and to the API history https://github.com/moby/moby/blob/b4842cfe88b39af42416429396aee10d1fe7c3d6/docs/api/version-history.md#v140-api-changes?

moby/api/swagger.yaml

Lines 297 to 307 in b4842cf

	TmpfsOptions:
	description: "Optional configuration for the `tmpfs` type."
	type: "object"
	properties:
	SizeBytes:
	description: "The size for the tmpfs mount in bytes."
	type: "integer"
	format: "int64"
	Mode:
	description: "The permission mode for the tmpfs mount in an integer."
	type: "integer"

@kolyshkin did we want this to be a []string or map[string]string ?

[adshmh]

Thank you for the review. I updated the swagger.yaml and the version-history.md files, assuming string for the Options field as I recall from previous discussions. If a map[string]string is to be used instead, please let me know.

[cpuguy83]

What's the status on this?

[hmh]

Using docker for CI/CD that requires lots of unpacking, build, throw-away is about 10 times faster with proper use of tmpfs, and this almost always requires a tmpfs mounted with -o exec.

What is needed to get this thing out of the door? I mean, it has been what, two years that this is languishing ?

[AkihiroSuda]

At least this needs to be rebased

[AkihiroSuda]

Needs another rebase.
LGTM if CI green

[brunoais]

@adshmh Any updates?