Commit 6c16bc93 authored by Samuel GAIST's avatar Samuel GAIST

[dock] Add minimal rw tmpfs for /tmp and /run

At least in production, some issues occurred that required
/tmp to be writable. To preserve the read-only state
of the container, use a small tmpfs that is enough for
the container to run. /run is another path that might be needed,
so make it part of the defaults used.
parent a651c536
Pipeline #41572 passed with stage
in 25 minutes and 33 seconds
......@@ -558,6 +558,9 @@ class Host(object):
# Mount the volumes
cmd.extend(container.volumes)
# Add tmpfs entries
cmd.extend(container.temporary_filesystems)
# Expose the ports
cmd.extend(container.ports)
......@@ -792,6 +795,7 @@ class Container:
self._name = None
self._workdir = None
self._entrypoint = None
self._temporary_filesystems = {"/tmp": "500k", "/run": "500k"} # nosec
def set_name(self, name):
""" Set the name to be used by the container in place of the docker
......@@ -822,6 +826,16 @@ class Container:
self._volumes[path] = {"bind": mount_path, "mode": "ro" if read_only else "rw"}
def add_tmpfs(self, path, size):
"""Add a tmpfs to be mounted on the container
Parameters:
:param str path: Target path for the tmpfs
:param str size: Size of the tmps. Unlimited if empty
"""
self._temporary_filesystems[path] = size
def add_port(self, container_port, host_port, host_address=None):
"""Add a port binding
......@@ -901,6 +915,17 @@ class Container:
volumes.append("--volume=%s:%s:%s" % (k, v["bind"], v["mode"]))
return volumes
@property
def temporary_filesystems(self):
tempfs_list = []
for path, size in self._temporary_filesystems.items():
tmpfs_string = "--tmpfs={}:rw,noexec,nosuid".format(path)
if size:
tmpfs_string += ",size={}".format(size)
tempfs_list.append(tmpfs_string)
return tempfs_list
@property
def ports(self):
"""Returns the ports of this container in a suitable form to build
......
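Review bot: `add_tmpfs` stores `path` and `size` unchecked, and the `temporary_filesystems` property formats both straight into the `--tmpfs=` option string, so a value containing `,` or `:` can change the mount options that are meant to stay `rw,noexec,nosuid`. Whether these values ever come from outside the code base is not visible in these hunks, but validating in `add_tmpfs` is cheap, for example `if size and not re.fullmatch(r"[0-9]+[kmgKMG]?", size): raise ValueError("invalid tmpfs size")` (adjust the pattern to the size syntax you want to accept, and check that `re` is imported), plus rejecting a `path` that is not absolute or that contains `,` or `:`. The empty-size case that the docstring calls "Unlimited" leaves the mount bounded only by whatever memory limits apply to the container, which deserves a sentence in that docstring, where `tmps` should also read `tmpfs`. The `# nosec` on the defaults line would be easier to audit with its reason attached, e.g. `# nosec: mount points inside the container, not host temp files`, and the new property has no docstring while its sibling `ports` does. Both class bodies continue outside the hunks shown.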
......@@ -188,6 +188,62 @@ class EntrypointTest(NoDiscoveryTests):
self.assertEqual(logs, "42\n")
class TmpfsTest(NoDiscoveryTests):
def test_tmpfs(self):
"""Test that the tmpfs are properly mounted and usable.
"""
container = self.host.create_container(
"debian:8.4", ["touch", "/dummy/test.txt"]
)
tmpfs_list = container.temporary_filesystems
self.assertEqual(len(tmpfs_list), 2)
container.add_tmpfs("/dummy", "1M")
tmpfs_list = container.temporary_filesystems
self.assertEqual(len(tmpfs_list), 3)
self.host.start(container)
status = self.host.wait(container)
logs = self.host.logs(container)
if status != 0:
print(logs)
self.assertEqual(status, 0)
self.assertEqual(logs, "")
def test_tmpfs_size(self):
"""Test that the tmpfs are respected.
"""
container = self.host.create_container(
"debian:8.4", ["dd", "if=/dev/zero", "of=/dummy/test.txt"]
)
tmpfs_list = container.temporary_filesystems
self.assertEqual(len(tmpfs_list), 2)
container.add_tmpfs("/dummy", "1M")
tmpfs_list = container.temporary_filesystems
self.assertEqual(len(tmpfs_list), 3)
self.host.start(container)
status = self.host.wait(container)
logs = self.host.logs(container)
if status != 0:
print(logs)
self.assertEqual(status, 1)
self.assertTrue("No space left" in logs)
class AsyncTest(NoDiscoveryTests):
@slow
def test_echo(self):
......
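Review bot: Neither test in `TmpfsTest` checks the hardening options themselves; both assert only the number of entries and that writes succeed or run out of space, so a later change that drops `noexec` or `nosuid` from the generated string would still pass. I would add an assertion on the strings in `test_tmpfs`, such as `self.assertTrue(all("rw,noexec,nosuid" in entry for entry in tmpfs_list))`, and one that the `/dummy` entry ends with `,size=1M`. In `test_tmpfs_size`, `self.assertIn("No space left", logs)` gives a more useful failure message than `assertTrue(... in logs)`, and the docstring would read better as "Test that the tmpfs size limit is enforced." The two tests repeat the same setup and length checks, which could move into a small helper on the test class.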