Can't use read-only file system anymore

[GlebKuzmich]

Hey,

We've been using FusionAuth for quite a while, but starting with recent updates started to have the following error:

sed: couldn't open temporary file /opt/openjdk/conf/security/sedxxx: Read-only file system

Indeed, setting the container's read-only option to false does not seem to be a great idea.

Any advice or workaround would be much appreciated.

Best

[GlebKuzmich]

@mooreds I've been advised to tag you as a person that might help to find some solution to the above issue :)

[mooreds]

@GlebKuzmich 👋 .

Can you tell me a bit more about what you are doing where you are seeing this error? Are you creating a child image? Or are you seeing this with the default Dockerfile?

[GlebKuzmich]

@mooreds Hey, sorry about the delay, I need to turn on notifications :D

We use the default Dockerfile in EKS, we start to see the error mentioned above as soon we set

          securityContext:
            readOnlyRootFilesystem: true 

As far as I remember, that did not happen until FusionAuth version 1.37.x. (maybe 1.38.x).
Ideally, we'd like to have the readOnlyRootFilesystem option on, so need your advice on how to get it back.

Best regards,

Gleb

[mooreds]

@GlebKuzmich does FusionAuth start up and when you set the readonly attribute to true? Or does it fail to start?

I looked at the startup script and the reason it does this is because of this issue: FusionAuth/fusionauth-site#1202 and this issue: FusionAuth/fusionauth-issues#1814 (which reverted 1202, essentially).

[GlebKuzmich]

@mooreds Nah, the EKS pod can't start properly with read-only being set to true, it just throws that temporary file error as soon as it spins up.

[mooreds]

@GlebKuzmich thanks. I will file a tracking issue in our issues repository.

No easy workaround right now, sorry.

[mooreds]

Feel free to add any additional info or commentary, @GlebKuzmich : FusionAuth/fusionauth-issues#1924

Also upvote it by giving it a thumbs up emoji, as that helps us determine the roadmap.