
Is it possible to have execute permissions on /tmp for kube play created pods? #19886

Closed
rhatdan opened this issue Sep 7, 2023 Discussed in #19859 · 0 comments · Fixed by #19887
Labels
locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments.

Comments

@rhatdan (Member) commented Sep 7, 2023

Discussed in #19859

Originally posted by frenetic00 September 5, 2023
Is it possible to give /tmp execute permissions when running as a pod under systemd?

I've used Kubernetes yaml to build a pod of several containers to run Nextcloud.
One of the Nextcloud apps is failing to run correctly because it relies on having execute permissions in /tmp.

My Kubernetes yaml is executed as a non-root user using a systemd service.

ExecStart=/usr/bin/podman kube play --network=ns:/var/run/netns/%U --replace --service-container=true %I

Inside the container, I can see that /tmp has been mounted with noexec

tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime,uid=1003,gid=1003,inode64 0 0

I'm new to Go and namespaces, but I'm trying to get an understanding of what's going on while trying to solve my issue.

I can see in the docs that there is a systemd option for other podman commands that will mount several tmpfs file systems when systemd mode is enabled. Does the --service-container option ensure that the container will be configured with systemd? I've seen some reference to it here.

I can also see that permissions for /tmp are being set here and here, but I'm still not sure how /tmp gets configured with the noexec option. Can anyone point me in the right direction? Thanks.
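A quick way to confirm what the poster observed, and to verify the state of /tmp, /var/tmp and /run after an upgrade, is to parse the container's /proc/mounts for the noexec flag rather than eyeballing it. The script below is an added example, not code from podman or from anyone in this thread. The function names (mount_opts, has_noexec, exec_probe, report) are made up for the example, and the sample mount table is constructed: it reuses the /tmp line quoted above and adds invented lines for /, /run and /var/tmp to show a mount that is noexec beside one that is not.

```shell
#!/bin/sh
# Added example (not from podman or the issue): detect noexec mounts from a
# /proc/mounts-style table and optionally probe whether execution really works.

# Constructed sample: the /tmp line is the one quoted in the issue; the other
# three lines are invented for the example.
SAMPLE_MOUNTS='overlay / overlay rw,relatime,lowerdir=/l,upperdir=/u,workdir=/w 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime,uid=1003,gid=1003,inode64 0 0
tmpfs /run tmpfs rw,nosuid,nodev,relatime,uid=1003,gid=1003,inode64 0 0
tmpfs /var/tmp tmpfs rw,nosuid,nodev,noexec,relatime,uid=1003,gid=1003,inode64 0 0'

# mount_opts MOUNTS MOUNTPOINT -> prints the option field for MOUNTPOINT.
# In /proc/mounts field 2 is the mountpoint and field 4 the comma-separated
# options; the last matching line wins, since a later mount shadows an earlier
# one at the same path.
mount_opts() {
    printf '%s\n' "$1" | awk -v mp="$2" '$2 == mp { opts = $4 } END { print opts }'
}

# has_noexec MOUNTS MOUNTPOINT -> exit 0 if MOUNTPOINT carries the noexec flag.
# The option list is wrapped in commas so "noexec" cannot match inside another
# option name.
has_noexec() {
    case ",$(mount_opts "$1" "$2")," in
        *,noexec,*) return 0 ;;
        *) return 1 ;;
    esac
}

# exec_probe DIR -> exit 0 if a script written into DIR can actually be run.
# The mount flag is what the kernel enforces, but probing catches other
# denials (e.g. an LSM policy) that the flag alone does not reveal.
exec_probe() {
    dir=$1
    probe=$(mktemp "$dir/execprobe.XXXXXX") || return 1
    printf '#!/bin/sh\nexit 0\n' > "$probe"
    chmod 0700 "$probe"
    "$probe" 2>/dev/null
    rc=$?
    rm -f "$probe"
    return $rc
}

# report MOUNTS -> one line per directory of interest.
report() {
    for mp in /tmp /var/tmp /run; do
        if has_noexec "$1" "$mp"; then
            printf '%s: noexec\n' "$mp"
        else
            printf '%s: exec allowed\n' "$mp"
        fi
    done
}

# Stand-alone run uses the constructed table. Against a live pod you would
# feed it the real table instead, e.g. (CONTAINER is a placeholder name):
#   report "$(podman exec CONTAINER cat /proc/mounts)"
report "$SAMPLE_MOUNTS"
```

On the constructed table this reports /tmp and /var/tmp as noexec and /run as exec allowed, which is exactly the asymmetry the commit below describes. Run exec_probe /tmp inside the container when you want a behavioural answer rather than a flag check.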

rhatdan added a commit to rhatdan/podman that referenced this issue Sep 7, 2023
The logic here makes little sense, basically the /tmp and /var/tmp are
always set noexec, while /run is not.  I don't see a reason to set any
of the three noexec by default.

Fixes: containers#19886

Signed-off-by: Daniel J Walsh <[email protected]>
@github-actions github-actions bot added the locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments. label Dec 7, 2023
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Dec 7, 2023