Read-only access to container storage (formerly 'Mount docker.sock')

[heyakyra]

/kind feature

Description

Many containers require read-only access to the docker socket (for example https://github.com/nginx-proxy/nginx-proxy and https://github.com/nginx-proxy/acme-companion) in order to e.g. trigger actions when containers are started with certain properties, so users have been requesting the ability to mount /run/podman/podman.sock as a volume in their containers. This would be very dangerous with write capabilities, but the ability to read container storage should be a possible setup if the user is aware of the implications.

Steps to reproduce the issue:

1. Try nginx-proxy with something like podman run --name=nginx-proxy -p=80:80 -p 443:443 -v /etc/nginx/certs:/etc/nginx/certs -v /etc/nginx/vhost.d:/etc/nginx/vhost.d -v /etc/nginx/html:/usr/share/nginx/html -v /var/run/podman/podman.sock:/tmp/docker.sock:ro docker.io/jwilder/nginx-proxy:latest

Describe the results you received:

See some error like:

Jan 05 05:04:01 vps-32b23b52.vps.ovh.us conmon[2675]: Error: you need to share your Docker host socket with a volume at /var/run/docker.sock
Jan 05 05:04:01 vps-32b23b52.vps.ovh.us conmon[2675]: Typically you should run your container with: '-v /var/run/docker.sock:/var/run/docker.sock:ro'

Describe the results you expected:

Read only access succeeds!

Additional information you deem important (e.g. issue happens only occasionally):

Previous ticket here: #6015 (comment)

Version Details

**Output of `podman version`:**

$ podman version
Version:      3.4.2
API Version:  3.4.2
Go Version:   go1.16.8
Built:        Fri Nov 12 20:25:37 2021
OS/Arch:      linux/amd64

Output of podman info --debug:

$ podman info --debug
host:
  arch: amd64
  buildahVersion: 1.23.1
  cgroupControllers:
  - memory
  - pids
  cgroupManager: systemd
  cgroupVersion: v2
  conmon:
    package: conmon-2.0.30-2.fc35.x86_64
    path: /usr/bin/conmon
    version: 'conmon version 2.0.30, commit: '
  cpus: 4
  distribution:
    distribution: fedora
    variant: coreos
    version: "35"
  eventLogger: journald
  hostname: vps-32b23b52.vps.ovh.us
  idMappings:
    gidmap:
    - container_id: 0
      host_id: 1001
      size: 1
    - container_id: 1
      host_id: 165536
      size: 65536
    uidmap:
    - container_id: 0
      host_id: 1001
      size: 1
    - container_id: 1
      host_id: 165536
      size: 65536
  kernel: 5.15.6-200.fc35.x86_64
  linkmode: dynamic
  logDriver: journald
  memFree: 7191359488
  memTotal: 8125849600
  ociRuntime:
    name: crun
    package: crun-1.3-1.fc35.x86_64
    path: /usr/bin/crun
    version: |-
      crun version 1.3
      commit: 8e5757a4e68590326dafe8a8b1b4a584b10a1370
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +CRIU +YAJL
  os: linux
  remoteSocket:
    path: /run/user/1001/podman/podman.sock
  security:
    apparmorEnabled: false
    capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: true
    seccompEnabled: true
    seccompProfilePath: /usr/share/containers/seccomp.json
    selinuxEnabled: true
  serviceIsRemote: false
  slirp4netns:
    executable: /usr/bin/slirp4netns
    package: slirp4netns-1.1.12-2.fc35.x86_64
    version: |-
      slirp4netns version 1.1.12
      commit: 7a104a101aa3278a2152351a082a6df71f57c9a3
      libslirp: 4.6.1
      SLIRP_CONFIG_VERSION_MAX: 3
      libseccomp: 2.5.3
  swapFree: 0
  swapTotal: 0
  uptime: 34h 8m 37.19s (Approximately 1.42 days)
plugins:
  log:
  - k8s-file
  - none
  - journald
  network:
  - bridge
  - macvlan
  volume:
  - local
registries:
  search:
  - registry.fedoraproject.org
  - registry.access.redhat.com
  - docker.io
  - quay.io
store:
  configFile: /var/home/kyra/.config/containers/storage.conf
  containerStore:
    number: 2
    paused: 0
    running: 0
    stopped: 2
  graphDriverName: overlay
  graphOptions: {}
  graphRoot: /var/home/kyra/.local/share/containers/storage
  graphStatus:
    Backing Filesystem: xfs
    Native Overlay Diff: "true"
    Supports d_type: "true"
    Using metacopy: "false"
  imageStore:
    number: 4
  runRoot: /run/user/1001/containers
  volumePath: /var/home/kyra/.local/share/containers/storage/volumes
version:
  APIVersion: 3.4.2
  Built: 1636748737
  BuiltTime: Fri Nov 12 20:25:37 2021
  GitCommit: ""
  GoVersion: go1.16.8
  OsArch: linux/amd64
  Version: 3.4.2

Package info (e.g. output of rpm -q podman or apt list podman):

$ rpm -q podman
podman-3.4.2-1.fc35.x86_64

Have you tested with the latest version of Podman and have you checked the Podman Troubleshooting Guide? (https://github.com/containers/podman/blob/master/troubleshooting.md)

Yes

Additional environment details (AWS, VirtualBox, physical, etc.):

Fedora CoreOS 35

[github-actions[bot]]

A friendly reminder that this issue had no activity for 30 days.

[rhatdan]

Read/only access to the socket, is probably not going to get what you want.

You need to write to the socket to be able to tell it what you want.

There is currenly no way on either docker.sock or podman.sock to differentiate read/write from read/only.

Theoretically you could read only the events happening on the system, but then you would need access to the events log or journald.

[rhatdan]

We can continue the discussion if you are still interested.