tmpfs noswap support #19659

Closed
bplaxco opened this issue Aug 17, 2023 · 1 comment · Fixed by #19663
Labels
kind/feature Categorizes issue or PR as related to a new feature. locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments.

bplaxco commented Aug 17, 2023

Feature request description

Would like the ability to create noswap tmpfs mounts through --mount so that I can ensure sensitive variable runtime data is never written to disk.

(Also this might be a potentially useful tweak/option to add to the secret feature in podman, but I haven't dug into that as much since that appears to be for static secrets. I still wanted to mention that here since I read something that indicated those are also stored on tmpfs volumes and didn't see matches for noswap in any of the repos here.)

Suggest potential solution

Support a tmpfs-noswap flag that would be similar to passing -o noswap to mount for a tmpfs.

Have you considered any alternatives?

I have considered doing something like:

$ podman run -it --rm --cap-add=sys_admin registry.redhat.io/ubi8:latest
mkdir foo && mount -t ramfs -o size=10M ramfs ./foo

But I'd rather not add extra caps in. I also considered doing a noswap tmpfs on the host and mounting that into the container.

Additional context

This isn't urgent at all, and I figured I'd call this and the potential use case out in the secret feature here in case it's useful for other folks as well.

Thanks for all the great work folks! ^_^

@bplaxco bplaxco added the kind/feature Categorizes issue or PR as related to a new feature. label Aug 17, 2023
rhatdan added a commit to rhatdan/podman that referenced this issue Aug 17, 2023
Fixes: containers#19659

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
rhatdan added a commit to rhatdan/podman that referenced this issue Aug 21, 2023
Users want to mount a tmpfs file system with secrets, and make
sure the secret is never saved into swap. They can do this either
by using a ramfs tmpfs mount or by passing `noswap` option to
a tmpfs mount.

Fixes: containers#19659

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
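
An added example, not part of the issue thread or of Podman's code: a shell check that a mount point holding secrets is either ramfs or a tmpfs mounted with `noswap`, the two options the commit message names. The sample mount lines are constructed, the function names are hypothetical, and the check assumes the kernel reports `noswap` among the tmpfs options in `/proc/self/mounts`.

```sh
# Added example: check that a mount point holding secrets cannot be swapped out.
# Assumes the kernel lists "noswap" among the tmpfs options in /proc/self/mounts.

# write_sample_mounts FILE: constructed sample in /proc/mounts format.
write_sample_mounts() {
    cat > "$1" <<'EOF'
overlay / overlay rw,relatime 0 0
tmpfs /run/secrets tmpfs rw,nosuid,nodev,relatime,size=10240k,noswap 0 0
tmpfs /scratch tmpfs rw,nosuid,nodev,relatime,size=10240k 0 0
ramfs /keys ramfs rw,relatime 0 0
EOF
}

# mount_swap_safe MOUNTPOINT [MOUNTS_FILE]
# Returns 0 if MOUNTPOINT is ramfs or tmpfs with noswap, 1 if it is any
# other mount, 2 if MOUNTPOINT is not a mount point at all.
# MOUNTPOINT must be spelled as in the mounts file (spaces appear as \040).
mount_swap_safe() {
    target=$1
    mounts=${2:-/proc/self/mounts}
    fstype_found= opts_found=
    # Later lines shadow earlier ones on the same path, so keep the last match.
    while read -r _dev mp fstype opts _rest; do
        if [ "$mp" = "$target" ]; then
            fstype_found=$fstype
            opts_found=$opts
        fi
    done < "$mounts"
    [ -n "$fstype_found" ] || return 2
    case $fstype_found in
        ramfs) return 0 ;;
        tmpfs)
            case ",$opts_found," in
                *,noswap,*) return 0 ;;
            esac
            return 1 ;;
        *) return 1 ;;
    esac
}

# Demo on the constructed sample: prints the return code for each mount point.
sample=$(mktemp)
write_sample_mounts "$sample"
for mp in / /run/secrets /scratch /keys; do
    rc=0; mount_swap_safe "$mp" "$sample" || rc=$?
    echo "$mp: mount_swap_safe returned $rc"
done
rm -f "$sample"
```

Called with only a mount point, the function reads the live mount table of the process it runs in, so it can serve as a startup check inside the container. The tmpfs `noswap` option needs Linux 6.4 or later; ramfs is never swapped but has no size limit.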
bplaxco commented Aug 27, 2023

@rhatdan thanks for the quick response on that! I appreciate it ^_^

@github-actions github-actions bot added the locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments. label Nov 26, 2023
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Nov 26, 2023