From 13f787842db86d01b7ce03f422952e1a8c9055b1 Mon Sep 17 00:00:00 2001
From: Daniel J Walsh
Date: Wed, 10 May 2023 09:13:00 -0400
Subject: [PATCH] Fix handling of .containenv on tmpfs

Fixes: https://github.com/containers/podman/issues/18531

Signed-off-by: Daniel J Walsh
---
 docs/source/markdown/podman-run.1.md.in | 2 +-
 libpod/container_internal_common.go | 9 +++++++--
 test/system/030-run.bats | 9 +++++++--
 3 files changed, 15 insertions(+), 5 deletions(-)

diff --git a/docs/source/markdown/podman-run.1.md.in b/docs/source/markdown/podman-run.1.md.in
index 129cb2e4b1..fa291ee58d 100644
--- a/docs/source/markdown/podman-run.1.md.in
+++ b/docs/source/markdown/podman-run.1.md.in
@@ -31,7 +31,7 @@ file is created in each container to indicate to programs they are running in a
 container. This file is located at _/run/.containerenv_. When using the --privileged flag the .containerenv contains name/value pairs indicating the container engine version, whether the engine is running in rootless mode, the
-container name and ID, as well as the image name and ID that the container is based on.
+container name and ID, as well as the image name and ID that the container is based on. Note: _/run/.containerenv_ will not be created when a volume is mounted on /run.
 When running from a user defined network namespace, the _/etc/netns/NSNAME/resolv.conf_ will be used if it exists, otherwise _/etc/resolv.conf_ will be used.
diff --git a/libpod/container_internal_common.go b/libpod/container_internal_common.go
index 3d88719422..b3b141755b 100644
--- a/libpod/container_internal_common.go
+++ b/libpod/container_internal_common.go
@@ -1938,11 +1938,16 @@ func (c *Container) makeBindMounts() error {
 	_, hasRunContainerenv := c.state.BindMounts["/run/.containerenv"]
 	if !hasRunContainerenv {
+	Loop:
 		// check in the spec mounts
 		for _, m := range c.config.Spec.Mounts {
-			if m.Destination == "/run/.containerenv" || m.Destination == "/run" {
+			switch {
+			case m.Destination == "/run/.containerenv":
 				hasRunContainerenv = true
-				break
+				break Loop
+			case m.Destination == "/run" && m.Source != "tmpfs":
+				hasRunContainerenv = true
+				break Loop
 			}
 		}
 	}
diff --git a/test/system/030-run.bats b/test/system/030-run.bats
index 93992d644b..49875b9a1a 100644
--- a/test/system/030-run.bats
+++ b/test/system/030-run.bats
@@ -568,8 +568,13 @@ json-file | f
 @test "Verify /run/.containerenv exist" {
     # Nonprivileged container: file exists, but must be empty
-    run_podman run --rm $IMAGE stat -c '%s' /run/.containerenv
-    is "$output" "0" "file size of /run/.containerenv, nonprivileged"
+    for opt in "" "--tmpfs=/run" "--tmpfs=/run --init" "--read-only" "--systemd=always"; do
+        run_podman run --rm $opt $IMAGE stat -c '%s' /run/.containerenv
+        is "$output" "0" "/run/.containerenv exists and is empty: podman run ${opt}"
+    done
+
+    run_podman 1 run --rm -v ${PODMAN_TMPDIR}:/run:Z $IMAGE stat -c '%s' /run/.containerenv
+    is "$output" "stat: can't stat '/run/.containerenv': No such file or directory" "do not create .containerenv on bind mounts"
 
     # Prep work: get ID of image; make a cont. name; determine if we're rootless
     run_podman inspect --format '{{.ID}}' $IMAGE
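Review bot: The tmpfs exemption in `case m.Destination == "/run" && m.Source != "tmpfs":` keys on the mount's Source string, but in the OCI runtime spec a tmpfs mount is identified by its Type; Source is only conventionally "tmpfs" and can be any label ("none", "shm", …) depending on who built the spec. A Type "tmpfs" mount on /run with a different Source would still be treated as a user-provided /run and suppress the .containerenv bind mount, silently losing the marker file programs use to detect they are in a container. Checking the normative field, `case m.Destination == "/run" && m.Type != "tmpfs":`, matches the intent; podman's own --tmpfs path presumably sets both fields, but that is not visible here. Since both cases now have identical bodies, a single `if m.Destination == "/run/.containerenv" || (m.Destination == "/run" && m.Type != "tmpfs") { hasRunContainerenv = true; break }` would also remove the need for the `Loop:` label and labeled breaks. makeBindMounts begins and ends outside this hunk.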
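Review bot: The bind-mount assertion `is "$output" "stat: can't stat '/run/.containerenv': No such file or directory" ...` pins BusyBox's exact stat wording, so it breaks as soon as $IMAGE carries a coreutils stat (which prints "cannot stat"/"cannot statx" instead). Matching only the portable tail, e.g. `is "$output" ".*No such file or directory" "do not create .containerenv on bind mounts"` if the `is` helper accepts a pattern (its definition is not visible here), keeps the check image-agnostic. The option list in `for opt in ...` covers `--tmpfs=/run` but not `--mount type=tmpfs,dst=/run`, which may build the spec mount through a different path; adding it would exercise the Go change's Source-string check for both spellings. The @test body continues past the end of the hunk.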