Bug 1755119

Summary: Read-only podman run errors when one of the volumes it by default mounts as tmpfs is also defined as VOLUME
Product: Red Hat Enterprise Linux 8
Reporter: Jan Pazdziora (Red Hat) <jpazdziora>
Component: podman
Assignee: Jindrich Novy <jnovy>
Status: CLOSED ERRATA
QA Contact: atomic-bugs <atomic-bugs>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 8.1
CC: dornelas, dwalsh, jligon, jnovy, lsm5, mheon, tsweeney, weshen
Target Milestone: rc
Target Release: 8.2
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: podman-1.6.4-2.el8
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2020-04-28 15:47:35 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1734579

Description Jan Pazdziora (Red Hat) 2019-09-24 19:37:18 UTC
Description of problem:

For quite some time with docker, the reasonable way to make writable / temporary volumes present in the container based on the container image, without a need for separate docker run options, was to define the mountpoints as VOLUME:

# docker run --rm --read-only registry.access.redhat.com/ubi8 touch /run/a
touch: cannot touch '/run/a': Read-only file system

# cat Dockerfile
FROM registry.access.redhat.com/ubi8
VOLUME [ "/run" ]

# docker build -t test-volume .

# docker run --rm --read-only test-volume touch /run/a

# echo $?
0

Even if the systemd OCI hook got invoked, for example with a Dockerfile like

FROM registry.access.redhat.com/ubi8
RUN ln -s /bin/bash /usr/local/bin/init
ENTRYPOINT [ "/usr/local/bin/init", "-c" ]

which automounted /run and made invocation like

# docker run --rm --read-only test-volume "touch /run/a"

possible without the VOLUME parameter, having the VOLUME parameter was still possible:

FROM registry.access.redhat.com/ubi8
RUN ln -s /bin/bash /usr/local/bin/init
ENTRYPOINT [ "/usr/local/bin/init", "-c" ]
VOLUME [ "/run" ]

# docker build -t test-volume .
# docker run --rm --read-only test-volume "touch /run/a"

That way it was possible to have the temporary volumes defined in the container image, which made using the image in read-only containers easy.

This got broken with podman.

Version-Release number of selected component (if applicable):

podman-1.4.2-5.module+el8.1.0+4240+893c1ab8.x86_64

How reproducible:

Deterministic.

Steps to Reproduce:
1. Have Dockerfile which defines for example /run as VOLUME:

FROM registry.access.redhat.com/ubi8
VOLUME [ "/run" ]

2. Build image: podman build -t test-volume .
3. Run the container: podman run --rm --read-only test-volume touch /run/a

Actual results:

Error: conflict at mount destination /run: duplicate mount destination

Expected results:

No error, behaviour similar to docker which did not choke on the extra VOLUME declaration.

Additional info:

The man podman-run(1) says that podman mounts /run (and /tmp and /var/tmp) by default:

       --read-only-tmpfs=true|false

       If container is running in --read-only mode, then mount a read-write
       tmpfs on /run, /tmp, and /var/tmp.  The default is true

But podman should be able to reconcile its idea of automounted tmpfs volumes with the VOLUME declaration in the container image. There is nothing duplicate about those mount destinations, really.

It is possible to avoid the error by explicitly specifying the volume with --tmpfs option:

# podman run --tmpfs /run --rm --read-only test-volume touch /run/a

But that in turn makes the container startup unnecessarily verbose, taking away the benefit of having as much as possible information about the container stored in the container image.
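
The reconciliation the report asks for, as an added example that is not part of the bug report and not podman's own code: a small POSIX shell script that pulls the VOLUME destinations out of a Containerfile, merges them with the three default --read-only tmpfs targets named in podman-run(1) (/run, /tmp, /var/tmp) so that no destination appears twice, and separately lists the VOLUME entries that collide with those defaults, i.e. the ones an affected podman rejected with "duplicate mount destination". The function names, the "volume"/"tmpfs" output format and the sample Containerfile are constructed for this example; the script models the expected behaviour and does not call podman.

```shell
#!/bin/sh
# Added example (not from the bug report, not podman's implementation):
# reconcile an image's VOLUME destinations with the default tmpfs mounts
# that podman adds in --read-only mode, so no destination is listed twice.
set -eu

# Default read-write tmpfs targets in --read-only mode, per podman-run(1).
DEFAULT_TMPFS="/run /tmp /var/tmp"

# Normalize a mount destination: strip trailing slashes, keep "/" as "/".
normalize_dest() {
    d=$(printf '%s' "$1" | sed 's#/*$##')
    [ -n "$d" ] && printf '%s\n' "$d" || printf '/\n'
}

# Extract VOLUME destinations from a Containerfile read on stdin, one per
# line. Handles VOLUME ["/a", "/b"] (JSON form) and VOLUME /a /b (shell form).
extract_volumes() {
    grep -i '^[[:space:]]*VOLUME[[:space:]]' \
    | sed -e 's/^[[:space:]]*[Vv][Oo][Ll][Uu][Mm][Ee][[:space:]]*//' \
          -e 's/[][",]/ /g' \
    | tr -s ' \t' '\n\n' \
    | sed '/^$/d' \
    | while IFS= read -r dest; do normalize_dest "$dest"; done
}

# Read VOLUME destinations (one per line) on stdin and print the mount plan:
# "volume <dest>" for every image volume, then "tmpfs <dest>" only for the
# default targets that no volume already claims. This is the deduplication
# the reporter expects instead of a "duplicate mount destination" error.
plan_mounts() {
    vols=$(cat)
    printf '%s\n' "$vols" | sed '/^$/d' | sed 's/^/volume /'
    for t in $DEFAULT_TMPFS; do
        if ! printf '%s\n' "$vols" | grep -qxF "$t"; then
            printf 'tmpfs %s\n' "$t"
        fi
    done
}

# Read VOLUME destinations on stdin and print the ones that coincide with a
# default tmpfs target: on the affected podman these are the destinations
# that trigger the error and need the explicit --tmpfs workaround.
conflicting_volumes() {
    vols=$(cat)
    for t in $DEFAULT_TMPFS; do
        printf '%s\n' "$vols" | grep -xF "$t" || true
    done
}

# Constructed sample, same shape as the Dockerfile in the report.
SAMPLE_CONTAINERFILE='FROM registry.access.redhat.com/ubi8
VOLUME [ "/run" ]'

# When run directly: show the merged plan and the collisions for the sample.
demo() {
    vols=$(printf '%s\n' "$SAMPLE_CONTAINERFILE" | extract_volumes)
    echo "mount plan:"
    printf '%s\n' "$vols" | plan_mounts
    echo "collisions on affected podman:"
    printf '%s\n' "$vols" | conflicting_volumes
}
demo
```

Feed any Containerfile to extract_volumes and pipe the result into plan_mounts to see which of the default tmpfs mounts would still be added; conflicting_volumes lists exactly the destinations for which the report's --tmpfs workaround would be needed on podman 1.4.x.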

Comment 1 Matthew Heon 2019-09-24 19:46:26 UTC
Confirmed on Podman master

Comment 2 Matthew Heon 2019-09-24 19:54:06 UTC
Not specific to image volumes, this is any named volume.
Trivial reproducer:
`podman run -v testvolume:/run --read-only -t -i --rm alpine touch /run/a`

Comment 3 Matthew Heon 2019-09-24 20:00:06 UTC
https://github.com/containers/libpod/pull/4103 will fix upstream

Comment 4 Daniel Walsh 2019-09-27 12:47:20 UTC
Fixed in podman-1.6.0

Comment 5 Tom Sweeney 2020-01-22 16:18:53 UTC
Assigning to Jindrich to validate packaging has been completed.

Comment 12 errata-xmlrpc 2020-04-28 15:47:35 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2020:1650