
[Feature Request] Make components work in a read-only file system and non root #593

Open
JRBANCEL opened this issue Oct 15, 2024 · 1 comment
Labels
enhancement New feature or request

Comments

@JRBANCEL

Is your feature request related to a problem? Please describe.

A security context like this:

    containerSecurityContext:
      runAsNonRoot: true
      readOnlyRootFilesystem: true
      allowPrivilegeEscalation: false
      capabilities:
        drop:
          - ALL
    securityContext:
      fsGroup: 1000
      runAsUser: 1000
      runAsGroup: 1000

is standard.

Several components fail with those settings:

    unable to create open /etc/temporal/config/docker.yaml: read-only file system
    unable to create open ./config/docker.yaml: permission denied

Describe the solution you'd like

For the FS part, typically an emptyDir is mounted where the code needs to write.
For the rest, I am not sure what the issue is, but the container should not need to run as root.

@JRBANCEL JRBANCEL added the enhancement New feature or request label Oct 15, 2024
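The emptyDir approach the issue proposes, written out as a complete Kubernetes Deployment. This is an added example, not code from the issue, the Helm chart or the Temporal project. It keeps the hardened securityContext quoted above verbatim and mounts an emptyDir over `/etc/temporal/config`, the directory the first error message shows the entrypoint trying to write `docker.yaml` into. The Deployment name, labels, container name, image tag and port are assumptions chosen for illustration.

```yaml
# Added example (not from the issue or the Temporal project).
# Goal: run with readOnlyRootFilesystem and a non-root UID while still letting the
# entrypoint write its generated /etc/temporal/config/docker.yaml.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: temporal-frontend            # assumed name
spec:
  replicas: 1
  selector:
    matchLabels:
      app: temporal-frontend          # assumed label
  template:
    metadata:
      labels:
        app: temporal-frontend
    spec:
      # Pod-level settings from the issue. fsGroup makes the emptyDir below
      # group-owned by GID 1000, so the non-root process can write into it.
      securityContext:
        runAsUser: 1000
        runAsGroup: 1000
        fsGroup: 1000
      containers:
        - name: frontend
          image: temporalio/server:1.25.0   # assumed image and tag
          # Container-level settings from the issue, unchanged.
          securityContext:
            runAsNonRoot: true
            readOnlyRootFilesystem: true
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
          volumeMounts:
            # Only this directory becomes writable; the rest of the image's root
            # filesystem stays read-only. The path comes from the error message
            # "unable to create open /etc/temporal/config/docker.yaml".
            - name: generated-config
              mountPath: /etc/temporal/config
          ports:
            - name: grpc
              containerPort: 7233         # assumed port
      volumes:
        - name: generated-config
          emptyDir: {}                    # add "medium: Memory" to keep it off node disk
```

Two caveats before adopting this. An emptyDir mounted over `/etc/temporal/config` shadows anything the image ships in that directory, so confirm the entrypoint does not also read templates from the same path; if it does, mount a narrower path or a `subPath` instead. The second error in the issue (`./config/docker.yaml: permission denied`) is relative to the process working directory, so it is only fixed by this mount if that working directory resolves into the mounted path; otherwise the writable volume has to be placed where the process actually runs. To verify the hardening held, `kubectl exec` into the pod and attempt `touch /usr/bin/x` (expected to fail with a read-only filesystem error) and `touch /etc/temporal/config/x` (expected to succeed).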
@robholland (Contributor)

This will be fixed via: temporalio/temporal#6251.
