podman: Allow mounting -v /run:/run without leaking .containerenv file to the host
/kind feature
Description
Not sure if this is a bug or RFE, i guess it depends on the point of view š .
Some of our containers are tightly coupled to the host, and they mount -v /run:/run. This results in creation of /run/.containerenv on the host machine, which makes programs running on the host machine (not in a container) think that they are running in a container.
I understand that ādonāt mount /runā is one way to solve this, but it may not be workable for all our containers. So iād like us to have some option to mount -v /run:/run without breaking the host. Possible solutions that come to my mind are:
-
Make podman bind mount the
/run/.containerenvfile into the container, rather than creating it via a mechanic liketouch /run/.containerenv. (I donāt know how Podman creates the file, but given that the file exists on the host after container exits, i preseume Podman creates the file on filesystem inside the container, rather than bind mounting the file into the container namespace?) -
Allow us to explicitly disable the creation of containerenv file for a given container. I guess that would mean adding something like
--no-containerenvoption topodman createandpodman runcommands.
Steps to reproduce the issue:
[root@dendrit ~]# systemd-detect-virt
none
[root@dendrit ~]# ls /run/.containerenv
ls: cannot access '/run/.containerenv': No such file or directory
[root@dendrit ~]# podman run -v /run:/run quay.io/fedora/fedora:35-x86_64 true
[root@dendrit ~]# systemd-detect-virt
podman
[root@dendrit ~]# ls /run/.containerenv
/run/.containerenv
Output of podman version:
Tested on 2 systems, one with:
podman version 4.1.0
and another with:
podman version 3.4.7
(I donāt think the other debug info from the template is helpful here, but can provide it on request.)
Have you tested with the latest version of Podman and have you checked the Podman Troubleshooting Guide? (https://github.com/containers/podman/blob/main/troubleshooting.md)
Yes
About this issue
- Original URL
- State: closed
- Created 2 years ago
- Comments: 17 (9 by maintainers)
Commits related to this issue
- container: do not create .containerenv with -v SRC:/run if /run is on a volume do not create the file /run/.containerenv as it would leak outside of the container. Closes: https://github.com/contain... — committed to giuseppe/libpod by giuseppe 2 years ago
- container: do not create .containerenv with -v SRC:/run if /run is on a volume do not create the file /run/.containerenv as it would leak outside of the container. Closes: https://github.com/contain... — committed to gbraad-redhat/podman by giuseppe 2 years ago
- [v4.0-rhel] container: do not create .containerenv with -v SRC:/run if /run is on a volume do not create the file /run/.containerenv as it would leak outside of the container. Closes: https://github... — committed to TomSweeneyRedHat/podman by giuseppe 2 years ago
- [v4.0-rhel] container: do not create .containerenv with -v SRC:/run if /run is on a volume do not create the file /run/.containerenv as it would leak outside of the container. Closes: https://github... — committed to TomSweeneyRedHat/podman by giuseppe 2 years ago
in any case, I think we should not create the file when
/runis a volume, Iāve opened a PR: https://github.com/containers/podman/pull/14582