New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add tmpfs as a valid volume source command. #13587
Conversation
This doesn't look like the correct UI. |
@cpuguy83 HOw would I specify the equivalent of docker run -ti -v tmpfs:/tmp -v tmpfs:/run --read-only fedora /bin/sh |
@rhatdan |
The |
Well I think that stinks, for several reasons,
|
how does this interact with |
just curious if this is any different than the one @crosbymichael had open :) |
sorry, I didn't mean to close this. Fat fingers |
@jfrazelle I only saw the --tmpfs /tmp one by @crosbymichael, did he do another? |
I understand that this is very useful in many cases and necessary in the case of systemd, but the implementation is far from ideal. Leaving the discussion about how to set the driver name aside (I know it's a problem and I'm looking forward to find a good solution), I feel like adding more conditionals to that loop, in order to support more options in the mounting operation, is not the right solution. The mount points or the exec driver mount configurations should be able to generate a valid That loop should be reduced to something like this: for _, m := range c.Mounts {
container.Mounts = append(container.Mounts, m.Config())
} Yes, there might be more lines of code to touch but it will be easier to maintain in the long term. |
@calavera Is the updated patch what you had in mind? |
Any movement on this? @jfrazelle @crosbymichael @tianon @calavera |
@rhatdan are you sure you updated the patch? It looks like the latest commit is from before my latest comment. |
@calavera I guess I had a separate tag, tmpfs. Sorry, replaced this package with updated tmpfs patch. |
tarFile := fmt.Sprintf("%s/%s.tar", tmpDir, strings.Replace(dest, "/", "_", -1)) | ||
if _, err := os.Stat(fullDest); err == nil { | ||
premount = append(premount, configs.Command{ | ||
Path: "/usr/bin/tar", |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
i think this should not be absolute path, and should just be tar
so exec.Cmd can do the lookup itself.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I go back and forth on this, since I always worry about path confusion. The Security background in me, says relying on $PATH for privileged operations i often a bad idea.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Why aren't we using the Go library implementation of tar
? Granted, you'd need to exploit the system through another method to modify /usr/bin/tar
, but that shouldn't mean you can now get arbitrary command execution for free. As for the /usr/bin/tar
vs tar
thing, AFAICS you can't modify the PATH
of the docker
daemon after it has started to run (/proc/self/environ
doesn't modify the state of memory of the process), so you'd need to modify the init scripts and restart it (which already requires root
and so you'd be able to execute things at the same privilege as docker
anyway).
I'm still not sold on the idea of making I agree with @dqminh that it should not use an absolute path either. We already shell out to other commands using path lookup, why this should be different. I'm also thinking that having an absolute path is not going to work very well with other platforms, even shelling out to tar might not work very well 😸 |
Right, tmpfs is just a special type of mount, not really a volume (i.e., actual directory on the host ). But the problem is that volume is the only public interface in docker right now to specify mounts hence the overloading part of tmpfs as Source. There's also #9586 which adds |
See that #9586 has several LGTM, I would expect the same approval if we reintroduce the flag here. I also think that having a |
I would be fine with the --tmpfs proposal, or any proposal that would allow me to specify a tmpfs into a container. We are hearing a lot from customers that want IMMUTABLE containers, where we could run --read-only with /tmp and /run as tmpfs. We just need to standardize on the CLI. The beauty of this patch is that it is very small and I believe most users see volumes as a mechanism to mount something into a container. So using it for tmpfs and potentially other future file system types into the container feels natural. |
I think mount properties would be the best interface. Because really, |
This adds support for the Tmpfs option introduced in Docker 1.10. See: moby/moby#13587 Signed-off-by: Jan Losinski <losinski@wh2.tu-dresden.de>
This adds support for the Tmpfs option introduced in Docker 1.10. See: moby/moby#13587 Signed-off-by: Jan Losinski <losinski@wh2.tu-dresden.de>
This adds support for the Tmpfs option introduced in Docker 1.10. See: moby/moby#13587 Signed-off-by: Jan Losinski <losinski@wh2.tu-dresden.de>
any idea how/if this maps to docker-compose? |
It's undocumented but the API supports it. Check out https://github.com/nfnty/dockerfiles/blob/master/containers.yaml to see how I'm using it. |
File gave me quite some insights, but " But ur file is different entirely.. so yaml vs .yml etc... |
@Mirabis looks like @nfnty is not using Docker Compose, but a custom Python script; https://github.com/nfnty/dockerfiles/blob/master/scripts/containers.py. I suggest to search for existing issues, or open a new one in the Docker Compose issue tracker; https://github.com/docker/compose/issues |
This adds support for the Tmpfs option introduced in Docker 1.10. See: moby/moby#13587 Signed-off-by: Jan Losinski <losinski@wh2.tu-dresden.de>
Are there any plans for adding support for tmpfs at build time? |
What would be your use case? |
Use case 1: Storing secrets temporarily without them ending up in intermediate image (This IMHO hasn't really made progress in over a year of discussion):
Use case 2: Copying files from context temporarily that otherwise bloat the image (This problem has been raised many times with various different suggestions and no real solution so far):
|
Would copying to /dev/shm solve your problem if that exists in a build container? |
I guess so, if it is mounted as a tmpfs and therfore does not get commited to one of the intermediate images. The question is how large it can get. For the "storing credentials temporarily" use case the size should not be a limit, but for the use case of copying large files (temporarily) from the context, a fixed size-limit could be a problem. |
I think they default it to 65k |
Ok, that would be enough for some simple credentials, but not for any serious file-copying. Could /dev/shm be enabled for build containers easily? |
I think it is, I am not able to use docker right now, but try to copy something to /dev/shm and it should work and not show up in the container image |
I just checked, it is there (mount reports |
We have added support for docker build -v /SOURCE:/Dest to our patches for projectatomic/docker. Sadly docker upstream refuses this patch. 👎 We added it because out customers wanted it for precisely the issue you are looking at. |
This patch set will allow users to setup tmpfs mounts on top of
any directory. One of the big benefits of this would be
to allow --read-only to work when an application needs to write to /run or /tmp.
Docker-DCO-1.1-Signed-off-by: Dan Walsh dwalsh@redhat.com (github: rhatdan)