Description
`qm.container` has `ReadOnly=true`, which maps to `podman run --read-only`.
This tells podman to mount the container image read-only, and then mount a tmpfs on top of /tmp, /run and /var/tmp.
However, in QM, /var/tmp is generally on top of the /var volume (which comes from /var/qm on the host), and we don't want this part to be a tmpfs, because that limits the size of /var/tmp files in the qm partition, and this is not expected (e.g. it is different from what normally happens in RHEL, where /tmp is RAM based and /var/tmp is disk based).
I think we need to pass some extra arguments to manually configure /tmp and /run as tmpfs, with no special options for /var/tmp (so it's just picked up from the volume).
I think what we want is

```ini
ReadOnly=true
ReadOnlyTmpfs=false
Mount=type=tmpfs,tmpfs-size=512M,destination=/tmp
Mount=type=tmpfs,tmpfs-size=512M,destination=/run
```
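As an added example (not part of this issue or the qm project), here is a small POSIX shell check that reads a `/proc/mounts`-style table and verifies the intended layout: /tmp and /run on tmpfs, /var/tmp not shadowed by a separate tmpfs. The mount tables embedded below are constructed sample data, not captured from a real qm container.

```shell
#!/bin/sh
# Constructed sample of what /proc/mounts might show inside the qm
# container with the intended configuration: /tmp and /run on tmpfs,
# /var/tmp served by the /var volume (xfs here), root image read-only.
GOOD_MOUNTS='overlay / overlay ro,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,size=524288k 0 0
tmpfs /run tmpfs rw,nosuid,nodev,size=524288k 0 0
/dev/sda3 /var xfs rw,relatime 0 0'

# Constructed sample of the unwanted default --read-only behaviour:
# a size-limited tmpfs has been mounted on top of /var/tmp.
BAD_MOUNTS='overlay / overlay ro,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,size=65536k 0 0
tmpfs /run tmpfs rw,nosuid,nodev,size=65536k 0 0
/dev/sda3 /var xfs rw,relatime 0 0
tmpfs /var/tmp tmpfs rw,nosuid,nodev,size=65536k 0 0'

# fstype_of <mounts-text> <mountpoint>: print the fs type of the last
# entry for that exact mountpoint (later entries shadow earlier ones).
fstype_of() {
    printf '%s\n' "$1" | awk -v mp="$2" '$2 == mp { t = $3 } END { print t }'
}

# check_mounts <mounts-text>: returns 0 if /tmp and /run are tmpfs and
# /var/tmp is not a separate tmpfs (so it comes from the /var volume),
# 1 otherwise. Inside a container: check_mounts "$(cat /proc/mounts)"
check_mounts() {
    rc=0
    for mp in /tmp /run; do
        if [ "$(fstype_of "$1" "$mp")" != tmpfs ]; then
            echo "FAIL: $mp is not a tmpfs" >&2
            rc=1
        fi
    done
    if [ "$(fstype_of "$1" /var/tmp)" = tmpfs ]; then
        echo "FAIL: /var/tmp is a tmpfs; it is size-limited instead of using the /var volume" >&2
        rc=1
    fi
    return $rc
}
```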