Description
Summary
As a best practice in running production-facing containers, we run our built Python containers with a security context preventing writing to root. While we provide a writeable /tmp, the .venv folder is definitely not writeable.
The container, built with uv, will have installed any dependencies it needs during the build phase, and therefore should not be trying to write when `uv run` is invoked.
We are running uv with:

```dockerfile
# enable uv to run without cache
ENV UV_NO_CACHE=true
ENV UV_FROZEN=true
```

In later versions, with that security context we will see the following:

```
error: Read-only file system (os error 30) at path "/app/.venv/.tmpbgoo4f"
```
This appears to be related to https://github.com/astral-sh/uv/pull/14153/files.
uv was not attempting to write to this location in 0.7.13 and prior versions.
Small dockerfile to reproduce this (the pyproject/lock file can be any):
```dockerfile
ARG UV_VERSION=0.7.17
FROM ghcr.io/astral-sh/uv:$UV_VERSION AS uv
FROM python:3.13-slim
COPY --from=uv /uv /uvx /bin/
WORKDIR /app
ARG USERNAME=app
ARG USER_UID=1000
ARG USER_GID=$USER_UID
# Create the user
RUN groupadd --gid $USER_GID $USERNAME \
    && useradd --uid $USER_UID --gid $USER_GID -m $USERNAME \
    && chown $USERNAME:$USERNAME /app
# define the user to run the application
USER $USERNAME
# enable uv to run without cache
ENV UV_NO_CACHE=true
ENV UV_FROZEN=true
COPY pyproject.toml uv.lock /app/
# install dependencies
RUN uv sync
CMD ["uv", "run", "python", "--version"]
```

This can be built and run with:

```shell
export VERSION=17
docker build --build-arg UV_VERSION="0.7.${VERSION}" . -f uv-test.Dockerfile -t uv-test:${VERSION}
docker run --rm -it --read-only --tmpfs /tmp:rw uv-test:${VERSION}
```

This was tried with the range 13 through to 18. The error will be seen in any version 14 or later.
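The build-and-run steps above generalised into a version sweep, as an added example that is not part of the report: it builds the reporter's Dockerfile for each 0.7.x patch level, runs it with the same `--read-only --tmpfs /tmp:rw` flags, and classifies the output by whether the `os error 30` line appears. It assumes `uv-test.Dockerfile`, `pyproject.toml` and `uv.lock` are in the current directory; the function names are mine.

```shell
#!/bin/sh
# Added example (not the reporter's code): sweep uv 0.7.x patch versions and
# record which ones fail to start under a read-only root filesystem.

# Classify captured container output and exit status:
#   "rofs"  - the read-only file system error quoted in the report is present
#   "other" - container exited non-zero for some other reason
#   "ok"    - container exited zero
classify_output() {
    out="$1"
    status="$2"
    if printf '%s\n' "$out" | grep -q 'Read-only file system (os error 30)'; then
        echo rofs
    elif [ "$status" -ne 0 ]; then
        echo other
    else
        echo ok
    fi
}

# Build and run one patch version exactly as in the report, but without -it so
# it can run unattended from CI; prints the classification for that version.
check_version() {
    ver="$1"
    docker build --build-arg UV_VERSION="0.7.${ver}" . -f uv-test.Dockerfile \
        -t "uv-test:${ver}" >/dev/null 2>&1 || { echo build-failed; return; }
    status=0
    out=$(docker run --rm --read-only --tmpfs /tmp:rw "uv-test:${ver}" 2>&1) || status=$?
    classify_output "$out" "$status"
}

# Sweep an inclusive patch range (e.g. run_matrix 13 18), one line per version.
run_matrix() {
    first="$1"
    last="$2"
    v="$first"
    while [ "$v" -le "$last" ]; do
        printf '0.7.%s %s\n' "$v" "$(check_version "$v")"
        v=$((v + 1))
    done
}
```

Running `run_matrix 13 18` prints one line per version, so the first patch level reporting `rofs` is the regression point to pin below until the fix lands.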
Platform
docker ghcr.io/astral-sh/uv + python:3.13-slim
Version
0.7.14, 15, 16, 17, 18.
Python version
3.13