Podman should respect ReadOnly flag in API calls. #12419

Closed
xatier opened this issue Nov 26, 2021 · 1 comment · Fixed by #12433
Labels
HTTP API Bug is in RESTful API kind/bug Categorizes issue or PR as related to a bug. locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments.

Comments

@xatier
Contributor

xatier commented Nov 26, 2021

Is this a BUG REPORT or FEATURE REQUEST? (leave only one on its own line)

/kind bug

Description

In the /container/create API [1], one should be able to specify the HostConfig.Mounts[].ReadOnly flag to indicate whether the mount point is read-only or read-write. This flag defaults to false, i.e., the mount point should be rw by default.

[1] https://docs.podman.io/en/latest/_static/api.html#operation/ContainerCreate

I found this issue via nektos/act#303

Steps to reproduce the issue:

  1. run the following script

```bash
set -x

ID=$(curl -Ss -H 'Content-Type: application/json' \
    --unix-socket /run/user/1000/podman/podman.sock \
    -X POST \
    -d '
{
  "Entrypoint": [
    "/usr/bin/tail",
    "-f",
    "/dev/null"
  ],
  "HostConfig": {
    "Mounts": [
      {
        "Source": "act-CI-build-env",
        "Target": "/var/run/act",
        "Type": "volume",
        "ReadOnly": false
      }
    ]
  },
  "Image": "catthehacker/ubuntu:act-latest"
}' \
    'http://localhost/v1.40/containers/create?name=act-CI-build' \
    | jq -r .Id)

curl -Ss -H 'Content-Type: application/json' \
    --unix-socket /run/user/1000/podman/podman.sock \
    -X POST \
    "http://localhost/v1.40/containers/$ID/start"

podman inspect act-CI-build | jq .[0].HostConfig.Binds

podman exec -it act-CI-build touch /var/run/act/foo
```

Describe the results you received:

```console
$ ./test.sh 
+++ curl -Ss -H 'Content-Type: application/json' --unix-socket /run/user/1000/podman/podman.sock -X POST -d '
{
  "Entrypoint": [
    "/usr/bin/tail",
    "-f",
    "/dev/null"
  ],
  "HostConfig": {
    "Mounts": [
      {
        "Source": "act-CI-build-env",
        "Target": "/var/run/act",
        "Type": "volume",
        "ReadOnly": false
      }
    ]
  },
  "Image": "catthehacker/ubuntu:act-latest"
+++ jq -r .Id
}' 'http://localhost/v1.40/containers/create?name=act-CI-build'
++ ID=65dd03469cf3b7d8fa5a85918fefee03ba8cffcf1de0309ba423bf8df017f750
++ curl -Ss -H 'Content-Type: application/json' --unix-socket /run/user/1000/podman/podman.sock -X POST http://localhost/v1.40/containers/65dd03469cf3b7d8fa5a85918fefee03ba8cffcf1de0309ba423bf8df017f750/start
++ podman inspect act-CI-build
++ jq '.[0].HostConfig.Binds'
[
  "act-CI-build-env:/var/run/act:ro,rprivate,nosuid,nodev,rbind"
]
++ podman exec -it act-CI-build touch /var/run/act/foo
touch: cannot touch '/var/run/act/foo': Read-only file system
```

Describe the results you expected:

I would expect the mount point to be created as rw, since the ReadOnly flag is false:

```
act-CI-build-env:/var/run/act:rw,rprivate,nosuid,nodev,rbind
```

The touch command should be able to write to the filesystem.

Additional information you deem important (e.g. issue happens only occasionally):

Output of podman version:

```console
$ podman version
Version:      3.4.2
API Version:  3.4.2
Go Version:   go1.17.3
Git Commit:   2ad1fd3555de12de34e20898cc2ef901f08fe5ed
Built:        Fri Nov 12 15:41:08 2021
OS/Arch:      linux/amd64
```

Output of podman info --debug:

```yaml
host:
  arch: amd64
  buildahVersion: 1.23.1
  cgroupControllers:
  - memory
  - pids
  cgroupManager: systemd
  cgroupVersion: v2
  conmon:
    package: /usr/bin/conmon is owned by conmon 1:2.0.30-1
    path: /usr/bin/conmon
    version: 'conmon version 2.0.30, commit: 2792c16f4436f1887a7070d9ad99d9c29742f38a'
  cpus: 16
  distribution:
    distribution: arch
    version: unknown
  eventLogger: journald
  hostname: walla
  idMappings:
    gidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 100000
      size: 65536
    uidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 100000
      size: 65536
  kernel: 5.14.16-arch1-1
  linkmode: dynamic
  logDriver: journald
  memFree: 16000831488
  memTotal: 135006003200
  ociRuntime:
    name: crun
    package: /usr/bin/crun is owned by crun 1.2-1
    path: /usr/bin/crun
    version: |-
      crun version 1.2
      commit: 4f6c8e0583c679bfee6a899c05ac6b916022561b
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +CRIU +YAJL
  os: linux
  remoteSocket:
    exists: true
    path: /run/user/1000/podman/podman.sock
  security:
    apparmorEnabled: false
    capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: true
    seccompEnabled: true
    seccompProfilePath: /etc/containers/seccomp.json
    selinuxEnabled: false
  serviceIsRemote: false
  slirp4netns:
    executable: /usr/bin/slirp4netns
    package: /usr/bin/slirp4netns is owned by slirp4netns 1.1.12-1
    version: |-
      slirp4netns version 1.1.12
      commit: 7a104a101aa3278a2152351a082a6df71f57c9a3
      libslirp: 4.6.1
      SLIRP_CONFIG_VERSION_MAX: 3
      libseccomp: 2.5.2
  swapFree: 0
  swapTotal: 0
  uptime: 385h 58m 56.29s (Approximately 16.04 days)
plugins:
  log:
  - k8s-file
  - none
  - journald
  network:
  - bridge
  - macvlan
  volume:
  - local
registries:
  search:
  - docker.io
  - registry.fedoraproject.org
  - quay.io
  - registry.access.redhat.com
  - registry.centos.org
store:
  configFile: /home/xatier/.config/containers/storage.conf
  containerStore:
    number: 9
    paused: 0
    running: 6
    stopped: 3
  graphDriverName: overlay
  graphOptions:
    overlay.mount_program:
      Executable: /usr/bin/fuse-overlayfs
      Package: /usr/bin/fuse-overlayfs is owned by fuse-overlayfs 1.7.1-1
      Version: |-
        fusermount3 version: 3.10.5
        fuse-overlayfs: version 1.7.1
        FUSE library version 3.10.5
        using FUSE kernel interface version 7.31
  graphRoot: /home/xatier/.local/share/containers/storage
  graphStatus:
    Backing Filesystem: extfs
    Native Overlay Diff: "false"
    Supports d_type: "true"
    Using metacopy: "false"
  imageStore:
    number: 46
  runRoot: /run/user/1000/containers
  volumePath: /home/xatier/.local/share/containers/storage/volumes
version:
  APIVersion: 3.4.2
  Built: 1636753268
  BuiltTime: Fri Nov 12 15:41:08 2021
  GitCommit: 2ad1fd3555de12de34e20898cc2ef901f08fe5ed
  GoVersion: go1.17.3
  OsArch: linux/amd64
  Version: 3.4.2
```

Package info (e.g. output of rpm -q podman or apt list podman):

```
Name            : podman
Version         : 3.4.2-1
Description     : Tool and library for running OCI-based containers in pods
Architecture    : x86_64
URL             : https://github.com/containers/podman
Licenses        : Apache
Groups          : None
Provides        : None
Depends On      : cni-plugins  conmon  containers-common  crun  fuse-overlayfs  iptables  libdevmapper.so=1.02-64  libgpgme.so=11-64  libseccomp.so=2-64  slirp4netns
Optional Deps   : apparmor: for AppArmor support
                  btrfs-progs: support btrfs backend devices [installed]
                  catatonit: --init flag support
                  podman-docker: for Docker-compatible CLI [installed]
Required By     : podman-docker
Optional For    : None
Conflicts With  : None
Replaces        : None
Installed Size  : 72.73 MiB
Packager        : Morten Linderud <[email protected]>
Build Date      : Fri 12 Nov 2021 03:41:08 PM CST
Install Date    : Thu 25 Nov 2021 08:31:51 PM CST
Install Reason  : Explicitly installed
Install Script  : No
Validated By    : Signature
```

Have you tested with the latest version of Podman and have you checked the Podman Troubleshooting Guide? (https://github.com/containers/podman/blob/master/troubleshooting.md)

Yes

Additional environment details (AWS, VirtualBox, physical, etc.):

```console
$ uname -a
Linux walla 5.14.16-arch1-1 #1 SMP PREEMPT Tue, 02 Nov 2021 22:22:59 +0000 x86_64 GNU/Linux
```
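A small consistency check for the behaviour reported above, added here as an example and not part of the issue or of Podman itself: it compares the `HostConfig.Mounts` array sent to `/containers/create` with the `HostConfig.Binds` strings that `podman inspect` returns, and flags any mount whose effective `ro`/`rw` option does not match the `ReadOnly` value that was requested. The sample request and inspect output are constructed from the values in the report; the `source:target:opt,opt,...` layout of a `Binds` entry is assumed from that output, and a missing option list is treated as the read-write default.

```python
import json
from typing import Dict, List

# Constructed sample input: the Mounts array from the create request in the
# report, and the HostConfig.Binds that `podman inspect` printed afterwards.
REQUESTED_MOUNTS = [
    {"Source": "act-CI-build-env", "Target": "/var/run/act",
     "Type": "volume", "ReadOnly": False},
]
INSPECT_OUTPUT = json.dumps([{"HostConfig": {"Binds": [
    "act-CI-build-env:/var/run/act:ro,rprivate,nosuid,nodev,rbind",
]}}])


def parse_bind(bind: str) -> Dict[str, object]:
    """Split a Binds entry 'source:target[:opt,opt,...]' into its parts.

    An absent option list means the mount got the default, read-write.
    """
    parts = bind.split(":")
    if len(parts) < 2:
        raise ValueError(f"malformed Binds entry: {bind!r}")
    source, target = parts[0], parts[1]
    options = parts[2].split(",") if len(parts) > 2 and parts[2] else []
    return {"source": source, "target": target,
            "read_only": "ro" in options, "options": options}


def find_readonly_mismatches(mounts: List[dict], inspect_json: str) -> List[str]:
    """Return one message per requested mount whose ro/rw state in the
    inspect output differs from the ReadOnly flag in the create request."""
    binds = json.loads(inspect_json)[0]["HostConfig"]["Binds"] or []
    by_target = {b["target"]: b for b in map(parse_bind, binds)}
    problems = []
    for m in mounts:
        requested_ro = bool(m.get("ReadOnly", False))  # API default is false
        actual = by_target.get(m["Target"])
        if actual is None:
            problems.append(f"{m['Target']}: not present in HostConfig.Binds")
        elif actual["read_only"] != requested_ro:
            problems.append(
                f"{m['Target']}: requested {'ro' if requested_ro else 'rw'}, "
                f"got {'ro' if actual['read_only'] else 'rw'}")
    return problems


if __name__ == "__main__":
    for problem in find_readonly_mismatches(REQUESTED_MOUNTS, INSPECT_OUTPUT):
        print("MISMATCH", problem)
```

On the inspect output from the report this prints a single mismatch for `/var/run/act` (requested rw, got ro). Run against a live daemon, the same function can be fed the JSON from `podman inspect` to confirm that a fixed build honours the flag, both for `ReadOnly: false` and for `ReadOnly: true`.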
@openshift-ci openshift-ci bot added the kind/bug Categorizes issue or PR as related to a bug. label Nov 26, 2021
@xatier
Contributor Author

xatier commented Nov 26, 2021

@rhatdan please take a look 🙏

@mheon mheon added the HTTP API Bug is in RESTful API label Nov 29, 2021
@github-actions github-actions bot added the locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments. label Sep 21, 2023
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Sep 21, 2023