build-sys: Add tmpfs mount for /tmp, allow lint to see /tmp and /run

In C9S there's something leaking files in `/tmp` so let's just
enforce use of tmpfs for `/run` at build time too.

But fix `RUN bootc container lint` to *not* have those mounts
becuase otherwise we don't actually see the leaked content.

Assisted-by: Cursor (Opus 4.5)
Signed-off-by: Colin Walters <walters@verbum.org>

Author: cgwalters

Dockerfile

@@ -23,7 +23,7 @@ FROM $base as buildroot
 ARG initramfs=1
 # This installs our buildroot, and we want to cache it independently of the rest.
 # Basically we don't want changing a .rs file to blow out the cache of packages.
-RUN --mount=type=tmpfs,target=/run \
+RUN --mount=type=tmpfs,target=/run --mount=type=tmpfs,target=/tmp \
     --mount=type=bind,from=packaging,src=/,target=/run/packaging \
     /run/packaging/install-buildroot
 # Now copy the rest of the source
@@ -32,11 +32,11 @@ WORKDIR /src
 # See https://www.reddit.com/r/rust/comments/126xeyx/exploring_the_problem_of_faster_cargo_docker/
 # We aren't using the full recommendations there, just the simple bits.
 # First we download all of our Rust dependencies
-RUN --mount=type=tmpfs,target=/run --mount=type=cache,target=/src/target --mount=type=cache,target=/var/roothome cargo fetch
+RUN --mount=type=tmpfs,target=/run --mount=type=tmpfs,target=/tmp --mount=type=cache,target=/src/target --mount=type=cache,target=/var/roothome cargo fetch
 
 FROM buildroot as sdboot-content
 # Writes to /out
-RUN --mount=type=tmpfs,target=/run /src/contrib/packaging/configure-systemdboot download
+RUN --mount=type=tmpfs,target=/run --mount=type=tmpfs,target=/tmp /src/contrib/packaging/configure-systemdboot download
 
 # We always do a "from scratch" build
 # https://docs.fedoraproject.org/en-US/bootc/building-from-scratch/
@@ -49,17 +49,17 @@ RUN --mount=type=tmpfs,target=/run /src/contrib/packaging/configure-systemdboot
 FROM $base as target-base
 # Handle version skew between base image and mirrors for CentOS Stream
 # xref https://gitlab.com/redhat/centos-stream/containers/bootc/-/issues/1174
-RUN --mount=type=tmpfs,target=/run \
+RUN --mount=type=tmpfs,target=/run --mount=type=tmpfs,target=/tmp \
     --mount=type=bind,from=packaging,src=/,target=/run/packaging \
     /run/packaging/enable-compose-repos
-RUN --mount=type=tmpfs,target=/run /usr/libexec/bootc-base-imagectl build-rootfs --manifest=standard /target-rootfs
+RUN --mount=type=tmpfs,target=/run --mount=type=tmpfs,target=/tmp /usr/libexec/bootc-base-imagectl build-rootfs --manifest=standard /target-rootfs
 
 FROM scratch as base
 COPY --from=target-base /target-rootfs/ /
 # SKIP_CONFIGS=1 skips LBIs, test kargs, and install configs (for FCOS testing)
 ARG SKIP_CONFIGS
-# Use tmpfs,target=/run with bind mounts inside to avoid leaking mount stubs into the image
-RUN --mount=type=tmpfs,target=/run \
+# Use tmpfs for /run and /tmp with bind mounts inside to avoid leaking mount stubs into the image
+RUN --mount=type=tmpfs,target=/run --mount=type=tmpfs,target=/tmp \
     --mount=type=bind,from=src,src=/src/hack,target=/run/hack \
     cd /run/hack/ && SKIP_CONFIGS="${SKIP_CONFIGS}" ./provision-derived.sh
 # Note we don't do any customization here yet
@@ -88,12 +88,12 @@ ARG pkgversion
 ARG SOURCE_DATE_EPOCH
 ENV SOURCE_DATE_EPOCH=${SOURCE_DATE_EPOCH}
 # Build RPM directly from source, using cached target directory
-RUN --network=none --mount=type=tmpfs,target=/run --mount=type=cache,target=/src/target --mount=type=cache,target=/var/roothome RPM_VERSION="${pkgversion}" /src/contrib/packaging/build-rpm
+RUN --network=none --mount=type=tmpfs,target=/run --mount=type=tmpfs,target=/tmp --mount=type=cache,target=/src/target --mount=type=cache,target=/var/roothome RPM_VERSION="${pkgversion}" /src/contrib/packaging/build-rpm
 
 FROM buildroot as sdboot-signed
 # The secureboot key and cert are passed via Justfile
 # We write the signed binary into /out
-RUN --network=none --mount=type=tmpfs,target=/run \
+RUN --network=none --mount=type=tmpfs,target=/run --mount=type=tmpfs,target=/tmp \
     --mount=type=bind,from=sdboot-content,src=/,target=/run/sdboot-package \
     --mount=type=secret,id=secureboot_key \
     --mount=type=secret,id=secureboot_cert \
@@ -104,22 +104,22 @@ FROM build as units
 # A place that we're more likely to be able to set xattrs
 VOLUME /var/tmp
 ENV TMPDIR=/var/tmp
-RUN --network=none --mount=type=tmpfs,target=/run --mount=type=cache,target=/src/target --mount=type=cache,target=/var/roothome make install-unit-tests
+RUN --network=none --mount=type=tmpfs,target=/run --mount=type=tmpfs,target=/tmp --mount=type=cache,target=/src/target --mount=type=cache,target=/var/roothome make install-unit-tests
 
 # This just does syntax checking
 FROM buildroot as validate
-RUN --network=none --mount=type=tmpfs,target=/run --mount=type=cache,target=/src/target --mount=type=cache,target=/var/roothome make validate
+RUN --network=none --mount=type=tmpfs,target=/run --mount=type=tmpfs,target=/tmp --mount=type=cache,target=/src/target --mount=type=cache,target=/var/roothome make validate
 
 # Common base for final images: configures variant, rootfs, and injects extra content
 FROM base as final-common
 ARG variant
-RUN --network=none --mount=type=tmpfs,target=/run \
+RUN --network=none --mount=type=tmpfs,target=/run --mount=type=tmpfs,target=/tmp \
     --mount=type=bind,from=packaging,src=/,target=/run/packaging \
     --mount=type=bind,from=sdboot-content,src=/,target=/run/sdboot-content \
     --mount=type=bind,from=sdboot-signed,src=/,target=/run/sdboot-signed \
     /run/packaging/configure-variant "${variant}"
 ARG rootfs=""
-RUN --network=none --mount=type=tmpfs,target=/run \
+RUN --network=none --mount=type=tmpfs,target=/run --mount=type=tmpfs,target=/tmp \
     --mount=type=bind,from=packaging,src=/,target=/run/packaging \
     /run/packaging/configure-rootfs "${variant}" "${rootfs}"
 COPY --from=packaging /usr-extras/ /usr/
@@ -128,10 +128,14 @@ COPY --from=packaging /usr-extras/ /usr/
 # Use with: podman build --target=final --build-context packages=path/to/packages
 # We use --build-context instead of -v to avoid volume mount stubs leaking into /run.
 FROM final-common as final
-RUN --network=none --mount=type=tmpfs,target=/run \
+RUN --network=none --mount=type=tmpfs,target=/run --mount=type=tmpfs,target=/tmp \
     --mount=type=bind,from=packaging,src=/,target=/run/packaging \
     --mount=type=bind,from=packages,src=/,target=/run/packages \
     /run/packaging/install-rpm-and-setup /run/packages
-# Use tmpfs on /run to hide any content created by podman for DNS resolution
-# (e.g., /run/systemd/resolve/stub-resolv.conf on Ubuntu hosts)
-RUN --network=none --mount=type=tmpfs,target=/run bootc container lint --fatal-warnings
+# lint: allow non-tmpfs
+RUN --network=none <<EORUN
+set -xeuo pipefail
+# workaround for https://github.com/containers/buildah/pull/6233
+rm -vrf /run/systemd
+bootc container lint --fatal-warnings
+EORUN

Dockerfile.cfsuki

@@ -3,8 +3,8 @@ ARG base=localhost/bootc
 FROM $base AS base
 
 FROM base as kernel
-# Use tmpfs on /run to prevent podman's DNS resolver files from being committed
-RUN --mount=type=tmpfs,target=/run <<EORUN
+# Use tmpfs on /run and /tmp to prevent podman's DNS resolver files from being committed
+RUN --mount=type=tmpfs,target=/run --mount=type=tmpfs,target=/tmp <<EORUN
 set -xeuo pipefail
 . /usr/lib/os-release
 case $ID in
@@ -18,7 +18,7 @@ dnf -y install systemd-ukify sbsigntools
 EORUN
 # Must be passed
 ARG COMPOSEFS_FSVERITY
-RUN --network=none --mount=type=tmpfs,target=/run \
+RUN --network=none --mount=type=tmpfs,target=/run --mount=type=tmpfs,target=/tmp \
     --mount=type=secret,id=secureboot_key \
     --mount=type=secret,id=secureboot_cert \
     --mount=type=bind,from=base,src=/,target=/target \
@@ -47,7 +47,7 @@ RUN --network=none --mount=type=tmpfs,target=/run \
 EOF
 
 FROM base as final
-RUN --network=none --mount=type=tmpfs,target=/run \
+RUN --network=none --mount=type=tmpfs,target=/run --mount=type=tmpfs,target=/tmp \
     --mount=type=bind,from=kernel,src=/,target=/run/kernel <<EOF
 set -xeuo pipefail
 kver=$(cd /usr/lib/modules && echo *)
@@ -61,8 +61,13 @@ rm -v /usr/lib/modules/${kver}/{vmlinuz,initramfs.img}
 # Symlink into the /usr/lib/modules location
 ln -sr $target /usr/lib/modules/${kver}/$(basename $kver.efi)
 EOF
-# Use tmpfs on /run to ensure lint sees empty /run (hiding any podman-created content)
-RUN --network=none --mount=type=tmpfs,target=/run bootc container lint --fatal-warnings
+# lint: allow non-tmpfs
+RUN --network=none <<EORUN
+set -xeuo pipefail
+# workaround for https://github.com/containers/buildah/pull/6233
+rm -vrf /run/systemd
+bootc container lint --fatal-warnings
+EORUN
 
 FROM base as final-final
 COPY --from=final /boot /boot

crates/xtask/src/buildsys.rs

@@ -13,7 +13,7 @@ const DOCKERFILE_NETWORK_CUTOFF: &str = "external dependency cutoff point";
 ///
 /// - Reproducible builds for the RPM
 /// - Dockerfile network isolation after cutoff point
-/// - Dockerfile tmpfs on /run for all RUN instructions
+/// - Dockerfile tmpfs on /run and /tmp for all RUN instructions
 #[context("Checking build system")]
 pub fn check_buildsys(sh: &Shell, dockerfile_path: &Utf8Path) -> Result<()> {
     check_package_reproducibility(sh)?;
@@ -75,11 +75,16 @@ fn check_dockerfile_rules(dockerfile_path: &Utf8Path) -> Result<()> {
 }
 
 const RUN_NETWORK_NONE: &str = "RUN --network=none";
-const RUN_TMPFS: &str = "--mount=type=tmpfs,target=/run";
+const RUN_TMPFS_RUN: &str = "--mount=type=tmpfs,target=/run";
+const RUN_TMPFS_TMP: &str = "--mount=type=tmpfs,target=/tmp";
+const ALLOW_NON_TMPFS: &str = "# lint: allow non-tmpfs";
 
 /// Verify Dockerfile rules:
-/// - All RUN instructions must include `--mount=type=tmpfs,target=/run` to prevent
-///   podman's DNS resolver files from leaking into the image
+/// - All RUN instructions must include `--mount=type=tmpfs,target=/run` and
+///   `--mount=type=tmpfs,target=/tmp` to prevent podman's DNS resolver files
+///   and temporary files from leaking into the image
+/// - A comment `# lint: allow non-tmpfs` on the preceding line exempts a RUN
+///   instruction from the tmpfs requirement
 /// - After the network cutoff, all RUN instructions must start with `--network=none`
 ///
 /// Returns Ok(()) if all RUN instructions comply, or an error listing violations.
@@ -96,20 +101,38 @@ pub fn verify_dockerfile_rules(dockerfile: &str) -> Result<()> {
         })?;
 
     let mut errors = Vec::new();
+    let mut skip_tmpfs_check = false;
 
     for (idx, line) in dockerfile.lines().enumerate() {
         let line_num = idx + 1; // 1-based line numbers
         let trimmed = line.trim();
 
+        // Check for the allow comment directive
+        if trimmed.starts_with(ALLOW_NON_TMPFS) {
+            skip_tmpfs_check = true;
+            continue;
+        }
+
         // Check if this is a RUN instruction
         if trimmed.starts_with("RUN ") {
-            // All RUN instructions must include tmpfs mount on /run
-            if !trimmed.contains(RUN_TMPFS) {
-                errors.push(format!(
-                    "  line {}: RUN instruction must include `{}`",
-                    line_num, RUN_TMPFS
-                ));
+            if !skip_tmpfs_check {
+                // All RUN instructions must include tmpfs mount on /run
+                if !trimmed.contains(RUN_TMPFS_RUN) {
+                    errors.push(format!(
+                        "  line {}: RUN instruction must include `{}`",
+                        line_num, RUN_TMPFS_RUN
+                    ));
+                }
+
+                // All RUN instructions must include tmpfs mount on /tmp
+                if !trimmed.contains(RUN_TMPFS_TMP) {
+                    errors.push(format!(
+                        "  line {}: RUN instruction must include `{}`",
+                        line_num, RUN_TMPFS_TMP
+                    ));
+                }
             }
+            skip_tmpfs_check = false;
 
             // After cutoff, must start with exactly "RUN --network=none"
             if idx > cutoff_line && !trimmed.starts_with(RUN_NETWORK_NONE) {
@@ -139,35 +162,57 @@ mod tests {
     fn test_dockerfile_rules_valid() {
         let dockerfile = r#"
 FROM base
-RUN --mount=type=tmpfs,target=/run echo "before cutoff, network allowed"
+RUN --mount=type=tmpfs,target=/run --mount=type=tmpfs,target=/tmp echo "before cutoff, network allowed"
 # external dependency cutoff point
-RUN --network=none --mount=type=tmpfs,target=/run echo "good"
-RUN --network=none --mount=type=tmpfs,target=/run --mount=type=bind,from=foo,target=/bar some-command
+RUN --network=none --mount=type=tmpfs,target=/run --mount=type=tmpfs,target=/tmp echo "good"
+RUN --network=none --mount=type=tmpfs,target=/run --mount=type=tmpfs,target=/tmp --mount=type=bind,from=foo,target=/bar some-command
+# lint: allow non-tmpfs
+RUN --network=none bootc container lint --fatal-warnings
 "#;
         verify_dockerfile_rules(dockerfile).unwrap();
     }
 
     #[test]
-    fn test_dockerfile_rules_missing_tmpfs_before_cutoff() {
+    fn test_dockerfile_rules_missing_tmpfs_run_before_cutoff() {
         let dockerfile = r#"
 FROM base
-RUN echo "bad - missing tmpfs"
+RUN --mount=type=tmpfs,target=/tmp echo "bad - missing /run tmpfs"
 # external dependency cutoff point
-RUN --network=none --mount=type=tmpfs,target=/run echo "good"
+RUN --network=none --mount=type=tmpfs,target=/run --mount=type=tmpfs,target=/tmp echo "good"
 "#;
         let err = verify_dockerfile_rules(dockerfile).unwrap_err();
         let msg = err.to_string();
         assert!(msg.contains("line 3"), "error should mention line 3: {msg}");
-        assert!(msg.contains("tmpfs"), "error should mention tmpfs: {msg}");
+        assert!(
+            msg.contains("target=/run"),
+            "error should mention target=/run: {msg}"
+        );
+    }
+
+    #[test]
+    fn test_dockerfile_rules_missing_tmpfs_tmp_before_cutoff() {
+        let dockerfile = r#"
+FROM base
+RUN --mount=type=tmpfs,target=/run echo "bad - missing /tmp tmpfs"
+# external dependency cutoff point
+RUN --network=none --mount=type=tmpfs,target=/run --mount=type=tmpfs,target=/tmp echo "good"
+"#;
+        let err = verify_dockerfile_rules(dockerfile).unwrap_err();
+        let msg = err.to_string();
+        assert!(msg.contains("line 3"), "error should mention line 3: {msg}");
+        assert!(
+            msg.contains("target=/tmp"),
+            "error should mention target=/tmp: {msg}"
+        );
     }
 
     #[test]
     fn test_dockerfile_rules_missing_network_flag_after_cutoff() {
         let dockerfile = r#"
 FROM base
-RUN --mount=type=tmpfs,target=/run echo "before cutoff"
+RUN --mount=type=tmpfs,target=/run --mount=type=tmpfs,target=/tmp echo "before cutoff"
 # external dependency cutoff point
-RUN --mount=type=tmpfs,target=/run echo "bad - missing network flag"
+RUN --mount=type=tmpfs,target=/run --mount=type=tmpfs,target=/tmp echo "bad - missing network flag"
 "#;
         let err = verify_dockerfile_rules(dockerfile).unwrap_err();
         let msg = err.to_string();
@@ -182,9 +227,9 @@ RUN --mount=type=tmpfs,target=/run echo "bad - missing network flag"
     fn test_dockerfile_rules_missing_tmpfs_after_cutoff() {
         let dockerfile = r#"
 FROM base
-RUN --mount=type=tmpfs,target=/run echo "before cutoff"
+RUN --mount=type=tmpfs,target=/run --mount=type=tmpfs,target=/tmp echo "before cutoff"
 # external dependency cutoff point
-RUN --network=none echo "bad - missing tmpfs"
+RUN --network=none echo "bad - missing both tmpfs"
 "#;
         let err = verify_dockerfile_rules(dockerfile).unwrap_err();
         let msg = err.to_string();
@@ -197,9 +242,9 @@ RUN --network=none echo "bad - missing tmpfs"
         // --network=none must come immediately after RUN
         let dockerfile = r#"
 FROM base
-RUN --mount=type=tmpfs,target=/run echo "before cutoff"
+RUN --mount=type=tmpfs,target=/run --mount=type=tmpfs,target=/tmp echo "before cutoff"
 # external dependency cutoff point
-RUN --mount=type=tmpfs,target=/run --network=none echo "bad - network flag not first"
+RUN --mount=type=tmpfs,target=/run --mount=type=tmpfs,target=/tmp --network=none echo "bad - network flag not first"
 "#;
         let err = verify_dockerfile_rules(dockerfile).unwrap_err();
         let msg = err.to_string();