Created
February 4, 2026 19:19
-
-
Save Jip-Hop/e8291cd4efbe698925194064fdf40855 to your computer and use it in GitHub Desktop.
Create /tmp dir (root owned, 1777 mode with sticky bit) inside FROM scratch image using only Dockerfile. No .tar file hack or running any command as root user during build. This is an elegant workaround as it's not possible to set the 1777 mode with COPY directly and permissions are not preserved when copying the tmp directory directly.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| FROM alpine AS builder | |
| # Run as non-root user | |
| USER 64646:64646 | |
| WORKDIR /app | |
| # NOTE: build your app here | |
| # Create a new empty image directory, used as our scratch root dir | |
| # Create the tmp dir with required sticky bit mode as a subdirectory | |
| RUN --network=none mkdir -p image/tmp && chmod 1777 image/tmp | |
| FROM scratch | |
| # Copy the image directory as our image root dir | |
| # Directory will get default 755 mode, but tmp subdir will preserve 1777 mode | |
| # Root owner is applied recursively | |
| COPY --from=builder --chown=0:0 /app/image / | |
| # # Confirm / has mode 755 and /tmp has mode 1777 | |
| # RUN --network=none --mount=from=busybox:musl,src=/bin/busybox,dst=/busybox \ | |
| # ["/busybox", "stat", "/"] | |
| # RUN --network=none --mount=from=busybox:musl,src=/bin/busybox,dst=/busybox \ | |
| # ["/busybox", "stat", "/tmp"] |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment