feat(layers.tmp): helper to add a /tmp dir

@moduon MT-1075

README.md

@@ -298,6 +298,11 @@ Function arguments:
     groups to create in the image and add to the user. Valid keys are `gid`
     (optional) and `gname`.
 
+### `nix2container.layers.tmp`
+
+This prebuilt layer will help you to add a working `/tmp` dir to your image.
+[Usage example here](./examples/tmp.nix).
+
 ## Isolate dependencies in dedicated layers
 
 It is possible to isolate application dependencies in a dedicated

default.nix

@@ -1,4 +1,4 @@
-{ pkgs ? import <nixpkgs> { }, system }:
+{ pkgs ? import <nixpkgs> { }, system ? pkgs.system }:
 let
   l = pkgs.lib // builtins;
 
@@ -556,6 +556,20 @@ let
       copyToRoot = shadowSetup;
       perms = l.forEach allUsers userPerms;
     };
+
+  layers.tmp = buildLayer {
+    copyToRoot = pkgs.runCommand "tmp-dir" {
+      outputHash = "sha256-AVwrjJdGCmzJ8JlT6x69JkHlFlRvOJ4hcqNt10YNoAU=";
+      outputHashAlgo = "sha256";
+      outputHashMode = "recursive";
+      preferLocalBuild = true;
+    } ''
+      mkdir -p $out/tmp
+    '';
+    perms = [
+      { path = "/tmp"; regex = ".*"; mode = "a=rwxt"; }
+    ];
+  };
 in {
   inherit nix2container-bin skopeo-nix2container;
   nix2container = {
@@ -564,7 +578,7 @@ in {
       buildLayer
       pullImage
       pullImageFromManifest
-      layers.shadow
+      layers
       ;
   };
 }

examples/default.nix

@@ -14,5 +14,5 @@
   nix = pkgs.callPackage ./nix.nix { inherit nix2container; };
   nix-user = pkgs.callPackage ./nix-user.nix { inherit nix2container; };
   ownership = pkgs.callPackage ./ownership.nix { inherit nix2container; };
-  shadow = pkgs.callPackage ./shadow.nix { inherit nix2container; };
+  shadow-tmp = pkgs.callPackage ./shadow-tmp.nix { inherit nix2container; };
 }

examples/shadow.nix → examples/shadow-tmp.nix

@@ -3,11 +3,12 @@
   nix2container,
 }:
 nix2container.buildImage {
-  name = "shadow";
+  name = "shadow-tmp";
   tag = "latest";
 
   layers = [
     (nix2container.layers.shadow {includeRoot = true;})
+    nix2container.layers.tmp
   ];
 
   copyToRoot = [pkgs.coreutils];

tests/default.nix

@@ -88,16 +88,26 @@ let
       pattern = "(?s)\[PASS].*\[PASS].*\[PASS].*drwxr-xr-x \\d+ user user 4096 Jan  1  1970 store";
     };
     shadow-somebody = testScript {
-      image = examples.shadow;
+      image = examples.shadow-tmp;
       command = "id";
       pattern = "uid=1000(somebody) gid=1000(somebody) groups=1000(somebody)";
     };
     shadow-root = testScript {
-      image = examples.shadow;
+      image = examples.shadow-tmp;
       runFlags = "-u root";
       command = "id";
       pattern = "uid=0(root) gid=0(root) groups=0(root)";
     };
+    tmp-stat = testScript {
+      image = examples.shadow-tmp;
+      command = "stat -c %a /tmp";
+      pattern = "1777";
+    };
+    tmp-mktemp = testScript {
+      image = examples.shadow-tmp;
+      command = "mktemp";
+      pattern = "/tmp/tmp.";
+    };
     # Ensure the Nix database is correctly initialized by querying the
     # closure of the Nix binary.
     # The store path is in a dedicated layer
@@ -171,4 +181,3 @@ let
       ${scripts}
     '';
 in tests // { inherit all; }
-