Support for read only file systems
arahlf opened this issue
Description
I'm trying to get the Keycloak image to work in an environment that requires the use of read only root file systems, such as via the "--read-only" flag when running Docker directly, or the "readOnlyRootFilesystem" in the context of k8s.
Currently, the startup scripts in the image do various forms of file manipulation, such as "sed -i" and "touch", and probably others I just haven't bumped into yet. When running the Keycloak image with Docker locally using the "--read-only" flag, it immediately fails with:
sed: couldn't open temporary file /opt/jboss/keycloak/bin/sedwhvBHR: Read-only file system
because of: https://github.com/keycloak/keycloak-containers/blob/main/server/tools/docker-entrypoint.sh#L108
but there are seemingly other places that try to do file I/O as well.
Motivation
Running on a read only root file system is becoming more commonly enforced and is also recommended by the NSA: https://www.cisa.gov/uscert/ncas/current-activity/2021/08/02/cisa-and-nsa-release-kubernetes-hardening-guidance
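The failure quoted above comes from the way "sed -i" works: it writes a temporary file next to the file it edits, so it needs write access to the directory holding standalone.conf, which a read-only root filesystem denies. The script below is an added example, not code from the Keycloak project or the issue author: it renders a configuration file from a read-only location into a writable directory instead of editing it in place, which is the pattern an entrypoint needs under "--read-only" or "readOnlyRootFilesystem". The standalone.conf content and the directory names are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the Keycloak project): render a config file from a
# read-only location into a writable directory instead of editing it in place.
# "sed -i" must create a temporary file beside the original, which is exactly
# what fails on a read-only root filesystem.

# render_conf SRC DEST_DIR SED_EXPR
#   Reads SRC, applies SED_EXPR, and writes DEST_DIR/<basename of SRC>.
#   SRC is only ever opened for reading, so it may live on a read-only mount.
#   Prints the rendered path on success; returns 1 if DEST_DIR is not a
#   writable directory or the rendering fails.
render_conf() {
    src=$1
    dest_dir=$2
    sed_expr=$3
    [ -d "$dest_dir" ] && [ -w "$dest_dir" ] || return 1
    dest="$dest_dir/$(basename "$src")"
    # sed reads the source and writes to stdout; the redirect puts the result
    # in the writable directory, leaving the read-only copy untouched.
    sed -e "$sed_expr" "$src" > "$dest" || return 1
    printf '%s\n' "$dest"
}

# Demo on a constructed standalone.conf-like file (hypothetical content).
# The read-only side is emulated with chmod 555, which is best effort only:
# a root user is not stopped by directory permissions.
demo() {
    work=$(mktemp -d)
    mkdir "$work/ro" "$work/rw"
    printf 'JAVA_OPTS="-Xms64m -Xmx512m"\n' > "$work/ro/standalone.conf"
    chmod 555 "$work/ro"
    rendered=$(render_conf "$work/ro/standalone.conf" "$work/rw" \
        's/-Xmx512m/-Xmx512m -Djava.net.preferIPv4Stack=true/')
    echo "rendered: $rendered"
    cat "$rendered"
    echo "source unchanged:"
    cat "$work/ro/standalone.conf"
    chmod 755 "$work/ro"
    rm -rf "$work"
}

demo
```

In a container the writable target would be a tmpfs or volume rather than the image layer: with Docker that is "docker run --read-only --tmpfs /tmp ..." and a mount for the rendered path, and in Kubernetes "securityContext.readOnlyRootFilesystem: true" together with an emptyDir volume mounted where the entrypoint writes. The point of the function is that the only paths it opens for writing are ones the operator has explicitly made writable, so the rest of the filesystem can stay immutable.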
Spent a few minutes investigating. Bottom line, the commit that introduced the "sed -i" would better have belonged to the wildfly repo, which provides the standalone.conf file. https://github.com/wildfly/wildfly/blob/main/docs/src/main/asciidoc/_admin-guide/General_configuration_concepts.adoc
@radudd @slaskawi any chance you could relocate/reapply the patchset?
Otherwise I hope that Quarkus Keycloak is obsoleting some of this.
With Keycloak 20 the WildFly based distribution is no longer supported. For the newer Quarkus distribution of Keycloak, check out the new documentation, or the updated container sources.