Enhancement: allow kubeinvaders to run with read-only FS
the-technat opened this issue · 11 comments
Given the following deployment.yaml:

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app.kubernetes.io/instance: kubeinvaders
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: kubeinvaders
    argocd.argoproj.io/instance: kubeinvaders
    helm.sh/chart: kubeinvaders-1.9.2
  name: kubeinvaders
  namespace: kubeinvaders
spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/instance: kubeinvaders
      app.kubernetes.io/name: kubeinvaders
  template:
    metadata:
      labels:
        app.kubernetes.io/instance: kubeinvaders
        app.kubernetes.io/name: kubeinvaders
    spec:
      containers:
        - env:
            - name: ENDPOINT
              value: space.alleaffengaffen.ch
            - name: NAMESPACE
              value: default
            - name: ALIENPROXIMITY
              value: '10'
            - name: HITSLIMIT
              value: '1'
            - name: UPDATETIME
              value: '0.5'
          image: 'luckysideburn/kubeinvaders:v1.9'
          name: kubeinvaders
          ports:
            - containerPort: 8080
              name: http
              protocol: TCP
          volumeMounts:
            - mountPath: /usr/local/openresty
              name: openresty
      securityContext:
        fsGroup: 999
        runAsGroup: 999
        runAsUser: 999
      serviceAccount: kubeinvaders
      serviceAccountName: kubeinvaders
      terminationGracePeriodSeconds: 30
      volumes:
        - emptyDir: {}
          name: openresty
```
I still get the following error log:

```text
sed: couldn't open temporary file /var/www/html/sedJAIsTK: Read-only file system
2022/09/19 14:44:03 [emerg] 11#11: unknown directive "access_by_lua_file" in /etc/nginx/conf.d/KubeInvaders.conf:21
nginx: [emerg] unknown directive "access_by_lua_file" in /etc/nginx/conf.d/KubeInvaders.conf:21
*** FATAL CONFIG FILE ERROR ***
Reading the configuration file, at line 13
>>> 'logfile stdou'
Can't open the log file: Read-only file system
```
Given that the Dockerfile shows /var/www/html contains files from the repo/app, which prevents me from mounting an emptyDir in /var/www/html, and the file that it wants to write there is randomly generated, I guess kubeinvaders cannot be run when the container is run with a read-only FS.
So that would be an enhancement ;)
Hi @the-technat, if I understood correctly, I have to set correct permissions on /var/www/html?
Not necessarily, you'd need to write the temporary sed file to another directory, e.g. a tmp directory; one could mount temporary storage there too. So ideally the files in the image shouldn't be touched at all at runtime. I saw there are some other files you edit when starting up kubeinvaders, that's also something that blocks using a read-only FS.
For example,
https://github.com/lucky-sideburn/KubeInvaders/blob/master/entrypoint.sh#L13
For this, should I put kubeinvaders.js in /tmp, do the sed there and then copy it into /var/www/html?
That wouldn't work. /var/www/html is read-only, so copying files into it won't work. Is there the option to read the ENDPOINT from env directly inside your JS? Then you won't need the sed command.
The other option would be to mount a configmap as a file into the container, then that file would be editable (although I wouldn't put a .js file into a CM).
@the-technat Hi! I am sorry for my delay! Let me try.. I will let you know
Hi @the-technat, I found a solution. I have released version v1.9.3.
I have used `sub_filter endpoint_placeholder $endpoint` directly in Nginx.
If you think it is a good solution, I'll close the issue :)
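For readers arriving at this thread with the same goal, the following is an added example (not KubeInvaders' own configuration, and not from the v1.9.3 release) of what the sub_filter approach looks like in an OpenResty `nginx.conf`, combined with the other thing a read-only root filesystem demands of nginx: every path it writes at runtime (pid file, temp directories, logs) relocated off the image. The placeholder name `endpoint_placeholder` and the `$endpoint` variable come from the comment above; the `/tmp` layout, the `/var/www/html` document root, port 8080 and the fallback value are assumptions. One caveat worth stating for the Deployment posted at the top of the thread: mounting an emptyDir over `/usr/local/openresty` hides whatever the image installed there, which is consistent with the `unknown directive "access_by_lua_file"` error a plain nginx build without ngx_lua reports. Scratch volumes belong on paths the image ships no content in, such as `/tmp`.

```nginx
# Added example (not the project's config): OpenResty nginx.conf that injects
# ENDPOINT into served JavaScript at response time and keeps all runtime
# writes under /tmp, so the container root filesystem can stay read-only.
# Paths, port and fallback value below are assumptions for illustration.

# nginx clears the process environment; only variables listed with `env`
# are visible to os.getenv() inside the Lua VM.
env ENDPOINT;

# Foreground process for the container; PID file on the writable scratch dir.
daemon off;
pid /tmp/nginx.pid;
error_log /dev/stderr notice;

events {
    worker_connections 1024;
}

http {
    access_log /dev/stdout;

    # Every temp path nginx may need must sit on a writable volume
    # (e.g. an emptyDir mounted at /tmp); nginx creates the directories itself.
    client_body_temp_path /tmp/client_body;
    proxy_temp_path       /tmp/proxy;
    fastcgi_temp_path     /tmp/fastcgi;
    uwsgi_temp_path       /tmp/uwsgi;
    scgi_temp_path        /tmp/scgi;

    # Inline types so the example does not depend on a mime.types file path.
    types {
        text/html              html;
        application/javascript js;
        text/css               css;
    }
    default_type application/octet-stream;

    server {
        # Unprivileged port: the worker can run as uid 999 without
        # CAP_NET_BIND_SERVICE.
        listen 8080;

        # Resolve the endpoint per request from the environment. The fallback
        # makes a missing variable visible instead of silently emitting "".
        set_by_lua_block $endpoint {
            return os.getenv("ENDPOINT") or "localhost:8080"
        }

        # Static files are served exactly as shipped in the image; nothing
        # here is edited with sed at startup.
        root /var/www/html;

        location / {
            # Replace the placeholder in the response body. sub_filter applies
            # to text/html only by default, so the JavaScript types must be
            # listed; sub_filter_once off replaces every occurrence.
            sub_filter       endpoint_placeholder $endpoint;
            sub_filter_once  off;
            sub_filter_types application/javascript text/javascript;
        }
    }
}
```

With this layout the only volume a Pod needs is an emptyDir at `/tmp`; the `securityContext` can then set `readOnlyRootFilesystem: true` alongside the `runAsUser`/`runAsGroup` values already in the posted manifest. Anything else the image starts at boot (the log above also shows a Redis-style config error about its log file) needs the same treatment: its writable paths pointed at the scratch volume or at stdout.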
Hey! Thanks for the fix! Unfortunately I can't test it this week, as I'm on vacation right now.
Would you mind keeping it open for a week?
Hi @the-technat, no problem :) Thank you very much for your community contribution! Take your time.
I tried it, there are still some issues with read-only FS and non-root. I guess the app is just not made to be run with read-only FS.
I'm closing this as it seems not easily achievable and not really necessary unless someone else has the same "problem".
Thanks @the-technat!
I added a new feature for programming mode... The purpose is to use YAML to do a kind of "Chaos Engineering Programming"... Please let me know what you think!
Thanks
Eug