OpenLiberty / ci.docker

Eclipse Public License 1.0

OpenLiberty with readonly container requires /tmp to be writeable #457

Open punktilious opened 1 year ago

punktilious commented 1 year ago

The current documentation (https://hub.docker.com/_/open-liberty) suggests:

docker run -d -p 80:9080 -p 443:9443 \
    --tmpfs /opt/ol/wlp//output --tmpfs /logs -v /config --read-only \
    open-liberty:webProfile8

However, the server will now fail to start with this error:

/opt/ol/wlp/bin/server: line 196: cannot create temp file for here-document: Read-only file system

Please update the documentation to note that /tmp also needs to be writeable and provide a new example command:

docker run -d -p 80:9080 -p 443:9443 \
    --tmpfs /opt/ol/wlp/output --tmpfs /tmp --tmpfs /logs -v /config --read-only \
    open-liberty:webProfile8

Extra search terms: Kubernetes k8s readOnlyRootFilesystem.

laveronec commented 7 months ago

This document states that the WLP_OUTPUT_DIR env variable can be used to set the output directory. It seems that the creation of the here-document outside of the WLP_OUTPUT_DIR is breaking that contract.

This is blocking the ability to run Liberty securely in Kubernetes, where setting readOnlyRootFilesystem: true is a best practice.

This issue looks like it has a possible workaround: https://github.com/OpenLiberty/ci.docker/issues/363
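
For the Kubernetes case raised in this thread, the corrected `docker run` command maps to a Pod spec roughly as follows. This is an added example, not part of the issue or the Open Liberty project's own manifests; the `liberty-*` names are hypothetical, and the image, ports and paths are the ones quoted in the issue.

```yaml
# Added example (not from the Open Liberty project).
# Hypothetical names: liberty-readonly, liberty, liberty-output, liberty-tmp, liberty-logs.
apiVersion: v1
kind: Pod
metadata:
  name: liberty-readonly
spec:
  containers:
    - name: liberty
      image: open-liberty:webProfile8
      ports:
        - containerPort: 9080
        - containerPort: 9443
      securityContext:
        # Kubernetes counterpart of `docker run --read-only`
        readOnlyRootFilesystem: true
      volumeMounts:
        - name: liberty-output
          mountPath: /opt/ol/wlp/output
        - name: liberty-tmp
          # The mount this issue reports as missing: the server script
          # creates a here-document temp file under /tmp at startup.
          mountPath: /tmp
        - name: liberty-logs
          mountPath: /logs
      # Assumption: /config stays on the read-only image layer. Docker's
      # `-v /config` creates a volume, but an emptyDir always starts empty
      # and would hide whatever the image ships at that path.
  volumes:
    # medium: Memory is the emptyDir equivalent of `--tmpfs`; data written
    # here counts against the container's memory limit.
    - name: liberty-output
      emptyDir:
        medium: Memory
    - name: liberty-tmp
      emptyDir:
        medium: Memory
    - name: liberty-logs
      emptyDir:
        medium: Memory
```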