
Bug: describe bug here

Open · dgr237 opened this issue 1 year ago · 1 comment

Summary

I am trying to run Envoy on ECS Fargate with readonlyRootFileSystem set, as per ECS best practices. When I run in this mode, Envoy crashes because it can't save the Envoy bootstrap config. Is the list of non-readonly mountPoints that need to be configured in order to get aws-appmesh-envoy to run with a read-only filesystem documented anywhere?

I have tried adding a mountPoint to /tmp:

  {
    sourceVolume  = "envoy-tmp"
    containerPath = "/tmp"
    readOnly      = false
  }

But this still fails.

Steps to Reproduce

Run Envoy with readonlyRootFilesystem = true set in the Envoy container definition.

Are you currently working around this issue?

By not making the Envoy container read-only.

dgr237 commented Oct 10 '22 16:10

This works if you run the instance as root user:

environment = [
  {
    name  = "ENVOY_UID"
    value = "0"
  },
]

And the following mount point:

  {
    sourceVolume  = "envoy-tmp"
    containerPath = "/tmp"
    readOnly      = false
  }

But then you're running as root.

It would be fantastic if the Dockerfile used for building appmesh had the following added to the bottom:

RUN mkdir -p /tmp
RUN chown -R envoy /tmp
VOLUME ["/tmp"]

This would then allow you to run as non-root but still with a read-only root filesystem.

ash5gfrankie commented Dec 04 '23 04:12
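As an added example (not code from this issue, from AWS, or from the App Mesh project), the following Python script lints an ECS task definition, written in the JSON shape that `register-task-definition` accepts rather than the Terraform HCL above, for the two points raised in the thread: a container with `readonlyRootFilesystem` set must mount a writable volume at the path Envoy writes to, and `ENVOY_UID=0` (the root workaround in the second comment) is reported so it does not slip through review. It assumes that `/tmp` is the only writable path Envoy needs, which is exactly what the reporter asks to have documented, and uses a placeholder image name; the sample task definition is constructed for the example.

```python
"""Lint an ECS task definition for the read-only root filesystem pattern.

Added example for the issue thread above; not App Mesh or AWS code.
Checks, per container:
  * mountPoints reference a declared volume (ECS rejects the definition otherwise)
  * if readonlyRootFilesystem is true, every path in REQUIRED_WRITABLE is mounted read-write
  * ENVOY_UID=0 is reported, since it means Envoy runs as root
"""
import json

# Assumption: /tmp (where the Envoy bootstrap config is written, per the thread)
# is the only path that must stay writable. Extend this set if more are documented.
REQUIRED_WRITABLE = {"/tmp"}


def writable_mounts(container):
    """Return the set of containerPath values mounted read-write."""
    return {
        m["containerPath"]
        for m in container.get("mountPoints", [])
        if not m.get("readOnly", False)
    }


def env_value(container, name):
    """Return the value of environment variable `name`, or None if unset."""
    for kv in container.get("environment", []):
        if kv.get("name") == name:
            return kv.get("value")
    return None


def lint_task_definition(task_def):
    """Return a list of (container_name, finding) tuples; an empty list means no findings."""
    findings = []
    volume_names = {v["name"] for v in task_def.get("volumes", [])}
    for c in task_def.get("containerDefinitions", []):
        name = c["name"]
        # Every mountPoint must point at a volume declared at the task level.
        for m in c.get("mountPoints", []):
            if m["sourceVolume"] not in volume_names:
                findings.append((name, f"mountPoint {m['containerPath']} references undeclared volume {m['sourceVolume']}"))
        if not c.get("readonlyRootFilesystem", False):
            # The reporter's current workaround: a writable root filesystem.
            findings.append((name, "root filesystem is writable"))
            continue
        # Read-only root: the paths Envoy writes to need a read-write mount.
        for path in sorted(REQUIRED_WRITABLE - writable_mounts(c)):
            findings.append((name, f"read-only root without writable mount at {path}"))
        # The second comment's workaround: running Envoy as root.
        if env_value(c, "ENVOY_UID") == "0":
            findings.append((name, "ENVOY_UID=0 runs Envoy as root"))
    return findings


# Constructed sample (not from the issue): the root + /tmp-volume workaround
# from the second comment, expressed as an ECS JSON task definition.
SAMPLE_TASK_DEF = {
    "family": "appmesh-readonly-example",
    "volumes": [{"name": "envoy-tmp"}],
    "containerDefinitions": [
        {
            "name": "envoy",
            "image": "EXAMPLE_ENVOY_IMAGE",  # placeholder, not a real image reference
            "readonlyRootFilesystem": True,
            "environment": [{"name": "ENVOY_UID", "value": "0"}],
            "mountPoints": [
                {"sourceVolume": "envoy-tmp", "containerPath": "/tmp", "readOnly": False}
            ],
        }
    ],
}

if __name__ == "__main__":
    # Usage: python lint_taskdef.py < taskdef.json, or run with no stdin to lint the sample.
    import sys
    task_def = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_TASK_DEF
    for container, finding in lint_task_definition(task_def):
        print(f"{container}: {finding}")
```

On the sample, the only finding is the root-user one, which is the trade-off the second comment describes; a container with `readonlyRootFilesystem` set and no `/tmp` mount produces the "read-only root without writable mount" finding that corresponds to the crash in the original report.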