
I'm creating Docker images that will later be used on Kubernetes with tight settings:

  1. read-only file system
  2. non-root USER

For test purposes I can emulate 1) with read_only: true in the docker-compose config. I then have to add some directories for places with write activity, such as /run and /var. But if I try to use a tmpfs as shown here, the directory is owned by root:

drwxr-xr-x 2 root root 40 Nov 27 11:05 /var 

Is there a secret option to make it drwxrwxrwx? Is there an alternative (besides plain disk directories)?

Running:

  • Docker version 18.06.0-ce
  • docker-compose version 1.8.0
  • Ubuntu 16.04


You can specify a tmpfs mode:

    docker run -d \
      -it \
      --name tmptest \
      --mount type=tmpfs,destination=/app,tmpfs-mode=1770 \
      nginx:latest

https://docs.docker.com/storage/tmpfs/#specify-tmpfs-options


With the older 2.x compose file syntax, you can specify it like:

    version: "2.4"
    services:
      my_app:
        image: my_app
        read_only: true
        restart: always
        tmpfs:
          - /run:mode=770,size=1k,uid=200,gid=10000

https://github.com/docker/cli/issues/698#issuecomment-429688027


For the 3.x syntax, with the long format volume definition, you'll want to follow this issue:

https://github.com/docker/cli/issues/1285


7 Comments

The mode param seems ignored, but the uid one works, so I can get the thing going. The strange thing is that the flags aren't the same on the two tmpfs I create: drwxr-xr-x for /var/httpd and drwxrwx--- for /run/httpd.
@xenoid my personal solution to problems like this is usually to start an entrypoint as root inside the container, fix any file permissions and uids, and then do an exec gosu to drop from root to a user. The container is then effectively running as the user, but not every security team accepts that option.
Plot twist: mode= works this morning, after I removed a RUN chown ... in the Dockerfile...
As of 2022, tmpfs-mode "Defaults to 1777 or world-writable" and yet I'm getting EACCESS errors, so I think the problem is likely more complicated than this.
Could it be a bug? I am running into a similar issue, the mountpoint is 755 even with mode set explicitly
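The following is an added example, not code from the answer or its comments, that puts the answer's 2.x short-form syntax together with the question's other constraints: a read-only root filesystem, a non-root user, and tmpfs mounts for the write locations the question names. The service name, image name, uid/gid 1000 and the sizes are assumed values chosen for illustration; the uid/gid in each mount is set to match the user so the mode does not have to be world-writable.

```yaml
# Added example (docker-compose 2.x syntax): read-only root, non-root user,
# per-mount tmpfs ownership. Service name, image, uid/gid and sizes are assumed.
version: "2.4"
services:
  httpd:
    image: my_httpd_image          # assumed image name
    user: "1000:1000"              # assumed non-root uid:gid present in the image
    read_only: true                # emulates Kubernetes readOnlyRootFilesystem
    restart: unless-stopped
    tmpfs:
      # uid/gid match `user:` above, so 1770 is enough for the process to write;
      # the leading 1 (sticky bit) stops other uids from removing its files.
      - /run:mode=1770,uid=1000,gid=1000,size=16m
      - /var/httpd:mode=1770,uid=1000,gid=1000,size=64m
      # scratch space that anything in the container may use
      - /tmp:mode=1777,size=64m
```

After `docker-compose up -d`, verify the result rather than trusting the config: `docker-compose exec httpd stat -c '%A %u %g %n' /run /var/httpd /tmp` should report the requested mode and the uid/gid from `user:` on the first two mounts. If it shows root-owned 755 instead, check the image's Dockerfile for a RUN chown or mkdir on the same path, which the comments above identify as the usual cause.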

This works for the current master-branch spec:

    services:
      my_app:
        image: my_app
        volumes:
          - type: tmpfs
            target: /app/tmp
            tmpfs:
              mode: 0o01777

The leading 0 is significant, do not remove. mode is the octal representation of Unix permissions. Some yaml interpreters will automatically drop leading zeros from regular integers (e.g. 01777). Therefore, we can specify that this is an octal by prepending it with 0o.

Ensure the directory does not exist beforehand, otherwise it would ignore the permissions. The place to do it is in your Dockerfile:

    RUN rm -rf /app/tmp

Do not bother with uid or gid: as of 2023-05 they are not implemented. Link to the current source: https://github.com/moby/moby/blob/master/api/types/mount/mount.go#L103-L135 (permalink)

5 Comments

Excellent! You saved the day! A shame that it is so poorly implemented and undocumented :(
2024 and this is still an issue. This solution worked for me. I wonder why you have to remove the tmpfs manually in the Dockerfile?
@sleepystar96 "Ensure the directory does not exist beforehand, otherwise it would ignore the permissions." That is, if you own the Dockerfile and are able to mkdir/chmod from there, cool, more power to you.
I'm not really sure what you mean. I did try to chmod in the Dockerfile directly but it did not work. However, following your instructions exactly (adding 01777 in docker-compose file, and adding RUN rm -rf /app/tmp to Dockerfile) worked.
Wow, this is absurd. I was pulling my hair out trying to figure out why I could configure a tmpfs mount with a non-root user with no issues, but then when the container restarted I'd get permissions errors for the file being created by the running application within the container inside that directory. This solution resolved that problem.
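As an added example, not code from the answer above, here is the compose-spec long-form mount with the octal pitfall the answer describes shown beside the working spelling, combined with a non-root user and read-only root. The service name, image, target path, uid/gid and size are assumed values; as the answer says, the image's Dockerfile must not create /app/tmp, or the mode is ignored.

```yaml
# Added example (compose-spec long form): tmpfs mount with an explicit octal mode.
# Service name, image, target, uid/gid and size are assumed values.
services:
  my_app:
    image: my_app:latest            # assumed image; its Dockerfile must not create /app/tmp
    user: "10001:10001"             # assumed non-root uid:gid
    read_only: true
    volumes:
      - type: tmpfs
        target: /app/tmp
        tmpfs:
          size: 67108864            # bytes (64 MiB); long form takes a byte count
          # mode: 1777              # WRONG: read as decimal 1777, i.e. octal 3361
          # mode: 01777             # RISKY: whether the leading 0 means octal depends on the YAML parser
          mode: 0o1777              # explicit octal: world-writable with the sticky bit
```

Because uid and gid are not honoured here (see the answer), a mode of 0o1777 is what lets the non-root `user:` write into the mount; use 0o1770 only if the process's gid matches the mount's group, which with this syntax will be root's. Confirm with `docker compose exec my_app stat -c '%A %u %g %n' /app/tmp` after the first start and again after a restart, since the last comment above reports the permissions surviving the first run but not the restart when the directory pre-existed in the image.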
