mq-container
Simplify/improve running with read-only rootfs
We have a company-wide security requirement to run containers in k8s with a read-only fs (we run it there for dev purposes only).
We have been able to implement that by building our own image that moves `/etc/mqm/` to `/config/mqm` and then mounts a tmpdir to `/etc/mqm` at runtime, copying back from `/config`.
Also, a lot of mounts have been found out by trial & error:

```
docker run --user 1001:0 --read-only --tmpfs /etc/mqm/ --tmpfs /run/runmqserver --tmpfs /run/runmqserver/tls/ --tmpfs /tmp \
  -v data:/mnt/ -e LICENSE=accept \
  ibmmq/mq
```
I would suggest making running with a r/o rootfs simpler.
For example, it would be easier if input files (`.tpl`) were stored in `/usr/share`, so that `runmqdevserver` would start with an empty `/etc/mqm`.
Also maybe the documentation should be improved by specifying which folders have to be read-only and/or improving the error messages by showing which file is problematic.
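For readers who want the same setup in Kubernetes, the following Pod spec is an added example (not from the mq-container project or from the issue author) that expresses the `docker run` command above one for one: `readOnlyRootFilesystem: true` for `--read-only`, `runAsUser`/`runAsGroup` for `--user 1001:0`, one memory-backed `emptyDir` per `--tmpfs` path, and a PersistentVolumeClaim for the `data` volume at `/mnt`. The pod and volume names, the PVC name `mq-data` and the `allowPrivilegeEscalation: false` line are assumptions and additions of this example; the image is written as in the post, but with the stock image `/etc/mqm` starts empty, so this spec assumes the custom image described above that copies the configuration back from `/config` at start-up.

```yaml
# Added example, not project code: Kubernetes equivalent of the docker run
# command in the issue. Every mount path is taken from that command; names,
# the PVC and allowPrivilegeEscalation are assumptions of this example.
apiVersion: v1
kind: Pod
metadata:
  name: mq-readonly-example          # assumed name
spec:
  securityContext:
    runAsUser: 1001                  # --user 1001:0
    runAsGroup: 0
  containers:
    - name: mq
      image: ibmmq/mq                # as written in the issue; assumes the
                                     # custom image that repopulates /etc/mqm
      env:
        - name: LICENSE              # -e LICENSE=accept
          value: accept
      securityContext:
        readOnlyRootFilesystem: true # --read-only
        allowPrivilegeEscalation: false  # hardening added here, not in the post
      volumeMounts:
        - name: etc-mqm
          mountPath: /etc/mqm              # --tmpfs /etc/mqm/
        - name: run-runmqserver
          mountPath: /run/runmqserver      # --tmpfs /run/runmqserver
        - name: run-runmqserver-tls
          mountPath: /run/runmqserver/tls  # --tmpfs /run/runmqserver/tls/
        - name: tmp
          mountPath: /tmp                  # --tmpfs /tmp
        - name: data
          mountPath: /mnt                  # -v data:/mnt/
  volumes:
    - name: etc-mqm
      emptyDir:
        medium: Memory                 # tmpfs-backed, like --tmpfs
    - name: run-runmqserver
      emptyDir:
        medium: Memory
    - name: run-runmqserver-tls
      emptyDir:
        medium: Memory
    - name: tmp
      emptyDir: {}
    - name: data
      persistentVolumeClaim:
        claimName: mq-data             # assumed PVC name
```

A quick check that the restriction is really in force after `kubectl apply -f`: `kubectl exec mq-readonly-example -- touch /usr/share/probe` should fail with "Read-only file system", while `touch /etc/mqm/probe` succeeds because that path is an `emptyDir`. The nested `/run/runmqserver/tls` mount is kept only to mirror the post; in Kubernetes a directory under an already writable `emptyDir` is writable without its own volume.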