readOnlyFilesystem not supported by init image
saefty opened this issue · 1 comment
saefty commented
Bug Report
When using the init image with custom s3 configuration files it is not possible anymore to start fluent bit in a readOnlyFilesystem environment using ECS Fargate.
https://github.com/aws/aws-for-fluent-bit/blob/mainline/init/fluent_bit_init_process.go writes various files into the file system.
It would be possible to mount volumes when the fluent_bit_init_process
would clearly define a working directory which will be used to write files.
When we mount /init/
as a volume this will wipe the folder leading to missing files.
When we only mount /init/fluent-bit-init-s3-files/
we receive errors like:
time="2024-05-21T15:42:17Z" level=fatal msg="[FluentBit Init Process] Cannot create the file: /init/invoke_fluent_bit.sh\n"

To Reproduce
- ECS Fargate with readOnlyFilesystem
Expected behavior
- AWS security best practices can be applied according to "[ECS.5] ECS containers should be limited to read-only access to root filesystems" from the AWS Foundations Security Benchmark: https://docs.aws.amazon.com/securityhub/latest/userguide/fsbp-standard.html
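Added example (not code from the aws-for-fluent-bit project or from the issue author): a small Python check that reads an ECS task definition, flags containers whose root filesystem is not read-only (the ECS.5 control cited above), and verifies that every path a container is known to write lies under a writable mount point. The task definition, the container names `log_router` and `app`, and the volume name `init-scratch` are constructed for this example; the write paths are taken from the error message in this issue (`/init/invoke_fluent_bit.sh`) and the directory the reporter tried to mount (`/init/fluent-bit-init-s3-files/`).

```python
"""Check an ECS task definition against the read-only root filesystem control
(ECS.5) and verify that paths a container must write are covered by a mount.
The task definition below is constructed for this example."""
import json
from typing import Dict, List

# Constructed sample: a Fargate task running the fluent-bit init image with
# the root filesystem read-only and one volume mounted under /init/.
SAMPLE_TASK_DEFINITION = json.dumps({
    "family": "fluent-bit-readonly-demo",        # hypothetical family name
    "volumes": [{"name": "init-scratch"}],        # hypothetical volume name
    "containerDefinitions": [
        {
            "name": "log_router",
            # image reference abbreviated; tag is the version from the issue
            "image": "aws-for-fluent-bit:init-2.32.2.20240425",
            "readonlyRootFilesystem": True,
            "mountPoints": [
                {"sourceVolume": "init-scratch",
                 "containerPath": "/init/fluent-bit-init-s3-files/"}
            ],
        },
        {
            "name": "app",
            "image": "app-image:placeholder",     # placeholder image
            "mountPoints": [],                    # no readonlyRootFilesystem set
        },
    ],
})

# Paths the init process is observed writing: the script named in the issue's
# fatal error, and the directory that holds the downloaded S3 config files.
INIT_PROCESS_WRITE_PATHS = [
    "/init/invoke_fluent_bit.sh",
    "/init/fluent-bit-init-s3-files/",
]


def _normalize_dir(path: str) -> str:
    """Return the path with exactly one trailing slash, so prefix checks
    cannot match /init against /initfoo."""
    return path.rstrip("/") + "/"


def path_is_covered(path: str, mount_points: List[Dict]) -> bool:
    """True if `path` lies inside a writable containerPath mount."""
    for mp in mount_points:
        if mp.get("readOnly"):
            continue
        root = _normalize_dir(mp["containerPath"])
        if _normalize_dir(path).startswith(root):
            return True
    return False


def check_task_definition(task_def_json: str,
                          required_writes: Dict[str, List[str]]) -> List[str]:
    """Return findings for a task definition. `required_writes` maps a
    container name to the paths that container must be able to write."""
    task = json.loads(task_def_json)
    findings: List[str] = []
    for container in task.get("containerDefinitions", []):
        name = container["name"]
        if not container.get("readonlyRootFilesystem", False):
            findings.append(f"{name}: readonlyRootFilesystem is not true (ECS.5)")
        mounts = container.get("mountPoints", [])
        for path in required_writes.get(name, []):
            if not path_is_covered(path, mounts):
                findings.append(f"{name}: no writable mount covers {path}")
    return findings


if __name__ == "__main__":
    for line in check_task_definition(SAMPLE_TASK_DEFINITION,
                                      {"log_router": INIT_PROCESS_WRITE_PATHS}):
        print(line)
```

Run against the sample, the check reports that `app` lacks `readonlyRootFilesystem` and that no writable mount covers `/init/invoke_fluent_bit.sh` for `log_router`, which is exactly the gap behind the "Cannot create the file" error above. Widening the mount to `/init/` satisfies the coverage check, but as the issue notes, mounting an empty volume there hides the files shipped in the image, so passing this check is necessary rather than sufficient until the init process writes to a dedicated working directory.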
Screenshots
Your Environment
- Version used: init-2.32.2.20240425
- Configuration:
- Environment name and version (e.g. Kubernetes? What version?): ECS Fargate 1.4
- Server type and version: -
- Operating System and version: -
- Filters and plugins: -