OpenLiberty with readonly container requires /tmp to be writeable

Open punktilious opened this issue 2 years ago • 1 comments

The current documentation (https://hub.docker.com/_/open-liberty) suggests:

docker run -d -p 80:9080 -p 443:9443 \
    --tmpfs /opt/ol/wlp//output --tmpfs /logs -v /config --read-only \
    open-liberty:webProfile8

However, the server will now fail to start with this error:

/opt/ol/wlp/bin/server: line 196: cannot create temp file for here-document: Read-only file system

Please update the documentation to note that /tmp also needs to be writeable and provide a new example command:

docker run -d -p 80:9080 -p 443:9443 \
    --tmpfs /opt/ol/wlp/output --tmpfs /tmp --tmpfs /logs -v /config --read-only \
    open-liberty:webProfile8

Extra search terms: Kubernetes k8s readOnlyRootFilesystem.

punktilious, Sep 24 '23 14:09

This document states that the WLP_OUTPUT_DIR env variable can be used to set the output directory. It seems that the creation of the here-document outside of the WLP_OUTPUT_DIR is breaking that contract.

This is blocking the ability to run Liberty securely in Kubernetes, where setting readOnlyRootFilesystem: true is a best practice.

This issue looks like it has a possible workaround: https://github.com/OpenLiberty/ci.docker/issues/363

laveronec, Feb 23 '24 00:02
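
For the Kubernetes case raised in the thread, the corrected docker run command maps to a Pod spec along these lines. This manifest is an added example, not taken from the issue or from the Open Liberty project. Assumptions: the resource names and sizeLimit values are constructed, memory-backed emptyDir volumes stand in for --tmpfs, and the server recreates whatever it needs under the initially empty mounts.

```yaml
# Added example: Kubernetes counterpart of the corrected docker run command.
apiVersion: v1
kind: Pod
metadata:
  name: open-liberty-readonly        # hypothetical name
spec:
  containers:
    - name: liberty                  # hypothetical name
      image: open-liberty:webProfile8
      ports:
        - containerPort: 9080
        - containerPort: 9443
      securityContext:
        readOnlyRootFilesystem: true # counterpart of --read-only
      volumeMounts:
        - name: tmp                  # the mount missing from the documented command
          mountPath: /tmp
        - name: logs
          mountPath: /logs
        - name: wlp-output
          mountPath: /opt/ol/wlp/output
  volumes:
    # medium: Memory backs each emptyDir with tmpfs, like --tmpfs.
    # sizeLimit values are constructed; size them for your workload.
    - name: tmp
      emptyDir: {medium: Memory, sizeLimit: 64Mi}
    - name: logs
      emptyDir: {medium: Memory, sizeLimit: 128Mi}
    - name: wlp-output
      emptyDir: {medium: Memory, sizeLimit: 256Mi}
  # The -v /config volume from the docker command is not mirrored here:
  # an emptyDir starts empty and would hide the configuration in the image.
  # If the server must write under /config, mount a volume that already
  # holds that configuration (assumption; the issue does not cover this).
```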