bokysan / docker-postfix

Multi architecture simple SMTP server (postfix null relay) host for your Docker and Kubernetes containers. Based on Debian/Ubuntu/Alpine.
MIT License

A restrictive security context causes Read-only file system error #199

Closed giorgionanfa closed 6 months ago

giorgionanfa commented 6 months ago

Hi, I am using the mail chart and trying to set this security context (necessary for project policies):

pod:
  securityContext:
    runAsNonRoot: true
    runAsUser: 1000
    runAsGroup: 1000
    fsGroup: 1000
container:
  postfix:
    securityContext:
      allowPrivilegeEscalation: false
      runAsNonRoot: true
      readOnlyRootFilesystem: true

After the chart is installed, the pod continuously restarts with the following logs:

chmod: changing permissions of '/scripts/common-run.sh': Read-only file system
chmod: changing permissions of '/scripts/common.sh': Read-only file system
chmod: changing permissions of '/scripts/cron.sh': Read-only file system
chmod: changing permissions of '/scripts/email-anonymizer.sh': Read-only file system
chmod: changing permissions of '/scripts/healthcheck.sh': Read-only file system
chmod: changing permissions of '/scripts/opendkim.sh': Read-only file system
chmod: changing permissions of '/scripts/postfix.sh': Read-only file system
chmod: changing permissions of '/scripts/run.sh': Read-only file system

Do you have any ideas on how I can solve this problem or if it's possible? Thanks a lot!
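A small triage helper for the situation in this report, added here as an example and not part of the docker-postfix project or chart: it parses `Read-only file system` log lines, compares the failing paths with the container's writable volume mounts under `readOnlyRootFilesystem: true`, and lists the paths the entrypoint writes to that no writable volume covers. The pod spec and the third log line are constructed sample input (the two `/scripts` lines are the ones quoted above); the function names `failing_paths`, `writable_mounts`, `triage` and `suggested_dirs` are this example's own, and the spec shape assumed is the standard Kubernetes PodSpec (`containers[].securityContext`, `volumeMounts`, `volumes`).

```python
"""Triage 'Read-only file system' failures against a pod's writable mounts.

Added example (not project code). Assumes a Kubernetes-style pod spec as a dict.
"""
import os
import re
from typing import Dict, List

# Constructed sample log: two lines quoted from the report plus one
# constructed line under a path that a writable emptyDir does cover.
SAMPLE_LOG = """\
chmod: changing permissions of '/scripts/common-run.sh': Read-only file system
chmod: changing permissions of '/scripts/run.sh': Read-only file system
chmod: changing permissions of '/var/spool/postfix/pid/master.pid': Read-only file system
"""

# Constructed pod spec fragment mirroring the security context in the report,
# with two emptyDir volumes mounted writable (hypothetical volume names).
SAMPLE_POD: Dict = {
    "securityContext": {"runAsNonRoot": True, "runAsUser": 1000,
                        "runAsGroup": 1000, "fsGroup": 1000},
    "containers": [
        {
            "name": "postfix",
            "securityContext": {"allowPrivilegeEscalation": False,
                                "runAsNonRoot": True,
                                "readOnlyRootFilesystem": True},
            "volumeMounts": [
                {"name": "spool", "mountPath": "/var/spool/postfix"},
                {"name": "tmp", "mountPath": "/tmp"},
            ],
        }
    ],
    "volumes": [{"name": "spool", "emptyDir": {}}, {"name": "tmp", "emptyDir": {}}],
}

# Matches "<tool>: ... '<path>': Read-only file system" as printed by coreutils.
EROFS_RE = re.compile(r"^[\w-]+: .*?'(?P<path>[^']+)': Read-only file system$")


def failing_paths(log: str) -> List[str]:
    """Paths named in EROFS log lines, deduplicated, in first-seen order."""
    seen: List[str] = []
    for line in log.splitlines():
        m = EROFS_RE.match(line.strip())
        if m and m.group("path") not in seen:
            seen.append(m.group("path"))
    return seen


def writable_mounts(container: Dict) -> List[str]:
    """Mount paths that remain writable even with readOnlyRootFilesystem."""
    return [vm["mountPath"] for vm in container.get("volumeMounts", [])
            if not vm.get("readOnly", False)]


def covered(path: str, mounts: List[str]) -> bool:
    """True if `path` is the mount point itself or lies beneath one."""
    return any(path == m or path.startswith(m.rstrip("/") + "/") for m in mounts)


def suggested_dirs(paths: List[str]) -> List[str]:
    """Parent directories of uncovered paths, i.e. where writes were attempted."""
    return sorted({os.path.dirname(p) for p in paths})


def triage(pod: Dict, container_name: str, log: str) -> Dict:
    """Report whether the root FS is read-only and which failing paths no writable mount covers."""
    container = next(c for c in pod["containers"] if c["name"] == container_name)
    sc = container.get("securityContext", {})
    mounts = writable_mounts(container)
    uncovered = [p for p in failing_paths(log) if not covered(p, mounts)]
    return {
        "read_only_root": bool(sc.get("readOnlyRootFilesystem")),
        "writable_mounts": mounts,
        "uncovered_paths": uncovered,
    }


if __name__ == "__main__":
    report = triage(SAMPLE_POD, "postfix", SAMPLE_LOG)
    print(report)
    print("directories written to outside any writable mount:",
          suggested_dirs(report["uncovered_paths"]))
```

On the sample input the report shows `/scripts/common-run.sh` and `/scripts/run.sh` as uncovered while the spool path is covered by its emptyDir. Note that the output only locates the writes; mounting an emptyDir over `/scripts` would shadow the scripts shipped in the image, so a directory the image itself populates has to be handled in the entrypoint rather than by adding a volume.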

bokysan commented 6 months ago

Huh, I have not tested this use case.

You will run into a lot of issues trying to run it this way:

Even if we were to ignore all of this, by running this as a specific, non-root user, you'd be forcing all these services to run under the same account. Doable? Most likely. Does it increase security? That is a question.

Frankly, I don't feel like taking this on at this stage, but if someone provided a pull request, I would consider merging it.

bokysan commented 6 months ago

Duplicate of #195