Is it possible to have execute permissions on /tmp for kube play created pods?

[frenetic00]

Is it possible to give /tmp execute permissions when running as a pod under systemd?

I've used Kubernetes yaml to build a pod of several containers to run Nextcloud.
One of the Nextcloud apps is failing to run correctly because it relies on having execute permissions in /tmp

My Kubernetes yaml is executed as a non-root user using a systemd service.

ExecStart=/usr/bin/podman kube play --network=ns:/var/run/netns/%U --replace --service-container=true %I

Inside the container, I can see that /tmp has been mounted with noexec

tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime,uid=1003,gid=1003,inode64 0 0

I'm new to go and namespaces, but I'm trying to get an understanding of what's going on while trying to solve my issue.

I can see in the docs that there is a systemd option for other podman commands that will mount several tmpfs file systems when systemd mode is enabled. Does the --service-container option ensure that that the container will be configured with systemd? I've seen some reference to it here.

I can also see that permissions for /tmp are being set here and here but I'm still not sure how /tmp gets configured with the noexec option. Can anyone point me in the right direction? Thanks

[rhatdan]

Do you have a simple reproducer kube.yaml file?

[frenetic00]

Here's the kube.yaml that'll get everything up and running on localhost:8080

apiVersion: v1
kind: Deployment
metadata:
  name: nextcloud
  labels:
    app: nextcloud
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nextcloud
  template:
    metadata:
      labels:
        app: nextcloud
    spec:
      containers:
        - name: mariadb
          image: docker.io/mariadb:lts
          volumeMounts:
            - name: mariadb_mysql
              mountPath: /var/lib/mysql
          env:
            - name: MARIADB_ROOT_PASSWORD
              value: test
            - name: MARIADB_DATABASE
              value: test
            - name: MARIADB_USER
              value: test
            - name: MARIADB_PASSWORD
              value: test
        - name: redis
          image: docker.io/redis:7.0.11
        - name: nextcloud_cron
          image: nextcloud:27-fpm-alpine
          command : ["/cron.sh"]
          volumeMounts:
            - name: nextcloud_html
              mountPath: /var/www/html
          entrypoint: "/cron.sh"
        - name: nginx
          image: docker.io/nginx:1.25.1
          volumeMounts:
            - name: nginx_config
              mountPath: /etc/nginx/nginx.conf
            - name: nextcloud_html
              mountPath: /var/www/html
          ports:
            - containerPort: 80
              hostPort: 8080
        - name: nextcloud
          image: nextcloud:27-fpm-alpine
          volumeMounts:
            - name: nextcloud_html
              mountPath: /var/www/html
          env:
            - name: MYSQL_HOST
              value: "nextcloud-pod-mariadb"
            - name: MYSQL_DATABASE
              value: test
            - name: MYSQL_USER
              value: test
            - name: MYSQL_PASSWORD
              value: test
            - name: REDIS_HOST
              value: "localhost"
            - name: NEXTCLOUD_ADMIN_USER
              value: test
            - name: NEXTCLOUD_ADMIN_PASSWORD
              value: test
            - name: NEXTCLOUD_TRUSTED_DOMAINS
              value: "127.0.0.1"
            - name: OVERWRITEPROTOCOL
              value: "https"
            - name: NC_DEFAULT_PHONE_REGION
              value: "GB"
      volumes:
        - name: mariadb_mysql
          hostPath:
            type: Directory
            path: ./nextcloud/mariadb/mysql
        - name: nginx_config
          hostPath:
            type: File
            path: ./nextcloud/nginx/nginx.conf
        - name: nextcloud_html
          hostPath:
            type: Directory
            path: ./nextcloud/nextcloud

It needs the following to run

mkdir -p ./nextcloud/{mariadb/mysql,nextcloud,nginx}
curl -o ./nextcloud/nginx/nginx.conf https://raw.githubusercontent.com/nextcloud/docker/master/.examples/docker-compose/with-nginx-proxy/mariadb/fpm/web/nginx.conf
sed -i 's/app:/localhost:/g' ./nextcloud/nginx/nginx.conf

[frenetic00]

I've had partial success by adding an emptyDir volume and mounting it on /tmp
But this doesn't consistently give me execute permissions on /tmp across restarts.

apiVersion: v1
kind: Deployment
metadata:
  name: nextcloud
  labels:
    app: nextcloud
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nextcloud
  template:
    metadata:
      labels:
        app: nextcloud
    spec:
      containers:
        - name: mariadb
          image: docker.io/mariadb:lts
          volumeMounts:
            - name: mariadb_mysql
              mountPath: /var/lib/mysql
          env:
            - name: MARIADB_ROOT_PASSWORD
              value: test
            - name: MARIADB_DATABASE
              value: test
            - name: MARIADB_USER
              value: test
            - name: MARIADB_PASSWORD
              value: test
        - name: redis
          image: docker.io/redis:7.0.11
        - name: nextcloud_cron
          image: nextcloud:27-fpm-alpine
          command : ["/cron.sh"]
          volumeMounts:
            - name: nextcloud_html
              mountPath: /var/www/html
            - name: nextcloud_temp
              mountPath: /tmp
          entrypoint: "/cron.sh"
        - name: nginx
          image: docker.io/nginx:1.25.1
          volumeMounts:
            - name: nginx_config
              mountPath: /etc/nginx/nginx.conf
            - name: nextcloud_html
              mountPath: /var/www/html
          ports:
            - containerPort: 80
              hostPort: 8080
        - name: nextcloud
          image: nextcloud:27-fpm-alpine
          volumeMounts:
            - name: nextcloud_html
              mountPath: /var/www/html
            - name: nextcloud_temp
              mountPath: /tmp
          env:
            - name: MYSQL_HOST
              value: "nextcloud-pod-mariadb"
            - name: MYSQL_DATABASE
              value: test
            - name: MYSQL_USER
              value: test
            - name: MYSQL_PASSWORD
              value: test
            - name: REDIS_HOST
              value: "localhost"
            - name: NEXTCLOUD_ADMIN_USER
              value: test
            - name: NEXTCLOUD_ADMIN_PASSWORD
              value: test
            - name: NEXTCLOUD_TRUSTED_DOMAINS
              value: "127.0.0.1"
            - name: OVERWRITEPROTOCOL
              value: "https"
            - name: NC_DEFAULT_PHONE_REGION
              value: "GB"
      volumes:
        - name: mariadb_mysql
          hostPath:
            type: Directory
            path: ./nextcloud/mariadb/mysql
        - name: nginx_config
          hostPath:
            type: File
            path: ./nextcloud/nginx/nginx.conf
        - name: nextcloud_html
          hostPath:
            type: Directory
            path: ./nextcloud/nextcloud
        - name: nextcloud_temp
           emptyDir:
             type: Directory

[jose-pr]

Have the same issue with tmpfs being mounted noxec, and failing when running an elasticsearch container. Will be nice if there was a way to tell podman to make a mount exec.

[rhatdan]

Do you know if this is the default for kubernetes, IE the /tmp is noexec or not, we should be matching Kubernetes.

[stellarpower]

I have a simple reproducible example. It seems the upstream image has executable files inside /var/tmp/. Not how I'd do it, but neither here nor there (and I have hit similar problems when using dev containers. General OS packages may require +x on /tmp for building and the like, so I have remounted when on the inside).

apiVersion: v1
kind: Pod
metadata:
    creationTimestamp: "2024-06-07T15:33:43Z"
    labels:
        app: mail-migration
    name: mail-migration


spec:
    containers:
      - name:  imapsync-with-web
        image: docker.io/gilleslamiral/imapsync:latest

        # Start the web interface
        command:
          - /servimapsync

        ports:
          - containerPort: 8443
            hostPort:      4443

This does not happen if you just run podman run --rm -it -p 4443:8443 docker.io/gilleslamiral/imapsync /servimapsync

If you just exec in and try to run ./imapsync it fails, and this is needed by the web server. May be a bad design pattern but would be nice to have an easy workaround within the YAML, as otherwise I expect I will need to change the entrypoint etc.