Corepack should have an option to be able to run on a readonly docker container

[marcmillien]

Description

I currently have the following Dockerfile:

FROM node:18-bullseye              
RUN corepack enable yarn

My production environment runs this image in readonly, this way:

docker run --rm -it --read-only --mount 'type=tmpfs,dst=/tmp' IMAGE_BUILT bash

The problem is we can't instruct corepack to not write cache folder leading to the following error running yarn:

root@5cd6509d006b:/# yarn --version
Internal Error: ENOENT: no such file or directory, mkdir '/root/.cache'
Error: ENOENT: no such file or directory, mkdir '/root/.cache'

My current workaround is to use /tmp (monkey patch, this folder is not the best from security perspective):

FROM node:18-bullseye              
ENV COREPACK_HOME /tmp/corepack
RUN corepack enable yarn

I think, the good solution from a security perspective would be to have an option to instruct corepack not to write anything.

[aduh95]

My current workaround is to use /tmp (monkey patch, this folder is not the best from security perspective)

Can you explain further? What's the security issue with /tmp?

I think, the good solution from a security perspective would be to have an option to instruct corepack not to write anything.

I'm not sure that's even possible, the downloaded code needs to be somewhere for Node.js to execute it – or we would need to ship a whole VFS implementation which I'm not sure is worth it. Yarn being only one file, that would not be necessary, and we would "just" need to monkey patch the CJS loader, however for the other package managers that ship in several files, that would get complicated I think.

[merceyz]

While it isn't what you're asking for, you could populate the cache before it becomes readonly:

FROM node:18-bullseye
RUN corepack enable yarn && yarn -v

Though ideally you wouldn't run yarn ... in production but node ./path/to/file.

[blephy]

Hi !

Many thanks for answering us.

Can you explain further? What's the security issue with /tmp?

/tmp isn't the security issue. As mentioned, we need (for security reason) run our final docker image in readonly. /tmp is the only folder which are not readonly, so we are installing corepack in it because it needs to write somethings after using yarn.

What we are trying to achieve is to have a docker image with corepack enable and with cache populated. Is there a solution to enable corepack so that when running the yarn command, corepack doesn't need to check the package manager (no network request), and doesn't need to write anything on disk ?

We must use yarn command to launch our production script, because it's a yarn berry workspaces, and the production script is encapsulated in a dedicated framework.