Fix /tmp not writable (#3)

* ci: specify bullseye for golang image * fix(runj/execute): mount /tmp as tmpfs This will make programs that need to write to temporary files happy. * fix(runj/execute): make mount /tmp more secure
darkyzhou · Aug 17, 2023 · f66b65c · f66b65c
1 parent f128c21
commit f66b65c
Show file tree

Hide file tree

Showing 3 changed files with 8 additions and 2 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -1,7 +1,7 @@
 ARG GIT_SHA
 ARG GIT_NAME
 
-FROM golang:1.19 AS runj
+FROM golang:1.19-bullseye AS runj
 WORKDIR /usr/src/app/
 COPY runj/go.mod runj/go.sum ./
 RUN go mod download && go mod verify

diff --git a/Dockerfile.dev b/Dockerfile.dev
@@ -1,4 +1,4 @@
-FROM golang:1.19 AS runj
+FROM golang:1.19-bullseye AS runj
 WORKDIR /usr/src/app/
 COPY runj/go.mod runj/go.sum ./
 RUN go mod download && go mod verify

diff --git a/runj/cmd/runj/execute/spec.go b/runj/cmd/runj/execute/spec.go
@@ -46,6 +46,12 @@ var defaultMountPoints = []specs.Mount{
 		Source:      "sysfs",
 		Options:     []string{"nosuid", "noexec", "nodev", "ro"},
 	},
+	{
+		Destination: "/tmp",
+		Type:        "tmpfs",
+		Source:      "tmpfs",
+		Options:     []string{"nosuid", "noexec", "nodev", "size=128m", "nr_inodes=4k"},
+	},
 }
 
 func makeContainerSpec(config *entities.RunjConfig, uidMappings []specs.LinuxIDMapping, gidMappings []specs.LinuxIDMapping) (*specs.Spec, error) {