Fix handling of .containenv on tmpfs #18535

Merged
merged 1 commit into from
May 14, 2023
2 changes: 1 addition & 1 deletion docs/source/markdown/podman-run.1.md.in
@@ -31,7 +31,7 @@ file is created in each container to indicate to programs they are running in a
container. This file is located at _/run/.containerenv_. When using the
--privileged flag the .containerenv contains name/value pairs indicating the
container engine version, whether the engine is running in rootless mode, the
container name and ID, as well as the image name and ID that the container is based on.
container name and ID, as well as the image name and ID that the container is based on. Note: _/run/.containerenv_ will not be created when a volume is mounted on /run.

When running from a user defined network namespace, the _/etc/netns/NSNAME/resolv.conf_
will be used if it exists, otherwise _/etc/resolv.conf_ will be used.
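Review bot: the added note overstates the new behaviour and sits in the wrong sentence. The code path this PR changes still creates _/run/.containerenv_ when the mount on /run is a tmpfs (`--tmpfs=/run`) and only skips it for a bind mount or volume, which the accompanying system test asserts; suggest "Note: _/run/.containerenv_ will not be created when a bind mount or volume (other than a tmpfs) is mounted on /run." It is also attached to the `--privileged` paragraph, although the file is created for every container, so it reads better after the sentence that states the file's location.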
9 changes: 7 additions & 2 deletions libpod/container_internal_common.go
@@ -1938,11 +1938,16 @@ func (c *Container) makeBindMounts() error {

_, hasRunContainerenv := c.state.BindMounts["/run/.containerenv"]
if !hasRunContainerenv {
Loop:
// check in the spec mounts
for _, m := range c.config.Spec.Mounts {
if m.Destination == "/run/.containerenv" || m.Destination == "/run" {
switch {
case m.Destination == "/run/.containerenv":
hasRunContainerenv = true
break
break Loop
case m.Destination == "/run" && m.Source != "tmpfs":
Member:

should this check for type tmpfs? The source could be anything when tmpfs is used.

Member Author:

yup

Member:

This was not addressed, please fix it!

hasRunContainerenv = true
break Loop
}
}
}
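Review bot: `m.Source != "tmpfs"` in the second case keys off the mount source rather than the mount type. In an OCI runtime-spec mount the filesystem kind is carried in `Type`, and `Source` for a tmpfs is a free-form string, so a tmpfs on /run whose source is not literally `tmpfs` would be treated as a bind mount and the file silently skipped, while a bind mount from a host path named `tmpfs` would be misclassified the other way. The earlier review comment on this line raises the same point and is still open; suggest `case m.Destination == "/run" && m.Type != "tmpfs":`. A short comment above the `switch` would also help, since `hasRunContainerenv` now additionally means "a user mount on /run would shadow the file, so do not create it", which the variable name no longer conveys.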
9 changes: 7 additions & 2 deletions test/system/030-run.bats
@@ -568,8 +568,13 @@ json-file | f

@test "Verify /run/.containerenv exist" {
# Nonprivileged container: file exists, but must be empty
run_podman run --rm $IMAGE stat -c '%s' /run/.containerenv
is "$output" "0" "file size of /run/.containerenv, nonprivileged"
for opt in "" "--tmpfs=/run" "--tmpfs=/run --init" "--read-only" "--systemd=always"; do
run_podman run --rm $opt $IMAGE stat -c '%s' /run/.containerenv
is "$output" "0" "/run/.containerenv exists and is empty: podman run ${opt}"
done

run_podman 1 run --rm -v ${PODMAN_TMPDIR}:/run:Z $IMAGE stat -c '%s' /run/.containerenv
is "$output" "stat: can't stat '/run/.containerenv': No such file or directory" "do not create .containerenv on bind mounts"

# Prep work: get ID of image; make a cont. name; determine if we're rootless
run_podman inspect --format '{{.ID}}' $IMAGE
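Review bot: the negative case asserts on the exact BusyBox wording `stat: can't stat '/run/.containerenv': No such file or directory`, which ties the test to the image's `stat` implementation; the exit status is already checked by `run_podman 1`, so matching on the substring `No such file or directory` would be less brittle. In the loop, `$opt` is correctly left unquoted so that `--tmpfs=/run --init` splits into two arguments, but a one-line comment saying so would stop a later shell-quoting cleanup from breaking that case.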