Enhancement: allow kubeinvaders to run with read-only FS

Given the following deployment.yaml:

apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app.kubernetes.io/instance: kubeinvaders
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: kubeinvaders
    argocd.argoproj.io/instance: kubeinvaders
    helm.sh/chart: kubeinvaders-1.9.2
  name: kubeinvaders
  namespace: kubeinvaders
spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/instance: kubeinvaders
      app.kubernetes.io/name: kubeinvaders
  template:
    metadata:
      labels:
        app.kubernetes.io/instance: kubeinvaders
        app.kubernetes.io/name: kubeinvaders
    spec:
      containers:
        - env:
            - name: ENDPOINT
              value: space.alleaffengaffen.ch
            - name: NAMESPACE
              value: default
            - name: ALIENPROXIMITY
              value: '10'
            - name: HITSLIMIT
              value: '1'
            - name: UPDATETIME
              value: '0.5'
          image: 'luckysideburn/kubeinvaders:v1.9'
          name: kubeinvaders
          ports:
            - containerPort: 8080
              name: http
              protocol: TCP
          volumeMounts:
            - mountPath: /usr/local/openresty
              name: openresty
      securityContext:
        fsGroup: 999
        runAsGroup: 999
        runAsUser: 999
      serviceAccount: kubeinvaders
      serviceAccountName: kubeinvaders
      terminationGracePeriodSeconds: 30
      volumes:
        - emptyDir: {}
          name: openresty

I still get the following error log:

sed: couldn't open temporary file /var/www/html/sedJAIsTK: Read-only file system
2022/09/19 14:44:03 [emerg] 11#11: unknown directive "access_by_lua_file" in /etc/nginx/conf.d/KubeInvaders.conf:21
nginx: [emerg] unknown directive "access_by_lua_file" in /etc/nginx/conf.d/KubeInvaders.conf:21

*** FATAL CONFIG FILE ERROR ***
Reading the configuration file, at line 13
>>> 'logfile stdou'
Can't open the log file: Read-only file system

Given that the Dockerfile shows /var/www/html contains files from the repo/app, which prevents me from mounting emptyDir in /var/www/html, and the file that it wants to write there is randomly generated, I guess kubeinvaders cannot be run when the container is run with a read-only FS.

So that would be an enhancement 😉

Issue Analytics

  • State: closed
  • Created a year ago
  • Comments: 11 (11 by maintainers)

Top GitHub Comments

1 reaction
lucky-sideburn commented, Oct 25, 2022

Thanks @the-technat!

I added a new feature for programming mode… The purpose is to use YAML to do a kind of “Chaos Engineering Programming”… Please let me know what you think!

Thanks Eug

1 reaction
the-technat commented, Oct 25, 2022

I tried it, there are still some issues with read-only FS and non-root. I guess the app is just not made to be run with read-only FS.

I’m closing this as it seems not easily achievable and not really necessary unless someone else has the same “problem”.
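
A common pattern for the constraint described in the issue, shown as an added example that is not part of the thread or the kubeinvaders chart: an init container copies the image's /var/www/html into an emptyDir, which is then mounted over that path so sed can create its temporary file while the root filesystem stays read-only. Assumptions: the image provides sh and cp, UID 999 can read the files, the init container name and the /seed path are made up here, and the remaining env entries, ports and serviceAccountName carry over unchanged from the manifest in the issue. It has not been verified against this image and does not address the other errors in the log.

```yaml
# Added example: seed an emptyDir from the image so /var/www/html is writable
# while the container root filesystem is read-only (not the project's own manifest).
apiVersion: apps/v1
kind: Deployment
metadata:
  name: kubeinvaders
  namespace: kubeinvaders
spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: kubeinvaders
  template:
    metadata:
      labels:
        app.kubernetes.io/name: kubeinvaders
    spec:
      securityContext:
        fsGroup: 999
        runAsGroup: 999
        runAsUser: 999
      initContainers:
        - name: seed-html                  # assumed name
          image: 'luckysideburn/kubeinvaders:v1.9'
          # Copy the files baked into the image into the empty volume (assumes sh and cp exist).
          command: ['sh', '-c', 'cp -R /var/www/html/. /seed/']
          securityContext:
            readOnlyRootFilesystem: true
          volumeMounts:
            - mountPath: /seed             # assumed staging path
              name: html
      containers:
        - name: kubeinvaders
          image: 'luckysideburn/kubeinvaders:v1.9'
          env:
            - name: ENDPOINT
              value: space.alleaffengaffen.ch
            - name: NAMESPACE
              value: default
          securityContext:
            readOnlyRootFilesystem: true
          volumeMounts:
            # The seeded copy shadows the image directory, so in-place edits land on the volume.
            - mountPath: /var/www/html
              name: html
      volumes:
        - emptyDir: {}
          name: html
```

An emptyDir mounted directly over a path hides whatever the image placed there, so any other image-populated directory that needs to be writable, such as the /usr/local/openresty mount in the issue's manifest, needs the same seeding step.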
