Add minimal rw tmpfs for /tmp and /run
At least in production, some issues happened that required /tmp to be writable. To preserve the read-only state of the container, use a small tmpfs that is enough for the container to run. /run is another that might be needed, so make it part of the defaults used.
Fixes #101 (closed)