diff --git a/pkg/ytconfig/canondata/TestGetExecNodeConfig/test.canondata b/pkg/ytconfig/canondata/TestGetExecNodeConfig/test.canondata
index 9ee9359a..aadd61ce 100644
--- a/pkg/ytconfig/canondata/TestGetExecNodeConfig/test.canondata
+++ b/pkg/ytconfig/canondata/TestGetExecNodeConfig/test.canondata
@@ -109,6 +109,7 @@
 type=porto;
 "start_uid"=19500;
 };
+ "enable_tmpfs"=%true;
 };
 "gpu_manager"={
 "gpu_info_source"={
diff --git a/pkg/ytconfig/canondata/TestGetExecNodeConfigWithCri/test.canondata b/pkg/ytconfig/canondata/TestGetExecNodeConfigWithCri/test.canondata
index 5ef61115..a1a9d54d 100644
--- a/pkg/ytconfig/canondata/TestGetExecNodeConfigWithCri/test.canondata
+++ b/pkg/ytconfig/canondata/TestGetExecNodeConfigWithCri/test.canondata
@@ -120,6 +120,7 @@
 "use_job_proxy_from_image"=%false;
 };
 "do_not_set_user_id"=%true;
+ "enable_tmpfs"=%false;
 };
 "gpu_manager"={
 "gpu_info_source"={
diff --git a/pkg/ytconfig/canondata/TestGetExecNodeWithoutYtsaurusConfig/test.canondata b/pkg/ytconfig/canondata/TestGetExecNodeWithoutYtsaurusConfig/test.canondata
index 5e020e36..42721e11 100644
--- a/pkg/ytconfig/canondata/TestGetExecNodeWithoutYtsaurusConfig/test.canondata
+++ b/pkg/ytconfig/canondata/TestGetExecNodeWithoutYtsaurusConfig/test.canondata
@@ -118,6 +118,7 @@
 type=simple;
 "start_uid"=19500;
 };
+ "enable_tmpfs"=%false;
 };
 "gpu_manager"={
 "gpu_info_source"={
diff --git a/pkg/ytconfig/generator.go b/pkg/ytconfig/generator.go
index 01139d9c..16bcddc3 100644
--- a/pkg/ytconfig/generator.go
+++ b/pkg/ytconfig/generator.go
@@ -447,7 +447,7 @@ func (g *Generator) getControllerAgentConfigImpl(spec *ytv1.ControllerAgentsSpec
 return ControllerAgentServer{}, err
 }
- c.ControllerAgent.EnableTmpfs = g.ytsaurus.Spec.UsePorto
+ c.ControllerAgent.EnableTmpfs = true
 c.ControllerAgent.UseColumnarStatisticsDefault = true
 g.fillCommonService(&c.CommonServer, &spec.InstanceSpec)
diff --git a/pkg/ytconfig/node.go b/pkg/ytconfig/node.go
index 8f04f329..c371c526 100644
--- a/pkg/ytconfig/node.go
+++ b/pkg/ytconfig/node.go
@@ -419,11 +419,29 @@ func fillJobEnvironment(execNode *ExecNode, spec *ytv1.ExecNodesSpec, commonSpec
 // FIXME(khlebnikov): For now running jobs as non-root is more likely broken.
 execNode.SlotManager.DoNotSetUserId = ptr.Bool(ptr.BoolDeref(envSpec.UseArtifactBinds, true))
+ // Enable tmpfs if exec node can mount and propagate into job container.
+ execNode.SlotManager.EnableTmpfs = ptr.Bool(func() bool {
+ if !spec.Privileged {
+ return false
+ }
+ if !ptr.BoolDeref(envSpec.Isolated, true) {
+ return true
+ }
+ for _, location := range ytv1.FindAllLocations(spec.Locations, ytv1.LocationTypeSlots) {
+ mount := findVolumeMountForPath(location.Path, spec.InstanceSpec)
+ if mount == nil || mount.MountPropagation == nil || *mount.MountPropagation != corev1.MountPropagationBidirectional {
+ return false
+ }
+ }
+ return true
+ }())
 } else if commonSpec.UsePorto {
 jobEnv.Type = JobEnvironmentTypePorto
+ execNode.SlotManager.EnableTmpfs = ptr.Bool(true)
 // TODO(psushin): volume locations, root fs binds, etc.
 } else {
 jobEnv.Type = JobEnvironmentTypeSimple
+ execNode.SlotManager.EnableTmpfs = ptr.Bool(spec.Privileged)
 }
 return nil
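Review bot: In the CRI branch the closure returns true when `ytv1.FindAllLocations(spec.Locations, ytv1.LocationTypeSlots)` yields no slot locations, because the loop body never runs and no mount is ever checked for `corev1.MountPropagationBidirectional`; binding the result to `locations` and adding `if len(locations) == 0 { return false }` before the loop would make the check fail closed (this assumes FindAllLocations returns a slice, which the hunk does not show). The one-line comment above the closure should also spell out the precondition it encodes: tmpfs is enabled only for a privileged exec node whose every slot location sits on a volume mount with Bidirectional propagation, a mode Kubernetes permits only in privileged containers because mounts made there become visible on the host. The porto branch sets the flag to true without consulting `spec.Privileged`, unlike the simple branch below it; if that is intentional, a short comment saying why would save the next reader the question. fillJobEnvironment begins before this hunk and its closing brace lies after it.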