supertokens / supertokens-docker-postgresql

Docker image for SuperTokens and PostgreSQL

[Kubernetes] Breaks on Kubernetes ReadOnlyFileSystem #39

Open Moep90 opened 2 weeks ago

Moep90 commented 2 weeks ago

On a ReadOnlyFileSystem Pod in Kubernetes, you get many Read-only file system errors:

$ k logs -f supertokens-core-9fbc964db-t7vgj
Defaulted container "supertokens-core" out of: supertokens-core, create-db (init)
chown: changing ownership of '/usr/lib/supertokens/.started': Read-only file system
chown: changing ownership of '/usr/lib/supertokens/LICENSE.md': Read-only file system
chown: changing ownership of '/usr/lib/supertokens/cli/argon2-jvm-2.11.jar': Read-only file system
chown: changing ownership of '/usr/lib/supertokens/cli/argon2-jvm-nolibs-2.11.jar': Read-only file system
chown: changing ownership of '/usr/lib/supertokens/cli/cli.jar': Read-only file system
chown: changing ownership of '/usr/lib/supertokens/cli/gson-2.3.1.jar': Read-only file system
chown: changing ownership of '/usr/lib/supertokens/cli/jackson-annotations-2.16.1.jar': Read-only file system
chown: changing ownership of '/usr/lib/supertokens/cli/jackson-core-2.16.1.jar': Read-only file system
[....]
chown: changing ownership of '/usr/lib/supertokens/plugin-interface/plugin-interface-4.0.6.jar': Read-only file system
chown: changing ownership of '/usr/lib/supertokens/plugin-interface': Read-only file system
chown: changing ownership of '/usr/lib/supertokens/version.yaml': Read-only file system
chown: changing ownership of '/usr/lib/supertokens/webserver-temp': Read-only file system
chown: changing ownership of '/usr/lib/supertokens/': Read-only file system

There are many chown commands in the entry point; could they be made optional?

For instance, as an ENV:

env:
  READ_ONLY_FS: true
  # OR
  K8S: true
  # OR
  ON_KUBERNETES: true

https://github.com/supertokens/supertokens-docker-postgresql/blob/e6a6dae16e6dcac96e8901e5e8dd650d6f561548/docker-entrypoint.sh#L39

rishabhpoddar commented 2 weeks ago

Hi @Moep90

We will have to investigate this, but not quite sure when, since this issue hasn't been brought up by others that use SuperTokens on Kubernetes.

Maybe you could fork our repo and make your own docker image? We have instructions on how to do that here: https://github.com/supertokens/supertokens-core/wiki/Building-from-source#creating-a-docker-image

Moep90 commented 2 weeks ago

I assume they either build their container or helm chart 🤷

https://github.com/supertokens/supertokens-docker-postgresql/blob/master/helm-chart/templates/deployment.yaml#L38

https://github.com/supertokens/supertokens-docker-postgresql/blob/master/helm-chart/values.yaml#L94

rishabhpoddar commented 2 weeks ago

Not quite sure. The helm chart is community contributed.

Moep90 commented 2 weeks ago

It is currently impossible to run the docker image in a Kubernetes cluster with specific security requirements, such as a ReadOnlyRootFilesystem and/or another UID.

rishabhpoddar commented 2 weeks ago

Oh yeah, I get that. Which is why I suggested creating your own docker image from the link above without the chown command in it.

We can further investigate if we can remove that from our repo, but, not quite sure about the timeline for that, unless there is a lot of interest in this issue.
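
One way the ownership step in an entrypoint could be made conditional, as the issue asks (added example, not the project's docker-entrypoint.sh). `fix_ownership` and its decision strings are hypothetical, and `READ_ONLY_FS` is only the variable name proposed in the issue, not an option the image supports.

```shell
#!/bin/sh
# Added example: an ownership fix that tolerates readOnlyRootFilesystem and an
# arbitrary runAsUser instead of failing with "Read-only file system".
# Hypothetical call from an entrypoint: fix_ownership /usr/lib/supertokens/ "$APP_UID"
# ($APP_UID is a placeholder for the numeric UID the service runs as).

# fix_ownership DIR UID -> prints the decision taken; returns chown's status.
fix_ownership() {
    dir=$1
    uid=$2

    # 1. Explicit opt-out, using the variable name proposed in the issue.
    if [ "${READ_ONLY_FS:-false}" = "true" ]; then
        echo "skip:requested"
        return 0
    fi

    if [ ! -d "$dir" ]; then
        echo "skip:missing"
        return 0
    fi

    # 2. Nothing to do when every entry already belongs to the target UID,
    #    e.g. when ownership was set while the image was built.
    if [ -z "$(find "$dir" ! -user "$uid" 2>/dev/null | head -n 1)" ]; then
        echo "skip:already-owned"
        return 0
    fi

    # 3. Only root can change a file's owner; an arbitrary UID cannot.
    if [ "$(id -u)" -ne 0 ]; then
        echo "skip:not-root"
        return 0
    fi

    # 4. A read-only mount is reported as not writable, even for root.
    if [ ! -w "$dir" ]; then
        echo "skip:read-only"
        return 0
    fi

    chown -R "$uid" "$dir" && echo "chowned"
}
```

Every skip path returns 0, so the container keeps starting under a restricted securityContext; whether the service then runs correctly still depends on its writable paths being backed by mounted volumes.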