Docker-compose: Mounting a tmpfs usable by non-root user

I'm creating docker images that will later be used on a Kubernetes with tight settings:

  1. read-only file system
  2. non-root USER

For test purposes I can emulate 1) with a read_only: true in the docker-compose config. I then have to add some directories for places with write activity, such as /run and /var. But if I try to use a tmpfs as shown here the directory is owned by root:

drwxr-xr-x 2 root root 40 Nov 27 11:05 /var

Is there a secret option to make it drwxrwxrwx? Is there an alternative (besides plain disk directories)?

Running:

  • Docker version 18.06.0-ce
  • docker-compose version 1.8.0
  • Ubuntu 16.04
xenoid Avatar asked Nov 27 '18 11:11



1 Answer

You can specify a tmpfs mode:

docker run -d \
  -it \
  --name tmptest \
  --mount type=tmpfs,destination=/app,tmpfs-mode=1770 \
  nginx:latest

https://docs.docker.com/storage/tmpfs/#specify-tmpfs-options


With the older 2.x compose file syntax, you can specify it like:

version: "2.4"
services:
  my_app:
    image: my_app
    read_only: true
    restart: always
    tmpfs:
      - /run:mode=770,size=1k,uid=200,gid=10000

https://github.com/docker/cli/issues/698#issuecomment-429688027


For the 3.x syntax, with the long format volume definition, you'll want to follow this issue:

https://github.com/docker/cli/issues/1285

BMitch Avatar answered Nov 15 '22 02:11

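Putting the answer's 2.x tmpfs options together with the question's two constraints (read-only root filesystem, non-root user), as an added example that is not part of the answer above; the uid/gid 1000:1000, the image name and the sizes are assumed values, and the uid/gid in the tmpfs options must match the `user:` the container runs as.

```yaml
# Added example, not from the original answer. Assumes the image runs fine as
# uid 1000 / gid 1000 and only needs scratch space under /run and /var.
version: "2.4"
services:
  my_app:
    image: my_app            # assumed image name
    user: "1000:1000"        # non-root USER; must match uid/gid on the tmpfs lines
    read_only: true          # emulates the cluster's read-only root filesystem
    restart: always
    tmpfs:
      # A bare "- /run" entry gives a root-owned mount (drwxr-xr-x root root),
      # so a process running as 1000:1000 cannot create files there.
      # Passing mode/uid/gid hands ownership to the container user instead,
      # and size= caps how much memory a writable scratch area can consume.
      - /run:mode=770,size=1m,uid=1000,gid=1000
      - /var:mode=770,size=16m,uid=1000,gid=1000
```

After `docker-compose up -d`, `docker-compose exec my_app stat -c '%U:%G %A' /run` should report the container user and `drwxrwx---` rather than `root:root drwxr-xr-x`, while a write anywhere outside the two tmpfs paths still fails with a read-only filesystem error.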