Building a Docker image with a world writable /tmp - Nix


Magnus Therning

I’m trying to put together a Docker image using dockerTools.buildImage but I’m stuck on creating a /tmp that all users can use.

  • I need to run xvfb-run in the container, and it needs write access to /tmp (it creates a folder /tmp/xvfb-run.XXXXXX for its temporary files).
  • The program run “inside” xvfb-run does not like being run as root.

I’m failing to combine these two things.

The derivation I’m trying to use is

  theImage = dockerTools.buildImage {
    name = "foo";
    tag = "latest";
    created = "now";

    # Each entry in `contents` is copied into the image root.
    # The runCommand derivation below only contributes an empty
    # /tmp directory; the chmod runs in the Nix sandbox, and store
    # paths are made read-only afterwards, so the 1777 mode is lost.
    contents = [thePkg
                xvfb_run
                bash
                coreutils
                (runCommand "tmp-dir" {} ''mkdir -p $out/tmp; chmod 1777 $out/tmp'')
               ];

    config = {
      Cmd = ["/bin/xvfb-run" "-d" "/bin/foo"];
      WorkingDir = "/bin";
      # Run the program as a non-root user (uid:gid).
      User = "1000:1000";
      ExposedPorts = {
        "3000" = {};
      };
    };
  };

After creating the image I can start it and observe that /tmp isn’t the desired 1777 but rather 555 and the non-root user can’t create dirs there.

bash-4.4$ stat /tmp
  File: /tmp
  Size: 4096            Blocks: 8          IO Block: 4096   directory
Device: 3bh/59d Inode: 26217699    Links: 2
Access: (0555/dr-xr-xr-x)  Uid: (    0/ UNKNOWN)   Gid: (    0/ UNKNOWN)
Access: 2020-01-08 14:20:57.163131295 +0000
Modify: 1970-01-01 00:00:01.000000000 +0000
Change: 2020-01-08 14:20:56.943131297 +0000

How do I create a /tmp with the desired mode?

Mats Rauhala

By adding the runCommand to the contents you are only providing the script within the docker image; it's not executed.

Mats Rauhala

Note that runAsRoot is only available in buildImage and not on buildLayeredImage (IIRC).

Magnus Therning

Actually, the runCommand is a derivation and I _do_ end up with a /tmp within the image, not a script. Without the runCommand there is no /tmp at all in the image. However, the mode of /tmp isn't what I expect.

The runAsRoot parameter is what I was looking for indeed. Thanks!