It is a general security recommendation to run containers in read_only mode except for the volumes you need to use. On arangodb:3.3 we could simply mount /var/lib/arangodb3 to a data volume, and set tmpfs to the host's /tmp directory.
It seems that with arangodb:3.4 the foxx-cli is run as root and tries to write a .foxxrc file to /root/.foxxrc and fails. The log shows:
Error: EROFS: read-only file system, open '/root/.foxxrc'
Side-note: the way the entrypoint.sh script loads initialization scripts, and specifically when it does so, isn't very clearly documented (we read through the script to figure this out). Since this is very valuable (seems to be one of the best ways to initialize ArangoDB) a little documentation would go a long way!