Run a Container with a readOnlyRootFilesystem

One approach to running a container with readOnlyRootFilesystem: true is to use writable volume mounts (e.g. emptyDir, generic ephemeral volumes, etc.) and then copy those directories in from the main image using an initContainer; for example, for a Deployment:

1. Create an initContainer using the same IMAGE as your main container, share a volumeMount (e.g. named scratch) between your main container and the initContainer, mount each desired writable folder in the initContainer under an arbitrary directory (e.g. /copy) within the scratch mount and at an arbitrary subPath, recursively copy each image's original directory contents into each mountPath during initContainer execution, and finally use these same subPath mountPaths to mount these writable directories in the main container:

   spec:
     template:
       spec:
         initContainers:
           - name: initcopy
             image: IMAGE
             volumeMounts:
               - name: scratch
                 mountPath: /copy/AppServer
                 subPath: appserver
               - name: scratch
                 mountPath: /copy/tmp
                 subPath: tmp
               - name: scratch
                 mountPath: /copy/home
                 subPath: home
             command:
               - /bin/sh
             args:
               - '-c'
               - "mkdir -p /copy && cp -rv /opt/IBM/WebSphere/AppServer /copy/ && cp -rv /tmp /copy/ && cp -rv /home/was /copy/"
         containers:
           - volumeMounts:
               - name: scratch
                 mountPath: /opt/IBM/WebSphere/AppServer
                 subPath: appserver
               - name: scratch
                 mountPath: /tmp
                 subPath: tmp
               - name: scratch
                 mountPath: /home/was
                 subPath: home
         volumes:
           - name: scratch
             emptyDir: {}

   1. If there are small, default namespace-level CPU limits, then ensure the initContainer has a CPU limit so that I/O is not bottlenecked on CPU.
2. Configure readOnlyRootFilesystem: true
   1. Get the restricted SCC:

      oc get scc restricted -oyaml > readonly-scc.yaml

   2. Edit readonly-scc.yaml and make the following changes:
      1. Change metadata.name to readonly
      2. Change readOnlyRootFilesystem to true
      3. Change groups to []
      4. Change users to []
      5. Change metadata.annotations.kubernetes.io/description to readonly scc
   3. Create the new SCC:

      oc create -f readonly-scc.yaml

   4. Create a new service account:

      oc create sa readonlysa

   5. Add the new SCC to the new SA:

      oc adm policy add-scc-to-user readonly -z readonlysa

   6. Edit the deployment to use the readonly service account:

      spec:
        serviceAccountName: readonlysa

Previous Section (OpenShift Determine files written in a container) | Next Section (Troubleshooting Java Recipes) | Back to Table of Contents