artemiscloud / activemq-artemis-operator

Apache License 2.0

support for read only root file-system #1017

Closed brusdev closed 1 hour ago

brusdev commented 2 months ago

Discussed in https://github.com/artemiscloud/activemq-artemis-operator/discussions/1014

Originally posted by **robert-mcnamara** September 17, 2024

Hi Artemis Cloud maintainers,

We use the artemis-operator to deploy Artemis on EKS. Our EKS platform team is enforcing strict security requirements where workloads must have a read-only root file-system. This applies to init containers and containers.

We have tested out the following configuration when creating Artemis instances against our desired use-cases and so far testing has been positive.

```
extraVolumeMounts:
  - mountPath: /home/jboss/amq-broker
    name: amq-jboss-home
  - mountPath: /opt/jboss/container/jolokia/etc
    name: jolokia-configuration
  - mountPath: /tmp
    name: temp-dir
extraVolumes:
  - emptyDir: {}
    name: amq-jboss-home
  - emptyDir: {}
    name: jolokia-configuration
  - emptyDir: {}
    name: temp-dir
```

These changes have enabled the init container and main broker container to start and function with `readOnlyRootFilesystem` set to `true`, by using volumes of type `emptyDir` mounted on the paths the Artemis init-container is writing to.

We would like to discuss how this could be supported 'natively' without a user having to apply a change like the one above. Perhaps something like: if readOnlyRootFilesystem is enabled, the operator would add the emptyDir volumes and mounts for a tmp and 'run' directory, and the Artemis images could be updated to install into or use the tmp and run directory as needed.

Your input on this would be much appreciated.

Note: we recently experienced something similar while exploring IBM MQ on EKS and found a newer version of IBM MQ approached this in a similar way. Ref: https://github.com/ibm-messaging/mq-container/blob/master/docs/usage.md#running-with-a-read-only-root-filesystem

gtully commented 1 month ago

With the current release, this is a good use of extraVolumes.

I am working on a restricted deployment flag, where the broker is very much locked down, readOnlyRootFilesystem would be a default in that scenario. I think 'native support' would make sense in that context. There is a POC in progress at https://github.com/gtully/activemq-artemis-operator/tree/control_plane that I will flesh out a bit more by the end of next week.

gtully commented 1 hour ago

Am going to resolve this in the context of the restricted flag.