supertokens-docker-postgresql

[Kubernetes] Breaks on Kubernetes ReadOnlyFileSystem

Open Moep90 opened this issue 1 year ago • 5 comments

On a ReadOnlyFileSystem Pod in Kubernetes, you get many Read-only file system errors:

$ k logs -f supertokens-core-9fbc964db-t7vgj
Defaulted container "supertokens-core" out of: supertokens-core, create-db (init)
chown: changing ownership of '/usr/lib/supertokens/.started': Read-only file system
chown: changing ownership of '/usr/lib/supertokens/LICENSE.md': Read-only file system
chown: changing ownership of '/usr/lib/supertokens/cli/argon2-jvm-2.11.jar': Read-only file system
chown: changing ownership of '/usr/lib/supertokens/cli/argon2-jvm-nolibs-2.11.jar': Read-only file system
chown: changing ownership of '/usr/lib/supertokens/cli/cli.jar': Read-only file system
chown: changing ownership of '/usr/lib/supertokens/cli/gson-2.3.1.jar': Read-only file system
chown: changing ownership of '/usr/lib/supertokens/cli/jackson-annotations-2.16.1.jar': Read-only file system
chown: changing ownership of '/usr/lib/supertokens/cli/jackson-core-2.16.1.jar': Read-only file system
[....]
chown: changing ownership of '/usr/lib/supertokens/plugin-interface/plugin-interface-4.0.6.jar': Read-only file system
chown: changing ownership of '/usr/lib/supertokens/plugin-interface': Read-only file system
chown: changing ownership of '/usr/lib/supertokens/version.yaml': Read-only file system
chown: changing ownership of '/usr/lib/supertokens/webserver-temp': Read-only file system
chown: changing ownership of '/usr/lib/supertokens/': Read-only file system

There are many chown commands in the entry point; could they be made optional?

For instance, as an ENV:

env:
  READ_ONLY_FS: true
  # OR
  K8S: true
  # OR
  ON_KUBERNETES: true

https://github.com/supertokens/supertokens-docker-postgresql/blob/e6a6dae16e6dcac96e8901e5e8dd650d6f561548/docker-entrypoint.sh#L39

Moep90, May 02 '24 10:05

Hi @Moep90

We will have to investigate this, but not quite sure when, since this issue hasn't been brought up by others that use SuperTokens on Kubernetes.

Maybe you could fork our repo and make your own docker image? We have instructions on how to do that here: https://github.com/supertokens/supertokens-core/wiki/Building-from-source#creating-a-docker-image

rishabhpoddar, May 02 '24 10:05

I assume they either build their container or helm chart 🤷

https://github.com/supertokens/supertokens-docker-postgresql/blob/master/helm-chart/templates/deployment.yaml#L38

https://github.com/supertokens/supertokens-docker-postgresql/blob/master/helm-chart/values.yaml#L94

Moep90, May 02 '24 10:05

Not quite sure. The helm chart is community contributed.

rishabhpoddar, May 02 '24 10:05

It is currently impossible to run the docker image in a Kubernetes cluster with specific security requirements, such as a ReadOnlyRootFilesystem and/or another UID.

Moep90, May 02 '24 10:05

Oh yeah, I get that. Which is why I suggested to create your own docker image from the link above without the chown command in it.

We can further investigate if we can remove that from our repo, but, not quite sure about the timeline for that, unless there is a lot of interest in this issue.

rishabhpoddar, May 02 '24 11:05
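
An added example, not part of the thread and not the project's docker-entrypoint.sh: one way an entrypoint could make the chown conditional, so it is skipped under a read-only root filesystem or a non-root UID instead of failing on every file. The function names and uid 1000 are assumptions; READ_ONLY_FS is the variable name proposed in the issue, not an existing option.

```shell
#!/bin/sh
# Added example; not the project's docker-entrypoint.sh.
# READ_ONLY_FS is the variable proposed in the issue (hypothetical).

# ownership_action DIR UID
# Prints one word saying what the entrypoint should do with DIR:
#   skip:opt-out        operator set READ_ONLY_FS
#   skip:already-owned  every path under DIR already belongs to UID
#   skip:not-root       chown would fail with EPERM (pod runs as another UID)
#   skip:read-only      chown would fail with EROFS (read-only root filesystem)
#   chown               ownership is wrong and can be fixed
ownership_action() {
    dir=$1
    uid=$2
    case "${READ_ONLY_FS:-false}" in
        true|1|yes) echo "skip:opt-out"; return 0 ;;
    esac
    # First path not owned by UID, if any; errors from unreadable dirs dropped.
    stray=$(find "$dir" ! -user "$uid" 2>/dev/null | head -n 1)
    if [ -z "$stray" ]; then
        echo "skip:already-owned"
    elif [ "$(id -u)" -ne 0 ]; then
        echo "skip:not-root"
    elif [ ! -w "$dir" ]; then
        # test -w is false on a read-only mount, even for root
        echo "skip:read-only"
    else
        echo "chown"
    fi
}

# fix_ownership DIR UID: chown only when ownership_action says it will work.
fix_ownership() {
    action=$(ownership_action "$1" "$2")
    if [ "$action" = "chown" ]; then
        chown -R "$2" "$1"
    else
        echo "not changing ownership of $1 ($action)" >&2
    fi
}

# Entrypoint usage (uid 1000 is a constructed value):
#   fix_ownership /usr/lib/supertokens/ 1000
```

If the image sets ownership at build time, the already-owned branch makes the runtime chown a no-op, which is what lets the same image run with or without a read-only root filesystem.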