
Read-only filesystem

Open dr1v3 opened this issue 2 years ago • 6 comments

Is there any possibility to run Gunicorn on a read-only filesystem? I'm trying to launch Gunicorn in Fargate with an r/o filesystem and got errors about failed writes to the /tmp folder.

dr1v3 avatar Sep 01 '22 20:09 dr1v3

The 2 main constraints are:

  • having a writable temporary folder somewhere: to make it work you may have to mount the temporary folder in memory. You don't need a large folder for it. You can also direct the temp files to another folder via the configuration or command line.
  • precompile Python files and start on the pyc.

Hope it helps

benoitc avatar Sep 02 '22 07:09 benoitc
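
Added example, not part of the thread and not Gunicorn's own code: a `gunicorn.conf.py` sketch for the suggestion above to direct temporary files to another folder via the configuration. It relies on Gunicorn's `worker_tmp_dir` setting; the helper names, the `GUNICORN_TMP_DIR` variable and the candidate paths are assumptions chosen for illustration.

```python
# gunicorn.conf.py (added example; helper names and candidate paths are assumptions)
import os
import sys
import tempfile

# Candidate locations, most preferred first. On a read-only root filesystem
# only explicitly mounted volumes (tmpfs, bind mount, EFS, ...) are writable.
CANDIDATES = [
    os.environ.get("GUNICORN_TMP_DIR"),  # hypothetical override variable
    "/dev/shm",
    "/run/gunicorn",                     # hypothetical dedicated small volume
    os.environ.get("TMPDIR"),
    "/tmp",
]


def is_writable_dir(path):
    """Return True if a temp file can be created and removed inside `path`."""
    if not path or not os.path.isdir(path):
        return False
    try:
        fd, name = tempfile.mkstemp(prefix="probe-", dir=path)
    except OSError:  # read-only mount, missing permission, no space left
        return False
    os.close(fd)
    os.unlink(name)
    return True


def first_writable(candidates):
    """Return the first candidate that passes the probe, or None."""
    for path in candidates:
        if is_writable_dir(path):
            return path
    return None


# Gunicorn reads module-level names in this file as settings.
# None means Gunicorn falls back to its default temporary directory lookup.
worker_tmp_dir = first_writable(CANDIDATES)
if worker_tmp_dir is None:
    print("no writable temp dir among: %r" % CANDIDATES, file=sys.stderr)
```

The same directory can be passed on the command line with `--worker-tmp-dir` instead of a config file.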

> you may have to mount the temporary folder in memory

Unfortunately this is not possible in AWS Fargate; tmpfs is disabled

> precompile Python files and start on the pyc.

Thanks, I'll try this solution

dr1v3 avatar Sep 02 '22 07:09 dr1v3

For AWS Fargate, maybe this is still working? https://aws.amazon.com/about-aws/whats-new/2018/03/amazon-ecs-adds-support-for-shm-size-and-tmpfs-parameters/

Also, ECS can get ephemeral storage according to this doc: https://docs.aws.amazon.com/AmazonECS/latest/developerguide/fargate-task-storage.html

benoitc avatar Sep 02 '22 07:09 benoitc

> For AWS Fargate, maybe this is still working? https://aws.amazon.com/about-aws/whats-new/2018/03/amazon-ecs-adds-support-for-shm-size-and-tmpfs-parameters/

This is related to the EC2 launch type, not Fargate

> Also, ECS can get ephemeral storage according to this doc: https://docs.aws.amazon.com/AmazonECS/latest/developerguide/fargate-task-storage.html

Yep, this is about regular Fargate storage, but I configured it in read-only mode for security reasons

dr1v3 avatar Sep 02 '22 07:09 dr1v3

I don't really see the point of making a file system read only when you control the container, but you need to have a temporary place where you put files. Maybe you can have a small volume for it.

benoitc avatar Sep 07 '22 09:09 benoitc

A read-only filesystem is some kind of business requirement in my case; maybe someone will try to launch Gunicorn on a Raspberry Pi with r/o slow flash storage or something like this. Anyway, I solved this problem with an EFS volume mounted to /tmp.

dr1v3 avatar Sep 07 '22 10:09 dr1v3

Being in the same boat as dr1v3, I added the following to the Dockerfile of the image that runs Gunicorn: VOLUME ["/tmp"]. Running gunicorn==20.1.0. Without further configuration, Gunicorn picked up the volume for the location of temporary files.

jpf18 avatar Jun 23 '23 16:06 jpf18

Sounds like there are workarounds. I'll close.

tilgovi avatar Dec 29 '23 03:12 tilgovi