FusionAuth / fusionauth-containers

Container definitions for docker, kubernetes, helm, and whatever containers come next!
https://fusionauth.io/

Can't use read-only file system anymore #87

Open GlebKuzmich opened 2 years ago

GlebKuzmich commented 2 years ago

Hey,

We've been using FusionAuth for quite a while, but starting with recent updates we started to have the following error:

sed: couldn't open temporary file /opt/openjdk/conf/security/sedxxx: Read-only file system

Indeed, setting the container's read-only option to false does not seem to be a great idea.

Any advice or workaround would be much appreciated.

Best

GlebKuzmich commented 1 year ago

@mooreds I've been advised to tag you as a person that might help to find some solution to the above issue :)

mooreds commented 1 year ago

@GlebKuzmich 👋 .

Can you tell me a bit more about what you are doing where you are seeing this error? Are you creating a child image? Or are you seeing this with the default Dockerfile?

GlebKuzmich commented 1 year ago

@mooreds Hey, sorry about the delay, I need to turn on notifications :D

We use the default Dockerfile in EKS, and we start to see the error mentioned above as soon as we set

          securityContext:
            readOnlyRootFilesystem: true 

As far as I remember, that did not happen until FusionAuth version 1.37.x. (maybe 1.38.x). Ideally, we'd like to have the readOnlyRootFilesystem option on, so need your advice on how to get it back.

Best regards,

Gleb

mooreds commented 1 year ago

@GlebKuzmich does FusionAuth start up when you set the readonly attribute to true? Or does it fail to start?

I looked at the startup script and the reason it does this is because of this issue: https://github.com/FusionAuth/fusionauth-site/issues/1202 and this issue: https://github.com/FusionAuth/fusionauth-issues/issues/1814 (which reverted 1202, essentially).

GlebKuzmich commented 1 year ago

@mooreds Nah, the EKS pod can't start properly with read-only being set to true, it just throws that temporary file error as soon as it spins up.

mooreds commented 1 year ago

@GlebKuzmich thanks. I will file a tracking issue in our issues repository.

No easy workaround right now, sorry.

mooreds commented 1 year ago

Feel free to add any additional info or commentary, @GlebKuzmich : https://github.com/FusionAuth/fusionauth-issues/issues/1924

Also upvote it by giving it a thumbs up emoji, as that helps us determine the roadmap.