Bug 1755119 - Read-only podman run errors when one of the volumes it by default mounts as tmpfs are also defined as VOLUME
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: podman
Version: 8.1
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Target Release: 8.2
Assignee: Jindrich Novy
QA Contact: atomic-bugs@redhat.com
URL:
Whiteboard:
Depends On:
Blocks: 1734579
Reported: 2019-09-24 19:37 UTC by Jan Pazdziora
Modified: 2023-03-31 12:25 UTC (History)

Fixed In Version: podman-1.6.4-2.el8
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-04-28 15:47:35 UTC
Type: Bug
Target Upstream Version:
Embargoed:




Links
System                  ID              Last Updated
Red Hat Issue Tracker   RHELPLAN-37629  2023-03-31 12:25:34 UTC
Red Hat Product Errata  RHSA-2020:1650  2020-04-28 15:48:20 UTC

Description Jan Pazdziora 2019-09-24 19:37:18 UTC
Description of problem:

For quite some time with docker, the reasonable way to make writable / temporary volumes present in the container based on the container image, without a need for separate docker run options, was to define the mountpoints as VOLUME:

# docker run --rm --read-only registry.access.redhat.com/ubi8 touch /run/a
touch: cannot touch '/run/a': Read-only file system

# cat Dockerfile
FROM registry.access.redhat.com/ubi8
VOLUME [ "/run" ]

# docker build -t test-volume .

# docker run --rm --read-only test-volume touch /run/a

# echo $?
0

Even if the systemd OCI hook got invoked, e.g. with a Dockerfile like

FROM registry.access.redhat.com/ubi8
RUN ln -s /bin/bash /usr/local/bin/init
ENTRYPOINT [ "/usr/local/bin/init", "-c" ]

which automounted /run and made an invocation like

# docker run --rm --read-only test-volume "touch /run/a"

possible without the VOLUME parameter, having the VOLUME parameter was still possible:

FROM registry.access.redhat.com/ubi8
RUN ln -s /bin/bash /usr/local/bin/init
ENTRYPOINT [ "/usr/local/bin/init", "-c" ]
VOLUME [ "/run" ]

# docker build -t test-volume .
# docker run --rm --read-only test-volume "touch /run/a"

That way it was possible to have the temporary volumes defined in the container image, which made using the image in read-only containers easy.

This got broken with podman.

Version-Release number of selected component (if applicable):

podman-1.4.2-5.module+el8.1.0+4240+893c1ab8.x86_64

How reproducible:

Deterministic.

Steps to Reproduce:
1. Have Dockerfile which defines for example /run as VOLUME:

FROM registry.access.redhat.com/ubi8
VOLUME [ "/run" ]

2. Build image: podman build -t test-volume .
3. Run the container: podman run --rm --read-only test-volume touch /run/a

Actual results:

Error: conflict at mount destination /run: duplicate mount destination

Expected results:

No error, behaviour similar to docker which did not choke on the extra VOLUME declaration.

Additional info:

The podman-run(1) man page says that podman mounts /run (and /tmp and /var/tmp) by default:

       --read-only-tmpfs=true|false

       If container is running in --read-only mode, then mount a read-write
       tmpfs on /run, /tmp, and /var/tmp.  The default is true

But podman should be able to reconcile its idea of automounted tmpfs volumes with the VOLUME declaration in the container image. There is nothing duplicate about those mount destinations, really.

It is possible to avoid the error by explicitly specifying the volume with --tmpfs option:

# podman run --tmpfs /run --rm --read-only test-volume touch /run/a

But that in turn makes the container startup unnecessarily verbose, taking away the benefit of having as much information as possible about the container stored in the container image.

Comment 1 Matthew Heon 2019-09-24 19:46:26 UTC
Confirmed on Podman master

Comment 2 Matthew Heon 2019-09-24 19:54:06 UTC
Not specific to image volumes, this is any named volume.
Trivial reproducer:
`podman run -v testvolume:/run --read-only -t -i --rm alpine touch /run/a`
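The following POSIX shell script is an added example, not code from the bug report or from podman. It turns the two cases above (a VOLUME baked into the image in the description, and a named volume passed with -v in comment 2) into a pre-flight check: it collects mount destinations and compares them against the three paths that podman-run(1) says are mounted as tmpfs under --read-only (/run, /tmp, /var/tmp), printing the explicit --tmpfs flags that let an affected podman start the container instead of failing with "duplicate mount destination". The argument parsing and the constructed argument list at the end run offline; the image_volume_destinations and podman_readonly_preflight helpers assume podman is installed and that `podman image inspect` exposes the image's volume map as .Config.Volumes.

```shell
#!/bin/sh
# Added example, not part of the bug report or of podman itself.
# Finds mount destinations that collide with the tmpfs mounts podman adds under
# --read-only (podman-run(1): /run, /tmp and /var/tmp while --read-only-tmpfs
# is true), so that an affected podman can be given explicit --tmpfs flags
# instead of failing with "duplicate mount destination".

READONLY_TMPFS_DEFAULTS="/run /tmp /var/tmp"

# normalize_path PATH: drop trailing slashes (except for "/") so "/run/" == "/run".
normalize_path() {
    p=$1
    while [ "$p" != "/" ] && [ "${p%/}" != "$p" ]; do
        p=${p%/}
    done
    printf '%s\n' "$p"
}

# conflicting_mounts: read mount destinations, one per line, on stdin and
# print those that equal one of the read-only tmpfs defaults.
conflicting_mounts() {
    while IFS= read -r dest; do
        [ -n "$dest" ] || continue
        dest=$(normalize_path "$dest")
        for d in $READONLY_TMPFS_DEFAULTS; do
            if [ "$dest" = "$d" ]; then
                printf '%s\n' "$dest"
            fi
        done
    done
}

# volume_destinations_from_args ARGS...: scan "podman run" style arguments and
# print the container-side destination of every -v/--volume spec, which may be
# DEST, SRC:DEST or SRC:DEST:OPTS (SRC can be a named volume, as in comment 2).
volume_destinations_from_args() {
    while [ $# -gt 0 ]; do
        case $1 in
            -v|--volume)
                if [ $# -lt 2 ]; then shift; continue; fi
                spec=$2
                shift 2
                ;;
            --volume=*)
                spec=${1#--volume=}
                shift
                ;;
            *)
                shift
                continue
                ;;
        esac
        case $spec in
            *:*) dest=$(printf '%s\n' "$spec" | cut -d: -f2) ;;
            *)   dest=$spec ;;
        esac
        printf '%s\n' "$dest"
    done
}

# tmpfs_workaround_flags: read mount destinations on stdin and print, one per
# line, the "--tmpfs DEST" flag for each colliding destination (de-duplicated).
tmpfs_workaround_flags() {
    conflicting_mounts | sort -u | while IFS= read -r d; do
        printf '%s\n' "--tmpfs $d"
    done
}

# image_volume_destinations IMAGE: print the VOLUME destinations baked into an
# image. Assumes podman is installed and that "podman image inspect" exposes the
# volume map as .Config.Volumes (the Go template prints one key per line).
image_volume_destinations() {
    podman image inspect \
        --format '{{range $k, $v := .Config.Volumes}}{{println $k}}{{end}}' "$1"
}

# podman_readonly_preflight IMAGE ARGS...: combine the image's VOLUMEs with the
# -v destinations from ARGS and print the --tmpfs flags an affected podman
# needs. Requires podman; not exercised offline.
podman_readonly_preflight() {
    image=$1
    shift
    {
        image_volume_destinations "$image"
        volume_destinations_from_args "$@"
    } | tmpfs_workaround_flags
}

# Offline demonstration on a constructed argument list mirroring comment 2's
# reproducer plus a harmless data volume; prints "--tmpfs /run".
volume_destinations_from_args -v testvolume:/run -v /srv/data:/data:ro \
    --read-only --rm alpine touch /run/a | tmpfs_workaround_flags
```

The flags are printed one per line so they can be captured and prepended to the real command, for example `podman run $(podman_readonly_preflight test-volume "$@") --read-only "$@"` on a podman older than the 1.6.0 fix; on a fixed podman the extra --tmpfs flags are simply redundant.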

Comment 3 Matthew Heon 2019-09-24 20:00:06 UTC
https://github.com/containers/libpod/pull/4103 will fix upstream

Comment 4 Daniel Walsh 2019-09-27 12:47:20 UTC
Fixed in podman-1.6.0

Comment 5 Tom Sweeney 2020-01-22 16:18:53 UTC
Assigning to Jindrich to validate packaging has been completed.

Comment 12 errata-xmlrpc 2020-04-28 15:47:35 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2020:1650

