3 files changed, 28 insertions, 1 deletions

diff --git a/pkg/inspect/inspect.go b/pkg/inspect/inspect.go
index 270e431ad..6978370ef 100644
--- a/pkg/inspect/inspect.go
+++ b/pkg/inspect/inspect.go
@@ -38,7 +38,8 @@ type HostConfig struct {
 	PidMode              string                      `json:"PidMode"`
 	Privileged           bool                        `json:"Privileged"`
 	PublishAllPorts      bool                        `json:"PublishAllPorts"` //TODO
-	ReadonlyRootfs       bool                        `json:"ReadonlyRootfs"`
+	ReadOnlyRootfs       bool                        `json:"ReadonlyRootfs"`
+	ReadOnlyTmpfs        bool                        `json:"ReadonlyTmpfs"`
 	SecurityOpt          []string                    `json:"SecurityOpt"`
 	UTSMode              string                      `json:"UTSMode"`
 	UsernsMode           string                      `json:"UsernsMode"`
diff --git a/pkg/spec/createconfig.go b/pkg/spec/createconfig.go
index e71d9d3db..064dedd45 100644
--- a/pkg/spec/createconfig.go
+++ b/pkg/spec/createconfig.go
@@ -113,6 +113,7 @@ type CreateConfig struct {
 	PublishAll         bool     //publish-all
 	Quiet              bool     //quiet
 	ReadOnlyRootfs     bool     //read-only
+	ReadOnlyTmpfs      bool     //read-only-tmpfs
 	Resources          CreateResourceConfig
 	Rm                 bool              //rm
 	StopSignal         syscall.Signal    // stop-signal
diff --git a/pkg/spec/spec.go b/pkg/spec/spec.go
index 0371b6d4d..4cbed0ea4 100644
--- a/pkg/spec/spec.go
+++ b/pkg/spec/spec.go
@@ -341,6 +341,31 @@ func CreateConfigToOCISpec(config *CreateConfig) (*spec.Spec, error) { //nolint
 		}
 	}
 
+	if config.ReadOnlyRootfs && config.ReadOnlyTmpfs {
+		options := []string{"rw", "rprivate", "nosuid", "nodev", "tmpcopyup"}
+		for _, i := range []string{"/tmp", "/var/tmp"} {
+			if libpod.MountExists(g.Config.Mounts, i) {
+				continue
+			}
+			// Default options if nothing passed
+			tmpfsMnt := spec.Mount{
+				Destination: i,
+				Type:        "tmpfs",
+				Source:      "tmpfs",
+				Options:     options,
+			}
+			g.AddMount(tmpfsMnt)
+		}
+		if !libpod.MountExists(g.Config.Mounts, "/run") {
+			tmpfsMnt := spec.Mount{
+				Destination: "/run",
+				Type:        "tmpfs",
+				Source:      "tmpfs",
+				Options:     append(options, "noexec", "size=65536k"),
+			}
+			g.AddMount(tmpfsMnt)
+		}
+	}
 	for name, val := range config.Env {
 		g.AddProcessEnv(name, val)
 	}