[Feature]: Set size limit for auto tmpfs mounts in systemd mode

[rahbari]

Feature request description

When starting a container in systemd mode podman mounts tmpfs file systems on some directories like /run, /run/lock with half the host system memory.

is there any way to limit this size like /dev/shm
this actually makes --memory= and --storage-opt size= somehow meaningless because apps inside container can access more memory and disk space while it's running.

[mheon]

Easy enough to do, would just need to figure out good sizes for the extra mounts.

[rahbari]

is it possible to set it now? for now even if it is shared a guest can fill half of the host memory.
It's nice to be configurable with a minimum limit, maybe based on defined --memory

[mheon]

No, but the changes in the code are very easy (just have to add a mount option to https://github.com/containers/podman/blob/main/libpod/container_internal_linux.go#L217 and the option mount structs in that function). Making it configurable would be a bit more complex as it'd need a containers.conf field, but also not particularly difficult.

[rhatdan]

First, they are only able to access 1/2 of the available memory for all TMPFS. not half or system memory, when run with a Memory CGROUP.

Each one does not get half. All tmpfs within the MEmory CGroup can not go over 50%.

[rahbari]

@rhatdan yes i know, but any container can fill that space which is not good. I created a 30gb file in one those directories in a container with 1gb memory and 1gb disk limit and half the memory of the system got filled.

[rhatdan]

So you want --systemd-shm-size? Which would be applied to all tmpfs mounted via systemd flag ignored otherwize?

[rhatdan]

# podman run --systemd=always fedora mount | grep tmpfs.*rw
tmpfs on /dev type tmpfs (rw,nosuid,noexec,context="system_u:object_r:container_file_t:s0:c472,c905",size=65536k,mode=755,inode64)
tmpfs on /tmp type tmpfs (rw,nosuid,nodev,relatime,context="system_u:object_r:container_file_t:s0:c472,c905",inode64)
tmpfs on /run type tmpfs (rw,nosuid,nodev,relatime,context="system_u:object_r:container_file_t:s0:c472,c905",inode64)
tmpfs on /etc/hostname type tmpfs (rw,seclabel,size=13120028k,nr_inodes=819200,mode=755,inode64)
tmpfs on /run/.containerenv type tmpfs (rw,seclabel,size=13120028k,nr_inodes=819200,mode=755,inode64)
tmpfs on /run/secrets type tmpfs (rw,seclabel,size=13120028k,nr_inodes=819200,mode=755,inode64)
shm on /dev/shm type tmpfs (rw,nosuid,nodev,noexec,relatime,context="system_u:object_r:container_file_t:s0:c472,c905",size=64000k,inode64)
tmpfs on /etc/resolv.conf type tmpfs (rw,seclabel,size=13120028k,nr_inodes=819200,mode=755,inode64)
tmpfs on /etc/hosts type tmpfs (rw,seclabel,size=13120028k,nr_inodes=819200,mode=755,inode64)
tmpfs on /run/lock type tmpfs (rw,nosuid,nodev,relatime,context="system_u:object_r:container_file_t:s0:c472,c905",inode64)
tmpfs on /var/log/journal type tmpfs (rw,nosuid,nodev,relatime,context="system_u:object_r:container_file_t:s0:c472,c905",inode64)
devtmpfs on /proc/kcore type devtmpfs (rw,seclabel,size=4096k,nr_inodes=1048576,mode=755,inode64)
devtmpfs on /proc/keys type devtmpfs (rw,seclabel,size=4096k,nr_inodes=1048576,mode=755,inode64)
devtmpfs on /proc/latency_stats type devtmpfs (rw,seclabel,size=4096k,nr_inodes=1048576,mode=755,inode64)
devtmpfs on /proc/timer_list type devtmpfs (rw,seclabel,size=4096k,nr_inodes=1048576,mode=755,inode64)

Here is the read/write tmpfs available in --systemd=always mode.

[rahbari]

@rhatdan yes, that would be great.

[danishprakash]

@rhatdan mind If I take a look at this?

[rhatdan]

I love volunteers.