Allow to run Blaze as Container with Read-Only Filesystem
It is best practice to run containers with a read-only root filesystem [1], [2].
The only situation where Blaze likes to write a file is while loading the RocksDB shared library. However, we can mount a tmpfs at this location. Because the shared library will also be executed, the tmpfs has to be mounted with the execute option, which isn't the default.
The proposed solution would be to use a separate directory for RocksDB and mount a tmpfs with the execute option there.
docker run -p 8080:8080 --read-only --tmpfs /app/rocksdb:exec -e ROCKSDB_SHAREDLIB_DIR=/app/rocksdb -v blaze-data:/app/data --rm blaze:latest
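
A check that a container really ended up with the mounts described above, as an added example that is not part of the original issue or the Blaze project: it parses text in `/proc/mounts` format and confirms a read-only root plus a writable tmpfs without `noexec` at the RocksDB directory. The function names and the sample mount lines are constructed for illustration.

```bash
#!/usr/bin/env bash
# Constructed /proc/mounts-style samples (not captured from a real container).
# GOOD: --read-only plus --tmpfs /app/rocksdb:exec
SAMPLE_GOOD='overlay / overlay ro,relatime 0 0
tmpfs /app/rocksdb tmpfs rw,nosuid,nodev,relatime 0 0
/dev/sda1 /app/data ext4 rw,relatime 0 0'
# NOEXEC: --tmpfs /app/rocksdb without the exec option
SAMPLE_NOEXEC='overlay / overlay ro,relatime 0 0
tmpfs /app/rocksdb tmpfs rw,nosuid,nodev,noexec,relatime 0 0
/dev/sda1 /app/data ext4 rw,relatime 0 0'

# Print "fstype options" of the mount covering path $2 in mounts text $1.
# The longest matching mount point wins; on a tie the later line wins.
mount_for() {
  printf '%s\n' "$1" | awk -v p="$2" '
    BEGIN { best = 0 }
    { mp = $2
      if ((mp == "/" || p == mp || index(p, mp "/") == 1) && length(mp) >= best) {
        best = length(mp); out = $3 " " $4 } }
    END { print out }'
}

# Succeed if option $2 occurs in the comma-separated option list $1.
has_opt() { case ",$1," in *",$2,"*) return 0 ;; *) return 1 ;; esac; }

# Verify the layout from the issue: read-only root, writable exec tmpfs.
check_blaze_mounts() {
  mounts=$1; dir=${2:-/app/rocksdb}
  root=$(mount_for "$mounts" /); lib=$(mount_for "$mounts" "$dir")
  if ! has_opt "${root#* }" ro; then echo "FAIL: root filesystem is writable"; return 1; fi
  if [ "${lib%% *}" != tmpfs ]; then echo "FAIL: $dir is not a tmpfs"; return 1; fi
  if ! has_opt "${lib#* }" rw; then echo "FAIL: $dir is not writable"; return 1; fi
  if has_opt "${lib#* }" noexec; then echo "FAIL: $dir is mounted noexec"; return 1; fi
  echo "OK: read-only root, writable exec tmpfs at $dir"
}

# Inside a running container the real input is: "$(cat /proc/self/mounts)"
check_blaze_mounts "$SAMPLE_GOOD"
check_blaze_mounts "$SAMPLE_NOEXEC" || true
```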