aws-app-mesh-roadmap
Bug: describe bug here
Summary
I am trying to run envoy on ecs fargate with a readonlyRootFileSystem as per ecs best practices. When I run in this mode Envoy crashes because it can't save the envoy bootstrap config. Is the list of non-readonly mountPoints that need to be configured in order to get aws-appmesh-envoy to run with a readonly filesystem documented anywhere?
I have tried adding a mountPoint to /tmp:
    {
      sourceVolume  = "envoy-tmp"
      containerPath = "/tmp"
      readOnly      = false
    }
But this still fails.
Steps to Reproduce
Run envoy with readonlyRootFilesystem = true set in the envoy container definition.
Are you currently working around this issue?
Not making the envoy container readonly.
This works if you run the instance as the root user:
    environment = [
      {
        name  = "ENVOY_UID"
        value = "0"
      },
    ]
And the following mount point:
    {
      sourceVolume  = "envoy-tmp"
      containerPath = "/tmp"
      readOnly      = false
    }
But then you're running as root.
Would be fantastic if the Dockerfile used for building appmesh had the following added to the bottom:
    RUN mkdir -p /tmp
    RUN chown -R envoy /tmp
    VOLUME ["/tmp"]
This would then allow you to run as non-root but still with a read-only root filesystem.
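As an added example (not code from the issue or from the App Mesh project), the check below lints an ECS task definition for the two properties this report is about: the envoy container must keep readonlyRootFilesystem = true with at least one read-write mountPoint (the issue says Envoy crashes without somewhere writable for its bootstrap config), and it must not fall back to running as root via ENVOY_UID=0 or user = "0"/"root". The sample task definition embedded in it is constructed to match the root + writable /tmp workaround described above; the image name is a placeholder.

```python
"""Lint ECS container definitions for a read-only root filesystem and a non-root Envoy."""
import json


def writable_mounts(container):
    """Container paths mounted read-write: the only writable places once the root fs is read-only."""
    return sorted(m["containerPath"] for m in container.get("mountPoints", [])
                  if not m.get("readOnly", False))


def env_value(container, name):
    """Value of an ECS-style environment entry ({"name": ..., "value": ...}) or None."""
    for kv in container.get("environment", []):
        if kv.get("name") == name:
            return kv.get("value")
    return None


def lint_envoy_container(container):
    """Return a list of findings; an empty list means both hardening goals are met."""
    findings = []
    if not container.get("readonlyRootFilesystem", False):
        findings.append("root filesystem is writable (readonlyRootFilesystem != true)")
    elif not writable_mounts(container):
        findings.append("read-only root filesystem but no read-write mountPoints; "
                        "Envoy has nowhere to write its bootstrap config")
    # ENVOY_UID=0 is the workaround from the issue: it works, but Envoy then runs as root.
    uid = env_value(container, "ENVOY_UID")
    user = str(container.get("user", "")).split(":")[0]
    if uid == "0" or user in ("0", "root"):
        findings.append("Envoy runs as root (ENVOY_UID=0 or user=root)")
    return findings


def lint_task_definition(task_def_json):
    """Lint every container named 'envoy' in a task definition JSON document."""
    task = json.loads(task_def_json)
    return {c["name"]: lint_envoy_container(c)
            for c in task["containerDefinitions"] if c["name"] == "envoy"}


# Constructed sample: read-only root fs, writable /tmp, and the ENVOY_UID=0 workaround.
SAMPLE_TASK_DEF = json.dumps({
    "family": "example",
    "volumes": [{"name": "envoy-tmp"}],
    "containerDefinitions": [{
        "name": "envoy",
        "image": "ENVOY_IMAGE_PLACEHOLDER",
        "readonlyRootFilesystem": True,
        "environment": [{"name": "ENVOY_UID", "value": "0"}],
        "mountPoints": [{"sourceVolume": "envoy-tmp", "containerPath": "/tmp", "readOnly": False}],
    }],
})

if __name__ == "__main__":
    print(lint_task_definition(SAMPLE_TASK_DEF))
```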